possible deadlock in ocfs2_try_remove_refcount_tree

From: Liebes Wang
Date: Tue Dec 31 2024 - 04:12:38 EST


Dear Linux maintainers and reviewers:

We are reporting a Linux kernel bug titled **possible deadlock in ocfs2_try_remove_refcount_tree**, discovered using a modified version of Syzkaller.

Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (crash is also reproduced in the latest kernel version)
The test case and kernel config is in attach.

The KASAN report is (The full report is attached):

WARNING: possible circular locking dependency detected
6.12.0-rc6 #1 Not tainted
------------------------------------------------------
syz.6.101/4836 is trying to acquire lock:
ff110001317e5be0 (&oi->ip_alloc_sem){++++}-{3:3}, at: ocfs2_try_remove_refcount_tree+0xa6/0x310 fs/ocfs2/refcounttree.c:932

but task is already holding lock:
loop7: detected capacity change from 0 to 32768
ff110001317e5c78 (&oi->ip_xattr_sem){++++}-{3:3}, at: ocfs2_try_remove_refcount_tree+0x9e/0x310 fs/ocfs2/refcounttree.c:931

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&oi->ip_xattr_sem){++++}-{3:3}:
       down_read+0x9a/0x320 kernel/locking/rwsem.c:1524
       ocfs2_init_acl+0x2f7/0x7d0 fs/ocfs2/acl.c:366
       ocfs2_mknod+0xdac/0x24c0 fs/ocfs2/namei.c:408
       ocfs2_create+0x167/0x420 fs/ocfs2/namei.c:672
       lookup_open.isra.0+0x106e/0x1450 fs/namei.c:3595
       open_last_lookups fs/namei.c:3694 [inline]
       path_openat+0xcb9/0x2940 fs/namei.c:3930
       do_filp_open+0x1c7/0x410 fs/namei.c:3960
       do_sys_openat2+0x164/0x1d0 fs/open.c:1415
       do_sys_open fs/open.c:1430 [inline]
       __do_sys_creat fs/open.c:1508 [inline]
       __se_sys_creat fs/open.c:1502 [inline]
       __x64_sys_creat+0xcd/0x120 fs/open.c:1502
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #2 (jbd2_handle){++++}-{0:0}:
       jbd2_journal_lock_updates+0xa5/0x310 fs/jbd2/transaction.c:865
       __ocfs2_flush_truncate_log+0x27d/0x11d0 fs/ocfs2/alloc.c:6029
       ocfs2_flush_truncate_log+0x4d/0x70 fs/ocfs2/alloc.c:6076
       ocfs2_sync_fs+0x1ca/0x3d0 fs/ocfs2/super.c:402
       sync_filesystem+0x1d3/0x2a0 fs/sync.c:66
       generic_shutdown_super+0x84/0x4f0 fs/super.c:621
       kill_block_super+0x3b/0x90 fs/super.c:1710
       deactivate_locked_super+0xbc/0x1a0 fs/super.c:473
       deactivate_super+0xb1/0xd0 fs/super.c:506
       cleanup_mnt+0x2df/0x430 fs/namespace.c:1373
       task_work_run+0x169/0x260 kernel/task_work.c:239
       resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
       exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
       __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
       syscall_exit_to_user_mode+0x1d0/0x1e0 kernel/entry/common.c:218
       do_syscall_64+0xce/0x1d0 arch/x86/entry/common.c:89
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]#6){+.+.}-{3:3}:
       down_write+0x92/0x1f0 kernel/locking/rwsem.c:1577
       inode_lock include/linux/fs.h:815 [inline]
       ocfs2_remove_btree_range+0x318/0x1710 fs/ocfs2/alloc.c:5742
       ocfs2_commit_truncate+0x6da/0x1b30 fs/ocfs2/alloc.c:7353
       ocfs2_truncate_file+0x47d/0x17d0 fs/ocfs2/file.c:509
       ocfs2_setattr+0x140c/0x2320 fs/ocfs2/file.c:1212
       notify_change+0x6d3/0x1270 fs/attr.c:503
       do_truncate+0x143/0x200 fs/open.c:65
       handle_truncate fs/namei.c:3395 [inline]
       do_open fs/namei.c:3778 [inline]
       path_openat+0x22a6/0x2940 fs/namei.c:3933
       do_filp_open+0x1c7/0x410 fs/namei.c:3960
       do_sys_openat2+0x164/0x1d0 fs/open.c:1415
       do_sys_open fs/open.c:1430 [inline]
       __do_sys_creat fs/open.c:1508 [inline]
       __se_sys_creat fs/open.c:1502 [inline]
       __x64_sys_creat+0xcd/0x120 fs/open.c:1502
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (&oi->ip_alloc_sem){++++}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3161 [inline]
       check_prevs_add kernel/locking/lockdep.c:3280 [inline]
       validate_chain kernel/locking/lockdep.c:3904 [inline]
       __lock_acquire+0x2381/0x3a20 kernel/locking/lockdep.c:5202
       lock_acquire kernel/locking/lockdep.c:5825 [inline]
       lock_acquire+0x19d/0x530 kernel/locking/lockdep.c:5790
       down_write+0x92/0x1f0 kernel/locking/rwsem.c:1577
       ocfs2_try_remove_refcount_tree+0xa6/0x310 fs/ocfs2/refcounttree.c:932
       ocfs2_truncate_file+0x9c7/0x17d0 fs/ocfs2/file.c:521
       ocfs2_setattr+0x140c/0x2320 fs/ocfs2/file.c:1212
       notify_change+0x6d3/0x1270 fs/attr.c:503
       do_truncate+0x143/0x200 fs/open.c:65
       handle_truncate fs/namei.c:3395 [inline]
       do_open fs/namei.c:3778 [inline]
       path_openat+0x22a6/0x2940 fs/namei.c:3933
       do_filp_open+0x1c7/0x410 fs/namei.c:3960
       do_sys_openat2+0x164/0x1d0 fs/open.c:1415
       do_sys_open fs/open.c:1430 [inline]
       __do_sys_creat fs/open.c:1508 [inline]
       __se_sys_creat fs/open.c:1502 [inline]
       __x64_sys_creat+0xcd/0x120 fs/open.c:1502
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  &oi->ip_alloc_sem --> jbd2_handle --> &oi->ip_xattr_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&oi->ip_xattr_sem);
                               lock(jbd2_handle);
                               lock(&oi->ip_xattr_sem);
  lock(&oi->ip_alloc_sem);

 *** DEADLOCK ***

3 locks held by syz.6.101/4836:
 #0: ff110001673bc3f8 (sb_writers#22){.+.+}-{0:0}, at: do_open fs/namei.c:3767 [inline]
 #0: ff110001673bc3f8 (sb_writers#22){.+.+}-{0:0}, at: path_openat+0x117d/0x2940 fs/namei.c:3933
 #1: ff110001317e5f40 (&sb->s_type->i_mutex_key#23){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:815 [inline]
 #1: ff110001317e5f40 (&sb->s_type->i_mutex_key#23){+.+.}-{3:3}, at: do_truncate+0x131/0x200 fs/open.c:63
 #2: ff110001317e5c78 (&oi->ip_xattr_sem){++++}-{3:3}, at: ocfs2_try_remove_refcount_tree+0x9e/0x310 fs/ocfs2/refcounttree.c:931

stack backtrace:
CPU: 0 UID: 0 PID: 4836 Comm: syz.6.101 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x120 lib/dump_stack.c:120
 print_circular_bug+0x53f/0x820 kernel/locking/lockdep.c:2074
 check_noncircular+0x2f9/0x3e0 kernel/locking/lockdep.c:2206
 check_prev_add kernel/locking/lockdep.c:3161 [inline]
 check_prevs_add kernel/locking/lockdep.c:3280 [inline]
 validate_chain kernel/locking/lockdep.c:3904 [inline]
 __lock_acquire+0x2381/0x3a20 kernel/locking/lockdep.c:5202
 lock_acquire kernel/locking/lockdep.c:5825 [inline]
 lock_acquire+0x19d/0x530 kernel/locking/lockdep.c:5790
 down_write+0x92/0x1f0 kernel/locking/rwsem.c:1577
 ocfs2_try_remove_refcount_tree+0xa6/0x310 fs/ocfs2/refcounttree.c:932
 ocfs2_truncate_file+0x9c7/0x17d0 fs/ocfs2/file.c:521
 ocfs2_setattr+0x140c/0x2320 fs/ocfs2/file.c:1212
 notify_change+0x6d3/0x1270 fs/attr.c:503
 do_truncate+0x143/0x200 fs/open.c:65
 handle_truncate fs/namei.c:3395 [inline]
 do_open fs/namei.c:3778 [inline]
 path_openat+0x22a6/0x2940 fs/namei.c:3933
 do_filp_open+0x1c7/0x410 fs/namei.c:3960
 do_sys_openat2+0x164/0x1d0 fs/open.c:1415
 do_sys_open fs/open.c:1430 [inline]
 __do_sys_creat fs/open.c:1508 [inline]
 __se_sys_creat fs/open.c:1502 [inline]
 __x64_sys_creat+0xcd/0x120 fs/open.c:1502
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Attachment: repro.c
Description: Binary data

Attachment: report0
Description: Binary data

Attachment: config
Description: Binary data