From: Heming Zhao
To: joseph.qi@linux.alibaba.com
Cc: Heming Zhao, ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, activprithvi@gmail.com, syzbot+78359d5fbb04318c35e9@syzkaller.appspotmail.com
Subject: [PATCH] ocfs2: fix deadlock when creating quota file
Date: Tue, 24 Feb 2026 16:48:56 +0800
Message-ID: <20260224084909.28361-1-heming.zhao@suse.com>

syzbot detected a circular locking dependency. The scenarios:

        CPU0                    CPU1
        ----                    ----
   lock(&ocfs2_quota_ip_alloc_sem_key);
                                lock(&ocfs2_sysfile_lock_key[USER_QUOTA_SYSTEM_INODE]);
                                lock(&ocfs2_quota_ip_alloc_sem_key);
   lock(&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]);

or:

        CPU0                    CPU1
        ----                    ----
   lock(&ocfs2_quota_ip_alloc_sem_key);
                                lock(&dquot->dq_lock);
                                lock(&ocfs2_quota_ip_alloc_sem_key);
   lock(&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]);

Following are the code paths for above scenarios:

path_openat
 ocfs2_create
  ocfs2_mknod
   + ocfs2_reserve_new_inode
   |  ocfs2_reserve_suballoc_bits
   |   inode_lock(alloc_inode) //C0: hold INODE_ALLOC_SYSTEM_INODE
   |   //at end of this func, ocfs2_free_alloc_context(inode_ac) calls inode_unlock
   |
   + ocfs2_get_init_inode
      __dquot_initialize
       dqget
        ocfs2_acquire_dquot
         + ocfs2_lock_global_qf
         |  down_write(&OCFS2_I(oinfo->dqi_gqinode)->ip_alloc_sem)//A2:grabbing
         + ocfs2_create_local_dquot
            down_write(&OCFS2_I(lqinode)->ip_alloc_sem)//A3:grabbing

evict
 ocfs2_evict_inode
  ocfs2_delete_inode
   ocfs2_wipe_inode
    + inode_lock(orphan_dir_inode) //B0:hold
    + ...
    + ocfs2_remove_inode
       inode_lock(inode_alloc_inode) //INODE_ALLOC_SYSTEM_INODE
        down_write(&inode->i_rwsem) //C1:grabbing

generic_file_direct_write
 ocfs2_direct_IO
  __blockdev_direct_IO
   dio_complete
    ocfs2_dio_end_io
     ocfs2_dio_end_io_write
      + down_write(&oi->ip_alloc_sem) //A0:hold
      + ocfs2_del_inode_from_orphan
         inode_lock(orphan_dir_inode) //B1:grabbing

Root cause for the circular locking:

DIO completion path:
  holds oi->ip_alloc_sem and is trying to acquire the orphan_dir_inode lock.

evict path:
  holds the orphan_dir_inode lock and is trying to acquire the
  inode_alloc_inode lock.

ocfs2_mknod path:
  Holds the inode_alloc_inode lock (to allocate a new quota file) and is
  blocked waiting for oi->ip_alloc_sem in ocfs2_acquire_dquot().

How to fix:

Replace down_write() with down_write_trylock() in ocfs2_acquire_dquot().
If acquiring oi->ip_alloc_sem fails, return -EBUSY to abort the file creation
routine and break the deadlock.

Reported-by: syzbot+78359d5fbb04318c35e9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=78359d5fbb04318c35e9
Signed-off-by: Heming Zhao
---
 fs/ocfs2/quota_global.c | 5 ++++-
 fs/ocfs2/quota_local.c  | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c index e85b1ccf81be..4321d8f59402 100644 --- a/fs/ocfs2/quota_global.c +++ b/fs/ocfs2/quota_global.c @@ -311,7 +311,10 @@ int ocfs2_lock_global_qf(struct ocfs2_mem_dqinfo *oinf= o, int ex) spin_unlock(&dq_data_lock); if (ex) { inode_lock(oinfo->dqi_gqinode); - down_write(&OCFS2_I(oinfo->dqi_gqinode)->ip_alloc_sem); + if (!down_write_trylock(&OCFS2_I(oinfo->dqi_gqinode)->ip_alloc_sem)) { + inode_unlock(oinfo->dqi_gqinode); + return -EBUSY; + } } else { down_read(&OCFS2_I(oinfo->dqi_gqinode)->ip_alloc_sem); } diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index c4e0117d8977..e451f3d96037 100644 --- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c 
@@ -1224,7 +1224,10 @@ int ocfs2_create_local_dquot(struct dquot *dquot) int status; u64 pcount; =20 - down_write(&OCFS2_I(lqinode)->ip_alloc_sem); + if (!down_write_trylock(&OCFS2_I(lqinode)->ip_alloc_sem)) { + status =3D -EBUSY; + goto out; + } chunk =3D ocfs2_find_free_entry(sb, type, &offset); if (!chunk) { chunk =3D ocfs2_extend_local_quota_file(sb, type, &offset); --=20 2.43.0
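
Review bot: In the fs/ocfs2/quota_global.c hunk, the new failure branch in ocfs2_lock_global_qf() undoes only the inode_lock() taken two lines earlier before it does "return -EBUSY;". The context shows the function has already passed a section ending in spin_unlock(&dq_data_lock), so any state set up before that point is left in place on this early return; please unwind it here or route the failure through the function's existing error path. Two related points: the commit message describes the change as being in ocfs2_acquire_dquot(), but this helper takes a generic "ex" argument, so every exclusive caller now has to cope with -EBUSY, not only the file-creation path; and down_write_trylock() fails on any contention on ip_alloc_sem, not just in the deadlock case, which deserves a comment at the trylock saying why a spurious -EBUSY is acceptable.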
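
Review bot: In the fs/ocfs2/quota_local.c hunk, the "goto out;" in the trylock failure branch of ocfs2_create_local_dquot() is only safe if the out label does not release ip_alloc_sem. Before this patch the semaphore was taken unconditionally on the line being replaced, so a shared exit path that calls up_write(&OCFS2_I(lqinode)->ip_alloc_sem) would now unlock a semaphore this task never acquired. The label is outside the visible context; either return -EBUSY directly from this branch or add a second label placed after the unlock and jump to that. A short comment above the trylock naming the lock-order cycle it avoids would also help later readers understand why a blocking down_write() must not be restored here.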