loop1: detected capacity change from 0 to 4096 ====================================================== WARNING: possible circular locking dependency detected 6.9.0-rc4-syzkaller-00329-g48cf398f15fc #0 Not tainted ------------------------------------------------------ syz-executor.1/24732 is trying to acquire lock: ffff88807996fb40 (mapping.invalidate_lock#3){++++}-{3:3}, at: filemap_invalidate_lock_shared include/linux/fs.h:850 [inline] ffff88807996fb40 (mapping.invalidate_lock#3){++++}-{3:3}, at: filemap_fault+0x277/0x38d0 mm/filemap.c:3277 but task is already holding lock: ffff8880150727a0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:165 [inline] ffff8880150727a0 (&mm->mmap_lock){++++}-{3:3}, at: get_mmap_lock_carefully mm/memory.c:5633 [inline] ffff8880150727a0 (&mm->mmap_lock){++++}-{3:3}, at: lock_mm_and_find_vma+0x35/0x580 mm/memory.c:5693 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (&mm->mmap_lock){++++}-{3:3}: __might_fault mm/memory.c:6220 [inline] __might_fault+0x11b/0x190 mm/memory.c:6213 _copy_to_user+0x2b/0xc0 lib/usercopy.c:36 copy_to_user include/linux/uaccess.h:191 [inline] fiemap_fill_next_extent+0x232/0x390 fs/ioctl.c:145 ni_fiemap+0x444/0xc10 fs/ntfs3/frecord.c:2065 ntfs_fiemap+0xc9/0x120 fs/ntfs3/file.c:1206 ioctl_fiemap fs/ioctl.c:220 [inline] do_vfs_ioctl+0x407/0x1ac0 fs/ioctl.c:838 __do_sys_ioctl fs/ioctl.c:902 [inline] __se_sys_ioctl fs/ioctl.c:890 [inline] __x64_sys_ioctl+0x116/0x220 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #2 (&indx->run_lock){++++}-{3:3}: down_read+0x9a/0x330 kernel/locking/rwsem.c:1526 ni_fiemap+0x385/0xc10 fs/ntfs3/frecord.c:1961 ntfs_fiemap+0xc9/0x120 fs/ntfs3/file.c:1206 ioctl_fiemap fs/ioctl.c:220 [inline] do_vfs_ioctl+0x407/0x1ac0 fs/ioctl.c:838 __do_sys_ioctl fs/ioctl.c:902 [inline] __se_sys_ioctl fs/ioctl.c:890 [inline] __x64_sys_ioctl+0x116/0x220 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #1 (&ni->ni_lock/4){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x175/0x9c0 kernel/locking/mutex.c:752 ni_lock fs/ntfs3/ntfs_fs.h:1121 [inline] ntfs_read_folio+0xfc/0x1f0 fs/ntfs3/inode.c:718 filemap_read_folio+0xea/0x2c0 mm/filemap.c:2331 filemap_fault+0x189f/0x38d0 mm/filemap.c:3381 __do_fault+0x10d/0x4a0 mm/memory.c:4531 do_read_fault mm/memory.c:4894 [inline] do_fault mm/memory.c:5024 [inline] do_pte_missing mm/memory.c:3880 [inline] handle_pte_fault mm/memory.c:5300 [inline] __handle_mm_fault+0x3750/0x4b40 mm/memory.c:5441 handle_mm_fault+0x476/0xa00 mm/memory.c:5606 do_user_addr_fault+0x2e5/0x1080 arch/x86/mm/fault.c:1413 handle_page_fault arch/x86/mm/fault.c:1505 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1563 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 copy_user_generic arch/x86/include/asm/uaccess_64.h:110 [inline] raw_copy_from_user arch/x86/include/asm/uaccess_64.h:125 [inline] _copy_from_user+0xc1/0xf0 lib/usercopy.c:23 copy_from_user include/linux/uaccess.h:183 [inline] __do_sys_signalfd4 fs/signalfd.c:309 [inline] __se_sys_signalfd4 fs/signalfd.c:302 [inline] __x64_sys_signalfd4+0x126/0x1d0 fs/signalfd.c:302 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (mapping.invalidate_lock#3){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain kernel/locking/lockdep.c:3869 [inline] __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 down_read+0x9a/0x330 kernel/locking/rwsem.c:1526 filemap_invalidate_lock_shared include/linux/fs.h:850 [inline] filemap_fault+0x277/0x38d0 mm/filemap.c:3277 __do_fault+0x10d/0x4a0 mm/memory.c:4531 do_shared_fault mm/memory.c:4954 [inline] do_fault mm/memory.c:5028 [inline] do_pte_missing mm/memory.c:3880 [inline] handle_pte_fault mm/memory.c:5300 [inline] __handle_mm_fault+0x3142/0x4b40 mm/memory.c:5441 handle_mm_fault+0x476/0xa00 mm/memory.c:5606 do_user_addr_fault+0x2e5/0x1080 arch/x86/mm/fault.c:1413 handle_page_fault arch/x86/mm/fault.c:1505 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1563 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 filldir+0x28c/0x5e0 fs/readdir.c:293 dir_emit include/linux/fs.h:3570 [inline] ntfs_filldir fs/ntfs3/dir.c:338 [inline] ntfs_read_hdr+0x877/0xa60 fs/ntfs3/dir.c:376 ntfs_readdir+0x6cf/0x1090 fs/ntfs3/dir.c:487 iterate_dir+0x295/0x9e0 fs/readdir.c:110 __do_sys_getdents fs/readdir.c:326 [inline] __se_sys_getdents fs/readdir.c:311 [inline] __x64_sys_getdents+0x14f/0x2d0 fs/readdir.c:311 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Chain exists of: mapping.invalidate_lock#3 --> &indx->run_lock --> &mm->mmap_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(&mm->mmap_lock); lock(&indx->run_lock); lock(&mm->mmap_lock); rlock(mapping.invalidate_lock#3); *** DEADLOCK *** 3 locks held by syz-executor.1/24732: #0: ffff88807ee540c8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xeb/0x180 fs/file.c:1191 #1: ffff88807996c600 (&type->i_mutex_dir_key#10){++++}-{3:3}, at: iterate_dir+0x184/0x9e0 fs/readdir.c:103 #2: ffff8880150727a0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:165 [inline] #2: ffff8880150727a0 (&mm->mmap_lock){++++}-{3:3}, at: get_mmap_lock_carefully mm/memory.c:5633 [inline] #2: ffff8880150727a0 (&mm->mmap_lock){++++}-{3:3}, at: lock_mm_and_find_vma+0x35/0x580 mm/memory.c:5693 stack backtrace: CPU: 0 PID: 24732 Comm: syz-executor.1 Not tainted 6.9.0-rc4-syzkaller-00329-g48cf398f15fc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2187 check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain kernel/locking/lockdep.c:3869 [inline] __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137 lock_acquire kernel/locking/lockdep.c:5754 [inline] lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719 down_read+0x9a/0x330 kernel/locking/rwsem.c:1526 filemap_invalidate_lock_shared include/linux/fs.h:850 [inline] filemap_fault+0x277/0x38d0 mm/filemap.c:3277 __do_fault+0x10d/0x4a0 mm/memory.c:4531 do_shared_fault mm/memory.c:4954 [inline] do_fault mm/memory.c:5028 [inline] do_pte_missing mm/memory.c:3880 [inline] handle_pte_fault mm/memory.c:5300 [inline] __handle_mm_fault+0x3142/0x4b40 mm/memory.c:5441 handle_mm_fault+0x476/0xa00 mm/memory.c:5606 do_user_addr_fault+0x2e5/0x1080 arch/x86/mm/fault.c:1413 handle_page_fault arch/x86/mm/fault.c:1505 [inline] exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1563 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:filldir+0x28c/0x5e0 fs/readdir.c:293 Code: db e8 08 2a 8e ff 89 d8 48 83 c4 48 5b 5d 41 5c 41 5d 41 5e 41 5f e9 fe 66 0f 09 e8 ee 29 8e ff 0f 01 cb 0f ae e8 48 8b 04 24 <49> 89 47 08 e8 db 29 8e ff 4c 8b 7c 24 28 48 8b 44 24 10 49 89 07 RSP: 0018:ffffc900046b7ba0 EFLAGS: 00050287 RAX: 0000000000000948 RBX: ffffc900046b7e80 RCX: ffffc90009879000 RDX: 0000000000040000 RSI: ffffffff8200da12 RDI: 0000000000000006 RBP: 0000000000000011 R08: 0000000000000006 R09: 0000000020001fc0 R10: 0000000020001fe8 R11: 0000000000000003 R12: 0000000020001fe8 R13: 0000000000000028 R14: ffff888068548000 R15: 0000000020001fc0 dir_emit include/linux/fs.h:3570 [inline] ntfs_filldir fs/ntfs3/dir.c:338 [inline] ntfs_read_hdr+0x877/0xa60 fs/ntfs3/dir.c:376 ntfs_readdir+0x6cf/0x1090 fs/ntfs3/dir.c:487 iterate_dir+0x295/0x9e0 fs/readdir.c:110 __do_sys_getdents fs/readdir.c:326 [inline] __se_sys_getdents fs/readdir.c:311 [inline] __x64_sys_getdents+0x14f/0x2d0 fs/readdir.c:311 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5b5de7dea9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f5b5ecc60c8 EFLAGS: 00000246 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 00007f5b5dfabf80 RCX: 00007f5b5de7dea9 RDX: 00000000000000b8 RSI: 0000000020001fc0 RDI: 0000000000000006 RBP: 00007f5b5deca4a4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f5b5dfabf80 R15: 00007fff2bcff5b8 ---------------- Code disassembly (best guess): 0: db e8 fucomi %st(0),%st 2: 08 2a or %ch,(%rdx) 4: 8e ff mov %edi,%? 6: 89 d8 mov %ebx,%eax 8: 48 83 c4 48 add $0x48,%rsp c: 5b pop %rbx d: 5d pop %rbp e: 41 5c pop %r12 10: 41 5d pop %r13 12: 41 5e pop %r14 14: 41 5f pop %r15 16: e9 fe 66 0f 09 jmp 0x90f6719 1b: e8 ee 29 8e ff call 0xff8e2a0e 20: 0f 01 cb stac 23: 0f ae e8 lfence 26: 48 8b 04 24 mov (%rsp),%rax * 2a: 49 89 47 08 mov %rax,0x8(%r15) <-- trapping instruction 2e: e8 db 29 8e ff call 0xff8e2a0e 33: 4c 8b 7c 24 28 mov 0x28(%rsp),%r15 38: 48 8b 44 24 10 mov 0x10(%rsp),%rax 3d: 49 89 07 mov %rax,(%r15)