iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs/btrfs
History
Filipe Manana a70c6e5731 btrfs: fix lockdep splat and potential deadlock after failure running delayed items 
commit e110f8911ddb93e6f55da14ccbbe705397b30d0b upstream.

When running delayed items we are holding a delayed node's mutex and then
we will attempt to modify a subvolume btree to insert/update/delete the
delayed items. However if have an error during the insertions for example,
btrfs_insert_delayed_items() may return with a path that has locked extent
buffers (a leaf at the very least), and then we attempt to release the
delayed node at __btrfs_run_delayed_items(), which requires taking the
delayed node's mutex, causing an ABBA type of deadlock. This was reported
by syzbot and the lockdep splat is the following:

  WARNING: possible circular locking dependency detected
  6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted
  ------------------------------------------------------
  syz-executor.2/13257 is trying to acquire lock:
  ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256

  but task is already holding lock:
  ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198

  which lock already depends on the new lock.

  the existing dependency chain (in reverse order) is:

  -> #1 (btrfs-tree-00){++++}-{3:3}:
         __lock_release kernel/locking/lockdep.c:5475 [inline]
         lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781
         up_write+0x79/0x580 kernel/locking/rwsem.c:1625
         btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]
         btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239
         search_leaf fs/btrfs/ctree.c:1986 [inline]
         btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230
         btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376
         btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]
         btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]
         __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111
         __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153
         flush_space+0x269/0xe70 fs/btrfs/space-info.c:723
         btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078
         process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600
         worker_thread+0xa63/0x1210 kernel/workqueue.c:2751
         kthread+0x2b8/0x350 kernel/kthread.c:389
         ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145
         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

  -> #0 (&delayed_node->mutex){+.+.}-{3:3}:
         check_prev_add kernel/locking/lockdep.c:3142 [inline]
         check_prevs_add kernel/locking/lockdep.c:3261 [inline]
         validate_chain kernel/locking/lockdep.c:3876 [inline]
         __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144
         lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761
         __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603
         __mutex_lock kernel/locking/mutex.c:747 [inline]
         mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799
         __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256
         btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]
         __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156
         btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276
         btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988
         vfs_fsync_range fs/sync.c:188 [inline]
         vfs_fsync fs/sync.c:202 [inline]
         do_fsync fs/sync.c:212 [inline]
         __do_sys_fsync fs/sync.c:220 [inline]
         __se_sys_fsync fs/sync.c:218 [inline]
         __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218
         do_syscall_x64 arch/x86/entry/common.c:50 [inline]
         do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
         entry_SYSCALL_64_after_hwframe+0x63/0xcd

  other info that might help us debug this:

   Possible unsafe locking scenario:

         CPU0                    CPU1
         ----                    ----
    lock(btrfs-tree-00);
                                 lock(&delayed_node->mutex);
                                 lock(btrfs-tree-00);
    lock(&delayed_node->mutex);

   *** DEADLOCK ***

  3 locks held by syz-executor.2/13257:
   #0: ffff88802c1ee370 (btrfs_trans_num_writers){++++}-{0:0}, at: spin_unlock include/linux/spinlock.h:391 [inline]
   #0: ffff88802c1ee370 (btrfs_trans_num_writers){++++}-{0:0}, at: join_transaction+0xb87/0xe00 fs/btrfs/transaction.c:287
   #1: ffff88802c1ee398 (btrfs_trans_num_extwriters){++++}-{0:0}, at: join_transaction+0xbb2/0xe00 fs/btrfs/transaction.c:288
   #2: ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198

  stack backtrace:
  CPU: 0 PID: 13257 Comm: syz-executor.2 Not tainted 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
  Call Trace:
   <TASK>
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
   check_noncircular+0x375/0x4a0 kernel/locking/lockdep.c:2195
   check_prev_add kernel/locking/lockdep.c:3142 [inline]
   check_prevs_add kernel/locking/lockdep.c:3261 [inline]
   validate_chain kernel/locking/lockdep.c:3876 [inline]
   __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144
   lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761
   __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603
   __mutex_lock kernel/locking/mutex.c:747 [inline]
   mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799
   __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256
   btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]
   __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156
   btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276
   btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988
   vfs_fsync_range fs/sync.c:188 [inline]
   vfs_fsync fs/sync.c:202 [inline]
   do_fsync fs/sync.c:212 [inline]
   __do_sys_fsync fs/sync.c:220 [inline]
   __se_sys_fsync fs/sync.c:218 [inline]
   __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
  RIP: 0033:0x7f3ad047cae9
  Code: 28 00 00 00 75 (...)
  RSP: 002b:00007f3ad12510c8 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
  RAX: ffffffffffffffda RBX: 00007f3ad059bf80 RCX: 00007f3ad047cae9
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
  RBP: 00007f3ad04c847a R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
  R13: 000000000000000b R14: 00007f3ad059bf80 R15: 00007ffe56af92f8
   </TASK>
  ------------[ cut here ]------------

Fix this by releasing the path before releasing the delayed node in the
error path at __btrfs_run_delayed_items().

Reported-by: syzbot+a379155f07c134ea9879@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/000000000000abba27060403b5bd@google.com/
CC: stable@vger.kernel.org # 4.14+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-09-23 11:00:06 +02:00
..
tests
btrfs: remove pointless and double ulist frees in error paths of qgroup tests
2022-11-25 17:42:13 +01:00
acl.c
async-thread.c
btrfs: fix memory ordering between normal and ordered work functions
2021-11-26 10:47:21 +01:00
async-thread.h
Btrfs: fix crash during unmount due to race with delayed inode workers
2020-04-17 10:50:15 +02:00
backref.c
btrfs: fix resolving backrefs for inline extent followed by prealloc
2023-01-18 11:41:46 +01:00
backref.h
btrfs: fiemap: preallocate ulists for btrfs_check_shared
2019-07-01 13:34:53 +02:00
block-group.c
btrfs: reset block group chunk force if we have to wait
2022-08-25 11:18:11 +02:00
block-group.h
btrfs: scrub: Don't check free space before marking a block group RO
2021-03-20 10:39:46 +01:00
block-rsv.c
btrfs: don't free qgroup space unless specified
2023-05-17 11:36:00 +02:00
block-rsv.h
btrfs: migrate the global_block_rsv helpers to block-rsv.c
2019-07-02 12:30:55 +02:00
btrfs_inode.h
btrfs: fix race between marking inode needs to be logged and log syncing
2021-09-03 10:08:15 +02:00
check-integrity.c
btrfs: fix possible NULL-pointer dereference in integrity checks
2020-02-24 08:36:53 +01:00
check-integrity.h
compression.c
btrfs: mark compressed range uptodate only if all bio succeed
2021-08-04 12:27:37 +02:00
compression.h
btrfs: compression: replace set_level callbacks by a common helper
2019-09-09 14:59:11 +02:00
ctree.c
btrfs: fix extent buffer leak after tree mod log failure at split_node()
2023-08-11 11:53:44 +02:00
ctree.h
btrfs: move btrfs_pinned_by_swapfile prototype into volumes.h
2023-09-23 11:00:05 +02:00
delalloc-space.c
btrfs: make btrfs_qgroup_reserve_data take btrfs_inode
2021-08-15 13:08:04 +02:00
delalloc-space.h
btrfs: migrate the delalloc space stuff to it's own home
2019-07-04 17:26:17 +02:00
delayed-inode.c
btrfs: fix lockdep splat and potential deadlock after failure running delayed items
2023-09-23 11:00:06 +02:00
delayed-inode.h
delayed-ref.c
Btrfs: fix race between adding and putting tree mod seq elements and nodes
2020-02-11 04:35:34 -08:00
delayed-ref.h
btrfs: migrate the delayed refs rsv code
2019-07-04 17:26:17 +02:00
dev-replace.c
btrfs: add info when mount fails due to stale replace target
2022-09-05 10:27:43 +02:00
dev-replace.h
dir-item.c
btrfs: unify lookup return value when dir entry is missing
2022-09-05 10:27:46 +02:00
disk-io.c
btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super
2023-09-23 11:00:05 +02:00
disk-io.h
btrfs: Make reada_tree_block_flagged private
2019-09-09 14:59:11 +02:00
export.c
btrfs: fix type of parameter generation in btrfs_get_dentry
2022-11-10 17:57:55 +01:00
export.h
btrfs: fix type of parameter generation in btrfs_get_dentry
2022-11-10 17:57:55 +01:00
extent_io.c
btrfs: don't stop integrity writeback too early
2023-08-16 18:19:24 +02:00
extent_io.h
btrfs: fix qgroup reserve overflow the qgroup limit
2022-04-15 14:18:39 +02:00
extent_map.c
Btrfs: fix race between using extent maps and merging them
2020-02-19 19:53:00 +01:00
extent_map.h
extent-tree.c
btrfs: output extra debug info if we failed to find an inline backref
2023-09-23 11:00:02 +02:00
file-item.c
btrfs: handle memory allocation failure in btrfs_csum_one_bio
2023-06-21 15:44:09 +02:00
file.c
btrfs: fix race between marking inode needs to be logged and log syncing
2021-09-03 10:08:15 +02:00
free-space-cache.c
btrfs: fix space cache inconsistency after error loading it from disk
2023-05-30 12:44:04 +01:00
free-space-cache.h
btrfs: move struct io_ctl to free-space-cache.h
2019-09-09 14:59:15 +02:00
free-space-tree.c
btrfs: fix possible free space tree corruption with online conversion
2021-02-03 23:25:57 +01:00
free-space-tree.h
btrfs: move basic block_group definitions to their own header
2019-09-09 14:59:03 +02:00
inode-item.c
btrfs: Make btrfs_find_name_in_ext_backref return struct btrfs_inode_extref
2019-09-09 14:59:16 +02:00
inode-map.c
btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents()
2019-10-15 18:50:07 +02:00
inode-map.h
inode.c
btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid
2023-05-30 12:44:04 +01:00
ioctl.c
btrfs: fix race between quota disable and quota assign ioctls
2023-08-11 11:53:54 +02:00
Kconfig
btrfs: disable build on platforms having page size 256K
2021-07-14 16:53:14 +02:00
locking.c
btrfs: move cond_wake_up functions out of ctree
2019-09-09 14:59:15 +02:00
locking.h
btrfs: Remove unused locking functions
2019-09-09 14:58:59 +02:00
lzo.c
btrfs: compression: replace set_level callbacks by a common helper
2019-09-09 14:59:11 +02:00
Makefile
btrfs: migrate the block group lookup code
2019-09-09 14:59:04 +02:00
misc.h
btrfs: move math functions to misc.h
2019-09-09 14:59:15 +02:00
ordered-data.c
Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents
2020-02-28 17:22:24 +01:00
ordered-data.h
btrfs: don't assume ordered sums to be 4 bytes
2019-07-01 13:35:00 +02:00
orphan.c
print-tree.c
btrfs: print-tree: parent bytenr must be aligned to sector size
2023-05-17 11:36:00 +02:00
print-tree.h
props.c
btrfs: rename the btrfs_calc_*_metadata_size helpers
2019-09-09 14:59:13 +02:00
props.h
qgroup.c
btrfs: fix race between quota disable and quota assign ioctls
2023-08-11 11:53:54 +02:00
qgroup.h
btrfs: qgroup: catch reserved space leaks at unmount time
2023-08-11 11:53:44 +02:00
raid56.c
btrfs: raid56: don't trust any cached sector in __raid56_parity_recover()
2022-08-25 11:18:40 +02:00
raid56.h
btrfs: constify map parameter for nr_parity_stripes and nr_data_stripes
2019-07-01 13:34:58 +02:00
rcu-string.h
btrfs: replace strncpy() with strscpy()
2023-01-18 11:41:52 +01:00
reada.c
btrfs: fix readahead hang and use-after-free after removing a device
2020-11-05 11:43:27 +01:00
ref-verify.c
btrfs: ref-verify: fix memory leak in btrfs_ref_tree_mod
2020-11-18 19:20:28 +01:00
ref-verify.h
relocation.c
btrfs: unset reloc control if transaction commit fails in prepare_to_relocate()
2023-06-14 10:59:59 +02:00
root-tree.c
btrfs: fix silent failure when deleting root reference
2022-09-05 10:27:43 +02:00
scrub.c
btrfs: scrub: try to fix super block errors
2022-10-26 13:22:55 +02:00
send.c
btrfs: send: limit number of clones and allocated memory size
2023-03-03 11:41:48 +01:00
send.h
space-info.c
btrfs: prevent __btrfs_dump_space_info() to underflow its free space
2021-09-30 10:09:22 +02:00
space-info.h
btrfs: take overcommit into account in inc_block_group_ro
2020-10-17 10:11:21 +02:00
struct-funcs.c
btrfs: tie extent buffer and it's token together
2019-09-09 14:59:16 +02:00
super.c
btrfs: fix fast csum implementation detection
2023-04-20 12:07:35 +02:00
sysfs.c
btrfs: sysfs: normalize the error handling branch in btrfs_init_sysfs()
2022-12-08 11:23:01 +01:00
sysfs.h
btrfs: sysfs: move helper macros to sysfs.c
2019-09-09 14:59:08 +02:00
transaction.c
btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
2023-09-23 11:00:00 +02:00
transaction.h
btrfs: fix race between marking inode needs to be logged and log syncing
2021-09-03 10:08:15 +02:00
tree-checker.c
btrfs: tree-checker: check for overlapping extent items
2022-09-05 10:27:47 +02:00
tree-checker.h
tree-defrag.c
tree-log.c
btrfs: unify lookup return value when dir entry is missing
2022-09-05 10:27:46 +02:00
tree-log.h
btrfs: do not commit logs and transactions during link and rename operations
2021-08-08 09:04:07 +02:00
ulist.c
ulist.h
uuid-tree.c
btrfs: handle ENOENT in btrfs_uuid_tree_iterate
2019-12-31 16:42:05 +01:00
volumes.c
btrfs: add a helper to read the superblock metadata_uuid
2023-09-23 11:00:05 +02:00
volumes.h
btrfs: add a helper to read the superblock metadata_uuid
2023-09-23 11:00:05 +02:00
xattr.c
btrfs: check if root is readonly while setting security xattr
2022-09-05 10:27:43 +02:00
xattr.h
zlib.c
btrfs: zlib: zero-initialize zlib workspace
2023-02-22 12:50:30 +01:00
zstd.c
btrfs: move cond_wake_up functions out of ctree
2019-09-09 14:59:15 +02:00