CR4: actual=0x0000000000002050, shadow=0x0000000000000000, gh_mask=ffffffffffffe871
audit: type=1804 audit(1642300744.595:79): pid=14054 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.3" name="/root/syzkaller-testdir446254001/syzkaller.oWxbLH/90/bus" dev="sda1" ino=14089 res=1
======================================================
WARNING: possible circular locking dependency detected
4.14.262-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/14069 is trying to acquire lock:
 ("dio/%s"sb->s_id){+.+.}, at: [] flush_workqueue+0xcb/0x1310 kernel/workqueue.c:2622

but task is already holding lock:
CR3 = 0x00000000fffbc000
 (&sb->s_type->i_mutex_key#21){++++}, at: [] inode_lock include/linux/fs.h:719 [inline]
 (&sb->s_type->i_mutex_key#21){++++}, at: [] generic_file_write_iter+0x99/0x650 mm/filemap.c:3205

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:
RSP = 0x0000000000000000  RIP = 0x0000000000000231

-> #2 (&sb->s_type->i_mutex_key#21){++++}:
       down_write+0x34/0x90 kernel/locking/rwsem.c:54
       inode_lock include/linux/fs.h:719 [inline]
       __generic_file_fsync+0x9e/0x190 fs/libfs.c:989
       fat_file_fsync+0x73/0x1f0 fs/fat/file.c:165
RFLAGS=0x00000296 DR7 = 0x0000000000000400
       vfs_fsync_range+0x103/0x260 fs/sync.c:196
       generic_write_sync include/linux/fs.h:2684 [inline]
       dio_complete+0x561/0x8d0 fs/direct-io.c:330
       process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

-> #1 ((&dio->complete_work)){+.+.}:
       process_one_work+0x736/0x14a0 kernel/workqueue.c:2093
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
CS:   sel=0x0000, attr=0x0009b, limit=0x0000ffff, base=0x0000000000000000
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

-> #0 ("dio/%s"sb->s_id){+.+.}:
DS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625
SS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
       drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2790
       destroy_workqueue+0x71/0x710 kernel/workqueue.c:4116
       __alloc_workqueue_key+0xd50/0x1080 kernel/workqueue.c:4093
       sb_init_dio_done_wq+0x34/0x80 fs/direct-io.c:624
ES:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
       do_blockdev_direct_IO fs/direct-io.c:1287 [inline]
       __blockdev_direct_IO+0x3df1/0xdcb0 fs/direct-io.c:1423
       blockdev_direct_IO include/linux/fs.h:2994 [inline]
       fat_direct_IO+0x19b/0x320 fs/fat/inode.c:275
       generic_file_direct_write+0x1df/0x420 mm/filemap.c:2958
       __generic_file_write_iter+0x2a2/0x590 mm/filemap.c:3137
       generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
FS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
       call_write_iter include/linux/fs.h:1780 [inline]
       aio_write+0x2ed/0x560 fs/aio.c:1553
GS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
       io_submit_one fs/aio.c:1641 [inline]
       do_io_submit+0x847/0x1570 fs/aio.c:1709
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  "dio/%s"sb->s_id --> (&dio->complete_work) --> &sb->s_type->i_mutex_key#21
GDTR: limit=0x0000ffff, base=0x0000000000000000
LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key#21);
                               lock((&dio->complete_work));
                               lock(&sb->s_type->i_mutex_key#21);
  lock("dio/%s"sb->s_id);
IDTR: limit=0x0000ffff, base=0x0000000000000000
TR:   sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000

 *** DEADLOCK ***

2 locks held by syz-executor.1/14069:
 #0:  (sb_writers#13){.+.+}, at: [] file_start_write include/linux/fs.h:2714 [inline]
 #0:  (sb_writers#13){.+.+}, at: [] aio_write+0x408/0x560 fs/aio.c:1552
EFER = 0x0000000000000000  PAT = 0x0007040600070406
 #1:  (&sb->s_type->i_mutex_key#21){++++}, at: [] inode_lock include/linux/fs.h:719 [inline]
      (&sb->s_type->i_mutex_key#21){++++}, at: [] generic_file_write_iter+0x99/0x650 mm/filemap.c:3205

stack backtrace:
CPU: 1 PID: 14069 Comm: syz-executor.1 Not tainted 4.14.262-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
Interruptibility = 00000001  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff81160b1e  RSP = 0xffff88809e4a79b8
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
 flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625
FSBase=00007fb521026700 GSBase=ffff8880ba400000 TRBase=fffffe0000003000
GDTBase=fffffe0000001000 IDTBase=fffffe0000000000
 drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2790
CR0=0000000080050033 CR3=00000000a60f4000 CR4=00000000003426f0
 destroy_workqueue+0x71/0x710 kernel/workqueue.c:4116
 __alloc_workqueue_key+0xd50/0x1080 kernel/workqueue.c:4093
Sysenter RSP=fffffe0000003000 CS:RIP=0010:ffffffff87401690
 sb_init_dio_done_wq+0x34/0x80 fs/direct-io.c:624
 do_blockdev_direct_IO fs/direct-io.c:1287 [inline]
 __blockdev_direct_IO+0x3df1/0xdcb0 fs/direct-io.c:1423
 blockdev_direct_IO include/linux/fs.h:2994 [inline]
 fat_direct_IO+0x19b/0x320 fs/fat/inode.c:275
 generic_file_direct_write+0x1df/0x420 mm/filemap.c:2958
 __generic_file_write_iter+0x2a2/0x590 mm/filemap.c:3137
 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
 call_write_iter include/linux/fs.h:1780 [inline]
 aio_write+0x2ed/0x560 fs/aio.c:1553
 io_submit_one fs/aio.c:1641 [inline]
 do_io_submit+0x847/0x1570 fs/aio.c:1709
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f33ec878fe9
RSP: 002b:00007f33eb1ee168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007f33ec98bf60 RCX: 00007f33ec878fe9
RDX: 0000000020000540 RSI: 00000000000018af RDI: 00007f33ec967000
RBP: 00007f33ec8d308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffba535adf R14: 00007f33eb1ee300 R15: 0000000000022000
EFER = 0x0000000000000d01  PAT = 0x0407050600070106
*** Control State ***
PinBased=0000003f CPUBased=b699edfa SecondaryExec=000000e2
EntryControls=0000d1ff ExitControls=002fefff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.0'.
VMEntry: intr_info=80000202 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000003
        reason=80000021 qualification=0000000000000003
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffff9993a983b4
EPT pointer = 0x00000000a304f01e
Virtual processor ID = 0x0001
FAT-fs (loop1): Unrecognized mount option "./bus" or missing value
audit: type=1804 audit(1642300746.005:80): pid=14160 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir446254001/syzkaller.oWxbLH/91/bus" dev="sda1" ino=14092 res=1
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.0'.
audit: type=1804 audit(1642300746.035:81): pid=14160 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir446254001/syzkaller.oWxbLH/91/bus" dev="sda1" ino=14092 res=1
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
audit: type=1804 audit(1642300746.035:82): pid=14160 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir446254001/syzkaller.oWxbLH/91/bus" dev="sda1" ino=14092 res=1
audit: type=1804 audit(1642300746.035:83): pid=14160 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir446254001/syzkaller.oWxbLH/91/bus" dev="sda1" ino=14092 res=1
device veth9 entered promiscuous mode
audit: type=1804 audit(1642300746.035:84): pid=14160 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir446254001/syzkaller.oWxbLH/91/bus" dev="sda1" ino=14092 res=1
audit: type=1804 audit(1642300746.035:85): pid=14160 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir446254001/syzkaller.oWxbLH/91/bus" dev="sda1" ino=14092 res=1
*** Guest State ***
audit: type=1804 audit(1642300746.035:86): pid=14160 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir446254001/syzkaller.oWxbLH/91/bus" dev="sda1" ino=14092 res=1
IPv6: ADDRCONF(NETDEV_UP): veth9: link is not ready
CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
CR4: actual=0x0000000000002050, shadow=0x0000000000000000, gh_mask=ffffffffffffe871
CR3 = 0x00000000fffbc000
RSP = 0x0000000000000000  RIP = 0x0000000000000231
RFLAGS=0x00000296 DR7 = 0x0000000000000400
Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000
CS:   sel=0x0000, attr=0x0009b, limit=0x0000ffff, base=0x0000000000000000
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
DS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
SS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
ES:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
FS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
GS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
GDTR: limit=0x0000ffff, base=0x0000000000000000
LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000
IDTR: limit=0x0000ffff, base=0x0000000000000000
TR:   sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000
EFER = 0x0000000000000000  PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
Interruptibility = 00000001  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff81160b1e  RSP = 0xffff888058bef9b8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=00007fb521026700 GSBase=ffff8880ba400000 TRBase=fffffe0000003000
GDTBase=fffffe0000001000 IDTBase=fffffe0000000000
CR0=0000000080050033 CR3=00000000a1968000 CR4=00000000003426f0
Sysenter RSP=fffffe0000003000 CS:RIP=0010:ffffffff87401690
EFER = 0x0000000000000d01  PAT = 0x0407050600070106
*** Control State ***
PinBased=0000003f CPUBased=b699edfa SecondaryExec=000000e2
EntryControls=0000d1ff ExitControls=002fefff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=80000202 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000003
        reason=80000021 qualification=0000000000000003
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffff98aa3db3e6
EPT pointer = 0x00000000af55f01e
Virtual processor ID = 0x0001
Zero length message leads to an empty skb
device geneve2 entered promiscuous mode
EXT4-fs (loop4): Unrecognized mount option "" or missing value
EXT4-fs (loop4): Unrecognized mount option "" or missing value
EXT4-fs (loop4): Unrecognized mount option "" or missing value
EXT4-fs (loop4): Unrecognized mount option "" or missing value
print_req_error: 154 callbacks suppressed
print_req_error: I/O error, dev loop4, sector 0
buffer_io_error: 276 callbacks suppressed
Buffer I/O error on dev loop4, logical block 0, async page read
print_req_error: I/O error, dev loop4, sector 4
Buffer I/O error on dev loop4, logical block 2, async page read
print_req_error: I/O error, dev loop4, sector 6
Buffer I/O error on dev loop4, logical block 3, async page read
print_req_error: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, async page read
print_req_error: I/O error, dev loop4, sector 4
Buffer I/O error on dev loop4, logical block 2, async page read
print_req_error: I/O error, dev loop4, sector 6
Buffer I/O error on dev loop4, logical block 3, async page read
print_req_error: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, async page read
print_req_error: I/O error, dev loop4, sector 4
Buffer I/O error on dev loop4, logical block 2, async page read
print_req_error: I/O error, dev loop4, sector 6
Buffer I/O error on dev loop4, logical block 3, async page read
print_req_error: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, async page read
device geneve2 entered promiscuous mode
device geneve0 entered promiscuous mode
device geneve2 entered promiscuous mode
device geneve2 entered promiscuous mode
mkiss: ax0: crc mode is auto.
device geneve0 entered promiscuous mode
mkiss: ax0: crc mode is auto.
device geneve0 entered promiscuous mode
mkiss: ax0: crc mode is auto.
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
UDF-fs: error (device loop4): udf_process_sequence: Block 99 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: error (device loop4): udf_process_sequence: Block 1984 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: warning (device loop4): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 4096 failed
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
UDF-fs: error (device loop4): udf_process_sequence: Block 99 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: error (device loop4): udf_process_sequence: Block 1984 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: warning (device loop4): udf_load_vrs: No VRS found
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: error (device loop4): udf_process_sequence: Block 99 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: error (device loop4): udf_process_sequence: Block 1984 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found