From: syzbot <syzbot+689207c321874efe3382@syzkaller.appspotmail.com>
To: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
tytso@mit.edu
Subject: [syzbot] possible deadlock in ext4_xattr_set_handle (2)
Date: Tue, 12 Jul 2022 05:03:25 -0700 [thread overview]
Message-ID: <000000000000a91fff05e39a74b0@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 32346491ddf2 Linux 5.19-rc6
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=123106e8080000
kernel config: https://syzkaller.appspot.com/x/.config?x=525bc0635a2b942a
dashboard link: https://syzkaller.appspot.com/bug?extid=689207c321874efe3382
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+689207c321874efe3382@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
5.19.0-rc6-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/19826 is trying to acquire lock:
ffffffff8bebda20 (fs_reclaim){+.+.}-{0:0}, at: prepare_alloc_pages+0x15c/0x570 mm/page_alloc.c:5200
but task is already holding lock:
ffff888025ba94d8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_lock_xattr fs/ext4/xattr.h:142 [inline]
ffff888025ba94d8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_xattr_set_handle+0x15c/0x1500 fs/ext4/xattr.c:2293
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&ei->xattr_sem){++++}-{3:3}:
down_write+0x90/0x150 kernel/locking/rwsem.c:1542
ext4_write_lock_xattr fs/ext4/xattr.h:142 [inline]
ext4_xattr_set_handle+0x15c/0x1500 fs/ext4/xattr.c:2293
__ext4_set_acl+0x338/0x570 fs/ext4/acl.c:217
ext4_set_acl+0x443/0x580 fs/ext4/acl.c:258
set_posix_acl+0x22d/0x2e0 fs/posix_acl.c:946
posix_acl_xattr_set+0x135/0x1a0 fs/posix_acl.c:965
__vfs_removexattr+0xfe/0x170 fs/xattr.c:470
__vfs_removexattr_locked+0x1ac/0x440 fs/xattr.c:505
vfs_removexattr+0xcb/0x250 fs/xattr.c:527
ovl_do_removexattr fs/overlayfs/overlayfs.h:279 [inline]
ovl_workdir_create+0x484/0xbd0 fs/overlayfs/super.c:813
ovl_make_workdir fs/overlayfs/super.c:1367 [inline]
ovl_get_workdir fs/overlayfs/super.c:1514 [inline]
ovl_fill_super+0x1950/0x6380 fs/overlayfs/super.c:2070
mount_nodev+0x60/0x110 fs/super.c:1413
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__ia32_sys_mount+0x27e/0x300 fs/namespace.c:3568
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x53/0x62
-> #1 (jbd2_handle){++++}-{0:0}:
start_this_handle+0xfe7/0x14a0 fs/jbd2/transaction.c:463
jbd2__journal_start+0x399/0x930 fs/jbd2/transaction.c:520
__ext4_journal_start_sb+0x3a8/0x4a0 fs/ext4/ext4_jbd2.c:105
__ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline]
ext4_dirty_inode+0x9d/0x110 fs/ext4/inode.c:5949
__mark_inode_dirty+0x495/0x1050 fs/fs-writeback.c:2381
mark_inode_dirty_sync include/linux/fs.h:2337 [inline]
iput.part.0+0x57/0x820 fs/inode.c:1767
iput+0x58/0x70 fs/inode.c:1760
dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:401
__dentry_kill+0x3c0/0x640 fs/dcache.c:607
shrink_dentry_list+0x23c/0x800 fs/dcache.c:1201
prune_dcache_sb+0xe7/0x140 fs/dcache.c:1282
super_cache_scan+0x336/0x590 fs/super.c:104
do_shrink_slab+0x42d/0xbd0 mm/vmscan.c:770
shrink_slab_memcg mm/vmscan.c:839 [inline]
shrink_slab+0x3ee/0x6f0 mm/vmscan.c:918
shrink_node_memcgs mm/vmscan.c:3124 [inline]
shrink_node+0x8b3/0x1db0 mm/vmscan.c:3245
shrink_zones mm/vmscan.c:3482 [inline]
do_try_to_free_pages+0x3b5/0x1700 mm/vmscan.c:3540
try_to_free_pages+0x2ac/0x840 mm/vmscan.c:3775
__perform_reclaim mm/page_alloc.c:4641 [inline]
__alloc_pages_direct_reclaim mm/page_alloc.c:4663 [inline]
__alloc_pages_slowpath.constprop.0+0xa8a/0x2160 mm/page_alloc.c:5066
__alloc_pages+0x436/0x510 mm/page_alloc.c:5439
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
folio_alloc+0x1c/0x70 mm/mempolicy.c:2282
filemap_alloc_folio mm/filemap.c:996 [inline]
__filemap_get_folio+0x614/0xf00 mm/filemap.c:1992
filemap_fault+0x1670/0x24e0 mm/filemap.c:3158
__do_fault+0x10d/0x650 mm/memory.c:4165
do_read_fault mm/memory.c:4511 [inline]
do_fault mm/memory.c:4640 [inline]
handle_pte_fault mm/memory.c:4903 [inline]
__handle_mm_fault+0x2739/0x3f50 mm/memory.c:5042
handle_mm_fault+0x1c8/0x790 mm/memory.c:5140
do_user_addr_fault+0x489/0x11c0 arch/x86/mm/fault.c:1397
handle_page_fault arch/x86/mm/fault.c:1484 [inline]
exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1540
asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:570
-> #0 (fs_reclaim){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3095 [inline]
check_prevs_add kernel/locking/lockdep.c:3214 [inline]
validate_chain kernel/locking/lockdep.c:3829 [inline]
__lock_acquire+0x2abe/0x5660 kernel/locking/lockdep.c:5053
lock_acquire kernel/locking/lockdep.c:5665 [inline]
lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630
__fs_reclaim_acquire mm/page_alloc.c:4589 [inline]
fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4603
prepare_alloc_pages+0x15c/0x570 mm/page_alloc.c:5200
__alloc_pages+0x145/0x510 mm/page_alloc.c:5415
__alloc_pages_node include/linux/gfp.h:587 [inline]
alloc_pages_node include/linux/gfp.h:610 [inline]
kmalloc_large_node+0x62/0x130 mm/slub.c:4460
__kmalloc_node+0x2ec/0x390 mm/slub.c:4476
kmalloc_node include/linux/slab.h:623 [inline]
kvmalloc_node+0xa4/0x190 mm/util.c:613
kvmalloc include/linux/slab.h:750 [inline]
ext4_xattr_inode_cache_find fs/ext4/xattr.c:1472 [inline]
ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1515 [inline]
ext4_xattr_set_entry+0x1d94/0x3850 fs/ext4/xattr.c:1656
ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2209
ext4_xattr_set_handle+0x964/0x1500 fs/ext4/xattr.c:2366
ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2479
__vfs_setxattr+0x115/0x180 fs/xattr.c:182
__vfs_setxattr_noperm+0x125/0x5f0 fs/xattr.c:216
__vfs_setxattr_locked+0x1cf/0x260 fs/xattr.c:277
vfs_setxattr+0x13f/0x330 fs/xattr.c:303
setxattr+0x146/0x160 fs/xattr.c:611
path_setxattr+0x197/0x1c0 fs/xattr.c:630
__do_sys_setxattr fs/xattr.c:646 [inline]
__se_sys_setxattr fs/xattr.c:642 [inline]
__ia32_sys_setxattr+0xbc/0x150 fs/xattr.c:642
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x53/0x62
other info that might help us debug this:
Chain exists of:
fs_reclaim --> jbd2_handle --> &ei->xattr_sem
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ei->xattr_sem);
lock(jbd2_handle);
lock(&ei->xattr_sem);
lock(fs_reclaim);
*** DEADLOCK ***
3 locks held by syz-executor.3/19826:
#0: ffff888014a30460 (sb_writers#4){.+.+}-{0:0}, at: path_setxattr+0xb2/0x1c0 fs/xattr.c:628
#1: ffff888025ba9810 (&type->i_mutex_dir_key#3){++++}-{3:3}, at: inode_lock include/linux/fs.h:741 [inline]
#1: ffff888025ba9810 (&type->i_mutex_dir_key#3){++++}-{3:3}, at: vfs_setxattr+0x11c/0x330 fs/xattr.c:302
#2: ffff888025ba94d8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_lock_xattr fs/ext4/xattr.h:142 [inline]
#2: ffff888025ba94d8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_xattr_set_handle+0x15c/0x1500 fs/ext4/xattr.c:2293
stack backtrace:
CPU: 0 PID: 19826 Comm: syz-executor.3 Not tainted 5.19.0-rc6-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3095 [inline]
check_prevs_add kernel/locking/lockdep.c:3214 [inline]
validate_chain kernel/locking/lockdep.c:3829 [inline]
__lock_acquire+0x2abe/0x5660 kernel/locking/lockdep.c:5053
lock_acquire kernel/locking/lockdep.c:5665 [inline]
lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5630
__fs_reclaim_acquire mm/page_alloc.c:4589 [inline]
fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4603
prepare_alloc_pages+0x15c/0x570 mm/page_alloc.c:5200
__alloc_pages+0x145/0x510 mm/page_alloc.c:5415
__alloc_pages_node include/linux/gfp.h:587 [inline]
alloc_pages_node include/linux/gfp.h:610 [inline]
kmalloc_large_node+0x62/0x130 mm/slub.c:4460
__kmalloc_node+0x2ec/0x390 mm/slub.c:4476
kmalloc_node include/linux/slab.h:623 [inline]
kvmalloc_node+0xa4/0x190 mm/util.c:613
kvmalloc include/linux/slab.h:750 [inline]
ext4_xattr_inode_cache_find fs/ext4/xattr.c:1472 [inline]
ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1515 [inline]
ext4_xattr_set_entry+0x1d94/0x3850 fs/ext4/xattr.c:1656
ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2209
ext4_xattr_set_handle+0x964/0x1500 fs/ext4/xattr.c:2366
ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2479
__vfs_setxattr+0x115/0x180 fs/xattr.c:182
__vfs_setxattr_noperm+0x125/0x5f0 fs/xattr.c:216
__vfs_setxattr_locked+0x1cf/0x260 fs/xattr.c:277
vfs_setxattr+0x13f/0x330 fs/xattr.c:303
setxattr+0x146/0x160 fs/xattr.c:611
path_setxattr+0x197/0x1c0 fs/xattr.c:630
__do_sys_setxattr fs/xattr.c:646 [inline]
__se_sys_setxattr fs/xattr.c:642 [inline]
__ia32_sys_setxattr+0xbc/0x150 fs/xattr.c:642
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x53/0x62
RIP: 0023:0xf7f22549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f7efc5cc EFLAGS: 00000296 ORIG_RAX: 00000000000000e2
RAX: ffffffffffffffda RBX: 0000000020000080 RCX: 0000000020000040
RDX: 0000000020000540 RSI: 000000000000c001 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
----------------
Code disassembly (best guess):
0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi
4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d
a: 10 06 adc %al,(%rsi)
c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
10: 10 07 adc %al,(%rdi)
12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
16: 10 08 adc %cl,(%rax)
18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
1c: 00 00 add %al,(%rax)
1e: 00 00 add %al,(%rax)
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
* 2a: 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
39: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
reply other threads:[~2022-07-12 12:03 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000a91fff05e39a74b0@google.com \
--to=syzbot+689207c321874efe3382@syzkaller.appspotmail.com \
--cc=adilger.kernel@dilger.ca \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.