In the Linux kernel, the following vulnerability has been resolved:
btrfs: lock the inode in shared mode before starting fiemap
Currently fiemap does not take the inode's lock (VFS lock), it only locks a file range in the inode's io tree. This, however, can lead to a deadlock if we have a concurrent fsync on the file and fiemap code triggers a fault when accessing the user space buffer with fiemap_fill_next_extent(). The deadlock happens on the inode's i_mmap_lock semaphore, which is taken both by fsync and btrfs_page_mkwrite(). This deadlock was recently reported by syzbot and triggers a trace like the following:
task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5293 [inline]
 __schedule+0x995/0xe20 kernel/sched/core.c:6606
 schedule+0xcb/0x190 kernel/sched/core.c:6682
 wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]
 wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751
 lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742
 find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488
 writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863
 __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174
 extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091
 extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211
 do_writepages+0x3c3/0x680 mm/page-writeback.c:2581
 filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388
 __filemap_fdatawrite_range mm/filemap.c:421 [inline]
 filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439
 btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]
 start_ordered_ops fs/btrfs/file.c:1737 [inline]
 btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839
 generic_write_sync include/linux/fs.h:2885 [inline]
 btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684
 call_write_iter include/linux/fs.h:2189 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x7dc/0xc50 fs/read_write.c:584
 ksys_write+0x177/0x2a0 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7d4054e9b9
RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9
RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006
RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69
R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8
 </TASK>
INFO: task syz-executor361:5697 blocked for more than 145 seconds.
      Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5293 [inline]
 __schedule+0x995/0xe20 kernel/sched/core.c:6606
 schedule+0xcb/0x190 kernel/sched/core.c:6682
 rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095
 __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260
 btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526
 do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947
 wp_page_shared+0x15e/0x380 mm/memory.c:3295
 handle_pte_fault mm/memory.c:4949 [inline]
 __handle_mm_fault mm/memory.c:5073 [inline]
 handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219
 do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428
 handle_page_fault arch/x86/mm/fault.c:1519 [inline]
 exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233
Code: 74 0a 89 (...)
RSP: 0018:ffffc9000570f330 EFLAGS: 000502
---truncated---