audit: type=1804 audit(1676850432.321:2): pid=10039 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir3888480279/syzkaller.5CbL68/25/bus" dev="sda1" ino=13957 res=1

======================================================
WARNING: possible circular locking dependency detected
4.14.305-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/10028 is trying to acquire lock:
 (&sbi->alloc_mutex){+.+.}, at: [] hfsplus_block_free+0xc7/0x560 fs/hfsplus/bitmap.c:182

but task is already holding lock:
 (&tree->tree_lock/1){+.+.}, at: [] hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&tree->tree_lock/1){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33
       hfsplus_ext_read_extent+0x15f/0x9e0 fs/hfsplus/extents.c:216
       hfsplus_get_block+0x23e/0x820 fs/hfsplus/extents.c:268
       block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
       do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
       read_mapping_page include/linux/pagemap.h:398 [inline]
       hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
       hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
       hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
       __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
       __block_write_begin fs/buffer.c:2088 [inline]
       block_write_begin+0x58/0x270 fs/buffer.c:2147
       cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
       hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
       generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
       __generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
       generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
       call_write_iter include/linux/fs.h:1780 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x44c/0x630 fs/read_write.c:482
       vfs_write+0x17f/0x4d0 fs/read_write.c:544
       SYSC_write fs/read_write.c:590 [inline]
       SyS_write+0xf2/0x210 fs/read_write.c:582
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_get_block+0x1f9/0x820 fs/hfsplus/extents.c:260
       block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
       do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
       read_mapping_page include/linux/pagemap.h:398 [inline]
       hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
       hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
       hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
       __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
       __block_write_begin fs/buffer.c:2088 [inline]
       block_write_begin+0x58/0x270 fs/buffer.c:2147
       cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
       hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
       generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
       __generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
       generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
       call_write_iter include/linux/fs.h:1780 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x44c/0x630 fs/read_write.c:482
       vfs_write+0x17f/0x4d0 fs/read_write.c:544
       SYSC_write fs/read_write.c:590 [inline]
       SyS_write+0xf2/0x210 fs/read_write.c:582
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (&sbi->alloc_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_block_free+0xc7/0x560 fs/hfsplus/bitmap.c:182
       hfsplus_free_extents+0x170/0x440 fs/hfsplus/extents.c:360
       hfsplus_file_truncate+0xbc0/0xe80 fs/hfsplus/extents.c:585
       hfsplus_setattr+0x182/0x310 fs/hfsplus/inode.c:264
       notify_change+0x56b/0xd10 fs/attr.c:315
       do_truncate+0xff/0x1a0 fs/open.c:63
       handle_truncate fs/namei.c:3010 [inline]
       do_last fs/namei.c:3437 [inline]
       path_openat+0x1dcc/0x2970 fs/namei.c:3571
       do_filp_open+0x179/0x3c0 fs/namei.c:3605
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
  &sbi->alloc_mutex --> &HFSPLUS_I(inode)->extents_lock --> &tree->tree_lock/1

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&tree->tree_lock/1);
                               lock(&HFSPLUS_I(inode)->extents_lock);
                               lock(&tree->tree_lock/1);
  lock(&sbi->alloc_mutex);

 *** DEADLOCK ***

4 locks held by syz-executor.0/10028:
 #0: (sb_writers#15){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline]
 #0: (sb_writers#15){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386
 #1: (&sb->s_type->i_mutex_key#21){+.+.}, at: [] inode_lock include/linux/fs.h:719 [inline]
 #1: (&sb->s_type->i_mutex_key#21){+.+.}, at: [] do_truncate+0xf0/0x1a0 fs/open.c:61
 #2: (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: [] hfsplus_file_truncate+0x1ba/0xe80 fs/hfsplus/extents.c:571
 #3: (&tree->tree_lock/1){+.+.}, at: [] hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33

stack backtrace:
CPU: 0 PID: 10028 Comm: syz-executor.0 Not tainted 4.14.305-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 hfsplus_block_free+0xc7/0x560 fs/hfsplus/bitmap.c:182
 hfsplus_free_extents+0x170/0x440 fs/hfsplus/extents.c:360
 hfsplus_file_truncate+0xbc0/0xe80 fs/hfsplus/extents.c:585
 hfsplus_setattr+0x182/0x310 fs/hfsplus/inode.c:264
 notify_change+0x56b/0xd10 fs/attr.c:315
 do_truncate+0xff/0x1a0 fs/open.c:63
 handle_truncate fs/namei.c:3010 [inline]
 do_last fs/namei.c:3437 [inline]
 path_openat+0x1dcc/0x2970 fs/namei.c:3571
 do_filp_open+0x179/0x3c0 fs/namei.c:3605
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f0d15a710f9
RSP: 002b:00007f0d13fe3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f0d15b90f80 RCX: 00007f0d15a710f9
RDX: 0000000000000000 RSI: 0000000000143242 RDI: 0000000020000000
RBP: 00007f0d15accae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff6e14dfbf R14: 00007f0d13fe3300 R15: 0000000000022000
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
ISO 9660 Extensions: Microsoft Joliet Level 3
ISOFS: changing to secondary root
ISOFS: unable to read i-node block
ISOFS: unable to read i-node block
ISO 9660 Extensions: Microsoft Joliet Level 3
ISOFS: changing to secondary root
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
XFS (loop5): Superblock has unknown read-only compatible features (0x8) enabled.
XFS (loop5): Attempted to mount read-only compatible filesystem read-write.
XFS (loop5): Filesystem can only be safely mounted read only.
XFS (loop5): SB validate failed with error -22.
audit: type=1800 audit(1676850433.791:3): pid=10030 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file1" dev="sda1" ino=13977 res=0
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
XFS (loop2): Mounting V4 Filesystem
XFS (loop2): Ending clean mount
overlayfs: unrecognized mount option "owerdir=" or missing value
XFS (loop2): Unmounting Filesystem
audit: type=1804 audit(1676850434.111:4): pid=10141 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir3888480279/syzkaller.5CbL68/26/bus" dev="sda1" ino=13968 res=1
EXT4-fs (loop1): Unsupported blocksize for fs encryption
overlayfs: unrecognized mount option "owerdir=" or missing value
overlayfs: 'file0' not a directory
XFS (loop2): unknown mount option [./file0].
hfsplus: unable to parse mount options
audit: type=1804 audit(1676850435.021:5): pid=10230 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir3888480279/syzkaller.5CbL68/27/bus" dev="sda1" ino=13992 res=1
ntfs: volume version 3.1.
ntfs: (device loop5): ntfs_truncate(): Inode 0x43 has unknown attribute type 0x80. Aborting truncate.
autofs4:pid:10304:check_dev_ioctl_version: ioctl control interface version mismatch: kernel(1.1), user(2.1), cmd(0xc0189378)
autofs4:pid:10304:validate_dev_ioctl: invalid device control module version supplied for cmd(0xc0189378)
XFS (loop5): Superblock has unknown read-only compatible features (0x8) enabled.
XFS (loop5): Attempted to mount read-only compatible filesystem read-write.
XFS (loop5): Filesystem can only be safely mounted read only.
XFS (loop5): SB validate failed with error -22.
audit: type=1800 audit(1676850436.351:6): pid=10332 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file1" dev="sda1" ino=13960 res=0
EXT4-fs (loop3): Test dummy encryption mount option ignored
EXT4-fs (loop3): Ignoring removed nomblk_io_submit option
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
hfs: invalid btree extent records
EXT4-fs (loop3): Unsupported blocksize for fs encryption
hfs: unable to open extent tree
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, async page read
print_req_error: I/O error, dev loop0, sector 1
Buffer I/O error on dev loop0, logical block 1, async page read
print_req_error: I/O error, dev loop0, sector 4
Buffer I/O error on dev loop0, logical block 4, async page read
print_req_error: I/O error, dev loop0, sector 5
Buffer I/O error on dev loop0, logical block 5, async page read
print_req_error: I/O error, dev loop0, sector 6
Buffer I/O error on dev loop0, logical block 6, async page read
print_req_error: I/O error, dev loop0, sector 7
Buffer I/O error on dev loop0, logical block 7, async page read
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
hfs: invalid btree extent records
hfs: unable to open extent tree
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
minix_free_block (loop3:6): bit already cleared
Trying to free block not in datazone
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
hfs: invalid btree extent records
hfs: unable to open extent tree
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
minix_free_block (loop3:6): bit already cleared
Trying to free block not in datazone
dlm: non-version read from control device 0
hfs: unable to locate alternate MDB
hfs: continuing without an alternate MDB
hfs: invalid btree extent records
Trying to free block not in datazone
hfs: unable to open extent tree
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
minix_free_block (loop3:6): bit already cleared
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
minix_free_block (loop3:6): bit already cleared
Trying to free block not in datazone
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
audit: type=1800 audit(1676850439.232:7): pid=10740 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=14035 res=0
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
JFS: discard option not supported on device
JFS: discard option not supported on device
ERROR: (device loop4): txAbort:
ERROR: (device loop4): txAbort:
XFS (loop0): Mounting V4 Filesystem
XFS (loop0): Ending clean mount
audit: type=1800 audit(1676850440.042:8): pid=10798 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=14045 res=0
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
minix_free_block (loop5:6): bit already cleared
Trying to free block not in datazone
Trying to free block not in datazone
audit: type=1800 audit(1676850440.252:9): pid=10810 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=14048 res=0
overlayfs: unrecognized mount option "owerdir=" or missing value
XFS (loop0): Unmounting Filesystem
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
JFS: discard option not supported on device
Trying to free block not in datazone
JFS: discard option not supported on device
minix_free_block (loop5:6): bit already cleared
Trying to free block not in datazone
Trying to free block not in datazone
ERROR: (device loop3): txAbort:
ERROR: (device loop3): txAbort:
JFS: discard option not supported on device
JFS: discard option not supported on device
ERROR: (device loop4): txAbort:
ERROR: (device loop4): txAbort:
Trying to free block not in datazone
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
minix_free_block (loop5:6): bit already cleared
Trying to free block not in datazone
Trying to free block not in datazone
JFS: discard option not supported on device
JFS: discard option not supported on device
ERROR: (device loop3): txAbort:
ERROR: (device loop3): txAbort:
JFS: discard option not supported on device
JFS: discard option not supported on device
ERROR: (device loop4): txAbort:
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
Trying to free block not in datazone
Trying to free block not in datazone
ERROR: (device loop4): txAbort:
Trying to free block not in datazone
Trying to free block not in datazone
minix_free_block (loop5:6): bit already cleared
Trying to free block not in datazone
Trying to free block not in datazone
JFS: discard option not supported on device
JFS: discard option not supported on device
ERROR: (device loop3): txAbort:
ERROR: (device loop3): txAbort:
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
FAT-fs (loop0): Invalid FSINFO signature: 0x41615252, 0x00000000 (sector = 1)
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue