Message-ID: <CADCV8soG_heAqXKFQZahO64CUwrMuRbuqxrsYV5M4CsYt34bfg@mail.gmail.com>
Date: Tue, 31 Dec 2024 14:02:25 +0800
From: Liebes Wang <wanghaichi0403@...il.com>
To: mark@...heh.com, jlbec@...lplan.org, joseph.qi@...ux.alibaba.com, 
	ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org
Cc: syzkaller@...glegroups.com
Subject: possible deadlock in ocfs2_reserve_suballoc_bits

Dear Linux maintainers and reviewers:

We are reporting a Linux kernel bug titled **possible deadlock in
ocfs2_reserve_suballoc_bits**, discovered using a modified version of
Syzkaller.

Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (the crash is
also reproduced in the latest kernel version).
The test case and kernel config are attached.

The report is (The full report is attached):

WARNING: possible circular locking dependency detected
6.12.0-rc6 #1 Not tainted
------------------------------------------------------
syz.3.114/4759 is trying to acquire lock:
ff1100015293b480
(&ocfs2_sysfile_lock_key[args->fi_sysfile_type]#5){+.+.}-{3:3}, at:
inode_lock include/linux/fs.h:815 [inline]
ff1100015293b480
(&ocfs2_sysfile_lock_key[args->fi_sysfile_type]#5){+.+.}-{3:3}, at:
ocfs2_xattr_set+0xe5a/0x27b0 fs/ocfs2/xattr.c:3623

but task is already holding lock:
ff1100015e045c78 (&oi->ip_xattr_sem){++++}-{3:3}, at:
ocfs2_xattr_set+0x3e2/0x27b0 fs/ocfs2/xattr.c:3584

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&oi->ip_xattr_sem){++++}-{3:3}:
       down_read+0x9a/0x320 kernel/locking/rwsem.c:1524
       ocfs2_init_acl+0x2f7/0x7d0 fs/ocfs2/acl.c:366
       ocfs2_mknod+0xdac/0x24c0 fs/ocfs2/namei.c:408
       ocfs2_create+0x167/0x420 fs/ocfs2/namei.c:672
       lookup_open.isra.0+0x106e/0x1450 fs/namei.c:3595
       open_last_lookups fs/namei.c:3694 [inline]
       path_openat+0xcb9/0x2940 fs/namei.c:3930
       do_filp_open+0x1c7/0x410 fs/namei.c:3960
       do_sys_openat2+0x164/0x1d0 fs/open.c:1415
       do_sys_open fs/open.c:1430 [inline]
       __do_sys_openat fs/open.c:1446 [inline]
       __se_sys_openat fs/open.c:1441 [inline]
       __x64_sys_openat+0x140/0x1f0 fs/open.c:1441
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (jbd2_handle){++++}-{0:0}:
       jbd2_journal_lock_updates+0xa5/0x310 fs/jbd2/transaction.c:865
       __ocfs2_flush_truncate_log+0x27d/0x11d0 fs/ocfs2/alloc.c:6029
       ocfs2_flush_truncate_log+0x4d/0x70 fs/ocfs2/alloc.c:6076
       ocfs2_sync_fs+0x1ca/0x3d0 fs/ocfs2/super.c:402
       sync_filesystem+0x1d3/0x2a0 fs/sync.c:66
       ocfs2_remount+0xb0/0xcb0 fs/ocfs2/super.c:611
       legacy_reconfigure+0x11d/0x190 fs/fs_context.c:685
       reconfigure_super+0x372/0xba0 fs/super.c:1083
       do_remount fs/namespace.c:3047 [inline]
       path_mount+0x189d/0x1eb0 fs/namespace.c:3826
       do_mount fs/namespace.c:3847 [inline]
       __do_sys_mount fs/namespace.c:4057 [inline]
       __se_sys_mount fs/namespace.c:4034 [inline]
       __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]#5){+.+.}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3161 [inline]
       check_prevs_add kernel/locking/lockdep.c:3280 [inline]
       validate_chain kernel/locking/lockdep.c:3904 [inline]
       __lock_acquire+0x2381/0x3a20 kernel/locking/lockdep.c:5202
       lock_acquire kernel/locking/lockdep.c:5825 [inline]
       lock_acquire+0x19d/0x530 kernel/locking/lockdep.c:5790
       down_write+0x92/0x1f0 kernel/locking/rwsem.c:1577
       inode_lock include/linux/fs.h:815 [inline]
       ocfs2_xattr_set+0xe5a/0x27b0 fs/ocfs2/xattr.c:3623
       ocfs2_set_acl+0x46f/0x530 fs/ocfs2/acl.c:254
       ocfs2_iop_set_acl+0x1d2/0x270 fs/ocfs2/acl.c:286
       set_posix_acl+0x25e/0x330 fs/posix_acl.c:955
       vfs_set_acl+0x5b7/0x920 fs/posix_acl.c:1134
       do_set_acl+0xd9/0x1a0 fs/posix_acl.c:1279
       do_setxattr+0xdf/0x1e0 fs/xattr.c:626
       path_setxattr+0x209/0x260 fs/xattr.c:658
       __do_sys_setxattr fs/xattr.c:676 [inline]
       __se_sys_setxattr fs/xattr.c:672 [inline]
       __x64_sys_setxattr+0xc4/0x160 fs/xattr.c:672
loop0: detected capacity change from 0 to 32768
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  &ocfs2_sysfile_lock_key[args->fi_sysfile_type]#5 --> jbd2_handle -->
&oi->ip_xattr_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&oi->ip_xattr_sem);
                               lock(jbd2_handle);
                               lock(&oi->ip_xattr_sem);
  lock(&ocfs2_sysfile_lock_key[args->fi_sysfile_type]#5);

 *** DEADLOCK ***

3 locks held by syz.3.114/4759:
 #0: ff1100012f4763f8 (sb_writers#28){.+.+}-{0:0}, at:
path_setxattr+0x12d/0x260 fs/xattr.c:656
 #1: ff1100015e045f40 (&sb->s_type->i_mutex_key#30){+.+.}-{3:3}, at:
inode_lock include/linux/fs.h:815 [inline]
 #1: ff1100015e045f40 (&sb->s_type->i_mutex_key#30){+.+.}-{3:3}, at:
vfs_set_acl+0x351/0x920 fs/posix_acl.c:1115
 #2: ff1100015e045c78 (&oi->ip_xattr_sem){++++}-{3:3}, at:
ocfs2_xattr_set+0x3e2/0x27b0 fs/ocfs2/xattr.c:3584

stack backtrace:
CPU: 1 UID: 0 PID: 4759 Comm: syz.3.114 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
 print_circular_bug+0x53f/0x820 kernel/locking/lockdep.c:2074
 check_noncircular+0x2f9/0x3e0 kernel/locking/lockdep.c:2206
 check_prev_add kernel/locking/lockdep.c:3161 [inline]
 check_prevs_add kernel/locking/lockdep.c:3280 [inline]
 validate_chain kernel/locking/lockdep.c:3904 [inline]
 __lock_acquire+0x2381/0x3a20 kernel/locking/lockdep.c:5202
 lock_acquire kernel/locking/lockdep.c:5825 [inline]
 lock_acquire+0x19d/0x530 kernel/locking/lockdep.c:5790
 down_write+0x92/0x1f0 kernel/locking/rwsem.c:1577
 inode_lock include/linux/fs.h:815 [inline]
 ocfs2_xattr_set+0xe5a/0x27b0 fs/ocfs2/xattr.c:3623
 ocfs2_set_acl+0x46f/0x530 fs/ocfs2/acl.c:254
 ocfs2_iop_set_acl+0x1d2/0x270 fs/ocfs2/acl.c:286
 set_posix_acl+0x25e/0x330 fs/posix_acl.c:955
 vfs_set_acl+0x5b7/0x920 fs/posix_acl.c:1134
 do_set_acl+0xd9/0x1a0 fs/posix_acl.c:1279
 do_setxattr+0xdf/0x1e0 fs/xattr.c:626
 path_setxattr+0x209/0x260 fs/xattr.c:658
 __do_sys_setxattr fs/xattr.c:676 [inline]
 __se_sys_setxattr fs/xattr.c:672 [inline]
 __x64_sys_setxattr+0xc4/0x160 fs/xattr.c:672
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f


Download attachment "repro.c" of type "application/octet-stream" (84811 bytes)

Download attachment "report0" of type "application/octet-stream" (8407 bytes)

Download attachment "config" of type "application/octet-stream" (148405 bytes)
