netlink: 16 bytes leftover after parsing attributes in process `syz-executor.3'.
hfsplus: request for non-existent node 2048 in B*Tree
hfsplus: xattr searching failed
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.1'.
======================================================
WARNING: possible circular locking dependency detected
4.14.302-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/9936 is trying to acquire lock:
 (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: [] hfsplus_file_extend+0x188/0xef0 fs/hfsplus/extents.c:452

but task is already holding lock:
 (&tree->tree_lock/1){+.+.}, at: [] hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&tree->tree_lock/1){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33
       hfsplus_file_truncate+0x25b/0xe80 fs/hfsplus/extents.c:577
       hfsplus_setattr+0x182/0x310 fs/hfsplus/inode.c:264
       notify_change+0x56b/0xd10 fs/attr.c:315
       do_truncate+0xff/0x1a0 fs/open.c:63
       handle_truncate fs/namei.c:3010 [inline]
       do_last fs/namei.c:3437 [inline]
       path_openat+0x1dcc/0x2970 fs/namei.c:3571
       do_filp_open+0x179/0x3c0 fs/namei.c:3605
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (&HFSPLUS_I(inode)->extents_lock){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_file_extend+0x188/0xef0 fs/hfsplus/extents.c:452
       hfsplus_bmap_reserve+0x26e/0x410 fs/hfsplus/btree.c:357
       __hfsplus_ext_write_extent+0x415/0x560 fs/hfsplus/extents.c:104
       hfsplus_ext_write_extent_locked fs/hfsplus/extents.c:139 [inline]
       hfsplus_ext_write_extent_locked fs/hfsplus/extents.c:129 [inline]
       hfsplus_ext_write_extent+0x169/0x1a0 fs/hfsplus/extents.c:150
       hfsplus_write_inode+0x1e/0x410 fs/hfsplus/super.c:153
       write_inode fs/fs-writeback.c:1241 [inline]
       __writeback_single_inode+0x6a4/0x1010 fs/fs-writeback.c:1439
       writeback_single_inode+0x1f3/0x370 fs/fs-writeback.c:1493
       sync_inode fs/fs-writeback.c:2494 [inline]
       sync_inode_metadata+0x79/0xa0 fs/fs-writeback.c:2514
       hfsplus_file_fsync+0x100/0x4a0 fs/hfsplus/inode.c:296
       vfs_fsync_range+0x103/0x260 fs/sync.c:196
       generic_write_sync include/linux/fs.h:2684 [inline]
       generic_file_write_iter+0x410/0x650 mm/filemap.c:3212
       call_write_iter include/linux/fs.h:1780 [inline]
       do_iter_readv_writev+0x4cf/0x5f0 fs/read_write.c:675
       do_iter_write+0x152/0x550 fs/read_write.c:954
       vfs_writev+0x125/0x290 fs/read_write.c:999
       do_pwritev fs/read_write.c:1088 [inline]
       SYSC_pwritev2 fs/read_write.c:1147 [inline]
       SyS_pwritev2+0x195/0x230 fs/read_write.c:1138
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&tree->tree_lock/1);
                               lock(&HFSPLUS_I(inode)->extents_lock);
                               lock(&tree->tree_lock/1);
  lock(&HFSPLUS_I(inode)->extents_lock);

 *** DEADLOCK ***

4 locks held by syz-executor.0/9936:
 #0:  (sb_writers#15){.+.+}, at: [] file_start_write include/linux/fs.h:2714 [inline]
 #0:  (sb_writers#15){.+.+}, at: [] vfs_writev+0x208/0x290 fs/read_write.c:998
 #1:  (&sb->s_type->i_mutex_key#22){+.+.}, at: [] inode_lock include/linux/fs.h:719 [inline]
 #1:  (&sb->s_type->i_mutex_key#22){+.+.}, at: [] hfsplus_file_fsync+0xf3/0x4a0 fs/hfsplus/inode.c:291
 #2:  (&hip->extents_lock){+.+.}, at: [] hfsplus_ext_write_extent+0x68/0x1a0 fs/hfsplus/extents.c:149
 #3:  (&tree->tree_lock/1){+.+.}, at: [] hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33

stack backtrace:
CPU: 0 PID: 9936 Comm: syz-executor.0 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 hfsplus_file_extend+0x188/0xef0 fs/hfsplus/extents.c:452
 hfsplus_bmap_reserve+0x26e/0x410 fs/hfsplus/btree.c:357
 __hfsplus_ext_write_extent+0x415/0x560 fs/hfsplus/extents.c:104
 hfsplus_ext_write_extent_locked fs/hfsplus/extents.c:139 [inline]
 hfsplus_ext_write_extent_locked fs/hfsplus/extents.c:129 [inline]
 hfsplus_ext_write_extent+0x169/0x1a0 fs/hfsplus/extents.c:150
 hfsplus_write_inode+0x1e/0x410 fs/hfsplus/super.c:153
 write_inode fs/fs-writeback.c:1241 [inline]
 __writeback_single_inode+0x6a4/0x1010 fs/fs-writeback.c:1439
 writeback_single_inode+0x1f3/0x370 fs/fs-writeback.c:1493
 sync_inode fs/fs-writeback.c:2494 [inline]
 sync_inode_metadata+0x79/0xa0 fs/fs-writeback.c:2514
 hfsplus_file_fsync+0x100/0x4a0 fs/hfsplus/inode.c:296
 vfs_fsync_range+0x103/0x260 fs/sync.c:196
 generic_write_sync include/linux/fs.h:2684 [inline]
 generic_file_write_iter+0x410/0x650 mm/filemap.c:3212
 call_write_iter include/linux/fs.h:1780 [inline]
 do_iter_readv_writev+0x4cf/0x5f0 fs/read_write.c:675
 do_iter_write+0x152/0x550 fs/read_write.c:954
 vfs_writev+0x125/0x290 fs/read_write.c:999
 do_pwritev fs/read_write.c:1088 [inline]
 SYSC_pwritev2 fs/read_write.c:1147 [inline]
 SyS_pwritev2+0x195/0x230 fs/read_write.c:1138
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f8fd78930a9
RSP: 002b:00007f8fd5e05168 EFLAGS: 00000246 ORIG_RAX: 0000000000000148
RAX: ffffffffffffffda RBX: 00007f8fd79b2f80 RCX: 00007f8fd78930a9
RDX: 0000000000000001 RSI: 00000000200000c0 RDI: 0000000000000004
RBP: 00007f8fd78eeae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdead5f47f R14: 00007f8fd5e05300 R15: 0000000000022000
JFS: discard option not supported on device
hfsplus: request for non-existent node 2048 in B*Tree
hfsplus: request for non-existent node 2048 in B*Tree
hfsplus: xattr searching failed
hfsplus: request for non-existent node 2048 in B*Tree
syz-executor.5 (9997) used greatest stack depth: 25312 bytes left
hfsplus: request for non-existent node 2048 in B*Tree
hfsplus: xattr searching failed
hfsplus: request for non-existent node 2048 in B*Tree
hfsplus: request for non-existent node 2048 in B*Tree
hfsplus: xattr searching failed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.
audit: type=1800 audit(1672743415.249:17): pid=10378 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="loop5" ino=25 res=0
hfsplus: xattr exists yet
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.
audit: type=1800 audit(1672743415.419:18): pid=10406 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="loop5" ino=25 res=0
hfsplus: xattr exists yet
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.
audit: type=1800 audit(1672743415.639:19): pid=10425 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="loop5" ino=25 res=0
hfsplus: xattr exists yet
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
audit: type=1800 audit(1672743415.769:20): pid=10449 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="loop5" ino=25 res=0
hfsplus: xattr exists yet
hfsplus: xattr exists yet
hfsplus: xattr exists yet
audit: type=1800 audit(1672743415.799:21): pid=10444 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="bus" dev="loop0" ino=25 res=0
audit: type=1800 audit(1672743415.829:22): pid=10446 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="loop4" ino=25 res=0
audit: type=1800 audit(1672743416.099:23): pid=10479 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="loop5" ino=25 res=0
hfsplus: xattr exists yet
hfsplus: xattr exists yet
hfsplus: xattr exists yet
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
audit: type=1800 audit(1672743416.129:24): pid=10464 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="bus" dev="loop0" ino=25 res=0
syz-executor.2 (10475) used greatest stack depth: 24832 bytes left
audit: type=1800 audit(1672743416.129:25): pid=10468 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="loop4" ino=25 res=0
hfsplus: xattr exists yet
hfsplus: xattr exists yet
audit: type=1800 audit(1672743416.339:26): pid=10504 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="bus" dev="loop0" ino=25 res=0
hfsplus: xattr exists yet
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
hfsplus: xattr exists yet
Zero length message leads to an empty skb