syzbot

loop0: detected capacity change from 0 to 4096
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.23/6153 is trying to acquire lock:
ffff88804164bbb8 (mapping.invalidate_lock#3){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:934 [inline]
ffff88804164bbb8 (mapping.invalidate_lock#3){++++}-{4:4}, at: filemap_fault+0x551/0x1210 mm/filemap.c:3433

but task is already holding lock:
ffff88803a1618d0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_trylock include/linux/mmap_lock.h:472 [inline]
ffff88803a1618d0 (&mm->mmap_lock){++++}-{4:4}, at: get_mmap_lock_carefully mm/mmap_lock.c:277 [inline]
ffff88803a1618d0 (&mm->mmap_lock){++++}-{4:4}, at: lock_mm_and_find_vma+0x32/0x300 mm/mmap_lock.c:337

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&mm->mmap_lock){++++}-{4:4}:
       lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
       __might_fault+0xcc/0x130 mm/memory.c:6958
       _inline_copy_to_user include/linux/uaccess.h:192 [inline]
       _copy_to_user+0x2c/0xb0 lib/usercopy.c:26
       copy_to_user include/linux/uaccess.h:225 [inline]
       fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145
       ni_fiemap+0x391/0xbf0 fs/ntfs3/frecord.c:1896
       ntfs_fiemap+0x11d/0x1a0 fs/ntfs3/file.c:1326
       ioctl_fiemap fs/ioctl.c:220 [inline]
       do_vfs_ioctl+0x1185/0x1440 fs/ioctl.c:532
       __do_sys_ioctl fs/ioctl.c:596 [inline]
       __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (&ni->ni_lock#3/5){+.+.}-{4:4}:
       lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
       __mutex_lock_common kernel/locking/rtmutex_api.c:535 [inline]
       mutex_lock_nested+0x5a/0x1d0 kernel/locking/rtmutex_api.c:547
       ni_lock fs/ntfs3/ntfs_fs.h:1113 [inline]
       ntfs_fallocate+0x580/0x10b0 fs/ntfs3/file.c:561
       vfs_fallocate+0x672/0x7f0 fs/open.c:342
       ioctl_preallocate fs/ioctl.c:290 [inline]
       file_ioctl+0x61d/0x780 fs/ioctl.c:-1
       do_vfs_ioctl+0xb36/0x1440 fs/ioctl.c:577
       __do_sys_ioctl fs/ioctl.c:596 [inline]
       __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (mapping.invalidate_lock#3){++++}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
       __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
       lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
       down_read+0x97/0x1f0 kernel/locking/rwsem.c:1537
       filemap_invalidate_lock_shared include/linux/fs.h:934 [inline]
       filemap_fault+0x551/0x1210 mm/filemap.c:3433
       __do_fault+0x135/0x390 mm/memory.c:5152
       do_read_fault mm/memory.c:5573 [inline]
       do_fault mm/memory.c:5707 [inline]
       do_pte_missing mm/memory.c:4234 [inline]
       handle_pte_fault mm/memory.c:6052 [inline]
       __handle_mm_fault mm/memory.c:6195 [inline]
       handle_mm_fault+0x23c6/0x3400 mm/memory.c:6364
       do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387
       handle_page_fault arch/x86/mm/fault.c:1476 [inline]
       exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
       asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
       do_strncpy_from_user lib/strncpy_from_user.c:-1 [inline]
       strncpy_from_user+0xb7/0x290 lib/strncpy_from_user.c:130
       getname_flags+0xf3/0x540 fs/namei.c:157
       getname include/linux/fs.h:2918 [inline]
       __do_sys_symlinkat fs/namei.c:4772 [inline]
       __se_sys_symlinkat fs/namei.c:4769 [inline]
       __x64_sys_symlinkat+0x7a/0xb0 fs/namei.c:4769
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  mapping.invalidate_lock#3 --> &ni->ni_lock#3/5 --> &mm->mmap_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  rlock(&mm->mmap_lock);
                               lock(&ni->ni_lock#3/5);
                               lock(&mm->mmap_lock);
  rlock(mapping.invalidate_lock#3);

 *** DEADLOCK ***

1 lock held by syz.0.23/6153:
 #0: ffff88803a1618d0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_trylock include/linux/mmap_lock.h:472 [inline]
 #0: ffff88803a1618d0 (&mm->mmap_lock){++++}-{4:4}, at: get_mmap_lock_carefully mm/mmap_lock.c:277 [inline]
 #0: ffff88803a1618d0 (&mm->mmap_lock){++++}-{4:4}, at: lock_mm_and_find_vma+0x32/0x300 mm/mmap_lock.c:337

stack backtrace:
CPU: 1 UID: 0 PID: 6153 Comm: syz.0.23 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
 check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
 __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
 down_read+0x97/0x1f0 kernel/locking/rwsem.c:1537
 filemap_invalidate_lock_shared include/linux/fs.h:934 [inline]
 filemap_fault+0x551/0x1210 mm/filemap.c:3433
 __do_fault+0x135/0x390 mm/memory.c:5152
 do_read_fault mm/memory.c:5573 [inline]
 do_fault mm/memory.c:5707 [inline]
 do_pte_missing mm/memory.c:4234 [inline]
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault mm/memory.c:6195 [inline]
 handle_mm_fault+0x23c6/0x3400 mm/memory.c:6364
 do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
RIP: 0010:strncpy_from_user+0xb7/0x290 lib/strncpy_from_user.c:130
Code: 00 00 4c 89 f6 e8 99 3c d0 fc 49 83 fe 07 0f 86 9d 00 00 00 48 89 1c 24 4c 89 74 24 08 48 c7 c5 f8 ff ff ff 45 31 e4 4c 89 fb <4f> 8b 34 27 48 b8 ff fe fe fe fe fe fe fe 4d 8d 3c 06 4d 89 f5 49
RSP: 0018:ffffc90003ae7e38 EFLAGS: 00050246
RAX: ffffffff84ee2507 RBX: 0000200000001040 RCX: ffff888026995940
RDX: 0000000000000000 RSI: 0000000000000fe0 RDI: 0000000000000007
RBP: fffffffffffffff8 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10054bfca0 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000fe0 R15: 0000200000001040
 getname_flags+0xf3/0x540 fs/namei.c:157
 getname include/linux/fs.h:2918 [inline]
 __do_sys_symlinkat fs/namei.c:4772 [inline]
 __se_sys_symlinkat fs/namei.c:4769 [inline]
 __x64_sys_symlinkat+0x7a/0xb0 fs/namei.c:4769
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faf22c1ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faf22286038 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007faf22e45fa0 RCX: 00007faf22c1ebe9
RDX: 0000000000000000 RSI: ffffffffffffff9c RDI: 0000200000001040
RBP: 00007faf22ca1e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007faf22e46038 R14: 00007faf22e45fa0 R15: 00007ffc02091218
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	4c 89 f6             	mov    %r14,%rsi
   5:	e8 99 3c d0 fc       	call   0xfcd03ca3
   a:	49 83 fe 07          	cmp    $0x7,%r14
   e:	0f 86 9d 00 00 00    	jbe    0xb1
  14:	48 89 1c 24          	mov    %rbx,(%rsp)
  18:	4c 89 74 24 08       	mov    %r14,0x8(%rsp)
  1d:	48 c7 c5 f8 ff ff ff 	mov    $0xfffffffffffffff8,%rbp
  24:	45 31 e4             	xor    %r12d,%r12d
  27:	4c 89 fb             	mov    %r15,%rbx
* 2a:	4f 8b 34 27          	mov    (%r15,%r12,1),%r14 <-- trapping instruction
  2e:	48 b8 ff fe fe fe fe 	movabs $0xfefefefefefefeff,%rax
  35:	fe fe fe
  38:	4d 8d 3c 06          	lea    (%r14,%rax,1),%r15
  3c:	4d 89 f5             	mov    %r14,%r13
  3f:	49                   	rex.WB