Update from P615XXS9FXJ1#4
Open
cat658011 wants to merge 3 commits intolinux4-bringup-priv:lineage-22.0from
Open
Update from P615XXS9FXJ1#4cat658011 wants to merge 3 commits intolinux4-bringup-priv:lineage-22.0from
cat658011 wants to merge 3 commits intolinux4-bringup-priv:lineage-22.0from
Conversation
Fede2782
pushed a commit
to Fede2782/android_kernel_samsung_gta4xl-lineage
that referenced
this pull request
Dec 5, 2024
[ Upstream commit f8bbc07ac535593139c875ffa19af924b1084540 ] vhost_worker will call tun call backs to receive packets. If too many illegal packets arrives, tun_do_read will keep dumping packet contents. When console is enabled, it will costs much more cpu time to dump packet and soft lockup will be detected. net_ratelimit mechanism can be used to limit the dumping rate. PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980" #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253 linux4-bringup-priv#1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3 linux4-bringup-priv#2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e linux4-bringup-priv#3 [fffffe00003fced0] do_nmi at ffffffff8922660d linux4-bringup-priv#4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663 [exception RIP: io_serial_in+20] RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002 RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000 RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0 RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020 R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 linux4-bringup-priv#5 [ffffa655314979e8] io_serial_in at ffffffff89792594 linux4-bringup-priv#6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470 linux4-bringup-priv#7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6 #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605 #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558 #10 [ffffa65531497ac8] console_unlock at ffffffff89316124 #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07 #12 [ffffa65531497b68] printk at ffffffff89318306 #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765 #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun] #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun] #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net] #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost] #18 [ffffa65531497f10] kthread at ffffffff892d2e72 #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f Fixes: ef3db4a ("tun: avoid BUG, dump packet on GSO errors") Signed-off-by: Lei Chen <lei.chen@smartx.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Acked-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Link: https://lore.kernel.org/r/20240415020247.2207781-1-lei.chen@smartx.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 68459b8e3ee554ce71878af9eb69659b9462c588) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Linux4
pushed a commit
that referenced
this pull request
Dec 24, 2024
commit 22f00812862564b314784167a89f27b444f82a46 upstream. The syzbot fuzzer found that the interrupt-URB completion callback in the cdc-wdm driver was taking too long, and the driver's immediate resubmission of interrupt URBs with -EPROTO status combined with the dummy-hcd emulation to cause a CPU lockup: cdc_wdm 1-1:1.0: nonzero urb status received: -71 cdc_wdm 1-1:1.0: wdm_int_callback - 0 bytes watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [syz-executor782:6625] CPU#0 Utilization every 4s during lockup: #1: 98% system, 0% softirq, 3% hardirq, 0% idle #2: 98% system, 0% softirq, 3% hardirq, 0% idle #3: 98% system, 0% softirq, 3% hardirq, 0% idle #4: 98% system, 0% softirq, 3% hardirq, 0% idle #5: 98% system, 1% softirq, 3% hardirq, 0% idle Modules linked in: irq event stamp: 73096 hardirqs last enabled at (73095): [<ffff80008037bc00>] console_emit_next_record kernel/printk/printk.c:2935 [inline] hardirqs last enabled at (73095): [<ffff80008037bc00>] console_flush_all+0x650/0xb74 kernel/printk/printk.c:2994 hardirqs last disabled at (73096): [<ffff80008af10b00>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (73096): [<ffff80008af10b00>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (73048): [<ffff8000801ea530>] softirq_handle_end kernel/softirq.c:400 [inline] softirqs last enabled at (73048): [<ffff8000801ea530>] handle_softirqs+0xa60/0xc34 kernel/softirq.c:582 softirqs last disabled at (73043): [<ffff800080020de8>] __do_softirq+0x14/0x20 kernel/softirq.c:588 CPU: 0 PID: 6625 Comm: syz-executor782 Tainted: G W 6.10.0-rc2-syzkaller-g8867bbd4a056 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Testing showed that the problem did not occur if the two error messages -- the first two lines above -- were removed; apparently adding material to the kernel log takes a surprisingly large amount of time. In any case, the best approach for preventing these lockups and to avoid spamming the log with thousands of error messages per second is to ratelimit the two dev_err() calls. Therefore we replace them with dev_err_ratelimited(). Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Suggested-by: Greg KH <gregkh@linuxfoundation.org> Reported-and-tested-by: syzbot+5f996b83575ef4058638@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/00000000000073d54b061a6a1c65@google.com/ Reported-and-tested-by: syzbot+1b2abad17596ad03dcff@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/000000000000f45085061aa9b37e@google.com/ Fixes: 9908a32 ("USB: remove err() macro from usb class drivers") Link: https://lore.kernel.org/linux-usb/40dfa45b-5f21-4eef-a8c1-51a2f320e267@rowland.harvard.edu/ Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/29855215-52f5-4385-b058-91f42c2bee18@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 217d1f44fff560b3995a685a60aa66e55a7f0f56) Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Linux4
pushed a commit
that referenced
this pull request
Mar 21, 2025
[ Upstream commit d1bc560e9a9c78d0b2314692847fc8661e0aeb99 ]
Add nested locking with I_MUTEX_XATTR subclass to avoid lockdep warning
while handling xattr inode on file open syscall at ext4_xattr_inode_iget.
Backtrace
EXT4-fs (loop0): Ignoring removed oldalloc option
======================================================
WARNING: possible circular locking dependency detected
5.10.0-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor543/2794 is trying to acquire lock:
ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
but task is already holding lock:
ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&ei->i_data_sem/3){++++}-{3:3}:
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
ext4_update_i_disksize fs/ext4/ext4.h:3267 [inline]
ext4_xattr_inode_write fs/ext4/xattr.c:1390 [inline]
ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1538 [inline]
ext4_xattr_set_entry+0x331a/0x3d80 fs/ext4/xattr.c:1662
ext4_xattr_ibody_set+0x124/0x390 fs/ext4/xattr.c:2228
ext4_xattr_set_handle+0xc27/0x14e0 fs/ext4/xattr.c:2385
ext4_xattr_set+0x219/0x390 fs/ext4/xattr.c:2498
ext4_xattr_user_set+0xc9/0xf0 fs/ext4/xattr_user.c:40
__vfs_setxattr+0x404/0x450 fs/xattr.c:177
__vfs_setxattr_noperm+0x11d/0x4f0 fs/xattr.c:208
__vfs_setxattr_locked+0x1f9/0x210 fs/xattr.c:266
vfs_setxattr+0x112/0x2c0 fs/xattr.c:283
setxattr+0x1db/0x3e0 fs/xattr.c:548
path_setxattr+0x15a/0x240 fs/xattr.c:567
__do_sys_setxattr fs/xattr.c:582 [inline]
__se_sys_setxattr fs/xattr.c:578 [inline]
__x64_sys_setxattr+0xc5/0xe0 fs/xattr.c:578
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #0 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:2988 [inline]
check_prevs_add kernel/locking/lockdep.c:3113 [inline]
validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
__lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
inode_lock include/linux/fs.h:782 [inline]
ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
__ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
__ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
notify_change+0xbb6/0xe60 fs/attr.c:435
do_truncate+0x1de/0x2c0 fs/open.c:64
handle_truncate fs/namei.c:2970 [inline]
do_open fs/namei.c:3311 [inline]
path_openat+0x29f3/0x3290 fs/namei.c:3425
do_filp_open+0x20b/0x450 fs/namei.c:3452
do_sys_openat2+0x124/0x460 fs/open.c:1207
do_sys_open fs/open.c:1223 [inline]
__do_sys_open fs/open.c:1231 [inline]
__se_sys_open fs/open.c:1227 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1227
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ei->i_data_sem/3);
lock(&ea_inode->i_rwsem#7/1);
lock(&ei->i_data_sem/3);
lock(&ea_inode->i_rwsem#7/1);
*** DEADLOCK ***
5 locks held by syz-executor543/2794:
#0: ffff888026fbc448 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x4a/0x2a0 fs/namespace.c:365
#1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
#1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: do_truncate+0x1cf/0x2c0 fs/open.c:62
#2: ffff8880215e3310 (&ei->i_mmap_sem){++++}-{3:3}, at: ext4_setattr+0xec4/0x19c0 fs/ext4/inode.c:5519
#3: ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
#4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
#4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:5938 [inline]
#4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x4fb/0x810 fs/ext4/inode.c:6018
stack backtrace:
CPU: 1 PID: 2794 Comm: syz-executor543 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x177/0x211 lib/dump_stack.c:118
print_circular_bug+0x146/0x1b0 kernel/locking/lockdep.c:2002
check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2123
check_prev_add kernel/locking/lockdep.c:2988 [inline]
check_prevs_add kernel/locking/lockdep.c:3113 [inline]
validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
__lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
inode_lock include/linux/fs.h:782 [inline]
ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
__ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
__ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
notify_change+0xbb6/0xe60 fs/attr.c:435
do_truncate+0x1de/0x2c0 fs/open.c:64
handle_truncate fs/namei.c:2970 [inline]
do_open fs/namei.c:3311 [inline]
path_openat+0x29f3/0x3290 fs/namei.c:3425
do_filp_open+0x20b/0x450 fs/namei.c:3452
do_sys_openat2+0x124/0x460 fs/open.c:1207
do_sys_open fs/open.c:1223 [inline]
__do_sys_open fs/open.c:1231 [inline]
__se_sys_open fs/open.c:1227 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1227
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f0cde4ea229
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd81d1c978 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0030656c69662f30 RCX: 00007f0cde4ea229
RDX: 0000000000000089 RSI: 00000000000a0a00 RDI: 00000000200001c0
RBP: 2f30656c69662f2e R08: 0000000000208000 R09: 0000000000208000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd81d1c9c0
R13: 00007ffd81d1ca00 R14: 0000000000080000 R15: 0000000000000003
EXT4-fs error (device loop0): ext4_expand_extra_isize_ea:2730: inode #13: comm syz-executor543: corrupted in-inode xattr
Signed-off-by: Wojciech Gładysz <wojciech.gladysz@infogain.com>
Link: https://patch.msgid.link/20240801143827.19135-1-wojciech.gladysz@infogain.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c0f57dd0f1603ae27ef694bacde66147f9d57d32)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Linux4
pushed a commit
that referenced
this pull request
Mar 21, 2025
Commit b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command
for LPM_TRIE map") introduces a bug likes below:
if (!rcu_dereference(trie->root))
return -ENOENT;
if (!key || key->prefixlen > trie->max_prefixlen) {
root = &trie->root;
goto find_leftmost;
}
......
find_leftmost:
for (node = rcu_dereference(*root); node;) {
In the code after label find_leftmost, it is assumed
that *root should not be NULL, but it is not true as
it is possbile trie->root is changed to NULL by an
asynchronous delete operation.
The issue is reported by syzbot and Eric Dumazet with the
below error log:
......
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 8033 Comm: syz-executor3 Not tainted 4.15.0-rc8+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:trie_get_next_key+0x3c2/0xf10 kernel/bpf/lpm_trie.c:682
......
This patch fixed the issue by use local rcu_dereferenced
pointer instead of *(&trie->root) later on.
Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command or LPM_TRIE map")
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
ashstone-dev
pushed a commit
to ashstone-dev/android_kernel_samsung_universal9611
that referenced
this pull request
Feb 28, 2026
[ Upstream commit d1bc560e9a9c78d0b2314692847fc8661e0aeb99 ]
Add nested locking with I_MUTEX_XATTR subclass to avoid lockdep warning
while handling xattr inode on file open syscall at ext4_xattr_inode_iget.
Backtrace
EXT4-fs (loop0): Ignoring removed oldalloc option
======================================================
WARNING: possible circular locking dependency detected
5.10.0-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor543/2794 is trying to acquire lock:
ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
but task is already holding lock:
ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> linux4-bringup-priv#1 (&ei->i_data_sem/3){++++}-{3:3}:
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
ext4_update_i_disksize fs/ext4/ext4.h:3267 [inline]
ext4_xattr_inode_write fs/ext4/xattr.c:1390 [inline]
ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1538 [inline]
ext4_xattr_set_entry+0x331a/0x3d80 fs/ext4/xattr.c:1662
ext4_xattr_ibody_set+0x124/0x390 fs/ext4/xattr.c:2228
ext4_xattr_set_handle+0xc27/0x14e0 fs/ext4/xattr.c:2385
ext4_xattr_set+0x219/0x390 fs/ext4/xattr.c:2498
ext4_xattr_user_set+0xc9/0xf0 fs/ext4/xattr_user.c:40
__vfs_setxattr+0x404/0x450 fs/xattr.c:177
__vfs_setxattr_noperm+0x11d/0x4f0 fs/xattr.c:208
__vfs_setxattr_locked+0x1f9/0x210 fs/xattr.c:266
vfs_setxattr+0x112/0x2c0 fs/xattr.c:283
setxattr+0x1db/0x3e0 fs/xattr.c:548
path_setxattr+0x15a/0x240 fs/xattr.c:567
__do_sys_setxattr fs/xattr.c:582 [inline]
__se_sys_setxattr fs/xattr.c:578 [inline]
__x64_sys_setxattr+0xc5/0xe0 fs/xattr.c:578
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
-> #0 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:2988 [inline]
check_prevs_add kernel/locking/lockdep.c:3113 [inline]
validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
__lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
inode_lock include/linux/fs.h:782 [inline]
ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
__ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
__ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
notify_change+0xbb6/0xe60 fs/attr.c:435
do_truncate+0x1de/0x2c0 fs/open.c:64
handle_truncate fs/namei.c:2970 [inline]
do_open fs/namei.c:3311 [inline]
path_openat+0x29f3/0x3290 fs/namei.c:3425
do_filp_open+0x20b/0x450 fs/namei.c:3452
do_sys_openat2+0x124/0x460 fs/open.c:1207
do_sys_open fs/open.c:1223 [inline]
__do_sys_open fs/open.c:1231 [inline]
__se_sys_open fs/open.c:1227 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1227
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ei->i_data_sem/3);
lock(&ea_inode->i_rwsem#7/1);
lock(&ei->i_data_sem/3);
lock(&ea_inode->i_rwsem#7/1);
*** DEADLOCK ***
5 locks held by syz-executor543/2794:
#0: ffff888026fbc448 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x4a/0x2a0 fs/namespace.c:365
linux4-bringup-priv#1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
linux4-bringup-priv#1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: do_truncate+0x1cf/0x2c0 fs/open.c:62
linux4-bringup-priv#2: ffff8880215e3310 (&ei->i_mmap_sem){++++}-{3:3}, at: ext4_setattr+0xec4/0x19c0 fs/ext4/inode.c:5519
linux4-bringup-priv#3: ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
linux4-bringup-priv#4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
linux4-bringup-priv#4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:5938 [inline]
linux4-bringup-priv#4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x4fb/0x810 fs/ext4/inode.c:6018
stack backtrace:
CPU: 1 PID: 2794 Comm: syz-executor543 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x177/0x211 lib/dump_stack.c:118
print_circular_bug+0x146/0x1b0 kernel/locking/lockdep.c:2002
check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2123
check_prev_add kernel/locking/lockdep.c:2988 [inline]
check_prevs_add kernel/locking/lockdep.c:3113 [inline]
validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
__lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
down_write+0x93/0x180 kernel/locking/rwsem.c:1564
inode_lock include/linux/fs.h:782 [inline]
ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
__ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
__ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
notify_change+0xbb6/0xe60 fs/attr.c:435
do_truncate+0x1de/0x2c0 fs/open.c:64
handle_truncate fs/namei.c:2970 [inline]
do_open fs/namei.c:3311 [inline]
path_openat+0x29f3/0x3290 fs/namei.c:3425
do_filp_open+0x20b/0x450 fs/namei.c:3452
do_sys_openat2+0x124/0x460 fs/open.c:1207
do_sys_open fs/open.c:1223 [inline]
__do_sys_open fs/open.c:1231 [inline]
__se_sys_open fs/open.c:1227 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1227
do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f0cde4ea229
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd81d1c978 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0030656c69662f30 RCX: 00007f0cde4ea229
RDX: 0000000000000089 RSI: 00000000000a0a00 RDI: 00000000200001c0
RBP: 2f30656c69662f2e R08: 0000000000208000 R09: 0000000000208000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd81d1c9c0
R13: 00007ffd81d1ca00 R14: 0000000000080000 R15: 0000000000000003
EXT4-fs error (device loop0): ext4_expand_extra_isize_ea:2730: inode #13: comm syz-executor543: corrupted in-inode xattr
Signed-off-by: Wojciech Gładysz <wojciech.gladysz@infogain.com>
Link: https://patch.msgid.link/20240801143827.19135-1-wojciech.gladysz@infogain.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c0f57dd0f1603ae27ef694bacde66147f9d57d32)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
drivers/hid/hid-input.c
drivers/media/usb/uvc/uvc_driver.c
sound/usb/clock.c
No idea for comment