syzbot


possible deadlock in ntfs_sync_mft_mirror

Status: upstream: reported on 2023/03/21 16:42
Labels: ntfs (incorrect?)
Reported-by: syzbot+c9340661f4a0bb3e7e65@syzkaller.appspotmail.com
First crash: 69d, last: 11d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [ntfs?] possible deadlock in ntfs_sync_mft_mirror 0 (1) 2023/03/21 16:42
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 possible deadlock in ntfs_sync_mft_mirror ntfs 1 135d 135d 0/1 upstream: reported on 2023/01/14 12:35

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
6.4.0-rc2-syzkaller-00163-g2d1bcbc6cd70 #0 Not tainted
------------------------------------------------------
syz-executor.3/5162 is trying to acquire lock:
ffff88802a207180 (&rl->lock){++++}-{3:3}, at: ntfs_sync_mft_mirror+0x18bf/0x1ea0 fs/ntfs/mft.c:536

but task is already holding lock:
ffff88802a316350 (&ni->mrec_lock){+.+.}-{3:3}, at: map_mft_record+0x40/0x6c0 fs/ntfs/mft.c:154

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ni->mrec_lock){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:603 [inline]
       __mutex_lock+0x12f/0x1350 kernel/locking/mutex.c:747
       map_mft_record+0x40/0x6c0 fs/ntfs/mft.c:154
       ntfs_truncate+0x243/0x2a50 fs/ntfs/inode.c:2383
       ntfs_truncate_vfs fs/ntfs/inode.c:2862 [inline]
       ntfs_setattr+0x397/0x560 fs/ntfs/inode.c:2914
       notify_change+0xb2c/0x1180 fs/attr.c:483
       do_truncate+0x143/0x200 fs/open.c:66
       handle_truncate fs/namei.c:3295 [inline]
       do_open fs/namei.c:3640 [inline]
       path_openat+0x2083/0x2750 fs/namei.c:3791
       do_filp_open+0x1ba/0x410 fs/namei.c:3818
       do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
       do_sys_open fs/open.c:1372 [inline]
       __do_sys_open fs/open.c:1380 [inline]
       __se_sys_open fs/open.c:1376 [inline]
       __x64_sys_open+0x11d/0x1c0 fs/open.c:1376
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 (&rl->lock){++++}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3108 [inline]
       check_prevs_add kernel/locking/lockdep.c:3227 [inline]
       validate_chain kernel/locking/lockdep.c:3842 [inline]
       __lock_acquire+0x2f21/0x5df0 kernel/locking/lockdep.c:5074
       lock_acquire kernel/locking/lockdep.c:5691 [inline]
       lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5656
       down_read+0x9c/0x480 kernel/locking/rwsem.c:1520
       ntfs_sync_mft_mirror+0x18bf/0x1ea0 fs/ntfs/mft.c:536
       write_mft_record_nolock+0x1971/0x1cc0 fs/ntfs/mft.c:805
       write_mft_record+0x14e/0x3b0 fs/ntfs/mft.h:95
       __ntfs_write_inode+0x915/0xc40 fs/ntfs/inode.c:3050
       ntfs_commit_inode fs/ntfs/inode.h:300 [inline]
       ntfs_put_super+0x135e/0x1700 fs/ntfs/super.c:2315
       generic_shutdown_super+0x158/0x480 fs/super.c:500
       kill_block_super+0xa1/0x100 fs/super.c:1407
       deactivate_locked_super+0x98/0x160 fs/super.c:331
       deactivate_super+0xb1/0xd0 fs/super.c:362
       cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1177
       task_work_run+0x16f/0x270 kernel/task_work.c:179
       resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
       exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
       __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
       syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
       do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ni->mrec_lock);
                               lock(&rl->lock);
                               lock(&ni->mrec_lock);
  rlock(&rl->lock);

 *** DEADLOCK ***

2 locks held by syz-executor.3/5162:
 #0: ffff88801e8280e0 (&type->s_umount_key#105){+.+.}-{3:3}, at: deactivate_super+0xa9/0xd0 fs/super.c:361
 #1: ffff88802a316350 (&ni->mrec_lock){+.+.}-{3:3}, at: map_mft_record+0x40/0x6c0 fs/ntfs/mft.c:154

stack backtrace:
CPU: 1 PID: 5162 Comm: syz-executor.3 Not tainted 6.4.0-rc2-syzkaller-00163-g2d1bcbc6cd70 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2188
 check_prev_add kernel/locking/lockdep.c:3108 [inline]
 check_prevs_add kernel/locking/lockdep.c:3227 [inline]
 validate_chain kernel/locking/lockdep.c:3842 [inline]
 __lock_acquire+0x2f21/0x5df0 kernel/locking/lockdep.c:5074
 lock_acquire kernel/locking/lockdep.c:5691 [inline]
 lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5656
 down_read+0x9c/0x480 kernel/locking/rwsem.c:1520
 ntfs_sync_mft_mirror+0x18bf/0x1ea0 fs/ntfs/mft.c:536
 write_mft_record_nolock+0x1971/0x1cc0 fs/ntfs/mft.c:805
 write_mft_record+0x14e/0x3b0 fs/ntfs/mft.h:95
 __ntfs_write_inode+0x915/0xc40 fs/ntfs/inode.c:3050
 ntfs_commit_inode fs/ntfs/inode.h:300 [inline]
 ntfs_put_super+0x135e/0x1700 fs/ntfs/super.c:2315
 generic_shutdown_super+0x158/0x480 fs/super.c:500
 kill_block_super+0xa1/0x100 fs/super.c:1407
 deactivate_locked_super+0x98/0x160 fs/super.c:331
 deactivate_super+0xb1/0xd0 fs/super.c:362
 cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1177
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff87ee8d5d7
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffea3cccc38 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff87ee8d5d7
RDX: 00007ffea3cccd0b RSI: 000000000000000a RDI: 00007ffea3cccd00
RBP: 00007ffea3cccd00 R08: 00000000ffffffff R09: 00007ffea3cccad0
R10: 00005555572bd9e3 R11: 0000000000000246 R12: 00007ff87eee6cdc
R13: 00007ffea3ccddc0 R14: 00005555572bd960 R15: 00007ffea3ccde00
 </TASK>

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/05/19 00:48 upstream 2d1bcbc6cd70 3bb7af1d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in ntfs_sync_mft_mirror
2023/05/17 13:27 upstream f1fcbaa18b28 258520f6 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in ntfs_sync_mft_mirror
2023/03/21 16:18 upstream 17214b70a159 03fb9538 .config console log report info ci-qemu-upstream possible deadlock in ntfs_sync_mft_mirror
2023/05/14 22:44 upstream 31f4104e392a 2b9ba477 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/05/14 05:58 upstream bb7c241fae62 2b9ba477 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
2023/05/12 09:07 upstream cc3c44c9fda2 adb9a3cd .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in ntfs_sync_mft_mirror
* Struck through repros no longer work on HEAD.