lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000000000000fd2b9505f0debfd1@google.com>
Date:   Tue, 27 Dec 2022 23:59:37 -0800
From:   syzbot <syzbot+d3bb749184481f92deb5@...kaller.appspotmail.com>
To:     adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        tytso@....edu
Subject: [syzbot] [ext4?] possible deadlock in ext4_find_inline_entry

Hello,

syzbot found the following issue on:

HEAD commit:    a5541c0811a0 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=124896ff880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cbd4e584773e9397
dashboard link: https://syzkaller.appspot.com/bug?extid=d3bb749184481f92deb5
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11711df8480000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=161e81b0480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4b7702208fb9/disk-a5541c08.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9ec0153ec051/vmlinux-a5541c08.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6f8725ad290a/Image-a5541c08.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5ea71b2bd574/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d3bb749184481f92deb5@...kaller.appspotmail.com

EXT4-fs: Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
======================================================
WARNING: possible circular locking dependency detected
6.1.0-rc8-syzkaller-33330-ga5541c0811a0 #0 Not tainted
------------------------------------------------------
syz-executor246/3073 is trying to acquire lock:
ffff0000cacbcd48 (&ei->xattr_sem){++++}-{3:3}, at: ext4_find_inline_entry+0x80/0x224 fs/ext4/inline.c:1690

but task is already holding lock:
ffff0000cacbda10 (&ea_inode->i_rwsem#8/1){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:756 [inline]
ffff0000cacbda10 (&ea_inode->i_rwsem#8/1){+.+.}-{3:3}, at: vfs_unlink+0x78/0x300 fs/namei.c:4241

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ea_inode->i_rwsem#8/1){+.+.}-{3:3}:
       down_write+0x5c/0x88 kernel/locking/rwsem.c:1562
       inode_lock include/linux/fs.h:756 [inline]
       ext4_xattr_inode_create fs/ext4/xattr.c:1454 [inline]
       ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1537 [inline]
       ext4_xattr_set_entry+0xde4/0xe28 fs/ext4/xattr.c:1665
       ext4_xattr_ibody_set+0x94/0x184 fs/ext4/xattr.c:2225
       ext4_xattr_set_handle+0x648/0x9a0 fs/ext4/xattr.c:2382
       ext4_xattr_set+0x100/0x1d0 fs/ext4/xattr.c:2496
       ext4_xattr_trusted_set+0x4c/0x64 fs/ext4/xattr_trusted.c:38
       __vfs_setxattr+0x250/0x260 fs/xattr.c:182
       __vfs_setxattr_noperm+0xcc/0x320 fs/xattr.c:216
       __vfs_setxattr_locked+0x16c/0x194 fs/xattr.c:277
       vfs_setxattr+0xf4/0x1f4 fs/xattr.c:309
       do_setxattr fs/xattr.c:594 [inline]
       setxattr fs/xattr.c:617 [inline]
       path_setxattr+0x354/0x414 fs/xattr.c:636
       __do_sys_lsetxattr fs/xattr.c:659 [inline]
       __se_sys_lsetxattr fs/xattr.c:655 [inline]
       __arm64_sys_lsetxattr+0x2c/0x40 fs/xattr.c:655
       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
       invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
       el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
       do_el0_svc+0x48/0x140 arch/arm64/kernel/syscall.c:197
       el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
       el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584

-> #0 (&ei->xattr_sem){++++}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3097 [inline]
       check_prevs_add kernel/locking/lockdep.c:3216 [inline]
       validate_chain kernel/locking/lockdep.c:3831 [inline]
       __lock_acquire+0x1530/0x3084 kernel/locking/lockdep.c:5055
       lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5668
       down_read+0x5c/0x78 kernel/locking/rwsem.c:1509
       ext4_find_inline_entry+0x80/0x224 fs/ext4/inline.c:1690
       __ext4_find_entry+0xe8/0xb4c fs/ext4/namei.c:1596
       ext4_find_entry fs/ext4/namei.c:1731 [inline]
       __ext4_unlink+0xa8/0x3e4 fs/ext4/namei.c:3215
       ext4_unlink+0x150/0x200 fs/ext4/namei.c:3291
       vfs_unlink+0x1dc/0x300 fs/namei.c:4252
       do_unlinkat+0x200/0x3dc fs/namei.c:4320
       __do_sys_unlinkat fs/namei.c:4363 [inline]
       __se_sys_unlinkat fs/namei.c:4356 [inline]
       __arm64_sys_unlinkat+0x7c/0xa8 fs/namei.c:4356
       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
       invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
       el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
       do_el0_svc+0x48/0x140 arch/arm64/kernel/syscall.c:197
       el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
       el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ea_inode->i_rwsem#8/1);
                               lock(&ei->xattr_sem);
                               lock(&ea_inode->i_rwsem#8/1);
  lock(&ei->xattr_sem);

 *** DEADLOCK ***

3 locks held by syz-executor246/3073:
 #0: ffff0000ca036460 (sb_writers#3){.+.+}-{0:0}, at: mnt_want_write+0x20/0x64 fs/namespace.c:393
 #1: ffff0000cacbd080 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:791 [inline]
 #1: ffff0000cacbd080 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: do_unlinkat+0xf0/0x3dc fs/namei.c:4303
 #2: ffff0000cacbda10 (&ea_inode->i_rwsem#8/1){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:756 [inline]
 #2: ffff0000cacbda10 (&ea_inode->i_rwsem#8/1){+.+.}-{3:3}, at: vfs_unlink+0x78/0x300 fs/namei.c:4241

stack backtrace:
CPU: 1 PID: 3073 Comm: syz-executor246 Not tainted 6.1.0-rc8-syzkaller-33330-ga5541c0811a0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 print_circular_bug+0x2c4/0x2c8 kernel/locking/lockdep.c:2055
 check_noncircular+0x14c/0x154 kernel/locking/lockdep.c:2177
 check_prev_add kernel/locking/lockdep.c:3097 [inline]
 check_prevs_add kernel/locking/lockdep.c:3216 [inline]
 validate_chain kernel/locking/lockdep.c:3831 [inline]
 __lock_acquire+0x1530/0x3084 kernel/locking/lockdep.c:5055
 lock_acquire+0x100/0x1f8 kernel/locking/lockdep.c:5668
 down_read+0x5c/0x78 kernel/locking/rwsem.c:1509
 ext4_find_inline_entry+0x80/0x224 fs/ext4/inline.c:1690
 __ext4_find_entry+0xe8/0xb4c fs/ext4/namei.c:1596
 ext4_find_entry fs/ext4/namei.c:1731 [inline]
 __ext4_unlink+0xa8/0x3e4 fs/ext4/namei.c:3215
 ext4_unlink+0x150/0x200 fs/ext4/namei.c:3291
 vfs_unlink+0x1dc/0x300 fs/namei.c:4252
 do_unlinkat+0x200/0x3dc fs/namei.c:4320
 __do_sys_unlinkat fs/namei.c:4363 [inline]
 __se_sys_unlinkat fs/namei.c:4356 [inline]
 __arm64_sys_unlinkat+0x7c/0xa8 fs/namei.c:4356
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x140 arch/arm64/kernel/syscall.c:197
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ