======================================================
WARNING: possible circular locking dependency detected
4.14.302-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/9771 is trying to acquire lock:
 (&tree->tree_lock/1){+.+.}, at: [] hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33

but task is already holding lock:
 (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: [] hfsplus_get_block+0x1f9/0x820 fs/hfsplus/extents.c:260

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&HFSPLUS_I(inode)->extents_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_get_block+0x1f9/0x820 fs/hfsplus/extents.c:260
       block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
       do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
       read_mapping_page include/linux/pagemap.h:398 [inline]
       hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
       hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
       hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
       __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
       __block_write_begin fs/buffer.c:2088 [inline]
       block_write_begin+0x58/0x270 fs/buffer.c:2147
       cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
       hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
       __page_symlink+0x147/0x1b0 fs/namei.c:4857
       hfsplus_symlink+0xc9/0x2a0 fs/hfsplus/dir.c:451
       vfs_symlink+0x3ce/0x620 fs/namei.c:4158
       SYSC_symlinkat fs/namei.c:4185 [inline]
       SyS_symlinkat+0x1dc/0x240 fs/namei.c:4165
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #1 (&sbi->alloc_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_block_free+0xc7/0x560 fs/hfsplus/bitmap.c:182
       hfsplus_free_extents+0x170/0x440 fs/hfsplus/extents.c:360
       hfsplus_file_truncate+0xbc0/0xe80 fs/hfsplus/extents.c:585
       hfsplus_delete_inode+0x160/0x1f0 fs/hfsplus/inode.c:431
       hfsplus_unlink+0x48c/0x6b0 fs/hfsplus/dir.c:407
       vfs_unlink+0x230/0x470 fs/namei.c:4029
       do_unlinkat+0x30c/0x5c0 fs/namei.c:4094
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (&tree->tree_lock/1){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33
       hfsplus_ext_read_extent+0x15f/0x9e0 fs/hfsplus/extents.c:216
       hfsplus_get_block+0x23e/0x820 fs/hfsplus/extents.c:268
       block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
       do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
       read_mapping_page include/linux/pagemap.h:398 [inline]
       hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
       hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
       hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
       __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
       __block_write_begin fs/buffer.c:2088 [inline]
       block_write_begin+0x58/0x270 fs/buffer.c:2147
       cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
       hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
       __page_symlink+0x147/0x1b0 fs/namei.c:4857
       hfsplus_symlink+0xc9/0x2a0 fs/hfsplus/dir.c:451
       vfs_symlink+0x3ce/0x620 fs/namei.c:4158
       SYSC_symlinkat fs/namei.c:4185 [inline]
       SyS_symlinkat+0x1dc/0x240 fs/namei.c:4165
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
  &tree->tree_lock/1 --> &sbi->alloc_mutex --> &HFSPLUS_I(inode)->extents_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&HFSPLUS_I(inode)->extents_lock);
                               lock(&sbi->alloc_mutex);
                               lock(&HFSPLUS_I(inode)->extents_lock);
  lock(&tree->tree_lock/1);

 *** DEADLOCK ***

6 locks held by syz-executor.2/9771:
 #0:  (sb_writers#13){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline]
 #0:  (sb_writers#13){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386
 #1:  (&type->i_mutex_dir_key#8/1){+.+.}, at: [] inode_lock_nested include/linux/fs.h:754 [inline]
 #1:  (&type->i_mutex_dir_key#8/1){+.+.}, at: [] filename_create+0x12a/0x3f0 fs/namei.c:3676
 #2:  (&sbi->vh_mutex){+.+.}, at: [] hfsplus_symlink+0x79/0x2a0 fs/hfsplus/dir.c:446
 #3:  (&hip->extents_lock){+.+.}, at: [] hfsplus_file_extend+0x188/0xef0 fs/hfsplus/extents.c:452
 #4:  (&sbi->alloc_mutex){+.+.}, at: [] hfsplus_block_allocate+0xd2/0x910 fs/hfsplus/bitmap.c:35
 #5:  (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: [] hfsplus_get_block+0x1f9/0x820 fs/hfsplus/extents.c:260

stack backtrace:
CPU: 0 PID: 9771 Comm: syz-executor.2 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33
 hfsplus_ext_read_extent+0x15f/0x9e0 fs/hfsplus/extents.c:216
 hfsplus_get_block+0x23e/0x820 fs/hfsplus/extents.c:268
 block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
 do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
 read_mapping_page include/linux/pagemap.h:398 [inline]
 hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
 hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
 hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
 __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
 __block_write_begin fs/buffer.c:2088 [inline]
 block_write_begin+0x58/0x270 fs/buffer.c:2147
 cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
 hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
 __page_symlink+0x147/0x1b0 fs/namei.c:4857
 hfsplus_symlink+0xc9/0x2a0 fs/hfsplus/dir.c:451
 vfs_symlink+0x3ce/0x620 fs/namei.c:4158
 SYSC_symlinkat fs/namei.c:4185 [inline]
 SyS_symlinkat+0x1dc/0x240 fs/namei.c:4165
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f23dc2e70c9
RSP: 002b:00007f23da859168 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f23dc406f80 RCX: 00007f23dc2e70c9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 00000000200000c0
RBP: 00007f23dc342ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffee9ae38f R14: 00007f23da859300 R15: 0000000000022000
audit: type=1804 audit(1674013772.967:5): pid=9831 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir2934039786/syzkaller.mNquWr/11/bus" dev="sda1" ino=13933 res=1
audit: type=1800 audit(1674013773.227:6): pid=9846 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="file0" dev="sda1" ino=13927 res=0
audit: type=1804 audit(1674013773.897:7): pid=9913 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir2934039786/syzkaller.mNquWr/12/bus" dev="sda1" ino=13896 res=1
audit: type=1804 audit(1674013774.707:8): pid=9959 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir2934039786/syzkaller.mNquWr/13/bus" dev="sda1" ino=13903 res=1
Zero length message leads to an empty skb
caif:caif_disconnect_client(): nothing to disconnect
tmpfs: Bad value 'within_sizeŻ' for mount option 'huge'
device gretap1 entered promiscuous mode
hrtimer: interrupt took 27124 ns
device lo entered promiscuous mode
Y­4`Ҙ: renamed from lo
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
audit: type=1800 audit(1674013776.167:9): pid=10084 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="sda1" ino=13957 res=0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
audit: type=1800 audit(1674013777.037:10): pid=10209 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="sda1" ino=13893 res=0
audit: type=1800 audit(1674013778.187:11): pid=10255 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="bus" dev="sda1" ino=13981 res=0
audit: type=1800 audit(1674013778.197:12): pid=10258 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="sda1" ino=13982 res=0
XFS (loop3): Mounting V4 Filesystem
XFS (loop3): Ending clean mount
XFS (loop3): Unmounting Filesystem
could not allocate digest TFM handle sha512_mb
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
autofs4:pid:10519:validate_dev_ioctl: path string terminator missing for cmd(0xc0189377)