BTRFS info (device loop0): enabling ssd optimizations
BTRFS info (device loop0): using spread ssd allocation scheme
BTRFS info (device loop0): using free space tree
BTRFS info (device loop0): has skinny extents
======================================================
WARNING: possible circular locking dependency detected
4.14.307-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/10225 is trying to acquire lock:
 ("%s-%s""btrfs", name){+.+.}, at: [<ffffffff8135cb4b>] flush_workqueue+0xcb/0x1310 kernel/workqueue.c:2622

but task is already holding lock:
 (&fs_info->scrub_lock){+.+.}, at: [<ffffffff82b1bdb6>] btrfs_scrub_dev+0x506/0xcd0 fs/btrfs/scrub.c:4217

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&fs_info->scrub_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       btrfs_scrub_dev+0x1f3/0xcd0 fs/btrfs/scrub.c:4150
       btrfs_ioctl_scrub fs/btrfs/ioctl.c:4451 [inline]
       btrfs_ioctl+0xba8/0x5b20 fs/btrfs/ioctl.c:5681
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #2 (&fs_devs->device_list_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       __reada_start_machine fs/btrfs/reada.c:765 [inline]
       reada_start_machine_worker+0x1d2/0xa90 fs/btrfs/reada.c:746
       normal_work_helper+0x304/0x1330 fs/btrfs/async-thread.c:376
       process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:406

-> #1 ((&work->normal_work)){+.+.}:
       process_one_work+0x736/0x14a0 kernel/workqueue.c:2093
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:406

-> #0 ("%s-%s""btrfs", name){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625
       drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2790
       destroy_workqueue+0x71/0x710 kernel/workqueue.c:4116
       __btrfs_destroy_workqueue fs/btrfs/async-thread.c:436 [inline]
       btrfs_destroy_workqueue+0xf8/0x630 fs/btrfs/async-thread.c:447
       scrub_workers_put+0x90/0x1a0 fs/btrfs/scrub.c:4075
       btrfs_scrub_dev+0x536/0xcd0 fs/btrfs/scrub.c:4219
       btrfs_ioctl_scrub fs/btrfs/ioctl.c:4451 [inline]
       btrfs_ioctl+0xba8/0x5b20 fs/btrfs/ioctl.c:5681
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
  "%s-%s""btrfs", name --> &fs_devs->device_list_mutex --> &fs_info->scrub_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&fs_info->scrub_lock);
                               lock(&fs_devs->device_list_mutex);
                               lock(&fs_info->scrub_lock);
  lock("%s-%s""btrfs", name);

 *** DEADLOCK ***

1 lock held by syz-executor.0/10225:
 #0:  (&fs_info->scrub_lock){+.+.}, at: [<ffffffff82b1bdb6>] btrfs_scrub_dev+0x506/0xcd0 fs/btrfs/scrub.c:4217

stack backtrace:
CPU: 1 PID: 10225 Comm: syz-executor.0 Not tainted 4.14.307-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625
 drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2790
 destroy_workqueue+0x71/0x710 kernel/workqueue.c:4116
 __btrfs_destroy_workqueue fs/btrfs/async-thread.c:436 [inline]
 btrfs_destroy_workqueue+0xf8/0x630 fs/btrfs/async-thread.c:447
 scrub_workers_put+0x90/0x1a0 fs/btrfs/scrub.c:4075
 btrfs_scrub_dev+0x536/0xcd0 fs/btrfs/scrub.c:4219
 btrfs_ioctl_scrub fs/btrfs/ioctl.c:4451 [inline]
 btrfs_ioctl+0xba8/0x5b20 fs/btrfs/ioctl.c:5681
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f140f8520f9
RSP: 002b:00007f140ddc4168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f140f971f80 RCX: 00007f140f8520f9
RDX: 0000000020000100 RSI: 00000000c400941b RDI: 0000000000000004
RBP: 00007f140f8adae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffeb43b8fff R14: 00007f140ddc4300 R15: 0000000000022000
EXT4-fs (loop3): Ignoring removed nobh option
EXT4-fs (loop3): Unsupported blocksize for fs encryption
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
EXT4-fs (loop3): Ignoring removed nobh option
EXT4-fs (loop3): Unsupported blocksize for fs encryption
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
EXT4-fs (loop5): Ignoring removed nobh option
EXT4-fs (loop5): Unsupported blocksize for fs encryption
new mount options do not match the existing superblock, will be ignored
EXT4-fs (loop3): Ignoring removed nobh option
EXT4-fs (loop3): Unsupported blocksize for fs encryption
hub 5-0:1.0: USB hub found
hub 5-0:1.0: 1 port detected
new mount options do not match the existing superblock, will be ignored
hub 5-0:1.0: USB hub found
hub 5-0:1.0: 1 port detected
new mount options do not match the existing superblock, will be ignored
xt_policy: too many policy elements
hub 5-0:1.0: USB hub found
hub 5-0:1.0: 1 port detected
EXT4-fs (loop5): Ignoring removed nobh option
EXT4-fs (loop5): Unsupported blocksize for fs encryption
new mount options do not match the existing superblock, will be ignored
hub 5-0:1.0: USB hub found
hub 5-0:1.0: 1 port detected
EXT4-fs (loop3): Ignoring removed nobh option
EXT4-fs (loop3): Unsupported blocksize for fs encryption
EXT4-fs (loop5): Ignoring removed nobh option
EXT4-fs (loop5): Unsupported blocksize for fs encryption
ISO 9660 Extensions: Microsoft Joliet Level 3
ISOFS: changing to secondary root
ISO 9660 Extensions: Microsoft Joliet Level 3
ISOFS: changing to secondary root
EXT4-fs (loop2): Unrecognized mount option "" or missing value
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
ISO 9660 Extensions: Microsoft Joliet Level 3
device dummy0 entered promiscuous mode
ISOFS: changing to secondary root
team0: Device macvtap1 failed to register rx_handler
device dummy0 left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
device dummy0 entered promiscuous mode
team0: Device macvtap1 failed to register rx_handler
device dummy0 left promiscuous mode
EXT4-fs (loop2): Unrecognized mount option "" or missing value
ISO 9660 Extensions: Microsoft Joliet Level 3
print_req_error: I/O error, dev loop2, sector 0
Buffer I/O error on dev loop2, logical block 0, async page read
print_req_error: I/O error, dev loop2, sector 4
Buffer I/O error on dev loop2, logical block 2, async page read
ISOFS: changing to secondary root
print_req_error: I/O error, dev loop2, sector 6
Buffer I/O error on dev loop2, logical block 3, async page read
BTRFS info (device loop1): enabling inode map caching
BTRFS warning (device loop1): excessive commit interval 622039222
BTRFS info (device loop1): force zlib compression
BTRFS info (device loop1): using free space tree
BTRFS info (device loop1): has skinny extents
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
device dummy0 entered promiscuous mode
team0: Device macvtap1 failed to register rx_handler
device dummy0 left promiscuous mode
EXT4-fs (loop2): Unrecognized mount option "" or missing value
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
device dummy0 entered promiscuous mode
team0: Device macvtap1 failed to register rx_handler
device dummy0 left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
device dummy0 entered promiscuous mode
team0: Device macvtap1 failed to register rx_handler
device dummy0 left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
device dummy0 entered promiscuous mode
team0: Device macvtap1 failed to register rx_handler
EXT4-fs (loop2): Unrecognized mount option "" or missing value
device dummy0 left promiscuous mode
print_req_error: I/O error, dev loop2, sector 0
Buffer I/O error on dev loop2, logical block 0, async page read
print_req_error: I/O error, dev loop2, sector 4
Buffer I/O error on dev loop2, logical block 2, async page read
print_req_error: I/O error, dev loop2, sector 6
Buffer I/O error on dev loop2, logical block 3, async page read
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
BTRFS info (device loop1): enabling inode map caching
chnl_net:chnl_net_open(): err: Unable to register and open device, Err:-19
BTRFS warning (device loop1): excessive commit interval 622039222
caif:caif_disconnect_client(): nothing to disconnect
BTRFS info (device loop1): force zlib compression
chnl_net:chnl_flowctrl_cb(): NET flowctrl func called flow: CLOSE/DEINIT
BTRFS info (device loop1): using free space tree
chnl_net:chnl_net_open(): state disconnected
BTRFS info (device loop1): has skinny extents
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
device dummy0 entered promiscuous mode
team0: Device macvtap1 failed to register rx_handler
device dummy0 left promiscuous mode
Zero length message leads to an empty skb
BTRFS info (device loop1): enabling inode map caching
BTRFS warning (device loop1): excessive commit interval 622039222
BTRFS info (device loop1): force zlib compression
BTRFS info (device loop1): using free space tree
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop1): enabling inode map caching