hfs: bad catalog entry type 0 ====================================================== WARNING: possible circular locking dependency detected netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'. 4.19.211-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.1/4362 is trying to acquire lock: 00000000a2947f3e (&sbi->alloc_mutex){+.+.}, at: hfsplus_block_free+0xdb/0x5d0 fs/hfsplus/bitmap.c:182 but task is already holding lock: 000000005d0db6a8 (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: hfsplus_file_truncate+0x1e2/0x1040 fs/hfsplus/extents.c:576 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}: hfsplus_get_block+0x292/0x960 fs/hfsplus/extents.c:260 block_read_full_page+0x288/0xd10 fs/buffer.c:2259 do_read_cache_page+0x533/0x1170 mm/filemap.c:2828 read_mapping_page include/linux/pagemap.h:402 [inline] hfsplus_block_allocate+0x197/0xa60 fs/hfsplus/bitmap.c:37 hfsplus_file_extend+0x436/0xf40 fs/hfsplus/extents.c:468 hfsplus_get_block+0x196/0x960 fs/hfsplus/extents.c:245 __block_write_begin_int+0x46c/0x17b0 fs/buffer.c:1978 __block_write_begin fs/buffer.c:2028 [inline] block_write_begin+0x58/0x2e0 fs/buffer.c:2087 cont_write_begin+0x55a/0x820 fs/buffer.c:2440 hfsplus_write_begin+0x87/0x150 fs/hfsplus/inode.c:52 generic_perform_write+0x1f8/0x4d0 mm/filemap.c:3170 __generic_file_write_iter+0x24b/0x610 mm/filemap.c:3295 generic_file_write_iter+0x3f8/0x730 mm/filemap.c:3323 call_write_iter include/linux/fs.h:1821 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x51b/0x770 fs/read_write.c:487 __kernel_write+0x109/0x370 fs/read_write.c:506 dump_emit+0x183/0x300 fs/coredump.c:801 elf_core_dump+0x2914/0x4c10 fs/binfmt_elf.c:2335 do_coredump+0x1d4e/0x2d60 fs/coredump.c:765 get_signal+0xed9/0x1f70 kernel/signal.c:2583 do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799 exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163 prepare_exit_to_usermode+0x277/0x2d0 arch/x86/entry/common.c:198 retint_user+0x8/0x18 -> #0 (&sbi->alloc_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:937 [inline] __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078 hfsplus_block_free+0xdb/0x5d0 fs/hfsplus/bitmap.c:182 hfsplus_free_extents+0x228/0x520 fs/hfsplus/extents.c:363 hfsplus_file_truncate+0xd96/0x1040 fs/hfsplus/extents.c:591 hfsplus_setattr+0x1e7/0x310 fs/hfsplus/inode.c:263 notify_change+0x70b/0xfc0 fs/attr.c:334 do_truncate+0x134/0x1f0 fs/open.c:63 handle_truncate fs/namei.c:3009 [inline] do_last fs/namei.c:3427 [inline] path_openat+0x2308/0x2df0 fs/namei.c:3537 do_filp_open+0x18c/0x3f0 fs/namei.c:3567 do_sys_open+0x3b3/0x520 fs/open.c:1085 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&HFSPLUS_I(inode)->extents_lock); lock(&sbi->alloc_mutex); lock(&HFSPLUS_I(inode)->extents_lock); lock(&sbi->alloc_mutex); *** DEADLOCK *** 3 locks held by syz-executor.1/4362: #0: 0000000088024bcb (sb_writers#25){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 0000000088024bcb (sb_writers#25){.+.+}, at: mnt_want_write+0x3a/0xb0 fs/namespace.c:360 #1: 000000000bebbcab (&sb->s_type->i_mutex_key#33){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 000000000bebbcab (&sb->s_type->i_mutex_key#33){+.+.}, at: do_truncate+0x125/0x1f0 fs/open.c:61 #2: 000000005d0db6a8 (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: hfsplus_file_truncate+0x1e2/0x1040 fs/hfsplus/extents.c:576 stack backtrace: CPU: 1 PID: 4362 Comm: syz-executor.1 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222 check_prev_add kernel/locking/lockdep.c:1866 [inline] check_prevs_add kernel/locking/lockdep.c:1979 [inline] validate_chain kernel/locking/lockdep.c:2420 [inline] __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908 __mutex_lock_common kernel/locking/mutex.c:937 [inline] __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078 hfsplus_block_free+0xdb/0x5d0 fs/hfsplus/bitmap.c:182 hfsplus_free_extents+0x228/0x520 fs/hfsplus/extents.c:363 hfsplus_file_truncate+0xd96/0x1040 fs/hfsplus/extents.c:591 hfsplus_setattr+0x1e7/0x310 fs/hfsplus/inode.c:263 notify_change+0x70b/0xfc0 fs/attr.c:334 do_truncate+0x134/0x1f0 fs/open.c:63 handle_truncate fs/namei.c:3009 [inline] do_last fs/namei.c:3427 [inline] path_openat+0x2308/0x2df0 fs/namei.c:3537 do_filp_open+0x18c/0x3f0 fs/namei.c:3567 do_sys_open+0x3b3/0x520 fs/open.c:1085 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7fa5d1d060a9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa5d0278168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00007fa5d1e25f80 RCX: 00007fa5d1d060a9 RDX: 0000000000000000 RSI: 0000000000143242 RDI: 0000000020000000 RBP: 00007fa5d1d61ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc23c2bf2f R14: 00007fa5d0278300 R15: 0000000000022000 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 hfs: bad catalog entry type 0 hfs: bad catalog entry type 0 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. audit: type=1804 audit(1672370128.139:731): pid=4451 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir3810405683/syzkaller.1nGg0a/174/bus" dev="sda1" ino=14464 res=1 audit: type=1800 audit(1672370128.169:732): pid=4458 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14479 res=0 audit: type=1804 audit(1672370128.309:733): pid=4476 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir3810405683/syzkaller.1nGg0a/174/bus" dev="sda1" ino=14464 res=1 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. audit: type=1800 audit(1672370128.349:734): pid=4481 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14487 res=0 audit: type=1800 audit(1672370128.599:735): pid=4521 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14473 res=0 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. audit: type=1804 audit(1672370129.249:736): pid=4598 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir3810405683/syzkaller.1nGg0a/175/bus" dev="sda1" ino=14103 res=1 xt_CT: You must specify a L4 protocol and not use inversions on it nla_parse: 2 callbacks suppressed netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. xt_CT: You must specify a L4 protocol and not use inversions on it netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. kauditd_printk_skb: 1 callbacks suppressed audit: type=1804 audit(1672370130.769:738): pid=4693 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir3810405683/syzkaller.1nGg0a/176/bus" dev="sda1" ino=14504 res=1 audit: type=1804 audit(1672370130.829:739): pid=4696 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir3810405683/syzkaller.1nGg0a/176/bus" dev="sda1" ino=14504 res=1 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'. xt_CT: You must specify a L4 protocol and not use inversions on it netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. ieee802154 phy0 wpan0: encryption failed: -22 ieee802154 phy1 wpan1: encryption failed: -22 nla_parse: 111 callbacks suppressed netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.