Message-ID: <CADCV8sr-X2exO_GR00vtpLOfL659nggQDXU=mHH=aja+a5uSEA@mail.gmail.com>
Date: Sun, 9 Feb 2025 17:56:10 +0800
From: Liebes Wang <wanghaichi0403@...il.com>
To: mark@...heh.com, jlbec@...lplan.org, 
	Joseph Qi <joseph.qi@...ux.alibaba.com>, ocfs2-devel@...ts.linux.dev, 
	linux-kernel@...r.kernel.org
Cc: syzkaller@...glegroups.com
Subject: Kernel bug report: "possible deadlock in ocfs2_page_mkwrite"

Dear Linux maintainers and reviewers:

We are reporting a Linux kernel bug titled **possible deadlock in
ocfs2_page_mkwrite**, discovered using a modified version of Syzkaller.

Linux version: bb066fe812d6fb3a9d01c073d9f1e2fd5a63403b

The bisection log identifies the first commit that introduced the bug as
5fc8cbe4cf0fd34ded8045c385790c3bf04f6785
(5fc8cbe4cf0f "rcu-tasks: Avoid pr_info() with spin lock in
cblist_init_generic()")

The test case, kernel config and full bisection log are attached.

The report is as follows (the full report is attached):
WARNING: possible circular locking dependency detected
6.13.0-rc6-g2144da25584e #1 Not tainted
------------------------------------------------------
syz.6.75/4548 is trying to acquire lock:
ff110001359d14a0 (&oi->ip_alloc_sem){++++}-{4:4}, at:
ocfs2_page_mkwrite+0x29c/0xca0 -new/fs/ocfs2/mmap.c:142

but task is already holding lock:
ff1100015e45c4f0 (sb_pagefaults#3){.+.+}-{0:0}, at:
do_page_mkwrite+0x17d/0x380 -new/mm/memory.c:3176

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (sb_pagefaults#3){.+.+}-{0:0}:
       percpu_down_read -new/include/linux/percpu-rwsem.h:51 [inline]
       __sb_start_write -new/include/linux/fs.h:1725 [inline]
       sb_start_pagefault -new/include/linux/fs.h:1890 [inline]
       ocfs2_page_mkwrite+0x17b/0xca0 -new/fs/ocfs2/mmap.c:122
       do_page_mkwrite+0x17d/0x380 -new/mm/memory.c:3176
       wp_page_shared -new/mm/memory.c:3577 [inline]
       do_wp_page+0x1041/0x2f40 -new/mm/memory.c:3727
       handle_pte_fault -new/mm/memory.c:5817 [inline]
       __handle_mm_fault+0xdb1/0x3020 -new/mm/memory.c:5944
       handle_mm_fault+0x2b8/0x6b0 -new/mm/memory.c:6112
       faultin_page -new/mm/gup.c:1196 [inline]
       __get_user_pages+0x599/0x3650 -new/mm/gup.c:1494
       __get_user_pages_locked -new/mm/gup.c:1760 [inline]
       faultin_page_range+0x248/0x950 -new/mm/gup.c:1984
       madvise_populate -new/mm/madvise.c:951 [inline]
       do_madvise+0x14dc/0x3f20 -new/mm/madvise.c:1681
       __do_sys_madvise -new/mm/madvise.c:1700 [inline]
       __se_sys_madvise -new/mm/madvise.c:1698 [inline]
       __x64_sys_madvise+0xa9/0x110 -new/mm/madvise.c:1698
       do_syscall_x64 -new/arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 -new/arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (&mm->mmap_lock){++++}-{4:4}:
       __might_fault -new/mm/memory.c:6751 [inline]
       __might_fault+0x110/0x190 -new/mm/memory.c:6744
       _inline_copy_to_user -new/include/linux/uaccess.h:192 [inline]
       _copy_to_user+0x2d/0xd0 -new/lib/usercopy.c:26
       copy_to_user -new/include/linux/uaccess.h:225 [inline]
       fiemap_fill_next_extent+0x22c/0x390 -new/fs/ioctl.c:145
       ocfs2_fiemap+0x5fe/0xe10 -new/fs/ocfs2/extent_map.c:796
       ioctl_fiemap -new/fs/ioctl.c:220 [inline]
       do_vfs_ioctl+0x3a3/0x1840 -new/fs/ioctl.c:840
       __do_sys_ioctl -new/fs/ioctl.c:904 [inline]
       __se_sys_ioctl -new/fs/ioctl.c:892 [inline]
       __x64_sys_ioctl+0x11f/0x210 -new/fs/ioctl.c:892
       do_syscall_x64 -new/arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 -new/arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (&oi->ip_alloc_sem){++++}-{4:4}:
       check_prev_add -new/kernel/locking/lockdep.c:3161 [inline]
       check_prevs_add -new/kernel/locking/lockdep.c:3280 [inline]
       validate_chain -new/kernel/locking/lockdep.c:3904 [inline]
       __lock_acquire+0x24a1/0x3b90 -new/kernel/locking/lockdep.c:5226
       lock_acquire -new/kernel/locking/lockdep.c:5849 [inline]
       lock_acquire+0x19b/0x520 -new/kernel/locking/lockdep.c:5814
       down_write+0x92/0x1f0 -new/kernel/locking/rwsem.c:1577
       ocfs2_page_mkwrite+0x29c/0xca0 -new/fs/ocfs2/mmap.c:142
       do_page_mkwrite+0x17d/0x380 -new/mm/memory.c:3176
       wp_page_shared -new/mm/memory.c:3577 [inline]
       do_wp_page+0x1041/0x2f40 -new/mm/memory.c:3727
       handle_pte_fault -new/mm/memory.c:5817 [inline]
       __handle_mm_fault+0xdb1/0x3020 -new/mm/memory.c:5944
       handle_mm_fault+0x2b8/0x6b0 -new/mm/memory.c:6112
       faultin_page -new/mm/gup.c:1196 [inline]
       __get_user_pages+0x599/0x3650 -new/mm/gup.c:1494
       __get_user_pages_locked -new/mm/gup.c:1760 [inline]
       faultin_page_range+0x248/0x950 -new/mm/gup.c:1984
       madvise_populate -new/mm/madvise.c:951 [inline]
       do_madvise+0x14dc/0x3f20 -new/mm/madvise.c:1681
       __do_sys_madvise -new/mm/madvise.c:1700 [inline]
       __se_sys_madvise -new/mm/madvise.c:1698 [inline]
       __x64_sys_madvise+0xa9/0x110 -new/mm/madvise.c:1698
       do_syscall_x64 -new/arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 -new/arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

Content of type "text/html" skipped

Download attachment "bisect.log" of type "application/octet-stream" (26267 bytes)

Download attachment "report4" of type "application/octet-stream" (9479 bytes)

Download attachment "kconfig" of type "application/octet-stream" (149021 bytes)

Download attachment "repro.cprog" of type "application/octet-stream" (96755 bytes)
