ci starts bisection 2023-05-05 17:09:07.754972404 +0000 UTC m=+772.248779639
bisecting cause commit starting from 3c4aa44343777844e425c28f1427127f3e55826f
building syzkaller on 518a39a63148f6aee9c82e5b6b1c20889a21f698
ensuring issue is reproducible on original commit 3c4aa44343777844e425c28f1427127f3e55826f

testing commit 3c4aa44343777844e425c28f1427127f3e55826f gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4140dbd1bd5d8ef1c780168a6ee48aa73ada397ac9d2236bd3109ae44339cdee
all runs: crashed: possible deadlock in open_xa_dir
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9bd35dac31a3a60124a439f19911c0807ff991b9947dbe4454fcd2c49c1a9782
all runs: OK
# git bisect start 3c4aa44343777844e425c28f1427127f3e55826f 457391b0380335d5e9a5babdec90ac53928b23b4
Bisecting: 7448 revisions left to test after this (roughly 13 steps)
[b68ee1c6131c540a62ecd443be89c406401df091] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

testing commit b68ee1c6131c540a62ecd443be89c406401df091 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 25601e2bd84c91ee805bcd7de1c6592c0aae949e085dd640525ad206658f52b9
all runs: crashed: possible deadlock in open_xa_dir
# git bisect bad b68ee1c6131c540a62ecd443be89c406401df091
Bisecting: 2296 revisions left to test after this (roughly 12 steps)
[c8cc58e289ed3b5bc50258f52776cf3dfa3bad66] Merge tag 'drm-next-2023-04-24' of git://anongit.freedesktop.org/drm/drm

testing commit c8cc58e289ed3b5bc50258f52776cf3dfa3bad66 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2459d2badfa14a095c9db6303259b042f20d83ad467682eddb8ef6660a671c6f
all runs: crashed: possible deadlock in open_xa_dir
# git bisect bad c8cc58e289ed3b5bc50258f52776cf3dfa3bad66
Bisecting: 1641 revisions left to test after this (roughly 11 steps)
[d53c3eaaef6a05fec04e8b5990d97d7216eb5e42] Merge tag 'soc-dt-6.4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

testing commit d53c3eaaef6a05fec04e8b5990d97d7216eb5e42 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e8a95f2965bea80d332defd8c53ccf33cae5e51bdda28edb5a527d989b3c8794
all runs: crashed: possible deadlock in open_xa_dir
# git bisect bad d53c3eaaef6a05fec04e8b5990d97d7216eb5e42
Bisecting: 840 revisions left to test after this (roughly 10 steps)
[1e14b4f9d9082f3a38dea2201e033c3b73785b0d] Merge tag 'v6.3-next-dts64' of https://git.kernel.org/pub/scm/linux/kernel/git/matthias.bgg/linux into soc/dt

testing commit 1e14b4f9d9082f3a38dea2201e033c3b73785b0d gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e408ef3d06f37b7788426a9707f4e93bf184ad5121134e2fd5361d1b3facfe09
all runs: OK
# git bisect good 1e14b4f9d9082f3a38dea2201e033c3b73785b0d
Bisecting: 416 revisions left to test after this (roughly 9 steps)
[ef36b9afc2edb0764cb3df7a1cb5e86406267b40] Merge tag 'pull-fd' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

testing commit ef36b9afc2edb0764cb3df7a1cb5e86406267b40 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 703bad955bdce7fced183b01417dba820a10380fca85050b2d333b16bd82044b
all runs: crashed: possible deadlock in open_xa_dir
# git bisect bad ef36b9afc2edb0764cb3df7a1cb5e86406267b40
Bisecting: 236 revisions left to test after this (roughly 8 steps)
[5d77652fbf2318f61af2cf27779951393dd0f749] Merge tag 'nolibc.2023.04.04a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu

testing commit 5d77652fbf2318f61af2cf27779951393dd0f749 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2633c51f006d33bf9c9314333e8e975a1d4451686f68497d21a6ca7bb660300a
all runs: crashed: possible deadlock in open_xa_dir
# git bisect bad 5d77652fbf2318f61af2cf27779951393dd0f749
Bisecting: 103 revisions left to test after this (roughly 7 steps)
[dc7e22a368c2a217d2d3338b3bd984fdd0301173] Merge tag 'Smack-for-6.4' of https://github.com/cschaufler/smack-next

testing commit dc7e22a368c2a217d2d3338b3bd984fdd0301173 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6976641b44048249a040e9663c33e3770739c60ba8e56f98fa473c36ff80b765
all runs: crashed: possible deadlock in open_xa_dir
# git bisect bad dc7e22a368c2a217d2d3338b3bd984fdd0301173
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[72eaa0967b594cb9886c2f277a69ac1ea935b1a8] Merge tag 'selinux-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

testing commit 72eaa0967b594cb9886c2f277a69ac1ea935b1a8 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5e9745641160a4d8c75b8fb038be8141825fe359962e0d1c78ee673bdb78eea4
all runs: OK
# git bisect good 72eaa0967b594cb9886c2f277a69ac1ea935b1a8
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[1cd2aca64a5dc4edb65539dc26f24e162ab0e11c] lsm: move the io_uring hook comments to security/security.c

testing commit 1cd2aca64a5dc4edb65539dc26f24e162ab0e11c gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9d3e55241bf784cec526b504525a26554a3f7b1a625d3378b272c17bf8f20f1a
all runs: OK
# git bisect good 1cd2aca64a5dc4edb65539dc26f24e162ab0e11c
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[de3004c874e740304cc4f4a83d6200acb511bbda] ocfs2: Switch to security_inode_init_security()

testing commit de3004c874e740304cc4f4a83d6200acb511bbda gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f7c9730dedceb510255c1b8c8ab1285fbc8e21b727da7b6d1ea57f513b3431da
all runs: OK
# git bisect good de3004c874e740304cc4f4a83d6200acb511bbda
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[5af4b523ba9be70372eafab02ebfb9babf77ec7d] Merge tag 'tomoyo-pr-20230424' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1

testing commit 5af4b523ba9be70372eafab02ebfb9babf77ec7d gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 968f64c64377603eeffb6e0edc1df077cbf662237c960d57c44f5e4c86f5e3a8
all runs: crashed: possible deadlock in open_xa_dir
# git bisect bad 5af4b523ba9be70372eafab02ebfb9babf77ec7d
Bisecting: 2 revisions left to test after this (roughly 1 step)
[d82dcd9e21b77d338dc4875f3d4111f0db314a7c] reiserfs: Add security prefix to xattr name in reiserfs_security_write()

testing commit d82dcd9e21b77d338dc4875f3d4111f0db314a7c gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0472ee4fc9c2008a2161a5a3b050db6018894dd81a3692bc069fc5432ab0e3f6
all runs: crashed: possible deadlock in open_xa_dir
# git bisect bad d82dcd9e21b77d338dc4875f3d4111f0db314a7c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0d57b970df352517a75f4533820c49de360c4123] security: Remove security_old_inode_init_security()

testing commit 0d57b970df352517a75f4533820c49de360c4123 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 56a6b9e9a5f5bdd60b02ee42ea6703d85a0bc519a24765df59065366c34d052a
all runs: OK
# git bisect good 0d57b970df352517a75f4533820c49de360c4123
d82dcd9e21b77d338dc4875f3d4111f0db314a7c is the first bad commit
commit d82dcd9e21b77d338dc4875f3d4111f0db314a7c
Author: Roberto Sassu
Date: Fri Mar 31 14:32:18 2023 +0200

    reiserfs: Add security prefix to xattr name in reiserfs_security_write()

    Reiserfs sets a security xattr at inode creation time in two stages: first,
    it calls reiserfs_security_init() to obtain the xattr from active LSMs;
    then, it calls reiserfs_security_write() to actually write that xattr.

    Unfortunately, it seems there is a wrong expectation that LSMs provide the
    full xattr name in the form 'security.'. However, LSMs always provided just
    the suffix, causing reiserfs to not write the xattr at all (if the suffix
    is shorter than the prefix), or to write an xattr with the wrong name.

    Add a temporary buffer in reiserfs_security_write(), and write to it the
    full xattr name, before passing it to reiserfs_xattr_set_handle().

    Also replace the name length check with a check that the full xattr name is
    not larger than XATTR_NAME_MAX.

    Cc: stable@vger.kernel.org # v2.6.x
    Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation")
    Signed-off-by: Roberto Sassu
    Signed-off-by: Paul Moore

 fs/reiserfs/xattr_security.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

culprit signature: 0472ee4fc9c2008a2161a5a3b050db6018894dd81a3692bc069fc5432ab0e3f6
parent signature: 56a6b9e9a5f5bdd60b02ee42ea6703d85a0bc519a24765df59065366c34d052a
revisions tested: 15, total time: 3h41m40.701762337s (build: 2h17m0.35359756s, test: 1h23m2.962881028s)
first bad commit: d82dcd9e21b77d338dc4875f3d4111f0db314a7c reiserfs: Add security prefix to xattr name in reiserfs_security_write()
recipients (to): ["paul@paul-moore.com" "roberto.sassu@huawei.com"]
recipients (cc): []
crash: possible deadlock in open_xa_dir
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
======================================================
WARNING: possible circular locking dependency detected
6.3.0-rc1-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/5418 is trying to acquire lock:
ffff8880742c8980 (&type->i_mutex_dir_key#8/3){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:793 [inline]
ffff8880742c8980 (&type->i_mutex_dir_key#8/3){+.+.}-{3:3}, at: open_xa_root fs/reiserfs/xattr.c:127 [inline]
ffff8880742c8980 (&type->i_mutex_dir_key#8/3){+.+.}-{3:3}, at: open_xa_dir+0x134/0x540 fs/reiserfs/xattr.c:152

but task is already holding lock:
ffff88807568d090 (&sbi->lock){+.+.}-{3:3}, at: reiserfs_write_lock_nested+0x4a/0xb0 fs/reiserfs/lock.c:78

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&sbi->lock){+.+.}-{3:3}:
       lock_acquire+0x23e/0x630 kernel/locking/lockdep.c:5669
       __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603
       __mutex_lock kernel/locking/mutex.c:747 [inline]
       mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799
       reiserfs_write_lock+0x70/0xc0 fs/reiserfs/lock.c:27
       reiserfs_mkdir+0x321/0x870 fs/reiserfs/namei.c:831
       xattr_mkdir fs/reiserfs/xattr.c:76 [inline]
       open_xa_root fs/reiserfs/xattr.c:136 [inline]
       open_xa_dir+0x259/0x540 fs/reiserfs/xattr.c:152
       xattr_lookup+0x17/0x210 fs/reiserfs/xattr.c:395
       reiserfs_xattr_set_handle+0xda/0xc80 fs/reiserfs/xattr.c:533
       reiserfs_security_write+0x134/0x190 fs/reiserfs/xattr_security.c:106
       reiserfs_new_inode+0x13bf/0x1a90 fs/reiserfs/inode.c:2113
       reiserfs_create+0x3b1/0x680 fs/reiserfs/namei.c:668
       lookup_open fs/namei.c:3416 [inline]
       open_last_lookups fs/namei.c:3484 [inline]
       path_openat+0xf1e/0x2c10 fs/namei.c:3712
       do_filp_open+0x22a/0x440 fs/namei.c:3742
       do_sys_openat2+0x10f/0x430 fs/open.c:1348
       do_sys_open fs/open.c:1364 [inline]
       __do_sys_creat fs/open.c:1440 [inline]
       __se_sys_creat fs/open.c:1434 [inline]
       __x64_sys_creat+0x11e/0x160 fs/open.c:1434
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 (&type->i_mutex_dir_key#8/3){+.+.}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3098 [inline]
       check_prevs_add kernel/locking/lockdep.c:3217 [inline]
       validate_chain+0x166b/0x58e0 kernel/locking/lockdep.c:3832
       __lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5056
       lock_acquire+0x23e/0x630 kernel/locking/lockdep.c:5669
       down_write_nested+0x3d/0x50 kernel/locking/rwsem.c:1689
       inode_lock_nested include/linux/fs.h:793 [inline]
       open_xa_root fs/reiserfs/xattr.c:127 [inline]
       open_xa_dir+0x134/0x540 fs/reiserfs/xattr.c:152
       xattr_lookup+0x17/0x210 fs/reiserfs/xattr.c:395
       reiserfs_xattr_get+0xe1/0x4a0 fs/reiserfs/xattr.c:677
       __vfs_getxattr+0x2fe/0x350 fs/xattr.c:426
       smk_fetch+0x98/0xf0 security/smack/smack_lsm.c:295
       smack_d_instantiate+0x5d5/0xa20 security/smack/smack_lsm.c:3491
       security_d_instantiate+0x6b/0xb0 security/security.c:3760
       d_instantiate_new+0x5e/0xe0 fs/dcache.c:2053
       reiserfs_create+0x5ee/0x680 fs/reiserfs/namei.c:694
       lookup_open fs/namei.c:3416 [inline]
       open_last_lookups fs/namei.c:3484 [inline]
       path_openat+0xf1e/0x2c10 fs/namei.c:3712
       do_filp_open+0x22a/0x440 fs/namei.c:3742
       do_sys_openat2+0x10f/0x430 fs/open.c:1348
       do_sys_open fs/open.c:1364 [inline]
       __do_sys_creat fs/open.c:1440 [inline]
       __se_sys_creat fs/open.c:1434 [inline]
       __x64_sys_creat+0x11e/0x160 fs/open.c:1434
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sbi->lock);
                               lock(&type->i_mutex_dir_key#8/3);
                               lock(&sbi->lock);
  lock(&type->i_mutex_dir_key#8/3);

 *** DEADLOCK ***

3 locks held by syz-executor.0/5418:
 #0: ffff888026b3c460 (sb_writers#14){.+.+}-{0:0}, at: mnt_want_write+0x3a/0x70 fs/namespace.c:394
 #1: ffff8880742c82e0 (&type->i_mutex_dir_key#8){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:758 [inline]
 #1: ffff8880742c82e0 (&type->i_mutex_dir_key#8){+.+.}-{3:3}, at: open_last_lookups fs/namei.c:3481 [inline]
 #1: ffff8880742c82e0 (&type->i_mutex_dir_key#8){+.+.}-{3:3}, at: path_openat+0x6ed/0x2c10 fs/namei.c:3712
 #2: ffff88807568d090 (&sbi->lock){+.+.}-{3:3}, at: reiserfs_write_lock_nested+0x4a/0xb0 fs/reiserfs/lock.c:78

stack backtrace:
CPU: 0 PID: 5418 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x167/0x220 lib/dump_stack.c:106
 check_noncircular+0x2fe/0x3b0 kernel/locking/lockdep.c:2178
 check_prev_add kernel/locking/lockdep.c:3098 [inline]
 check_prevs_add kernel/locking/lockdep.c:3217 [inline]
 validate_chain+0x166b/0x58e0 kernel/locking/lockdep.c:3832
 __lock_acquire+0x125b/0x1f80 kernel/locking/lockdep.c:5056
 lock_acquire+0x23e/0x630 kernel/locking/lockdep.c:5669
 down_write_nested+0x3d/0x50 kernel/locking/rwsem.c:1689
 inode_lock_nested include/linux/fs.h:793 [inline]
 open_xa_root fs/reiserfs/xattr.c:127 [inline]
 open_xa_dir+0x134/0x540 fs/reiserfs/xattr.c:152
 xattr_lookup+0x17/0x210 fs/reiserfs/xattr.c:395
 reiserfs_xattr_get+0xe1/0x4a0 fs/reiserfs/xattr.c:677
 __vfs_getxattr+0x2fe/0x350 fs/xattr.c:426
 smk_fetch+0x98/0xf0 security/smack/smack_lsm.c:295
 smack_d_instantiate+0x5d5/0xa20 security/smack/smack_lsm.c:3491
 security_d_instantiate+0x6b/0xb0 security/security.c:3760
 d_instantiate_new+0x5e/0xe0 fs/dcache.c:2053
 reiserfs_create+0x5ee/0x680 fs/reiserfs/namei.c:694
 lookup_open fs/namei.c:3416 [inline]
 open_last_lookups fs/namei.c:3484 [inline]
 path_openat+0xf1e/0x2c10 fs/namei.c:3712
 do_filp_open+0x22a/0x440 fs/namei.c:3742
 do_sys_openat2+0x10f/0x430 fs/open.c:1348
 do_sys_open fs/open.c:1364 [inline]
 __do_sys_creat fs/open.c:1440 [inline]
 __se_sys_creat fs/open.c:1434 [inline]
 __x64_sys_creat+0x11e/0x160 fs/open.c:1434
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f363da8c169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f363e76d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007f363dbabf80 RCX: 00007f363da8c169
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000080
RBP: 00007f363dae7ca1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcf155b81f R14: 00007f363e76d300 R15: 0000000000022000