<div dir="ltr">Alasdair, Mike, and to whom it may concern:<div><br></div><div>Hello! We have found a bug in the Linux kernel version 6.2.0 by syzkaller with our own templates. The bug causes a possible recursive locking scenario, resulting in a deadlock.<br>The key trace is as follows (the complete trace is in the attached report file):<div><div><br><div><p dir="ltr"> <b>down_read</b>+0x9d/0x450 kernel/locking/rwsem.c:1509</p><p dir="ltr"> <b>dm_get_inactive_table</b>+0x2b/0xc0 drivers/md/dm-ioctl.c:773</p><p dir="ltr"> <b>__dev_status</b>+0x4fd/0x7c0 drivers/md/dm-ioctl.c:844</p><p dir="ltr"> <b>table_clear</b>+0x197/0x280 drivers/md/dm-ioctl.c:1537</p></div></div><div><br></div><div>In table_clear, it acquires a <b>write lock</b>:</div><div><a href="https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L1520">https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L1520</a><br></div>down_write(&_hash_lock);<div><br></div><div>Then, before the lock is released at L1539, there is the path shown above:<br></div><div>table_clear -> __dev_status -> dm_get_inactive_table -> down_read</div><div><a href="https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L773">https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L773</a></div><div>down_read(&_hash_lock);<br></div><div>It tries to acquire <b>the same read lock</b> again, resulting in the deadlock problem.</div><div><br></div><div>Attached are the report, log, and reproducers generated by syzkaller.</div>Please let me know if there is any additional information that I can provide to help debug this issue.<br>Thanks!</div><div><br></div><div>Best</div><div>zheng</div></div></div>