syzbot


possible deadlock in ntfs_sync_mft_mirror

Status: upstream: reported on 2023/03/21 16:42
Subsystems: ntfs
Reported-by: syzbot+c9340661f4a0bb3e7e65@syzkaller.appspotmail.com
First crash: 264d, last: 32d
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] Monthly ntfs report (Jun 2023) 0 (1) 2023/06/02 08:40
[syzbot] [ntfs?] possible deadlock in ntfs_sync_mft_mirror 0 (1) 2023/03/21 16:42
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 possible deadlock in ntfs_sync_mft_mirror ntfs 1 330d 330d 0/1 upstream: reported on 2023/01/14 12:35

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
6.6.0-syzkaller-15365-g305230142ae0 #0 Not tainted
------------------------------------------------------
syz-executor.3/5226 is trying to acquire lock:
ffff888079c92200 (&rl->lock){++++}-{3:3}, at: ntfs_sync_mft_mirror+0x19bb/0x1eb0 fs/ntfs/mft.c:536

but task is already holding lock:
ffff888079c96cd0 (&ni->mrec_lock){+.+.}-{3:3}, at: map_mft_record+0x4a/0x730 fs/ntfs/mft.c:154

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ni->mrec_lock){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x181/0x1340 kernel/locking/mutex.c:747
       map_mft_record+0x4a/0x730 fs/ntfs/mft.c:154
       ntfs_map_runlist_nolock+0xbbd/0x17a0 fs/ntfs/attrib.c:91
       ntfs_map_runlist+0x7b/0xa0 fs/ntfs/attrib.c:292
       ntfs_read_block fs/ntfs/aops.c:277 [inline]
       ntfs_read_folio+0x1ae8/0x2420 fs/ntfs/aops.c:430
       read_pages+0xa76/0xdb0 mm/readahead.c:180
       page_cache_ra_unbounded+0x457/0x5e0 mm/readahead.c:269
       do_page_cache_ra mm/readahead.c:299 [inline]
       page_cache_ra_order+0x72b/0xa80 mm/readahead.c:546
       ondemand_readahead+0x493/0x1130 mm/readahead.c:668
       page_cache_sync_ra+0x174/0x1d0 mm/readahead.c:695
       page_cache_sync_readahead include/linux/pagemap.h:1266 [inline]
       filemap_get_pages+0xc06/0x1830 mm/filemap.c:2497
       filemap_read+0x39b/0xcf0 mm/filemap.c:2593
       generic_file_read_iter+0x346/0x450 mm/filemap.c:2772
       __kernel_read+0x301/0x870 fs/read_write.c:428
       integrity_kernel_read+0x7f/0xb0 security/integrity/iint.c:221
       ima_calc_file_hash_tfm+0x2c5/0x3d0 security/integrity/ima/ima_crypto.c:485
       ima_calc_file_shash security/integrity/ima/ima_crypto.c:516 [inline]
       ima_calc_file_hash+0x1c6/0x4a0 security/integrity/ima/ima_crypto.c:573
       ima_collect_measurement+0x85e/0xa20 security/integrity/ima/ima_api.c:290
       process_measurement+0xe92/0x2260 security/integrity/ima/ima_main.c:359
       ima_file_check+0xc2/0x110 security/integrity/ima/ima_main.c:557
       do_open fs/namei.c:3624 [inline]
       path_openat+0x77b/0x2c40 fs/namei.c:3779
       do_filp_open+0x1de/0x430 fs/namei.c:3809
       do_sys_openat2+0x176/0x1e0 fs/open.c:1440
       do_sys_open fs/open.c:1455 [inline]
       __do_compat_sys_open fs/open.c:1506 [inline]
       __se_compat_sys_open fs/open.c:1504 [inline]
       __ia32_compat_sys_open+0x147/0x1d0 fs/open.c:1504
       do_syscall_32_irqs_on arch/x86/entry/common.c:164 [inline]
       __do_fast_syscall_32+0x61/0xe0 arch/x86/entry/common.c:230
       do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:255
       entry_SYSENTER_compat_after_hwframe+0x70/0x7a

-> #0 (&rl->lock){++++}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain kernel/locking/lockdep.c:3868 [inline]
       __lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5136
       lock_acquire kernel/locking/lockdep.c:5753 [inline]
       lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
       down_read+0x9c/0x470 kernel/locking/rwsem.c:1526
       ntfs_sync_mft_mirror+0x19bb/0x1eb0 fs/ntfs/mft.c:536
       write_mft_record_nolock+0x1a12/0x1d90 fs/ntfs/mft.c:805
       write_mft_record+0x14b/0x380 fs/ntfs/mft.h:95
       __ntfs_write_inode+0x91b/0xc30 fs/ntfs/inode.c:3052
       ntfs_commit_inode fs/ntfs/inode.h:300 [inline]
       ntfs_commit_inode fs/ntfs/inode.h:297 [inline]
       ntfs_put_super+0x12b4/0x1650 fs/ntfs/super.c:2315
       generic_shutdown_super+0x161/0x3c0 fs/super.c:696
       kill_block_super+0x3b/0x90 fs/super.c:1667
       deactivate_locked_super+0xbc/0x1a0 fs/super.c:484
       deactivate_super+0xde/0x100 fs/super.c:517
       cleanup_mnt+0x222/0x450 fs/namespace.c:1256
       task_work_run+0x14d/0x240 kernel/task_work.c:180
       resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
       exit_to_user_mode_prepare+0x215/0x240 kernel/entry/common.c:204
       __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
       syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
       __do_fast_syscall_32+0x6d/0xe0 arch/x86/entry/common.c:233
       do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:255
       entry_SYSENTER_compat_after_hwframe+0x70/0x7a

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ni->mrec_lock);
                               lock(&rl->lock);
                               lock(&ni->mrec_lock);
  rlock(&rl->lock);

 *** DEADLOCK ***

2 locks held by syz-executor.3/5226:
 #0: ffff8880008800e0 (&type->s_umount_key#98){+.+.}-{3:3}, at: __super_lock fs/super.c:56 [inline]
 #0: ffff8880008800e0 (&type->s_umount_key#98){+.+.}-{3:3}, at: __super_lock_excl fs/super.c:71 [inline]
 #0: ffff8880008800e0 (&type->s_umount_key#98){+.+.}-{3:3}, at: deactivate_super+0xd6/0x100 fs/super.c:516
 #1: ffff888079c96cd0 (&ni->mrec_lock){+.+.}-{3:3}, at: map_mft_record+0x4a/0x730 fs/ntfs/mft.c:154

stack backtrace:
CPU: 3 PID: 5226 Comm: syz-executor.3 Not tainted 6.6.0-syzkaller-15365-g305230142ae0 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 check_noncircular+0x311/0x3f0 kernel/locking/lockdep.c:2187
 check_prev_add kernel/locking/lockdep.c:3134 [inline]
 check_prevs_add kernel/locking/lockdep.c:3253 [inline]
 validate_chain kernel/locking/lockdep.c:3868 [inline]
 __lock_acquire+0x2e3d/0x5de0 kernel/locking/lockdep.c:5136
 lock_acquire kernel/locking/lockdep.c:5753 [inline]
 lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
 down_read+0x9c/0x470 kernel/locking/rwsem.c:1526
 ntfs_sync_mft_mirror+0x19bb/0x1eb0 fs/ntfs/mft.c:536
 write_mft_record_nolock+0x1a12/0x1d90 fs/ntfs/mft.c:805
 write_mft_record+0x14b/0x380 fs/ntfs/mft.h:95
 __ntfs_write_inode+0x91b/0xc30 fs/ntfs/inode.c:3052
 ntfs_commit_inode fs/ntfs/inode.h:300 [inline]
 ntfs_commit_inode fs/ntfs/inode.h:297 [inline]
 ntfs_put_super+0x12b4/0x1650 fs/ntfs/super.c:2315
 generic_shutdown_super+0x161/0x3c0 fs/super.c:696
 kill_block_super+0x3b/0x90 fs/super.c:1667
 deactivate_locked_super+0xbc/0x1a0 fs/super.c:484
 deactivate_super+0xde/0x100 fs/super.c:517
 cleanup_mnt+0x222/0x450 fs/namespace.c:1256
 task_work_run+0x14d/0x240 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x215/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
 __do_fast_syscall_32+0x6d/0xe0 arch/x86/entry/common.c:233
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:255
 entry_SYSENTER_compat_after_hwframe+0x70/0x7a
RIP: 0023:0xf7fd7579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000ffbe6278 EFLAGS: 00000292 ORIG_RAX: 0000000000000034
RAX: 0000000000000000 RBX: 00000000ffbe6320 RCX: 000000000000000a
RDX: 00000000f7353ff4 RSI: 00000000f72a53bd RDI: 00000000ffbe73c4
RBP: 00000000ffbe6320 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	10 06                	adc    %al,(%rsi)
   2:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
   6:	10 07                	adc    %al,(%rdi)
   8:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
   c:	10 08                	adc    %cl,(%rax)
   e:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1e:	00 51 52             	add    %dl,0x52(%rcx)
  21:	55                   	push   %rbp
  22:	89 e5                	mov    %esp,%ebp
  24:	0f 34                	sysenter
  26:	cd 80                	int    $0x80
* 28:	5d                   	pop    %rbp <-- trapping instruction
  29:	5a                   	pop    %rdx
  2a:	59                   	pop    %rcx
  2b:	c3                   	ret
  2c:	90                   	nop
  2d:	90                   	nop
  2e:	90                   	nop
  2f:	90                   	nop
  30:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  37:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/11/08 14:26 upstream 305230142ae0 b93f63e8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/11/07 11:28 upstream be3ca57cfb77 83211397 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/10/24 09:04 upstream e017769f4ce2 af8d2e46 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/05/19 00:48 upstream 2d1bcbc6cd70 3bb7af1d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in ntfs_sync_mft_mirror
2023/05/17 13:27 upstream f1fcbaa18b28 258520f6 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in ntfs_sync_mft_mirror
2023/03/21 16:18 upstream 17214b70a159 03fb9538 .config console log report info ci-qemu-upstream possible deadlock in ntfs_sync_mft_mirror
2023/08/22 19:24 upstream 53663f4103ff 96546ace .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/08/04 03:17 upstream c1a515d3c027 74621247 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/08/03 05:37 upstream 4b954598a47b 39a91c18 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/07/05 21:06 upstream d528014517f2 e8b147c6 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/05/14 22:44 upstream 31f4104e392a 2b9ba477 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/05/14 05:58 upstream bb7c241fae62 2b9ba477 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/05/12 09:07 upstream cc3c44c9fda2 adb9a3cd .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror