====================================================== WARNING: possible circular locking dependency detected 4.14.293-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.1/9554 is trying to acquire lock: ("dio/%s"sb->s_id){+.+.}, at: [] flush_workqueue+0xcb/0x1310 kernel/workqueue.c:2622 but task is already holding lock: (&sb->s_type->i_mutex_key#21){+.+.}, at: [] inode_lock include/linux/fs.h:719 [inline] (&sb->s_type->i_mutex_key#21){+.+.}, at: [] generic_file_write_iter+0x99/0x650 mm/filemap.c:3205 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&sb->s_type->i_mutex_key#21){+.+.}: down_write+0x34/0x90 kernel/locking/rwsem.c:54 inode_lock include/linux/fs.h:719 [inline] __generic_file_fsync+0x9e/0x190 fs/libfs.c:989 fat_file_fsync+0x73/0x1f0 fs/fat/file.c:165 vfs_fsync_range+0x103/0x260 fs/sync.c:196 generic_write_sync include/linux/fs.h:2684 [inline] dio_complete+0x561/0x8d0 fs/direct-io.c:330 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251 kthread+0x30d/0x420 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 -> #1 ((&dio->complete_work)){+.+.}: process_one_work+0x736/0x14a0 kernel/workqueue.c:2093 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251 kthread+0x30d/0x420 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 -> #0 ("dio/%s"sb->s_id){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625 drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2790 destroy_workqueue+0x71/0x710 kernel/workqueue.c:4116 __alloc_workqueue_key+0xd50/0x1080 kernel/workqueue.c:4093 sb_init_dio_done_wq+0x34/0x80 fs/direct-io.c:624 do_blockdev_direct_IO fs/direct-io.c:1287 [inline] __blockdev_direct_IO+0x3df1/0xdcb0 fs/direct-io.c:1423 blockdev_direct_IO include/linux/fs.h:2994 [inline] fat_direct_IO+0x19b/0x320 fs/fat/inode.c:275 generic_file_direct_write+0x1df/0x420 mm/filemap.c:2958 __generic_file_write_iter+0x2a2/0x590 mm/filemap.c:3137 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208 call_write_iter include/linux/fs.h:1780 [inline] aio_write+0x2ed/0x560 fs/aio.c:1553 io_submit_one fs/aio.c:1641 [inline] do_io_submit+0x847/0x1570 fs/aio.c:1709 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb other info that might help us debug this: Chain exists of: "dio/%s"sb->s_id --> (&dio->complete_work) --> &sb->s_type->i_mutex_key#21 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&sb->s_type->i_mutex_key#21); lock((&dio->complete_work)); lock(&sb->s_type->i_mutex_key#21); lock("dio/%s"sb->s_id); *** DEADLOCK *** 2 locks held by syz-executor.1/9554: #0: (sb_writers#13){.+.+}, at: [] file_start_write include/linux/fs.h:2714 [inline] #0: (sb_writers#13){.+.+}, at: [] aio_write+0x408/0x560 fs/aio.c:1552 #1: (&sb->s_type->i_mutex_key#21){+.+.}, at: [] inode_lock include/linux/fs.h:719 [inline] #1: (&sb->s_type->i_mutex_key#21){+.+.}, at: [] generic_file_write_iter+0x99/0x650 mm/filemap.c:3205 stack backtrace: CPU: 0 PID: 9554 Comm: syz-executor.1 Not tainted 4.14.293-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625 drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2790 destroy_workqueue+0x71/0x710 kernel/workqueue.c:4116 __alloc_workqueue_key+0xd50/0x1080 kernel/workqueue.c:4093 sb_init_dio_done_wq+0x34/0x80 fs/direct-io.c:624 do_blockdev_direct_IO fs/direct-io.c:1287 [inline] __blockdev_direct_IO+0x3df1/0xdcb0 fs/direct-io.c:1423 blockdev_direct_IO include/linux/fs.h:2994 [inline] fat_direct_IO+0x19b/0x320 fs/fat/inode.c:275 generic_file_direct_write+0x1df/0x420 mm/filemap.c:2958 __generic_file_write_iter+0x2a2/0x590 mm/filemap.c:3137 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208 call_write_iter include/linux/fs.h:1780 [inline] aio_write+0x2ed/0x560 fs/aio.c:1553 io_submit_one fs/aio.c:1641 [inline] do_io_submit+0x847/0x1570 fs/aio.c:1709 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7faaf484a409 RSP: 002b:00007faaf319e168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1 RAX: ffffffffffffffda RBX: 00007faaf495d050 RCX: 00007faaf484a409 RDX: 0000000020000540 RSI: 0000000000001801 RDI: 00007faaf4938000 RBP: 00007faaf48a5367 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc4afaa00f R14: 00007faaf319e300 R15: 0000000000022000 netlink: 140 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 140 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 140 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 140 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 140 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 140 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 140 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 140 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 140 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 140 bytes leftover after parsing attributes in process `syz-executor.3'. usb usb9: Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK. usb usb9: Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK. usb usb9: Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK. device team0 entered promiscuous mode device team_slave_0 entered promiscuous mode device team_slave_1 entered promiscuous mode batman_adv: batadv0: Adding interface: team0 batman_adv: batadv0: The MTU of interface team0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. batman_adv: batadv0: Interface activated: team0 batman_adv: batadv0: Interface deactivated: team0 batman_adv: batadv0: Removing interface: team0 bridge0: port 3(team0) entered blocking state bridge0: port 3(team0) entered disabled state bridge0: port 3(team0) entered blocking state bridge0: port 3(team0) entered forwarding state usb usb9: Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK. L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. usb usb9: Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK. usb usb9: Requested nonsensical USBDEVFS_URB_SHORT_NOT_OK. input: syz1 as /devices/virtual/input/input5 audit: type=1800 audit(1663253493.969:2): pid=10078 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13961 res=0 audit: type=1800 audit(1663253494.439:3): pid=10105 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=13879 res=0 audit: type=1804 audit(1663253494.439:4): pid=10105 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir1043111903/syzkaller.pClUnd/16/file0" dev="sda1" ino=13879 res=1 audit: type=1800 audit(1663253494.859:5): pid=10130 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13959 res=0