syzbot is reporting circular locking dependency between ntfs_file_mmap() (which has mm->mmap_lock => ni->ni_lock dependency) and ntfs_fiemap() (which has ni->ni_lock => mm->mmap_lock dependency). Since ni_fiemap() is called by ioctl(FS_IOC_FIEMAP) via optional "struct inode_operations"->fiemap callback, I assume that importance of ni_fiemap() is lower than ntfs_file_mmap(). Also, since Documentation/filesystems/fiemap.rst says that "If an error is encountered while copying the extent to user memory, -EFAULT will be returned.", I assume that ioctl(FS_IOC_FIEMAP) users can handle -EFAULT error. Therefore, in order to eliminate possibility of deadlock, until Assumed ni_lock. TODO: Less aggressive locks. comment in ni_fiemap() is removed, use ni_fiemap() with best-effort basis (i.e. fail with -EFAULT when a page fault is inevitable). Reported-by: syzbot <syzbot+96cee7d33ca3f87eee86@xxxxxxxxxxxxxxxxxxxxxxxxx> Link: https://syzkaller.appspot.com/bug?extid=96cee7d33ca3f87eee86 Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation") Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> --- fs/ntfs3/file.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c index e9bdc1ff08c9..a9e7204e1579 100644 --- a/fs/ntfs3/file.c +++ b/fs/ntfs3/file.c @@ -1146,9 +1146,11 @@ int ntfs_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, return err; ni_lock(ni); + pagefault_disable(); err = ni_fiemap(ni, fieinfo, start, len); + pagefault_enable(); ni_unlock(ni); return err; -- 2.34.1
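Review bot: wrapping `err = ni_fiemap(ni, fieinfo, start, len);` in `pagefault_disable(); ... pagefault_enable();` makes the copy_to_user() inside fiemap_fill_next_extent() fail for any user page that is not currently present, not only in the deadlock scenario, so a caller passing a freshly allocated (never-touched) extent buffer will get -EFAULT from FS_IOC_FIEMAP on an otherwise healthy filesystem; that is a user-visible regression rather than the "best-effort" behaviour the message describes. Consider faulting the extent array in before taking the lock, e.g. fault_in_writeable() on fieinfo->fi_extents_start for fi_extents_max * sizeof(struct fiemap_extent), and on -EFAULT dropping ni_lock(), faulting in again and retrying, which is the usual pattern for work done with page faults disabled under a lock; at minimum the commit message should state plainly that unfaulted buffers now fail, and the quoted in-code comment in "until Assumed ni_lock. TODO: Less aggressive locks. comment" needs its quotation marks restored so the sentence parses.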