Re: [PATCH] ocfs2: fix deadlock when creating quota file

[Joseph Qi]

On 2/28/26 3:06 PM, Heming Zhao wrote:
> On Sat, Feb 28, 2026 at 02:01:55PM +0800, Joseph Qi wrote:
>> Hi Heming,
>>
>> On 2/24/26 4:48 PM, Heming Zhao wrote:
>>> syzbot detected a circular locking dependency. the scenarios:
>>>
>>>         CPU0                    CPU1
>>>         ----                    ----
>>>    lock(&ocfs2_quota_ip_alloc_sem_key);
>>>                                 lock(&ocfs2_sysfile_lock_key[USER_QUOTA_SYSTEM_INODE]);
>>>                                 lock(&ocfs2_quota_ip_alloc_sem_key);
>>>    lock(&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]);
>>>
>>> or:
>>>        CPU0                    CPU1
>>>        ----                    ----
>>>   lock(&ocfs2_quota_ip_alloc_sem_key);
>>>                                lock(&dquot->dq_lock);
>>>                                lock(&ocfs2_quota_ip_alloc_sem_key);
>>>   lock(&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]);
>>>
>>> Following are the code paths for above scenarios:
>>>
>>> path_openat
>>>  ocfs2_create
>>>   ocfs2_mknod
>>>   + ocfs2_reserve_new_inode
>>>   |  ocfs2_reserve_suballoc_bits
>>>   |   inode_lock(alloc_inode) //C0: hold INODE_ALLOC_SYSTEM_INODE
>>>   |    //at end of this func, ocfs2_free_alloc_context(inode_ac) calls inode_unlock
>>>   |
>>>   + ocfs2_get_init_inode
>>>      __dquot_initialize
>>>       dqget
>>>        ocfs2_acquire_dquot
>>>        + ocfs2_lock_global_qf
>>>        |  down_write(&OCFS2_I(oinfo->dqi_gqinode)->ip_alloc_sem)//A2:grabbing
>>>        + ocfs2_create_local_dquot
>>>           down_write(&OCFS2_I(lqinode)->ip_alloc_sem)//A3:grabbing
>>>
>>> evict
>>>  ocfs2_evict_inode
>>>   ocfs2_delete_inode
>>>    ocfs2_wipe_inode
>>>     + inode_lock(orphan_dir_inode) //B0:hold
>>>     + ...
>>>     + ocfs2_remove_inode
>>>        inode_lock(inode_alloc_inode) //INODE_ALLOC_SYSTEM_INODE
>>>         down_write(&inode->i_rwsem) //C1:grabbing
>>>
>>> generic_file_direct_write
>>>  ocfs2_direct_IO
>>>   __blockdev_direct_IO
>>>    dio_complete
>>>     ocfs2_dio_end_io
>>>      ocfs2_dio_end_io_write
>>>      + down_write(&oi->ip_alloc_sem) //A0:hold
>>>      + ocfs2_del_inode_from_orphan
>>>         inode_lock(orphan_dir_inode) //B1:grabbing
>>>
>>> Root cause for the circular locking:
>>>
>>> DIO completion path:
>>>  holds oi->ip_alloc_sem and is trying to acquire the orphan_dir_inode lock.
>>>
>>> evict path:
>>>  holds the orphan_dir_inode lock and is trying to acquire the
>>>  inode_alloc_inode lock.
>>>
>>> ocfs2_mknod path:
>>>  Holds the inode_alloc_inode lock (to allocate a new quota file) and is
>>>  blocked waiting for oi->ip_alloc_sem in ocfs2_acquire_dquot().
>>>
>>
>> When running into ocfs2_mknod->ocfs2_get_init_inode,
>> ocfs2_reserve_new_inode is finished and INODE_ALLOC_SYSTEM_INODE gets
>> unlocked in ocfs2_free_ac_resource at the end.
>> So I get confused about the above deadlock sequence.
>> Am I missing something?
>>
>> Joseph
> 
> ocfs2_reserve_new_inode only releases 'ac' when an error occurs (note the if
> condition: 'status< 0'). The normal path for releasing 'ac' is at the end of
> the caller ocfs2_mknod.
> 

I'm saying the calling ocfs2_free_ac_resource() at line 1170.
But take a look at it more, this will only be called in case ENOSPC
(the case of inode steal).
So I'm fine now.

Joseph