slab_pre_alloc_hook mm/slab.h:424 [inline] slab_alloc_node mm/slab.c:3304 [inline] kmem_cache_alloc_node+0x245/0x3b0 mm/slab.c:3647 __alloc_skb+0x71/0x560 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:995 [inline] pep_alloc_skb+0x35/0x290 net/phonet/pep.c:85 ====================================================== pipe_handler_request net/phonet/pep.c:148 [inline] pep_sock_connect+0x108/0x3c0 net/phonet/pep.c:905 WARNING: possible circular locking dependency detected 4.19.211-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.3/17582 is trying to acquire lock: 00000000271a72c1 (&tree->tree_lock){+.+.}, at: hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595 pn_socket_connect+0x41b/0x8c0 net/phonet/socket.c:268 but task is already holding lock: 000000006b89914e (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: hfsplus_file_truncate+0x1e2/0x1040 fs/hfsplus/extents.c:576 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}: hfsplus_file_extend+0x1bb/0xf40 fs/hfsplus/extents.c:457 __sys_connect+0x265/0x2c0 net/socket.c:1775 hfsplus_bmap_reserve+0x298/0x440 fs/hfsplus/btree.c:357 hfsplus_create_cat+0x1e3/0x1210 fs/hfsplus/catalog.c:272 hfsplus_fill_super+0x14a8/0x19e0 fs/hfsplus/super.c:560 mount_bdev+0x2fc/0x3b0 fs/super.c:1158 mount_fs+0xa3/0x310 fs/super.c:1261 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961 vfs_kern_mount fs/namespace.c:951 [inline] do_new_mount fs/namespace.c:2492 [inline] do_mount+0x115c/0x2f50 fs/namespace.c:2822 ksys_mount+0xcf/0x130 fs/namespace.c:3038 __do_sys_mount fs/namespace.c:3052 [inline] __se_sys_mount fs/namespace.c:3049 [inline] __x64_sys_mount+0xba/0x150 fs/namespace.c:3049 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #0 (&tree->tree_lock){+.+.}: __do_sys_connect net/socket.c:1786 [inline] __se_sys_connect net/socket.c:1783 [inline] __x64_sys_connect+0x6f/0xb0 net/socket.c:1783 __mutex_lock_common kernel/locking/mutex.c:937 [inline] __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078 hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595 hfsplus_setattr+0x1e7/0x310 fs/hfsplus/inode.c:263 notify_change+0x70b/0xfc0 fs/attr.c:334 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 do_truncate+0x134/0x1f0 fs/open.c:63 handle_truncate fs/namei.c:3009 [inline] do_last fs/namei.c:3427 [inline] path_openat+0x2308/0x2df0 fs/namei.c:3537 entry_SYSCALL_64_after_hwframe+0x49/0xbe do_filp_open+0x18c/0x3f0 fs/namei.c:3567 RIP: 0033:0x7f4e0eeac0c9 do_sys_open+0x3b3/0x520 fs/open.c:1085 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 RSP: 002b:00007f4e0d41e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002a entry_SYSCALL_64_after_hwframe+0x49/0xbe RAX: ffffffffffffffda RBX: 00007f4e0efcbf80 RCX: 00007f4e0eeac0c9 other info that might help us debug this: RDX: 0000000000000010 RSI: 0000000020000400 RDI: 0000000000000004 Possible unsafe locking scenario: CPU0 CPU1 RBP: 00007f4e0d41e1d0 R08: 0000000000000000 R09: 0000000000000000 ---- ---- lock(&HFSPLUS_I(inode)->extents_lock); R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 lock(&tree->tree_lock); R13: 00007ffcfcdbcc2f R14: 00007f4e0d41e300 R15: 0000000000022000 lock(&HFSPLUS_I(inode)->extents_lock); lock(&tree->tree_lock); *** DEADLOCK *** 3 locks held by syz-executor.3/17582: #0: 00000000416c5fdf (sb_writers#23){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 00000000416c5fdf (sb_writers#23){.+.+}, at: mnt_want_write+0x3a/0xb0 fs/namespace.c:360 #1: 00000000ad02d1a4 (&sb->s_type->i_mutex_key#29){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 00000000ad02d1a4 (&sb->s_type->i_mutex_key#29){+.+.}, at: do_truncate+0x125/0x1f0 fs/open.c:61 #2: 000000006b89914e (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: hfsplus_file_truncate+0x1e2/0x1040 fs/hfsplus/extents.c:576 stack backtrace: CPU: 0 PID: 17582 Comm: syz-executor.3 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222 check_prev_add kernel/locking/lockdep.c:1866 [inline] check_prevs_add kernel/locking/lockdep.c:1979 [inline] validate_chain kernel/locking/lockdep.c:2420 [inline] __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908 __mutex_lock_common kernel/locking/mutex.c:937 [inline] __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078 hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595 hfsplus_setattr+0x1e7/0x310 fs/hfsplus/inode.c:263 notify_change+0x70b/0xfc0 fs/attr.c:334 do_truncate+0x134/0x1f0 fs/open.c:63 handle_truncate fs/namei.c:3009 [inline] do_last fs/namei.c:3427 [inline] path_openat+0x2308/0x2df0 fs/namei.c:3537 do_filp_open+0x18c/0x3f0 fs/namei.c:3567 do_sys_open+0x3b3/0x520 fs/open.c:1085 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f50556eb0c9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f5053c5d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00007f505580af80 RCX: 00007f50556eb0c9 RDX: 0000000000000000 RSI: 0000000000143242 RDI: 0000000020000000 RBP: 00007f5055746ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffed58e96ef R14: 00007f5053c5d300 R15: 0000000000022000 XFS (loop5): Mounting V4 Filesystem XFS (loop5): Ending clean mount XFS (loop5): Quotacheck needed: Please wait. XFS (loop5): Quotacheck: Done. overlayfs: unrecognized mount option "rootcontext=unconfined_u" or missing value overlayfs: failed to resolve './file0': -2 XFS (loop5): Unmounting Filesystem ntfs: volume version 3.1. XFS (loop5): Mounting V4 Filesystem XFS (loop5): Ending clean mount XFS (loop5): Quotacheck needed: Please wait. XFS (loop5): Quotacheck: Done. XFS (loop5): Unmounting Filesystem platform regulatory.0: Direct firmware load for regulatory.db failed with error -2 BTRFS info (device loop2): unrecognized mount option 'fowner>18446744073709551615' BTRFS error (device loop2): open_ctree failed platform regulatory.0: Direct firmware load for regulatory.db failed with error -2 nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. kauditd_printk_skb: 9 callbacks suppressed audit: type=1800 audit(1674968304.400:158): pid=17805 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=14709 res=0 BTRFS info (device loop2): unrecognized mount option 'fowner>18446744073709551615' BTRFS error (device loop2): open_ctree failed audit: type=1800 audit(1674968304.750:159): pid=17866 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=14677 res=0 platform regulatory.0: Direct firmware load for regulatory.db failed with error -2 BTRFS info (device loop5): unrecognized mount option 'fowner>18446744073709551615' BTRFS error (device loop5): open_ctree failed audit: type=1800 audit(1674968305.670:160): pid=17946 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.0" name="bus" dev="sda1" ino=13877 res=0 audit: type=1800 audit(1674968305.830:161): pid=17935 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=14711 res=0 nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. audit: type=1800 audit(1674968306.980:162): pid=17952 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14209 res=0 audit: type=1800 audit(1674968307.270:163): pid=17959 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.3" name="bus" dev="sda1" ino=13874 res=0 platform regulatory.0: Direct firmware load for regulatory.db failed with error -2 platform regulatory.0: Direct firmware load for regulatory.db failed with error -2 could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 platform regulatory.0: Direct firmware load for regulatory.db failed with error -2 could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 REISERFS warning (device loop1): super-6506 reiserfs_getopt: bad value "no_unhayhed_relocation" for option "block-allocator" could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 could not allocate digest TFM handle syz5 REISERFS warning (device loop5): super-6506 reiserfs_getopt: bad value "no_unhayhed_relocation" for option "block-allocator" REISERFS warning (device loop1): super-6506 reiserfs_getopt: bad value "no_unhayhed_relocation" for option "block-allocator" REISERFS warning (device loop1): super-6506 reiserfs_getopt: bad value "no_unhayhed_relocation" for option "block-allocator" usb usb4: usbfs: process 18324 (syz-executor.2) did not claim interface 1 before use REISERFS warning (device loop5): super-6506 reiserfs_getopt: bad value "no_unhayhed_relocation" for option "block-allocator" ---------------- Code disassembly (best guess): 0: 28 00 sub %al,(%rax) 2: 00 00 add %al,(%rax) 4: 75 05 jne 0xb 6: 48 83 c4 28 add $0x28,%rsp a: c3 retq b: e8 f1 19 00 00 callq 0x1a01 10: 90 nop 11: 48 89 f8 mov %rdi,%rax 14: 48 89 f7 mov %rsi,%rdi 17: 48 89 d6 mov %rdx,%rsi 1a: 48 89 ca mov %rcx,%rdx 1d: 4d 89 c2 mov %r8,%r10 20: 4d 89 c8 mov %r9,%r8 23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9 28: 0f 05 syscall * 2a: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 retq 33: 48 c7 c1 b8 ff ff ff mov $0xffffffffffffffb8,%rcx 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W