F2FS-fs (loop4): Found nat_bits in checkpoint
F2FS-fs (loop4): f2fs_check_nid_range: out-of-range nid=2, run fsck to fix.
======================================================
WARNING: possible circular locking dependency detected
6.2.0-rc6-syzkaller-17549-gca72d58361ee #0 Not tainted
------------------------------------------------------
syz-executor.4/15627 is trying to acquire lock:
ffff00011c5dc088 (&sbi->sb_lock){++++}-{3:3}, at: f2fs_handle_error+0x9c/0x178

but task is already holding lock:
ffff00011921a930 (&nm_i->nat_tree_lock){++++}-{3:3}, at: f2fs_build_free_nids+0x3e4/0x8f8

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 (&nm_i->nat_tree_lock){++++}-{3:3}:
       down_read+0x5c/0x78
       f2fs_get_node_info+0x5c/0x5f4
       f2fs_new_node_page+0xc4/0x580
       f2fs_get_dnode_of_data+0x2e8/0xb28
       f2fs_get_new_data_page+0x80/0x648
       f2fs_add_regular_entry+0x358/0x78c
       f2fs_do_add_link+0x1b0/0x358
       f2fs_mkdir+0x120/0x264
       vfs_mkdir+0x1f8/0x2b0
       do_mkdirat+0xf4/0x2ec
       __arm64_sys_mkdirat+0x40/0x54
       invoke_syscall+0x64/0x178
       el0_svc_common+0xbc/0x180
       do_el0_svc+0x48/0x110
       el0_svc+0x58/0x14c
       el0t_64_sync_handler+0x84/0xf0
       el0t_64_sync+0x190/0x194

-> #3 (&sbi->cp_rwsem){++++}-{3:3}:
       down_read+0x5c/0x78
       f2fs_do_truncate_blocks+0x164/0xa30
       f2fs_truncate_blocks+0x9c/0x1dc
       f2fs_truncate+0x2ec/0x4dc
       f2fs_setattr+0x5c4/0x784
       notify_change+0x730/0x7c8
       do_truncate+0x10c/0x154
       path_openat+0x1078/0x1330
       do_filp_open+0xd0/0x1a8
       do_sys_openat2+0xb8/0x22c
       __arm64_sys_openat+0xb0/0xe0
       invoke_syscall+0x64/0x178
       el0_svc_common+0xbc/0x180
       do_el0_svc+0x48/0x110
       el0_svc+0x58/0x14c
       el0t_64_sync_handler+0x84/0xf0
       el0t_64_sync+0x190/0x194

-> #2 (mapping.invalidate_lock#4){++++}-{3:3}:
       down_read+0x5c/0x78
       filemap_fault+0x220/0xaa4
       f2fs_filemap_fault+0x34/0x29c
       __do_fault+0x74/0x32c
       handle_mm_fault+0xca4/0x241c
       do_page_fault+0x4b4/0x808
       do_translation_fault+0x78/0xac
       do_mem_abort+0x54/0x130
       el0_da+0x70/0x168
       el0t_64_sync_handler+0xcc/0xf0
       el0t_64_sync+0x190/0x194

-> #1 (&mm->mmap_lock){++++}-{3:3}:
       __might_fault+0x7c/0xb4
       __f2fs_ioctl+0x4df8/0x5104
       f2fs_ioctl+0x74/0xbc
       __arm64_sys_ioctl+0xd0/0x148
       invoke_syscall+0x64/0x178
       el0_svc_common+0xbc/0x180
       do_el0_svc+0x48/0x110
       el0_svc+0x58/0x14c
       el0t_64_sync_handler+0x84/0xf0
       el0t_64_sync+0x190/0x194

-> #0 (&sbi->sb_lock){++++}-{3:3}:
       __lock_acquire+0x1670/0x2f48
       lock_acquire+0x164/0x334
       down_write+0x5c/0x88
       f2fs_handle_error+0x9c/0x178
       add_free_nid+0x458/0x48c
       f2fs_build_free_nids+0x680/0x8f8
       f2fs_build_node_manager+0xd08/0xf00
       f2fs_fill_super+0x18c0/0x23d0
       mount_bdev+0x1b8/0x210
       f2fs_mount+0x44/0x58
       legacy_get_tree+0x30/0x74
       vfs_get_tree+0x40/0x140
       do_new_mount+0x1dc/0x4e4
       path_mount+0x348/0x86c
       __arm64_sys_mount+0x2c4/0x3c4
       invoke_syscall+0x64/0x178
       el0_svc_common+0xbc/0x180
       do_el0_svc+0x48/0x110
       el0_svc+0x58/0x14c
       el0t_64_sync_handler+0x84/0xf0
       el0t_64_sync+0x190/0x194

other info that might help us debug this:

Chain exists of:
  &sbi->sb_lock --> &sbi->cp_rwsem --> &nm_i->nat_tree_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&nm_i->nat_tree_lock);
                               lock(&sbi->cp_rwsem);
                               lock(&nm_i->nat_tree_lock);
  lock(&sbi->sb_lock);

 *** DEADLOCK ***

3 locks held by syz-executor.4/15627:
 #0: ffff0001199ce0e0 (&type->s_umount_key#62/1){+.+.}-{3:3}, at: alloc_super+0xf8/0x430
 #1: ffff00011921aac8 (&nm_i->build_lock){+.+.}-{3:3}, at: f2fs_build_free_nids+0x50/0x8f8
 #2: ffff00011921a930 (&nm_i->nat_tree_lock){++++}-{3:3}, at: f2fs_build_free_nids+0x3e4/0x8f8

stack backtrace:
CPU: 1 PID: 15627 Comm: syz-executor.4 Not tainted 6.2.0-rc6-syzkaller-17549-gca72d58361ee #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Call trace:
 dump_backtrace+0x1c8/0x1f4
 show_stack+0x2c/0x3c
 dump_stack_lvl+0xd0/0x124
 dump_stack+0x1c/0x28
 print_circular_bug+0x2c4/0x2c8
 check_noncircular+0x148/0x150
 __lock_acquire+0x1670/0x2f48
 lock_acquire+0x164/0x334
 down_write+0x5c/0x88
 f2fs_handle_error+0x9c/0x178
 add_free_nid+0x458/0x48c
 f2fs_build_free_nids+0x680/0x8f8
 f2fs_build_node_manager+0xd08/0xf00
 f2fs_fill_super+0x18c0/0x23d0
 mount_bdev+0x1b8/0x210
 f2fs_mount+0x44/0x58
 legacy_get_tree+0x30/0x74
 vfs_get_tree+0x40/0x140
 do_new_mount+0x1dc/0x4e4
 path_mount+0x348/0x86c
 __arm64_sys_mount+0x2c4/0x3c4
 invoke_syscall+0x64/0x178
 el0_svc_common+0xbc/0x180
 do_el0_svc+0x48/0x110
 el0_svc+0x58/0x14c
 el0t_64_sync_handler+0x84/0xf0
 el0t_64_sync+0x190/0x194
F2FS-fs (loop4): Mounted with checkpoint version = 48b305e4