syzbot


possible deadlock in blkdev_put

Status: upstream: reported C repro on 2020/10/01 09:27
Reported-by: syzbot+6348c095f6a5ccbb6500@syzkaller.appspotmail.com
First crash: 1095d, last: 224d
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 possible deadlock in blkdev_put btrfs C error 2 243d 273d 0/1 upstream: reported C repro on 2023/01/01 16:48
upstream possible deadlock in blkdev_put btrfs 1 1105d 1105d 0/25 auto-closed as invalid on 2021/01/18 22:03
upstream possible deadlock in blkdev_put (3) block C 870 495d 568d 24/25 fixed on 2023/02/24 13:50
upstream possible deadlock in blkdev_put (2) block C done 502 572d 673d 22/25 fixed on 2022/03/08 16:11
Fix bisection attempts (25)
Created Duration User Patch Repo Result
2023/02/19 17:48 29m bisect fix linux-4.14.y job log (0) log
2023/01/20 07:24 27m bisect fix linux-4.14.y job log (0) log
2022/10/27 16:19 24m bisect fix linux-4.14.y job log (0) log
2022/09/19 15:57 34m bisect fix linux-4.14.y job log (0) log
2022/08/20 12:50 25m bisect fix linux-4.14.y job log (0) log
2022/07/21 12:20 30m bisect fix linux-4.14.y job log (0) log
2022/06/21 11:43 24m bisect fix linux-4.14.y job log (0) log
2022/05/22 11:14 25m bisect fix linux-4.14.y job log (0) log
2022/04/22 07:29 24m bisect fix linux-4.14.y job log (0) log
2022/03/23 06:34 26m bisect fix linux-4.14.y job log (0) log
2022/02/20 23:15 26m bisect fix linux-4.14.y job log (0) log
2022/01/21 22:31 29m bisect fix linux-4.14.y job log (0) log
2021/12/22 21:57 30m bisect fix linux-4.14.y job log (0) log
2021/11/22 21:21 24m bisect fix linux-4.14.y job log (0) log
2021/10/23 20:49 29m bisect fix linux-4.14.y job log (0) log
2021/09/23 00:52 25m bisect fix linux-4.14.y job log (0) log
2021/08/23 21:54 29m bisect fix linux-4.14.y job log (0) log
2021/07/24 21:27 26m bisect fix linux-4.14.y job log (0) log
2021/06/24 21:02 25m bisect fix linux-4.14.y job log (0) log
2021/05/25 18:07 27m bisect fix linux-4.14.y job log (0) log
2021/04/25 15:15 31m bisect fix linux-4.14.y job log (0) log
2021/03/26 07:16 28m bisect fix linux-4.14.y job log (0) log
2021/02/24 06:12 30m bisect fix linux-4.14.y job log (0) log
2021/01/24 10:15 29m bisect fix linux-4.14.y job log (0) log
2020/11/26 12:42 31m bisect fix linux-4.14.y job log (0) log

Sample crash report:
loop0: partition table beyond EOD, truncated
REISERFS (device loop4): using 3.5.x disk format
REISERFS (device loop4): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop1): Using r5 hash to sort names
======================================================
WARNING: possible circular locking dependency detected
4.14.202-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor942/7993 is trying to acquire lock:
 (&bdev->bd_mutex){+.+.}, at: [<ffffffff819615f7>] blkdev_put+0x27/0x4c0 fs/block_dev.c:1826

but task is already holding lock:
 (&type->s_umount_key#46){++++}, at: [<ffffffff81897ea7>] deactivate_super+0x77/0xa0 fs/super.c:349

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&type->s_umount_key#46){++++}:
       down_read+0x36/0x80 kernel/locking/rwsem.c:24
       __get_super.part.0+0x271/0x390 fs/super.c:678
       __get_super include/linux/spinlock.h:317 [inline]
       get_super+0x2b/0x50 fs/super.c:707
       fsync_bdev+0x14/0xc0 fs/block_dev.c:495
       invalidate_partition+0x74/0xb0 block/genhd.c:1506
       drop_partitions.isra.0+0x83/0x150 block/partition-generic.c:442
       rescan_partitions+0xa9/0x800 block/partition-generic.c:515
       __blkdev_reread_part+0x140/0x1d0 block/ioctl.c:173
       blkdev_reread_part+0x23/0x40 block/ioctl.c:193
       loop_reread_partitions drivers/block/loop.c:624 [inline]
       loop_set_status+0xeeb/0x12b0 drivers/block/loop.c:1193
       loop_set_status_old+0x18a/0x200 drivers/block/loop.c:1301
       lo_ioctl+0x5ae/0x1cd0 drivers/block/loop.c:1431
       __blkdev_driver_ioctl block/ioctl.c:297 [inline]
       blkdev_ioctl+0x540/0x1830 block/ioctl.c:594
       block_ioctl+0xd9/0x120 fs/block_dev.c:1893
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&bdev->bd_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       blkdev_put+0x27/0x4c0 fs/block_dev.c:1826
       release_journal_dev fs/reiserfs/journal.c:2598 [inline]
       free_journal_ram+0x41a/0x5c0 fs/reiserfs/journal.c:1903
       do_journal_release fs/reiserfs/journal.c:1969 [inline]
       journal_release+0x1cf/0x450 fs/reiserfs/journal.c:1980
       reiserfs_put_super+0xbb/0x560 fs/reiserfs/super.c:616
       generic_shutdown_super+0x144/0x370 fs/super.c:446
       kill_block_super+0x95/0xe0 fs/super.c:1161
       deactivate_locked_super+0x6c/0xd0 fs/super.c:319
       deactivate_super+0x7f/0xa0 fs/super.c:350
       cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
       task_work_run+0x11f/0x190 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:191 [inline]
       exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
       prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
       do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&type->s_umount_key#46);
                               lock(&bdev->bd_mutex);
                               lock(&type->s_umount_key#46);
  lock(&bdev->bd_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor942/7993:
 #0:  (&type->s_umount_key#46){++++}, at: [<ffffffff81897ea7>] deactivate_super+0x77/0xa0 fs/super.c:349

stack backtrace:
CPU: 0 PID: 7993 Comm: syz-executor942 Not tainted 4.14.202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 blkdev_put+0x27/0x4c0 fs/block_dev.c:1826
 release_journal_dev fs/reiserfs/journal.c:2598 [inline]
 free_journal_ram+0x41a/0x5c0 fs/reiserfs/journal.c:1903
 do_journal_release fs/reiserfs/journal.c:1969 [inline]
 journal_release+0x1cf/0x450 fs/reiserfs/journal.c:1980
 reiserfs_put_super+0xbb/0x560 fs/reiserfs/super.c:616
 generic_shutdown_super+0x144/0x370 fs/super.c:446
 kill_block_super+0x95/0xe0 fs/super.c:1161
 deactivate_locked_super+0x6c/0xd0 fs/super.c:319
 deactivate_super+0x7f/0xa0 fs/super.c:350
 cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x44dfd7
RSP: 002b:00007ffe5f4ce478 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 000000000000b05d RCX: 000000000044dfd7
RDX: 0000000000400d57 RSI: 0000000000000002 RDI: 00007ffe5f4ce520
RBP: 0000000000001f3b R08: 0000000000000000 R09: 0000000000000009
R10: 0000000000000005 R11: 0000000000000202 R12: 00007ffe5f4cf5c0
R13: 00000000018aa880 R14: 0000000000000000 R15: 0000000000000000
REISERFS (device loop1): using 3.5.x disk format
REISERFS (device loop1): Created .reiserfs_priv - reserved for xattr storage.
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
loop0: partition table beyond EOD, truncated
REISERFS (device loop5): Using r5 hash to sort names
REISERFS (device loop5): using 3.5.x disk format
REISERFS (device loop5): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): using 3.5.x disk format
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop3): Using r5 hash to sort names
REISERFS (device loop3): using 3.5.x disk format
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
loop0: partition table beyond EOD, truncated
REISERFS warning (device loop0): sh-2021 reiserfs_fill_super: can not find reiserfs on loop0
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
loop0: partition table beyond EOD, truncated
loop_reread_partitions: partition scan of loop0 (°Jƒpf”§QTÆ)÷[q©Z;(’qÆ­²-MyÃ) failed (rc=-5)
REISERFS (device loop1): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop1): using ordered data mode
reiserfs: using flush barriers
REISERFS warning (device loop4):  reiserfs_fill_super: Cannot allocate commit workqueue
REISERFS (device loop1): journal params: device loop1, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop1): checking transaction log (loop1)
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop5): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): using ordered data mode
REISERFS (device loop5): using ordered data mode
REISERFS (device loop2): found reiserfs format "3.5" with non-standard journal
reiserfs: using flush barriers
REISERFS (device loop2): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop5): journal params: device loop5, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop5): checking transaction log (loop5)
REISERFS (device loop2): journal params: device loop2, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop4): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop2): checking transaction log (loop2)
REISERFS (device loop4): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop4): journal params: device loop4, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
REISERFS (device loop4): checking transaction log (loop4)
loop0: partition table beyond EOD, truncated
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
loop0: partition table beyond EOD, truncated
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
loop0: partition table beyond EOD, truncated
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
loop0: partition table beyond EOD, truncated
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
REISERFS (device loop1): Using r5 hash to sort names
loop0: partition table beyond EOD, truncated
REISERFS (device loop1): using 3.5.x disk format
REISERFS (device loop1): Created .reiserfs_priv - reserved for xattr storage.
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
loop0: partition table beyond EOD, truncated
REISERFS (device loop3): Using r5 hash to sort names
REISERFS (device loop3): using 3.5.x disk format
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): using 3.5.x disk format
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop5): Using r5 hash to sort names
REISERFS (device loop4): Using r5 hash to sort names
REISERFS (device loop5): using 3.5.x disk format
REISERFS (device loop4): using 3.5.x disk format
REISERFS (device loop4): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop5): Created .reiserfs_priv - reserved for xattr storage.
Dev loop0: unable to read partition block 735977472
 loop0: RDSK (-336099328) unable to read partition table
loop0: partition table beyond EOD, truncated
REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop0): using ordered data mode
reiserfs: using flush barriers
REISERFS warning (device loop0): sh-460 journal_init: journal header magic 49a51c6e (device loop0) does not match to magic found in super block 49ad1c61
REISERFS (device loop1): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop1): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop1): journal params: device loop1, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop1): checking transaction log (loop1)
REISERFS (device loop2): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop2): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop5): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop2): journal params: device loop2, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop2): checking transaction log (loop2)
REISERFS (device loop5): using ordered data mode
REISERFS (device loop4): found reiserfs format "3.5" with non-standard journal
reiserfs: using flush barriers
REISERFS (device loop4): using ordered data mode
REISERFS (device loop5): journal params: device loop5, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
reiserfs: using flush barriers
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop4): journal params: device loop4, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): journal params: device loop3, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop5): checking transaction log (loop5)
REISERFS (device loop4): checking transaction log (loop4)
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop5): Using r5 hash to sort names
REISERFS (device loop5): using 3.5.x disk format
REISERFS (device loop5): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop1): Using r5 hash to sort names
REISERFS (device loop1): using 3.5.x disk format
REISERFS (device loop1): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): using 3.5.x disk format
REISERFS (device loop3): Using r5 hash to sort names
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop3): using 3.5.x disk format
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop4): Using r5 hash to sort names
REISERFS (device loop4): using 3.5.x disk format
REISERFS (device loop4): Created .reiserfs_priv - reserved for xattr storage.

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/10/27 12:42 linux-4.14.y 5b7a52cd2eef 94942294 .config console log report syz C ci2-linux-4-14
2020/12/25 10:15 linux-4.14.y 3f2ecb86cb90 b982b3ea .config console log report info ci2-linux-4-14
2020/12/23 12:22 linux-4.14.y 3f2ecb86cb90 c2c1d1dd .config console log report info ci2-linux-4-14
2020/10/27 10:47 linux-4.14.y 5b7a52cd2eef 94942294 .config console log report info ci2-linux-4-14
2020/10/01 09:26 linux-4.14.y cbfa1702aaf6 4103fce0 .config console log report info ci2-linux-4-14