[v5.15] possible deadlock in ocfs2_read_virt_blocks
6 views
Skip to first unread message
syzbot
Dec 22, 2024, 6:42:26 AM12/22/24
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 91786f140358 Linux 5.15.175
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1706f2df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=1fc30776feb70ea7
dashboard link: https://syzkaller.appspot.com/bug?extid=3e2174c956a9427f8739
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/210b1e4b59b1/disk-91786f14.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1cf8391059a0/vmlinux-91786f14.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1d9077a44b1c/bzImage-91786f14.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3e2174...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.175-syzkaller #0 Not tainted
------------------------------------------------------
syz.0.1772/8977 is trying to acquire lock:
ffff8880713b22e0 (&ocfs2_file_ip_alloc_sem_key){++++}-{3:3}, at: ocfs2_read_virt_blocks+0x2b3/0xa10 fs/ocfs2/extent_map.c:976
but task is already holding lock:
ffff88802a4f8990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x12b9/0x1570 fs/jbd2/transaction.c:462
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (jbd2_handle){++++}-{0:0}
:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
start_this_handle+0x12e1/0x1570 fs/jbd2/transaction.c:464
jbd2__journal_start+0x2d1/0x5c0 fs/jbd2/transaction.c:521
__ext4_journal_start_sb+0x175/0x370 fs/ext4/ext4_jbd2.c:105
__ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline]
ext4_dirty_inode+0x8b/0x100 fs/ext4/inode.c:6007
__mark_inode_dirty+0x2fd/0xd60 fs/fs-writeback.c:2464
generic_update_time fs/inode.c:1856 [inline]
inode_update_time fs/inode.c:1869 [inline]
touch_atime+0x3fa/0x680 fs/inode.c:1941
file_accessed include/linux/fs.h:2523 [inline]
ext4_file_mmap+0x18e/0x370 fs/ext4/file.c:763
call_mmap include/linux/fs.h:2179 [inline]
mmap_file+0x5a/0xb0 mm/util.c:1092
__mmap_region mm/mmap.c:1784 [inline]
mmap_region+0x1035/0x1870 mm/mmap.c:2921
do_mmap+0x78d/0xe00 mm/mmap.c:1574
vm_mmap_pgoff+0x1ca/0x2d0 mm/util.c:551
ksys_mmap_pgoff+0x559/0x780 mm/mmap.c:1623
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
-> #1 (&mm->mmap_lock){++++}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__might_fault+0xb4/0x110 mm/memory.c:5355
_copy_to_user+0x28/0x130 lib/usercopy.c:35
copy_to_user include/linux/uaccess.h:200 [inline]
fiemap_fill_next_extent+0x231/0x410 fs/ioctl.c:144
ocfs2_fiemap_inline fs/ocfs2/extent_map.c:725 [inline]
ocfs2_fiemap+0xc1d/0xf80 fs/ocfs2/extent_map.c:762
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x1934/0x2b70 fs/ioctl.c:814
__do_sys_ioctl fs/ioctl.c:872 [inline]
__se_sys_ioctl+0x81/0x160 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
-> #0 (&ocfs2_file_ip_alloc_sem_key){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1498
ocfs2_read_virt_blocks+0x2b3/0xa10 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block+0x102/0x5b0 fs/ocfs2/dir.c:508
ocfs2_dir_foreach_blk_el fs/ocfs2/dir.c:1829 [inline]
ocfs2_dir_foreach_blk+0x2a8/0x1ba0 fs/ocfs2/dir.c:1915
ocfs2_dir_foreach fs/ocfs2/dir.c:1925 [inline]
ocfs2_empty_dir+0x1d1/0x8c0 fs/ocfs2/dir.c:2139
ocfs2_rename+0x25d5/0x3ea0 fs/ocfs2/namei.c:1499
vfs_rename+0xd32/0x10f0 fs/namei.c:4832
do_renameat2+0xe0f/0x1700 fs/namei.c:4985
__do_sys_rename fs/namei.c:5031 [inline]
__se_sys_rename fs/namei.c:5029 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5029
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
other info that might help us debug this:
Chain exists of:
&ocfs2_file_ip_alloc_sem_key --> &mm->mmap_lock --> jbd2_handle
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(jbd2_handle);
lock(&mm->mmap_lock);
lock(jbd2_handle);
lock(&ocfs2_file_ip_alloc_sem_key);
*** DEADLOCK ***
7 locks held by syz.0.1772/8977:
#0: ffff88807e34e460 (sb_writers#34){.+.+}-{0:0}, at: mnt_want_write+0x3b/0x80 fs/namespace.c:377
#1: ffff8880712e5108 (&type->i_mutex_dir_key#23/1){+.+.}-{3:3}, at: do_renameat2+0x67e/0x1700 fs/namei.c:4924
#2: ffff8880713b2648 (&sb->s_type->i_mutex_key#39){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:789 [inline]
#2: ffff8880713b2648 (&sb->s_type->i_mutex_key#39){+.+.}-{3:3}, at: vfs_rename+0x814/0x10f0 fs/namei.c:4797
#3: ffff8880712e6d88 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:789 [inline]
#3: ffff8880712e6d88 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]){+.+.}-{3:3}, at: ocfs2_lookup_lock_orphan_dir+0xfe/0x340 fs/ocfs2/namei.c:2116
#4: ffff88807e34e650 (sb_internal#4){.+.+}-{0:0}, at: ocfs2_rename+0x1e36/0x3ea0 fs/ocfs2/namei.c:1488
#5: ffff888060f20ce8 (&journal->j_trans_barrier){.+.+}-{3:3}, at: ocfs2_start_trans+0x3b7/0x6f0 fs/ocfs2/journal.c:352
#6: ffff88802a4f8990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x12b9/0x1570 fs/jbd2/transaction.c:462
stack backtrace:
CPU: 1 PID: 8977 Comm: syz.0.1772 Not tainted 5.15.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
check_noncircular+0x2f8/0x3b0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1498
ocfs2_read_virt_blocks+0x2b3/0xa10 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block+0x102/0x5b0 fs/ocfs2/dir.c:508
ocfs2_dir_foreach_blk_el fs/ocfs2/dir.c:1829 [inline]
ocfs2_dir_foreach_blk+0x2a8/0x1ba0 fs/ocfs2/dir.c:1915
ocfs2_dir_foreach fs/ocfs2/dir.c:1925 [inline]
ocfs2_empty_dir+0x1d1/0x8c0 fs/ocfs2/dir.c:2139
ocfs2_rename+0x25d5/0x3ea0 fs/ocfs2/namei.c:1499
vfs_rename+0xd32/0x10f0 fs/namei.c:4832
do_renameat2+0xe0f/0x1700 fs/namei.c:4985
__do_sys_rename fs/namei.c:5031 [inline]
__se_sys_rename fs/namei.c:5029 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5029
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f9af53d0d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9af3241038 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 00007f9af55c0fa0 RCX: 00007f9af53d0d29
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000020000200
RBP: 00007f9af544caa8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f9af55c0fa0 R15: 00007ffc8aa151e8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 91786f140358 Linux 5.15.175
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1706f2df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=1fc30776feb70ea7
dashboard link: https://syzkaller.appspot.com/bug?extid=3e2174c956a9427f8739
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/210b1e4b59b1/disk-91786f14.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1cf8391059a0/vmlinux-91786f14.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1d9077a44b1c/bzImage-91786f14.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3e2174...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.15.175-syzkaller #0 Not tainted
------------------------------------------------------
syz.0.1772/8977 is trying to acquire lock:
ffff8880713b22e0 (&ocfs2_file_ip_alloc_sem_key){++++}-{3:3}, at: ocfs2_read_virt_blocks+0x2b3/0xa10 fs/ocfs2/extent_map.c:976
but task is already holding lock:
ffff88802a4f8990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x12b9/0x1570 fs/jbd2/transaction.c:462
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (jbd2_handle){++++}-{0:0}
:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
start_this_handle+0x12e1/0x1570 fs/jbd2/transaction.c:464
jbd2__journal_start+0x2d1/0x5c0 fs/jbd2/transaction.c:521
__ext4_journal_start_sb+0x175/0x370 fs/ext4/ext4_jbd2.c:105
__ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline]
ext4_dirty_inode+0x8b/0x100 fs/ext4/inode.c:6007
__mark_inode_dirty+0x2fd/0xd60 fs/fs-writeback.c:2464
generic_update_time fs/inode.c:1856 [inline]
inode_update_time fs/inode.c:1869 [inline]
touch_atime+0x3fa/0x680 fs/inode.c:1941
file_accessed include/linux/fs.h:2523 [inline]
ext4_file_mmap+0x18e/0x370 fs/ext4/file.c:763
call_mmap include/linux/fs.h:2179 [inline]
mmap_file+0x5a/0xb0 mm/util.c:1092
__mmap_region mm/mmap.c:1784 [inline]
mmap_region+0x1035/0x1870 mm/mmap.c:2921
do_mmap+0x78d/0xe00 mm/mmap.c:1574
vm_mmap_pgoff+0x1ca/0x2d0 mm/util.c:551
ksys_mmap_pgoff+0x559/0x780 mm/mmap.c:1623
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
-> #1 (&mm->mmap_lock){++++}-{3:3}:
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__might_fault+0xb4/0x110 mm/memory.c:5355
_copy_to_user+0x28/0x130 lib/usercopy.c:35
copy_to_user include/linux/uaccess.h:200 [inline]
fiemap_fill_next_extent+0x231/0x410 fs/ioctl.c:144
ocfs2_fiemap_inline fs/ocfs2/extent_map.c:725 [inline]
ocfs2_fiemap+0xc1d/0xf80 fs/ocfs2/extent_map.c:762
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x1934/0x2b70 fs/ioctl.c:814
__do_sys_ioctl fs/ioctl.c:872 [inline]
__se_sys_ioctl+0x81/0x160 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
-> #0 (&ocfs2_file_ip_alloc_sem_key){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1498
ocfs2_read_virt_blocks+0x2b3/0xa10 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block+0x102/0x5b0 fs/ocfs2/dir.c:508
ocfs2_dir_foreach_blk_el fs/ocfs2/dir.c:1829 [inline]
ocfs2_dir_foreach_blk+0x2a8/0x1ba0 fs/ocfs2/dir.c:1915
ocfs2_dir_foreach fs/ocfs2/dir.c:1925 [inline]
ocfs2_empty_dir+0x1d1/0x8c0 fs/ocfs2/dir.c:2139
ocfs2_rename+0x25d5/0x3ea0 fs/ocfs2/namei.c:1499
vfs_rename+0xd32/0x10f0 fs/namei.c:4832
do_renameat2+0xe0f/0x1700 fs/namei.c:4985
__do_sys_rename fs/namei.c:5031 [inline]
__se_sys_rename fs/namei.c:5029 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5029
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
other info that might help us debug this:
Chain exists of:
&ocfs2_file_ip_alloc_sem_key --> &mm->mmap_lock --> jbd2_handle
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(jbd2_handle);
lock(&mm->mmap_lock);
lock(jbd2_handle);
lock(&ocfs2_file_ip_alloc_sem_key);
*** DEADLOCK ***
7 locks held by syz.0.1772/8977:
#0: ffff88807e34e460 (sb_writers#34){.+.+}-{0:0}, at: mnt_want_write+0x3b/0x80 fs/namespace.c:377
#1: ffff8880712e5108 (&type->i_mutex_dir_key#23/1){+.+.}-{3:3}, at: do_renameat2+0x67e/0x1700 fs/namei.c:4924
#2: ffff8880713b2648 (&sb->s_type->i_mutex_key#39){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:789 [inline]
#2: ffff8880713b2648 (&sb->s_type->i_mutex_key#39){+.+.}-{3:3}, at: vfs_rename+0x814/0x10f0 fs/namei.c:4797
#3: ffff8880712e6d88 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:789 [inline]
#3: ffff8880712e6d88 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]){+.+.}-{3:3}, at: ocfs2_lookup_lock_orphan_dir+0xfe/0x340 fs/ocfs2/namei.c:2116
#4: ffff88807e34e650 (sb_internal#4){.+.+}-{0:0}, at: ocfs2_rename+0x1e36/0x3ea0 fs/ocfs2/namei.c:1488
#5: ffff888060f20ce8 (&journal->j_trans_barrier){.+.+}-{3:3}, at: ocfs2_start_trans+0x3b7/0x6f0 fs/ocfs2/journal.c:352
#6: ffff88802a4f8990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x12b9/0x1570 fs/jbd2/transaction.c:462
stack backtrace:
CPU: 1 PID: 8977 Comm: syz.0.1772 Not tainted 5.15.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
check_noncircular+0x2f8/0x3b0 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain+0x1649/0x5930 kernel/locking/lockdep.c:3788
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
down_read+0x45/0x2e0 kernel/locking/rwsem.c:1498
ocfs2_read_virt_blocks+0x2b3/0xa10 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block+0x102/0x5b0 fs/ocfs2/dir.c:508
ocfs2_dir_foreach_blk_el fs/ocfs2/dir.c:1829 [inline]
ocfs2_dir_foreach_blk+0x2a8/0x1ba0 fs/ocfs2/dir.c:1915
ocfs2_dir_foreach fs/ocfs2/dir.c:1925 [inline]
ocfs2_empty_dir+0x1d1/0x8c0 fs/ocfs2/dir.c:2139
ocfs2_rename+0x25d5/0x3ea0 fs/ocfs2/namei.c:1499
vfs_rename+0xd32/0x10f0 fs/namei.c:4832
do_renameat2+0xe0f/0x1700 fs/namei.c:4985
__do_sys_rename fs/namei.c:5031 [inline]
__se_sys_rename fs/namei.c:5029 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5029
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f9af53d0d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9af3241038 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 00007f9af55c0fa0 RCX: 00007f9af53d0d29
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000020000200
RBP: 00007f9af544caa8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f9af55c0fa0 R15: 00007ffc8aa151e8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jan 1, 2025, 12:39:24 AM1/1/25
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 563edd786f0a Linux 6.1.122
syzbot found the following issue on:
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16d0fac4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d23ad74b95a6ead
dashboard link: https://syzkaller.appspot.com/bug?extid=2efc8bd7a919b4f33cff
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
vmlinux: https://storage.googleapis.com/syzbot-assets/e38af8a28784/vmlinux-563edd78.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e19edf883c6a/Image-563edd78.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
======================================================
WARNING: possible circular locking dependency detected
------------------------------------------------------
syz.0.1/4391 is trying to acquire lock:
ffff0000f59ab120 (&oi->ip_alloc_sem){++++}-{3:3}, at: ocfs2_read_virt_blocks+0x2bc/0x9f8 fs/ocfs2/extent_map.c:976
but task is already holding lock:
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
start_this_handle+0x1140/0x13ac fs/jbd2/transaction.c:463
jbd2__journal_start+0x298/0x544 fs/jbd2/transaction.c:520
jbd2_journal_start+0x3c/0x4c fs/jbd2/transaction.c:559
ocfs2_start_trans+0x3e8/0x73c fs/ocfs2/journal.c:354
ocfs2_mknod+0xe64/0x2560 fs/ocfs2/namei.c:361
ocfs2_create+0x1a8/0x560 fs/ocfs2/namei.c:674
lookup_open fs/namei.c:3482 [inline]
open_last_lookups fs/namei.c:3550 [inline]
path_openat+0xeac/0x2548 fs/namei.c:3780
do_filp_open+0x1bc/0x3cc fs/namei.c:3810
do_sys_openat2+0x128/0x3e0 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1345
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
-> #2 (&journal->j_trans_barrier){.+.+}-{3:3}:
down_read+0x64/0x308 kernel/locking/rwsem.c:1520
ocfs2_start_trans+0x3dc/0x73c fs/ocfs2/journal.c:352
ocfs2_mknod+0xe64/0x2560 fs/ocfs2/namei.c:361
ocfs2_create+0x1a8/0x560 fs/ocfs2/namei.c:674
lookup_open fs/namei.c:3482 [inline]
open_last_lookups fs/namei.c:3550 [inline]
path_openat+0xeac/0x2548 fs/namei.c:3780
do_filp_open+0x1bc/0x3cc fs/namei.c:3810
do_sys_openat2+0x128/0x3e0 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1345
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
-> #1 (sb_internal#2){.+.+}-{0:0}:
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1891 [inline]
sb_start_intwrite include/linux/fs.h:2013 [inline]
ocfs2_start_trans+0x260/0x73c fs/ocfs2/journal.c:350
ocfs2_write_begin_nolock+0x27c8/0x3f6c fs/ocfs2/aops.c:1770
ocfs2_write_begin+0x1ac/0x38c fs/ocfs2/aops.c:1904
generic_perform_write+0x278/0x55c mm/filemap.c:3845
__generic_file_write_iter+0x168/0x388 mm/filemap.c:3973
ocfs2_file_write_iter+0x156c/0x1f48 fs/ocfs2/file.c:2469
call_write_iter include/linux/fs.h:2265 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x610/0x91c fs/read_write.c:584
ksys_write+0x15c/0x26c fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:646
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
-> #0 (&oi->ip_alloc_sem){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain kernel/locking/lockdep.c:3825 [inline]
__lock_acquire+0x3338/0x7680 kernel/locking/lockdep.c:5049
lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662
down_read+0x64/0x308 kernel/locking/rwsem.c:1520
ocfs2_read_virt_blocks+0x2bc/0x9f8 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block fs/ocfs2/dir.c:508 [inline]
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_entry+0x3ac/0x2620 fs/ocfs2/dir.c:1080
ocfs2_rename+0x1cb4/0x3588 fs/ocfs2/namei.c:1568
vfs_rename+0xac8/0xe04 fs/namei.c:4874
do_renameat2+0x9ec/0xe64 fs/namei.c:5027
__do_sys_renameat2 fs/namei.c:5060 [inline]
__se_sys_renameat2 fs/namei.c:5057 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5057
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
other info that might help us debug this:
Chain exists of:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(jbd2_handle);
lock(jbd2_handle);
lock(&oi->ip_alloc_sem);
*** DEADLOCK ***
8 locks held by syz.0.1/4391:
#0: ffff0000d33a0460 (sb_writers#13){.+.+}-{0:0}, at: mnt_want_write+0x44/0x9c fs/namespace.c:393
#1: ffff0000d33a0748 (&type->s_vfs_rename_key){+.+.}-{3:3}, at: lock_rename fs/namei.c:3038 [inline]
#1: ffff0000d33a0748 (&type->s_vfs_rename_key){+.+.}-{3:3}, at: do_renameat2+0x498/0xe64 fs/namei.c:4966
#2: ffff0000f59aa648 (&sb->s_type->i_mutex_key#21/1){+.+.}-{3:3}, at: lock_rename fs/namei.c:3039 [inline]
#2: ffff0000f59aa648 (&sb->s_type->i_mutex_key#21/1){+.+.}-{3:3}, at: do_renameat2+0x50c/0xe64 fs/namei.c:4966
#3: ffff0000f59ab488 (&sb->s_type->i_mutex_key#21/5){+.+.}-{3:3}, at: do_renameat2+0x538/0xe64 fs/namei.c:4966
#4: ffff0000f59ac2c8 (&sb->s_type->i_mutex_key#21/2){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:793 [inline]
#4: ffff0000f59ac2c8 (&sb->s_type->i_mutex_key#21/2){+.+.}-{3:3}, at: vfs_rename+0x624/0xe04 fs/namei.c:4837
#5: ffff0000d33a0650 (sb_internal#2){.+.+}-{0:0}, at: ocfs2_rename+0x1870/0x3588 fs/ocfs2/namei.c:1488
#6: ffff0000cc7b48e8 (&journal->j_trans_barrier){.+.+}-{3:3}, at: ocfs2_start_trans+0x3dc/0x73c fs/ocfs2/journal.c:352
#7: ffff0000d3022990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x1118/0x13ac fs/jbd2/transaction.c:461
stack backtrace:
CPU: 0 PID: 4391 Comm: syz.0.1 Tainted: G W 6.1.122-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
print_circular_bug+0x150/0x1b8 kernel/locking/lockdep.c:2048
check_noncircular+0x2cc/0x378 kernel/locking/lockdep.c:2170
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain kernel/locking/lockdep.c:3825 [inline]
__lock_acquire+0x3338/0x7680 kernel/locking/lockdep.c:5049
lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662
down_read+0x64/0x308 kernel/locking/rwsem.c:1520
ocfs2_read_virt_blocks+0x2bc/0x9f8 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block fs/ocfs2/dir.c:508 [inline]
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_entry+0x3ac/0x2620 fs/ocfs2/dir.c:1080
ocfs2_rename+0x1cb4/0x3588 fs/ocfs2/namei.c:1568
vfs_rename+0xac8/0xe04 fs/namei.c:4874
do_renameat2+0x9ec/0xe64 fs/namei.c:5027
__do_sys_renameat2 fs/namei.c:5060 [inline]
__se_sys_renameat2 fs/namei.c:5057 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5057
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
syzbot
Jan 8, 2025, 4:22:29 AM1/8/25
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 7dc732d24ff7 Linux 6.1.123
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=105114b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b700290711767e0c
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b9dc18580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ad136b42edb/disk-7dc732d2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/859a37ce3517/vmlinux-7dc732d2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6d506d0fa6c0/bzImage-7dc732d2.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/fa2bf5aeab02/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2efc8b...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
6.1.123-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor341/4316 is trying to acquire lock:
ffff8880610acda0 (&oi->ip_alloc_sem){++++}-{3:3}, at: ocfs2_read_virt_blocks+0x2dc/0xab0 fs/ocfs2/extent_map.c:976
but task is already holding lock:
ffff888079d9e990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x1f51/0x21b0 fs/jbd2/transaction.c:463
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (jbd2_handle){++++}-{0:0}:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
start_this_handle+0x1f71/0x21b0 fs/jbd2/transaction.c:463
jbd2__journal_start+0x2d1/0x5c0 fs/jbd2/transaction.c:520
jbd2_journal_start+0x25/0x30 fs/jbd2/transaction.c:559
ocfs2_start_trans+0x3c0/0x6f0 fs/ocfs2/journal.c:354
ocfs2_local_alloc_slide_window fs/ocfs2/localalloc.c:1258 [inline]
ocfs2_reserve_local_alloc_bits+0xc4c/0x29d0 fs/ocfs2/localalloc.c:668
ocfs2_reserve_clusters_with_limit+0x1b4/0xb50 fs/ocfs2/suballoc.c:1162
ocfs2_mknod+0x15b5/0x2e20 fs/ocfs2/namei.c:354
ocfs2_mkdir+0x1c0/0x4e0 fs/ocfs2/namei.c:657
vfs_mkdir+0x3b6/0x590 fs/namei.c:4106
do_mkdirat+0x225/0x360 fs/namei.c:4131
__do_sys_mkdir fs/namei.c:4151 [inline]
__se_sys_mkdir fs/namei.c:4149 [inline]
__x64_sys_mkdir+0x6a/0x80 fs/namei.c:4149
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
-> #2 (&journal->j_trans_barrier){.+.+}-{3:3}:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
down_read+0xad/0xa30 kernel/locking/rwsem.c:1520
ocfs2_start_trans+0x3b5/0x6f0 fs/ocfs2/journal.c:352
ocfs2_local_alloc_slide_window fs/ocfs2/localalloc.c:1258 [inline]
ocfs2_reserve_local_alloc_bits+0xc4c/0x29d0 fs/ocfs2/localalloc.c:668
ocfs2_reserve_clusters_with_limit+0x1b4/0xb50 fs/ocfs2/suballoc.c:1162
ocfs2_mknod+0x15b5/0x2e20 fs/ocfs2/namei.c:354
ocfs2_mkdir+0x1c0/0x4e0 fs/ocfs2/namei.c:657
vfs_mkdir+0x3b6/0x590 fs/namei.c:4106
do_mkdirat+0x225/0x360 fs/namei.c:4131
__do_sys_mkdir fs/namei.c:4151 [inline]
__se_sys_mkdir fs/namei.c:4149 [inline]
__x64_sys_mkdir+0x6a/0x80 fs/namei.c:4149
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
-> #1 (sb_internal#2){.+.+}-{0:0}:
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
ocfs2_setattr+0xa89/0x1e60 fs/ocfs2/file.c:1263
notify_change+0xce3/0xfc0 fs/attr.c:499
ovl_do_notify_change fs/overlayfs/overlayfs.h:142 [inline]
ovl_workdir_create+0x78b/0x9d0 fs/overlayfs/super.c:833
ovl_make_workdir fs/overlayfs/super.c:1389 [inline]
ovl_get_workdir+0x3b7/0x17b0 fs/overlayfs/super.c:1539
ovl_fill_super+0x1b85/0x2a20 fs/overlayfs/super.c:2095
mount_nodev+0x52/0xe0 fs/super.c:1489
legacy_get_tree+0xeb/0x180 fs/fs_context.c:632
vfs_get_tree+0x88/0x270 fs/super.c:1573
do_new_mount+0x2ba/0xb40 fs/namespace.c:3056
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3584
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
-> #0 (&oi->ip_alloc_sem){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain+0x1661/0x5950 kernel/locking/lockdep.c:3825
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
down_read+0xad/0xa30 kernel/locking/rwsem.c:1520
ocfs2_read_virt_blocks+0x2dc/0xab0 fs/ocfs2/extent_map.c:976
ocfs2_dir_foreach+0x20c/0x270 fs/ocfs2/dir.c:1925
ocfs2_empty_dir+0x446/0x7b0 fs/ocfs2/dir.c:2139
ocfs2_rename+0x26c2/0x4000 fs/ocfs2/namei.c:1499
vfs_rename+0xd32/0x10f0 fs/namei.c:4874
do_renameat2+0xde0/0x1440 fs/namei.c:5027
__do_sys_rename fs/namei.c:5073 [inline]
__se_sys_rename fs/namei.c:5071 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5071
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
other info that might help us debug this:
Chain exists of:
&oi->ip_alloc_sem --> &journal->j_trans_barrier --> jbd2_handle
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(jbd2_handle);
lock(&journal->j_trans_barrier);
lock(jbd2_handle);
lock(&oi->ip_alloc_sem);
*** DEADLOCK ***
7 locks held by syz-executor341/4316:
#0: ffff888079d34460 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x3b/0x80 fs/namespace.c:393
#1: ffff888061011808 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: do_renameat2+0x65a/0x1440 fs/namei.c:4966
#2: ffff8880610ad108 (&sb->s_type->i_mutex_key#21){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:758 [inline]
#2: ffff8880610ad108 (&sb->s_type->i_mutex_key#21){+.+.}-{3:3}, at: vfs_rename+0x814/0x10f0 fs/namei.c:4839
#3: ffff888061043488 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:758 [inline]
#3: ffff888061043488 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]){+.+.}-{3:3}, at: ocfs2_lookup_lock_orphan_dir+0xfe/0x340 fs/ocfs2/namei.c:2116
#4: ffff888079d34650 (sb_internal#2){.+.+}-{0:0}, at: ocfs2_rename+0x1eed/0x4000 fs/ocfs2/namei.c:1488
#5: ffff888144f038e8 (&journal->j_trans_barrier){.+.+}-{3:3}, at: ocfs2_start_trans+0x3b5/0x6f0 fs/ocfs2/journal.c:352
#6: ffff888079d9e990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x1f51/0x21b0 fs/jbd2/transaction.c:463
stack backtrace:
CPU: 1 PID: 4316 Comm: syz-executor341 Not tainted 6.1.123-syzkaller #0
check_noncircular+0x2fa/0x3b0 kernel/locking/lockdep.c:2170
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
down_read+0xad/0xa30 kernel/locking/rwsem.c:1520
ocfs2_read_virt_blocks+0x2dc/0xab0 fs/ocfs2/extent_map.c:976
ocfs2_dir_foreach+0x20c/0x270 fs/ocfs2/dir.c:1925
ocfs2_empty_dir+0x446/0x7b0 fs/ocfs2/dir.c:2139
ocfs2_rename+0x26c2/0x4000 fs/ocfs2/namei.c:1499
vfs_rename+0xd32/0x10f0 fs/namei.c:4874
do_renameat2+0xde0/0x1440 fs/namei.c:5027
__do_sys_rename fs/namei.c:5073 [inline]
__se_sys_rename fs/namei.c:5071 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5071
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fbd0ef4a409
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbd0eeb80d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 00007fbd0efd54a8 RCX: 00007fbd0ef4a409
RDX: 00007fbd0ef4a409 RSI: 00000000200001c0 RDI: 0000000020000080
RBP: 00007fbd0efd54a0 R08: 00007fbd0eeb86c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbd0efd54ac
R13: 000000000000006e R14: 00007ffd79ca8e10 R15: 00007ffd79ca8ef8
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 7dc732d24ff7 Linux 6.1.123
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=105114b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b700290711767e0c
dashboard link: https://syzkaller.appspot.com/bug?extid=2efc8bd7a919b4f33cff
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10987edf980000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b9dc18580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ad136b42edb/disk-7dc732d2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/859a37ce3517/vmlinux-7dc732d2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6d506d0fa6c0/bzImage-7dc732d2.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/fa2bf5aeab02/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2efc8b...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
------------------------------------------------------
syz-executor341/4316 is trying to acquire lock:
ffff8880610acda0 (&oi->ip_alloc_sem){++++}-{3:3}, at: ocfs2_read_virt_blocks+0x2dc/0xab0 fs/ocfs2/extent_map.c:976
but task is already holding lock:
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (jbd2_handle){++++}-{0:0}:
start_this_handle+0x1f71/0x21b0 fs/jbd2/transaction.c:463
jbd2__journal_start+0x2d1/0x5c0 fs/jbd2/transaction.c:520
jbd2_journal_start+0x25/0x30 fs/jbd2/transaction.c:559
ocfs2_start_trans+0x3c0/0x6f0 fs/ocfs2/journal.c:354
ocfs2_local_alloc_slide_window fs/ocfs2/localalloc.c:1258 [inline]
ocfs2_reserve_local_alloc_bits+0xc4c/0x29d0 fs/ocfs2/localalloc.c:668
ocfs2_reserve_clusters_with_limit+0x1b4/0xb50 fs/ocfs2/suballoc.c:1162
ocfs2_mknod+0x15b5/0x2e20 fs/ocfs2/namei.c:354
ocfs2_mkdir+0x1c0/0x4e0 fs/ocfs2/namei.c:657
vfs_mkdir+0x3b6/0x590 fs/namei.c:4106
do_mkdirat+0x225/0x360 fs/namei.c:4131
__do_sys_mkdir fs/namei.c:4151 [inline]
__se_sys_mkdir fs/namei.c:4149 [inline]
__x64_sys_mkdir+0x6a/0x80 fs/namei.c:4149
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
-> #2 (&journal->j_trans_barrier){.+.+}-{3:3}:
down_read+0xad/0xa30 kernel/locking/rwsem.c:1520
ocfs2_start_trans+0x3b5/0x6f0 fs/ocfs2/journal.c:352
ocfs2_local_alloc_slide_window fs/ocfs2/localalloc.c:1258 [inline]
ocfs2_reserve_local_alloc_bits+0xc4c/0x29d0 fs/ocfs2/localalloc.c:668
ocfs2_reserve_clusters_with_limit+0x1b4/0xb50 fs/ocfs2/suballoc.c:1162
ocfs2_mknod+0x15b5/0x2e20 fs/ocfs2/namei.c:354
ocfs2_mkdir+0x1c0/0x4e0 fs/ocfs2/namei.c:657
vfs_mkdir+0x3b6/0x590 fs/namei.c:4106
do_mkdirat+0x225/0x360 fs/namei.c:4131
__do_sys_mkdir fs/namei.c:4151 [inline]
__se_sys_mkdir fs/namei.c:4149 [inline]
__x64_sys_mkdir+0x6a/0x80 fs/namei.c:4149
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
-> #1 (sb_internal#2){.+.+}-{0:0}:
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1891 [inline]
sb_start_intwrite include/linux/fs.h:2013 [inline]
ocfs2_start_trans+0x2b0/0x6f0 fs/ocfs2/journal.c:350
__sb_start_write include/linux/fs.h:1891 [inline]
sb_start_intwrite include/linux/fs.h:2013 [inline]
ocfs2_setattr+0xa89/0x1e60 fs/ocfs2/file.c:1263
notify_change+0xce3/0xfc0 fs/attr.c:499
ovl_do_notify_change fs/overlayfs/overlayfs.h:142 [inline]
ovl_workdir_create+0x78b/0x9d0 fs/overlayfs/super.c:833
ovl_make_workdir fs/overlayfs/super.c:1389 [inline]
ovl_get_workdir+0x3b7/0x17b0 fs/overlayfs/super.c:1539
ovl_fill_super+0x1b85/0x2a20 fs/overlayfs/super.c:2095
mount_nodev+0x52/0xe0 fs/super.c:1489
legacy_get_tree+0xeb/0x180 fs/fs_context.c:632
vfs_get_tree+0x88/0x270 fs/super.c:1573
do_new_mount+0x2ba/0xb40 fs/namespace.c:3056
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3584
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
-> #0 (&oi->ip_alloc_sem){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
down_read+0xad/0xa30 kernel/locking/rwsem.c:1520
ocfs2_read_virt_blocks+0x2dc/0xab0 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block+0x102/0x5b0 fs/ocfs2/dir.c:508
ocfs2_dir_foreach_blk_el fs/ocfs2/dir.c:1829 [inline]
ocfs2_dir_foreach_blk+0x2a1/0x1e10 fs/ocfs2/dir.c:1915
ocfs2_dir_foreach_blk_el fs/ocfs2/dir.c:1829 [inline]
ocfs2_dir_foreach+0x20c/0x270 fs/ocfs2/dir.c:1925
ocfs2_empty_dir+0x446/0x7b0 fs/ocfs2/dir.c:2139
ocfs2_rename+0x26c2/0x4000 fs/ocfs2/namei.c:1499
vfs_rename+0xd32/0x10f0 fs/namei.c:4874
do_renameat2+0xde0/0x1440 fs/namei.c:5027
__do_sys_rename fs/namei.c:5073 [inline]
__se_sys_rename fs/namei.c:5071 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5071
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
other info that might help us debug this:
Chain exists of:
&oi->ip_alloc_sem --> &journal->j_trans_barrier --> jbd2_handle
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(jbd2_handle);
lock(&journal->j_trans_barrier);
lock(jbd2_handle);
lock(&oi->ip_alloc_sem);
*** DEADLOCK ***
#0: ffff888079d34460 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x3b/0x80 fs/namespace.c:393
#1: ffff888061011808 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: do_renameat2+0x65a/0x1440 fs/namei.c:4966
#2: ffff8880610ad108 (&sb->s_type->i_mutex_key#21){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:758 [inline]
#2: ffff8880610ad108 (&sb->s_type->i_mutex_key#21){+.+.}-{3:3}, at: vfs_rename+0x814/0x10f0 fs/namei.c:4839
#3: ffff888061043488 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:758 [inline]
#3: ffff888061043488 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]){+.+.}-{3:3}, at: ocfs2_lookup_lock_orphan_dir+0xfe/0x340 fs/ocfs2/namei.c:2116
#4: ffff888079d34650 (sb_internal#2){.+.+}-{0:0}, at: ocfs2_rename+0x1eed/0x4000 fs/ocfs2/namei.c:1488
#5: ffff888144f038e8 (&journal->j_trans_barrier){.+.+}-{3:3}, at: ocfs2_start_trans+0x3b5/0x6f0 fs/ocfs2/journal.c:352
#6: ffff888079d9e990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x1f51/0x21b0 fs/jbd2/transaction.c:463
stack backtrace:
CPU: 1 PID: 4316 Comm: syz-executor341 Not tainted 6.1.123-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
check_noncircular+0x2fa/0x3b0 kernel/locking/lockdep.c:2170
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain+0x1661/0x5950 kernel/locking/lockdep.c:3825
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
__lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5049
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5662
down_read+0xad/0xa30 kernel/locking/rwsem.c:1520
ocfs2_read_virt_blocks+0x2dc/0xab0 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block+0x102/0x5b0 fs/ocfs2/dir.c:508
ocfs2_dir_foreach_blk_el fs/ocfs2/dir.c:1829 [inline]
ocfs2_dir_foreach_blk+0x2a1/0x1e10 fs/ocfs2/dir.c:1915
ocfs2_dir_foreach_blk_el fs/ocfs2/dir.c:1829 [inline]
ocfs2_dir_foreach+0x20c/0x270 fs/ocfs2/dir.c:1925
ocfs2_empty_dir+0x446/0x7b0 fs/ocfs2/dir.c:2139
ocfs2_rename+0x26c2/0x4000 fs/ocfs2/namei.c:1499
vfs_rename+0xd32/0x10f0 fs/namei.c:4874
do_renameat2+0xde0/0x1440 fs/namei.c:5027
__do_sys_rename fs/namei.c:5073 [inline]
__se_sys_rename fs/namei.c:5071 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5071
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fbd0ef4a409
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbd0eeb80d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 00007fbd0efd54a8 RCX: 00007fbd0ef4a409
RDX: 00007fbd0ef4a409 RSI: 00000000200001c0 RDI: 0000000020000080
RBP: 00007fbd0efd54a0 R08: 00007fbd0eeb86c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbd0efd54ac
R13: 000000000000006e R14: 00007ffd79ca8e10 R15: 00007ffd79ca8ef8
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
May 15, 2025, 9:06:24 PM5/15/25
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 3b8db0e4f263 Linux 5.15.182
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1425af68580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd5e00a2e31fafd7
dashboard link: https://syzkaller.appspot.com/bug?extid=3e2174c956a9427f8739
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10a2b6f4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1225af68580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ff1afedf7b4d/disk-3b8db0e4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/19cb045784cf/vmlinux-3b8db0e4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/43c663d2f6a5/Image-3b8db0e4.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/c17d9085315c/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=148782d4580000)
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/a2f64ddcdebb/mount_3.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1025af68580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3e2174...@syzkaller.appspotmail.com
ocfs2: Slot 0 on device (7,0) was already allocated to this node!
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
------------------------------------------------------
syz-executor426/4260 is trying to acquire lock:
ffff0000e9d394a0 (&ocfs2_file_ip_alloc_sem_key){++++}-{3:3}, at: ocfs2_read_virt_blocks+0x228/0x858 fs/ocfs2/extent_map.c:976
but task is already holding lock:
ffff0000c9476990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0xecc/0x11a4 fs/jbd2/transaction.c:462
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (jbd2_handle){++++}-{0:0}:
start_this_handle+0xef4/0x11a4 fs/jbd2/transaction.c:464
jbd2__journal_start+0x28c/0x744 fs/jbd2/transaction.c:521
jbd2_journal_start+0x3c/0x4c fs/jbd2/transaction.c:560
ocfs2_start_trans+0x43c/0x794 fs/ocfs2/journal.c:354
ocfs2_setattr+0x954/0x16c4 fs/ocfs2/file.c:1266
notify_change+0xa08/0xcd8 fs/attr.c:505
chown_common+0x42c/0x5a0 fs/open.c:680
vfs_fchown fs/open.c:748 [inline]
ksys_fchown+0xe0/0x158 fs/open.c:759
__do_sys_fchown fs/open.c:767 [inline]
__se_sys_fchown fs/open.c:765 [inline]
__arm64_sys_fchown+0x7c/0x94 fs/open.c:765
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #2 (&journal->j_trans_barrier){.+.+}-{3:3}:
down_read+0xc0/0x390 kernel/locking/rwsem.c:1498
ocfs2_start_trans+0x430/0x794 fs/ocfs2/journal.c:352
ocfs2_setattr+0x954/0x16c4 fs/ocfs2/file.c:1266
notify_change+0xa08/0xcd8 fs/attr.c:505
chown_common+0x42c/0x5a0 fs/open.c:680
vfs_fchown fs/open.c:748 [inline]
ksys_fchown+0xe0/0x158 fs/open.c:759
__do_sys_fchown fs/open.c:767 [inline]
__se_sys_fchown fs/open.c:765 [inline]
__arm64_sys_fchown+0x7c/0x94 fs/open.c:765
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #1 (sb_internal#2){.+.+}-{0:0}:
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1811 [inline]
sb_start_intwrite include/linux/fs.h:1928 [inline]
ocfs2_start_trans+0x2c4/0x794 fs/ocfs2/journal.c:350
ocfs2_setattr+0x954/0x16c4 fs/ocfs2/file.c:1266
notify_change+0xa08/0xcd8 fs/attr.c:505
chown_common+0x42c/0x5a0 fs/open.c:680
vfs_fchown fs/open.c:748 [inline]
ksys_fchown+0xe0/0x158 fs/open.c:759
__do_sys_fchown fs/open.c:767 [inline]
__se_sys_fchown fs/open.c:765 [inline]
__arm64_sys_fchown+0x7c/0x94 fs/open.c:765
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #0 (&ocfs2_file_ip_alloc_sem_key){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain kernel/locking/lockdep.c:3788 [inline]
__lock_acquire+0x2928/0x651c kernel/locking/lockdep.c:5012
lock_acquire+0x1f4/0x620 kernel/locking/lockdep.c:5623
down_read+0xc0/0x390 kernel/locking/rwsem.c:1498
ocfs2_read_virt_blocks+0x228/0x858 fs/ocfs2/extent_map.c:976
ocfs2_rename+0x1840/0x2e98 fs/ocfs2/namei.c:1568
vfs_rename+0x954/0xdcc fs/namei.c:4832
do_renameat2+0x74c/0xcdc fs/namei.c:4985
__do_sys_renameat2 fs/namei.c:5018 [inline]
__se_sys_renameat2 fs/namei.c:5015 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5015
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
other info that might help us debug this:
Chain exists of:
&ocfs2_file_ip_alloc_sem_key --> &journal->j_trans_barrier --> jbd2_handle
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(jbd2_handle);
lock(&journal->j_trans_barrier);
#0: ffff0000d729a460 (sb_writers#10){.+.+}-{0:0}, at: mnt_want_write+0x44/0x9c fs/namespace.c:377
#1: ffff0000d729a748 (&type->s_vfs_rename_key){+.+.}-{3:3}, at: lock_rename fs/namei.c:3016 [inline]
#1: ffff0000d729a748 (&type->s_vfs_rename_key){+.+.}-{3:3}, at: do_renameat2+0x30c/0xcdc fs/namei.c:4924
#2: ffff0000e9d409c8 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:822 [inline]
#2: ffff0000e9d409c8 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: lock_two_directories fs/namei.c:-1 [inline]
#2: ffff0000e9d409c8 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: lock_rename fs/namei.c:3017 [inline]
#2: ffff0000e9d409c8 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: do_renameat2+0x388/0xcdc fs/namei.c:4924
#3: ffff0000e9d39808 (&sb->s_type->i_mutex_key#20/5){+.+.}-{3:3}, at: lock_rename include/linux/fs.h:-1 [inline]
#3: ffff0000e9d39808 (&sb->s_type->i_mutex_key#20/5){+.+.}-{3:3}, at: do_renameat2+0x3bc/0xcdc fs/namei.c:4924
#4: ffff0000e9d3a648 (&sb->s_type->i_mutex_key#21/2){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:822 [inline]
#4: ffff0000e9d3a648 (&sb->s_type->i_mutex_key#21/2){+.+.}-{3:3}, at: vfs_rename+0x60c/0xdcc fs/namei.c:4795
#5: ffff0000d729a650 (sb_internal#2){.+.+}-{0:0}, at: ocfs2_rename+0x14d8/0x2e98 fs/ocfs2/namei.c:1488
#6: ffff0000c9052ce8 (&journal->j_trans_barrier){.+.+}-{3:3}, at: ocfs2_start_trans+0x430/0x794 fs/ocfs2/journal.c:352
#7: ffff0000c9476990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0xecc/0x11a4 fs/jbd2/transaction.c:462
stack backtrace:
CPU: 0 PID: 4260 Comm: syz-executor426 Not tainted 5.15.182-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call trace:
dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
print_circular_bug+0x148/0x1b0 kernel/locking/lockdep.c:2011
check_noncircular+0x240/0x2d4 kernel/locking/lockdep.c:2133
__lock_acquire+0x2928/0x651c kernel/locking/lockdep.c:5012
lock_acquire+0x1f4/0x620 kernel/locking/lockdep.c:5623
down_read+0xc0/0x390 kernel/locking/rwsem.c:1498
ocfs2_read_virt_blocks+0x228/0x858 fs/ocfs2/extent_map.c:976
ocfs2_rename+0x1840/0x2e98 fs/ocfs2/namei.c:1568
vfs_rename+0x954/0xdcc fs/namei.c:4832
do_renameat2+0x74c/0xcdc fs/namei.c:4985
__do_sys_renameat2 fs/namei.c:5018 [inline]
__se_sys_renameat2 fs/namei.c:5015 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5015
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
HEAD commit: 3b8db0e4f263 Linux 5.15.182
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1425af68580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd5e00a2e31fafd7
dashboard link: https://syzkaller.appspot.com/bug?extid=3e2174c956a9427f8739
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10a2b6f4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1225af68580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ff1afedf7b4d/disk-3b8db0e4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/19cb045784cf/vmlinux-3b8db0e4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/43c663d2f6a5/Image-3b8db0e4.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/c17d9085315c/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=148782d4580000)
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/a2f64ddcdebb/mount_3.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1025af68580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3e2174...@syzkaller.appspotmail.com
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
======================================================
WARNING: possible circular locking dependency detected
5.15.182-syzkaller #0 Not tainted
WARNING: possible circular locking dependency detected
------------------------------------------------------
syz-executor426/4260 is trying to acquire lock:
ffff0000e9d394a0 (&ocfs2_file_ip_alloc_sem_key){++++}-{3:3}, at: ocfs2_read_virt_blocks+0x228/0x858 fs/ocfs2/extent_map.c:976
but task is already holding lock:
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
start_this_handle+0xef4/0x11a4 fs/jbd2/transaction.c:464
jbd2__journal_start+0x28c/0x744 fs/jbd2/transaction.c:521
jbd2_journal_start+0x3c/0x4c fs/jbd2/transaction.c:560
ocfs2_start_trans+0x43c/0x794 fs/ocfs2/journal.c:354
ocfs2_setattr+0x954/0x16c4 fs/ocfs2/file.c:1266
notify_change+0xa08/0xcd8 fs/attr.c:505
chown_common+0x42c/0x5a0 fs/open.c:680
vfs_fchown fs/open.c:748 [inline]
ksys_fchown+0xe0/0x158 fs/open.c:759
__do_sys_fchown fs/open.c:767 [inline]
__se_sys_fchown fs/open.c:765 [inline]
__arm64_sys_fchown+0x7c/0x94 fs/open.c:765
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #2 (&journal->j_trans_barrier){.+.+}-{3:3}:
down_read+0xc0/0x390 kernel/locking/rwsem.c:1498
ocfs2_start_trans+0x430/0x794 fs/ocfs2/journal.c:352
ocfs2_setattr+0x954/0x16c4 fs/ocfs2/file.c:1266
notify_change+0xa08/0xcd8 fs/attr.c:505
chown_common+0x42c/0x5a0 fs/open.c:680
vfs_fchown fs/open.c:748 [inline]
ksys_fchown+0xe0/0x158 fs/open.c:759
__do_sys_fchown fs/open.c:767 [inline]
__se_sys_fchown fs/open.c:765 [inline]
__arm64_sys_fchown+0x7c/0x94 fs/open.c:765
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #1 (sb_internal#2){.+.+}-{0:0}:
__sb_start_write include/linux/fs.h:1811 [inline]
sb_start_intwrite include/linux/fs.h:1928 [inline]
ocfs2_start_trans+0x2c4/0x794 fs/ocfs2/journal.c:350
ocfs2_setattr+0x954/0x16c4 fs/ocfs2/file.c:1266
notify_change+0xa08/0xcd8 fs/attr.c:505
chown_common+0x42c/0x5a0 fs/open.c:680
vfs_fchown fs/open.c:748 [inline]
ksys_fchown+0xe0/0x158 fs/open.c:759
__do_sys_fchown fs/open.c:767 [inline]
__se_sys_fchown fs/open.c:765 [inline]
__arm64_sys_fchown+0x7c/0x94 fs/open.c:765
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #0 (&ocfs2_file_ip_alloc_sem_key){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
__lock_acquire+0x2928/0x651c kernel/locking/lockdep.c:5012
lock_acquire+0x1f4/0x620 kernel/locking/lockdep.c:5623
down_read+0xc0/0x390 kernel/locking/rwsem.c:1498
ocfs2_read_virt_blocks+0x228/0x858 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block fs/ocfs2/dir.c:508 [inline]
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_entry+0x314/0x1b84 fs/ocfs2/dir.c:1091
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_rename+0x1840/0x2e98 fs/ocfs2/namei.c:1568
vfs_rename+0x954/0xdcc fs/namei.c:4832
do_renameat2+0x74c/0xcdc fs/namei.c:4985
__do_sys_renameat2 fs/namei.c:5018 [inline]
__se_sys_renameat2 fs/namei.c:5015 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5015
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
other info that might help us debug this:
Chain exists of:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(jbd2_handle);
lock(jbd2_handle);
lock(&ocfs2_file_ip_alloc_sem_key);
*** DEADLOCK ***
8 locks held by syz-executor426/4260:
lock(&ocfs2_file_ip_alloc_sem_key);
*** DEADLOCK ***
#0: ffff0000d729a460 (sb_writers#10){.+.+}-{0:0}, at: mnt_want_write+0x44/0x9c fs/namespace.c:377
#1: ffff0000d729a748 (&type->s_vfs_rename_key){+.+.}-{3:3}, at: lock_rename fs/namei.c:3016 [inline]
#1: ffff0000d729a748 (&type->s_vfs_rename_key){+.+.}-{3:3}, at: do_renameat2+0x30c/0xcdc fs/namei.c:4924
#2: ffff0000e9d409c8 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:822 [inline]
#2: ffff0000e9d409c8 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: lock_two_directories fs/namei.c:-1 [inline]
#2: ffff0000e9d409c8 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: lock_rename fs/namei.c:3017 [inline]
#2: ffff0000e9d409c8 (&type->i_mutex_dir_key#8/1){+.+.}-{3:3}, at: do_renameat2+0x388/0xcdc fs/namei.c:4924
#3: ffff0000e9d39808 (&sb->s_type->i_mutex_key#20/5){+.+.}-{3:3}, at: lock_rename include/linux/fs.h:-1 [inline]
#3: ffff0000e9d39808 (&sb->s_type->i_mutex_key#20/5){+.+.}-{3:3}, at: do_renameat2+0x3bc/0xcdc fs/namei.c:4924
#4: ffff0000e9d3a648 (&sb->s_type->i_mutex_key#21/2){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:822 [inline]
#4: ffff0000e9d3a648 (&sb->s_type->i_mutex_key#21/2){+.+.}-{3:3}, at: vfs_rename+0x60c/0xdcc fs/namei.c:4795
#5: ffff0000d729a650 (sb_internal#2){.+.+}-{0:0}, at: ocfs2_rename+0x14d8/0x2e98 fs/ocfs2/namei.c:1488
#6: ffff0000c9052ce8 (&journal->j_trans_barrier){.+.+}-{3:3}, at: ocfs2_start_trans+0x430/0x794 fs/ocfs2/journal.c:352
#7: ffff0000c9476990 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0xecc/0x11a4 fs/jbd2/transaction.c:462
stack backtrace:
CPU: 0 PID: 4260 Comm: syz-executor426 Not tainted 5.15.182-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call trace:
dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
print_circular_bug+0x148/0x1b0 kernel/locking/lockdep.c:2011
check_noncircular+0x240/0x2d4 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain kernel/locking/lockdep.c:3788 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
__lock_acquire+0x2928/0x651c kernel/locking/lockdep.c:5012
lock_acquire+0x1f4/0x620 kernel/locking/lockdep.c:5623
down_read+0xc0/0x390 kernel/locking/rwsem.c:1498
ocfs2_read_virt_blocks+0x228/0x858 fs/ocfs2/extent_map.c:976
ocfs2_read_dir_block fs/ocfs2/dir.c:508 [inline]
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_entry+0x314/0x1b84 fs/ocfs2/dir.c:1091
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_rename+0x1840/0x2e98 fs/ocfs2/namei.c:1568
vfs_rename+0x954/0xdcc fs/namei.c:4832
do_renameat2+0x74c/0xcdc fs/namei.c:4985
__do_sys_renameat2 fs/namei.c:5018 [inline]
__se_sys_renameat2 fs/namei.c:5015 [inline]
__arm64_sys_renameat2+0xe0/0xfc fs/namei.c:5015
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Reply all
Reply to author
Forward
0 new messages