In the Linux kernel, the following vulnerability has been resolved:

btrfs: lock the inode in shared mode before starting fiemap

Currently fiemap does not take the inode's lock (VFS lock), it only locks a file range in the inode's io tree. This however can lead to a deadlock if we have a concurrent fsync on the file and fiemap code triggers a fault when accessing the user space buffer with fiemap_fill_next_extent(). The deadlock happens on the inode's i_mmap_lock semaphore, which is taken both by fsync and btrfs_page_mkwrite().

This deadlock was recently reported by syzbot and triggers a trace like the following:

   task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004
   Call Trace:
    <TASK>
    context_switch kernel/sched/core.c:5293 [inline]
    __schedule+0x995/0xe20 kernel/sched/core.c:6606
    schedule+0xcb/0x190 kernel/sched/core.c:6682
    wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]
    wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751
    lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742
    find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488
    writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863
    __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174
    extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091
    extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211
    do_writepages+0x3c3/0x680 mm/page-writeback.c:2581
    filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388
    __filemap_fdatawrite_range mm/filemap.c:421 [inline]
    filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439
    btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]
    start_ordered_ops fs/btrfs/file.c:1737 [inline]
    btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839
    generic_write_sync include/linux/fs.h:2885 [inline]
    btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684
    call_write_iter include/linux/fs.h:2189 [inline]
    new_sync_write fs/read_write.c:491 [inline]
    vfs_write+0x7dc/0xc50 fs/read_write.c:584
    ksys_write+0x177/0x2a0 fs/read_write.c:637
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
   RIP: 0033:0x7f7d4054e9b9
   RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
   RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9
   RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006
   RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000
   R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69
   R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8
    </TASK>
   INFO: task syz-executor361:5697 blocked for more than 145 seconds.
         Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0
   "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
   task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004
   Call Trace:
    <TASK>
    context_switch kernel/sched/core.c:5293 [inline]
    __schedule+0x995/0xe20 kernel/sched/core.c:6606
    schedule+0xcb/0x190 kernel/sched/core.c:6682
    rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095
    __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260
    btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526
    do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947
    wp_page_shared+0x15e/0x380 mm/memory.c:3295
    handle_pte_fault mm/memory.c:4949 [inline]
    __handle_mm_fault mm/memory.c:5073 [inline]
    handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219
    do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428
    handle_page_fault arch/x86/mm/fault.c:1519 [inline]
    exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575
    asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
   RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233
   Code: 74 0a 89 (...)
   RSP: 0018:ffffc9000570f330 EFLAGS: 000502
   ---truncated---
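As an added triage aid (not part of the kernel CVE text or of the btrfs fix), the Python below parses a hung-task dump in the format shown above, records the wait primitive each D-state task is stuck in, and flags the fsync / btrfs_page_mkwrite lock inversion the description explains. SAMPLE_REPORT is a constructed input trimmed from the syzbot trace above, and the matching heuristics are assumptions for incident triage, not anything the kernel itself provides.

```python
import re

# Constructed sample, trimmed from the syzbot hung-task report quoted above.
SAMPLE_REPORT = """\
task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004
 __schedule+0x995/0xe20 kernel/sched/core.c:6606
 schedule+0xcb/0x190 kernel/sched/core.c:6682
 wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]
 wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751
 lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742
 btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839
task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004
 __schedule+0x995/0xe20 kernel/sched/core.c:6606
 schedule+0xcb/0x190 kernel/sched/core.c:6682
 rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095
 btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233
"""

TASK_RE = re.compile(r"task:(\S+)\s+state:(\S+).*?\bpid:(\d+)")
# A frame is "func+0xoff/0xsize path.c:line" or "func path.c:line [inline]"; lines
# without a path:line token after the first word (RIP, register dumps) are skipped.
FRAME_RE = re.compile(r"^\s*(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+\S+\.[chS]:\d+")
SCHED_FRAMES = {"context_switch", "__schedule", "schedule"}

def parse_hung_tasks(text):
    """Split a hung-task dump into per-task records holding their frame names."""
    tasks = []
    for line in text.splitlines():
        if m := TASK_RE.search(line):
            tasks.append({"comm": m.group(1), "state": m.group(2),
                          "pid": int(m.group(3)), "frames": []})
        elif (f := FRAME_RE.match(line)) and tasks:
            tasks[-1]["frames"].append(f.group(1))
    return tasks

def blocked_in(task):
    """First frame below the scheduler: the wait the task is actually stuck in."""
    return next((fn for fn in task["frames"] if fn not in SCHED_FRAMES), None)

def is_fiemap_fsync_deadlock(tasks):
    """Match the inversion described above (assumed heuristic): fsync, holding
    i_mmap_lock, asleep on the extent io-tree lock while a page fault inside
    btrfs_page_mkwrite sleeps on the i_mmap_lock rwsem."""
    def stuck(t, wait, caller):
        return t["state"] == "D" and wait in t["frames"] and caller in t["frames"]
    fsync = any(stuck(t, "wait_extent_bit", "btrfs_sync_file") for t in tasks)
    fault = any(stuck(t, "rwsem_down_read_slowpath", "btrfs_page_mkwrite") for t in tasks)
    return fsync and fault
```

Feed it the text of a real hung-task report from dmesg; a match on a kernel without the fix points at this fiemap/fsync deadlock rather than at storage stalls.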