| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <679cac23.050a0220.163cdc.0007.GAE@google.com>
Date: Fri, 31 Jan 2025 02:55:31 -0800
From: syzbot <syzbot+d27edf9f96ae85939222@...kaller.appspotmail.com>
To: almaz.alexandrovich@...agon-software.com, linux-kernel@...r.kernel.org,
ntfs3@...ts.linux.dev, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [ntfs3?] possible deadlock in ntfs_look_for_free_space
syzbot has found a reproducer for the following issue on:
HEAD commit: 1950a0af2d55 Merge tag 'arm64-upstream' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=10404518580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cc031f8aa606a448
dashboard link: https://syzkaller.appspot.com/bug?extid=d27edf9f96ae85939222
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=118aab64580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15865ddf980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f7a210b6e168/disk-1950a0af.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fffe4bd5b59c/vmlinux-1950a0af.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b5e6fc6340b2/Image-1950a0af.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/8ae15bf11712/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/3b6c55850042/mount_3.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d27edf9f96ae85939222@...kaller.appspotmail.com
ntfs3(loop3): Different NTFS sector size (4096) and media sector size (512).
ntfs3(loop3): Mark volume as dirty due to NTFS errors
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Not tainted
------------------------------------------------------
syz-executor323/6469 is trying to acquire lock:
ffff0000c9402270 (&wnd->rw_lock){++++}-{4:4}, at: ntfs_look_for_free_space+0xe4/0x58c fs/ntfs3/fsntfs.c:362
but task is already holding lock:
ffff0000dca92dc0 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_set_size+0x130/0x200 fs/ntfs3/inode.c:852
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ni->file.run_lock#2){++++}-{4:4}:
down_read+0x58/0x2fc kernel/locking/rwsem.c:1524
run_unpack_ex+0x43c/0x7fc fs/ntfs3/run.c:1119
ntfs_read_mft fs/ntfs3/inode.c:401 [inline]
ntfs_iget5+0x15b4/0x2c60 fs/ntfs3/inode.c:537
dir_search_u+0x298/0x324 fs/ntfs3/dir.c:264
ntfs_lookup+0x108/0x1f8 fs/ntfs3/namei.c:85
lookup_open fs/namei.c:3627 [inline]
open_last_lookups fs/namei.c:3748 [inline]
path_openat+0xf7c/0x2b14 fs/namei.c:3984
do_filp_open+0x1e8/0x404 fs/namei.c:4014
do_sys_openat2+0x124/0x1b8 fs/open.c:1402
do_sys_open fs/open.c:1417 [inline]
__do_sys_openat fs/open.c:1433 [inline]
__se_sys_openat fs/open.c:1428 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1428
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
-> #0 (&wnd->rw_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x34f0/0x7904 kernel/locking/lockdep.c:5226
lock_acquire+0x23c/0x724 kernel/locking/lockdep.c:5849
down_write_nested+0x58/0xcc kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0xe4/0x58c fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1dc/0x85c fs/ntfs3/attrib.c:159
attr_set_size+0x192c/0x3468 fs/ntfs3/attrib.c:574
ntfs_set_size+0x158/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x19c/0x8e8 fs/ntfs3/file.c:409
ntfs_setattr+0x220/0x95c fs/ntfs3/file.c:826
notify_change+0x9f0/0xca0 fs/attr.c:552
do_truncate+0x1c0/0x28c fs/open.c:65
vfs_truncate+0x2b8/0x360 fs/open.c:111
do_sys_truncate+0xe8/0x1ac fs/open.c:134
__do_sys_truncate fs/open.c:146 [inline]
__se_sys_truncate fs/open.c:144 [inline]
__arm64_sys_truncate+0x5c/0x70 fs/open.c:144
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
lock(&ni->file.run_lock#2);
lock(&wnd->rw_lock);
*** DEADLOCK ***
4 locks held by syz-executor323/6469:
#0: ffff0000c9404420 (sb_writers#10){.+.+}-{0:0}, at: mnt_want_write+0x44/0x9c fs/namespace.c:516
#1: ffff0000dca92fa8 (&sb->s_type->i_mutex_key#18){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
#1: ffff0000dca92fa8 (&sb->s_type->i_mutex_key#18){+.+.}-{4:4}, at: do_truncate+0x1ac/0x28c fs/open.c:63
#2: ffff0000dca92d10 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ni_lock fs/ntfs3/ntfs_fs.h:1110 [inline]
#2: ffff0000dca92d10 (&ni->ni_lock#3/5){+.+.}-{4:4}, at: ntfs_set_size+0x124/0x200 fs/ntfs3/inode.c:851
#3: ffff0000dca92dc0 (&ni->file.run_lock#2){++++}-{4:4}, at: ntfs_set_size+0x130/0x200 fs/ntfs3/inode.c:852
stack backtrace:
CPU: 0 UID: 0 PID: 6469 Comm: syz-executor323 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
dump_stack+0x1c/0x28 lib/dump_stack.c:129
print_circular_bug+0x154/0x1c0 kernel/locking/lockdep.c:2074
check_noncircular+0x310/0x404 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain kernel/locking/lockdep.c:3904 [inline]
__lock_acquire+0x34f0/0x7904 kernel/locking/lockdep.c:5226
lock_acquire+0x23c/0x724 kernel/locking/lockdep.c:5849
down_write_nested+0x58/0xcc kernel/locking/rwsem.c:1693
ntfs_look_for_free_space+0xe4/0x58c fs/ntfs3/fsntfs.c:362
attr_allocate_clusters+0x1dc/0x85c fs/ntfs3/attrib.c:159
attr_set_size+0x192c/0x3468 fs/ntfs3/attrib.c:574
ntfs_set_size+0x158/0x200 fs/ntfs3/inode.c:854
ntfs_extend+0x19c/0x8e8 fs/ntfs3/file.c:409
ntfs_setattr+0x220/0x95c fs/ntfs3/file.c:826
notify_change+0x9f0/0xca0 fs/attr.c:552
do_truncate+0x1c0/0x28c fs/open.c:65
vfs_truncate+0x2b8/0x360 fs/open.c:111
do_sys_truncate+0xe8/0x1ac fs/open.c:134
__do_sys_truncate fs/open.c:146 [inline]
__se_sys_truncate fs/open.c:144 [inline]
__arm64_sys_truncate+0x5c/0x70 fs/open.c:144
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Powered by blists - more mailing lists