device vlan1 entered promiscuous mode
BTRFS: device fsid 28302361-d975-4c41-bd4c-c547b14b74a1 devid 1 transid 8 /dev/loop3
BTRFS info (device loop3): using free space tree
BTRFS info (device loop3): has skinny extents
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/13371 is trying to acquire lock:
000000005db2ea9a (&fs_info->qgroup_ioctl_lock){+.+.}, at: btrfs_create_qgroup+0x5a/0x270 fs/btrfs/qgroup.c:1380

but task is already holding lock:
0000000043a19243 (sb_internal#2){.+.+}, at: sb_start_intwrite include/linux/fs.h:1626 [inline]
0000000043a19243 (sb_internal#2){.+.+}, at: start_transaction+0xa37/0xf90 fs/btrfs/transaction.c:528

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (sb_internal#2){.+.+}:
       sb_start_intwrite include/linux/fs.h:1626 [inline]
       start_transaction+0xa37/0xf90 fs/btrfs/transaction.c:528
       btrfs_quota_enable+0x169/0x10b0 fs/btrfs/qgroup.c:905
       btrfs_ioctl_quota_ctl fs/btrfs/ioctl.c:5233 [inline]
       btrfs_ioctl+0x622c/0x76d0 fs/btrfs/ioctl.c:6021
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:501 [inline]
       do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
       ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
       __do_sys_ioctl fs/ioctl.c:712 [inline]
       __se_sys_ioctl fs/ioctl.c:710 [inline]
       __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&fs_info->qgroup_ioctl_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:937 [inline]
       __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
       btrfs_create_qgroup+0x5a/0x270 fs/btrfs/qgroup.c:1380
       btrfs_ioctl_qgroup_create fs/btrfs/ioctl.c:5335 [inline]
       btrfs_ioctl+0xcce/0x76d0 fs/btrfs/ioctl.c:6025
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:501 [inline]
       do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
       ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
       __do_sys_ioctl fs/ioctl.c:712 [inline]
       __se_sys_ioctl fs/ioctl.c:710 [inline]
       __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sb_internal#2);
                               lock(&fs_info->qgroup_ioctl_lock);
                               lock(sb_internal#2);
  lock(&fs_info->qgroup_ioctl_lock);

 *** DEADLOCK ***

2 locks held by syz-executor.3/13371:
 #0: 00000000d36a486e (sb_writers#14){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline]
 #0: 00000000d36a486e (sb_writers#14){.+.+}, at: mnt_want_write_file+0x63/0x1d0 fs/namespace.c:418
 #1: 0000000043a19243 (sb_internal#2){.+.+}, at: sb_start_intwrite include/linux/fs.h:1626 [inline]
 #1: 0000000043a19243 (sb_internal#2){.+.+}, at: start_transaction+0xa37/0xf90 fs/btrfs/transaction.c:528

stack backtrace:
CPU: 0 PID: 13371 Comm: syz-executor.3 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 __mutex_lock_common kernel/locking/mutex.c:937 [inline]
 __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
 btrfs_create_qgroup+0x5a/0x270 fs/btrfs/qgroup.c:1380
 btrfs_ioctl_qgroup_create fs/btrfs/ioctl.c:5335 [inline]
 btrfs_ioctl+0xcce/0x76d0 fs/btrfs/ioctl.c:6025
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ff5cd5460f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff5cbab8168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff5cd665f80 RCX: 00007ff5cd5460f9
RDX: 00000000200010c0 RSI: 000000004010942a RDI: 0000000000000004
RBP: 00007ff5cd5a1ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffffd7e1bbf R14: 00007ff5cbab8300 R15: 0000000000022000
BTRFS error (device loop3): fail to start transaction for status update: -28
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'.
REISERFS (device loop2): found reiserfs format "3.6" with non-standard journal
bridge14: port 1(vlan2) entered blocking state
REISERFS (device loop2): using ordered data mode
bridge14: port 1(vlan2) entered disabled state
reiserfs: using flush barriers
REISERFS (device loop2): journal params: device loop2, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
device vlan2 entered promiscuous mode
REISERFS (device loop2): checking transaction log (loop2)
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1804 audit(1675860157.283:20715): pid=13423 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir2857505076/syzkaller.AkXaJ2/45/file1/bus" dev="loop2" ino=4 res=1
bridge16: port 1(vlan3) entered blocking state
bridge16: port 1(vlan3) entered disabled state
device vlan3 entered promiscuous mode
BTRFS info (device loop3): using free space tree
BTRFS info (device loop3): has skinny extents
BTRFS error (device loop3): fail to start transaction for status update: -28
bridge18: port 1(vlan4) entered blocking state
bridge18: port 1(vlan4) entered disabled state
device vlan4 entered promiscuous mode
REISERFS (device loop2): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop2): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop2): journal params: device loop2, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop2): checking transaction log (loop2)
audit: type=1804 audit(1675860158.083:20716): pid=13505 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir3340521352/syzkaller.VAU7Z9/1443/bus" dev="sda1" ino=14633 res=1
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1804 audit(1675860158.413:20717): pid=13527 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir2370174586/syzkaller.TPdA4s/1479/bus" dev="sda1" ino=14634 res=1
BTRFS info (device loop3): using free space tree
audit: type=1804 audit(1675860158.623:20718): pid=13515 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir2857505076/syzkaller.AkXaJ2/46/file1/bus" dev="loop2" ino=4 res=1
BTRFS info (device loop3): has skinny extents
BTRFS error (device loop3): fail to start transaction for status update: -28
audit: type=1804 audit(1675860159.143:20719): pid=13542 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir3340521352/syzkaller.VAU7Z9/1444/bus" dev="sda1" ino=13944 res=1
audit: type=1804 audit(1675860159.303:20720): pid=13567 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir2370174586/syzkaller.TPdA4s/1480/bus" dev="sda1" ino=14547 res=1
REISERFS (device loop2): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop2): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop2): journal params: device loop2, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop2): checking transaction log (loop2)
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1804 audit(1675860159.873:20721): pid=13585 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir3820876122/syzkaller.6zFtzd/1433/bus" dev="sda1" ino=14276 res=1
audit: type=1804 audit(1675860159.923:20722): pid=13575 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir2857505076/syzkaller.AkXaJ2/47/file1/bus" dev="loop2" ino=4 res=1
audit: type=1804 audit(1675860160.123:20723): pid=13588 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir3340521352/syzkaller.VAU7Z9/1445/bus" dev="sda1" ino=14638 res=1
BTRFS info (device loop3): using free space tree
BTRFS info (device loop3): has skinny extents
audit: type=1804 audit(1675860160.193:20724): pid=13589 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir2768174500/syzkaller.HZBGn6/1478/bus" dev="sda1" ino=14640 res=1
audit: type=1804 audit(1675860160.643:20725): pid=13594 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir2370174586/syzkaller.TPdA4s/1481/bus" dev="sda1" ino=14638 res=1
audit: type=1804 audit(1675860160.713:20726): pid=13601 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir3340521352/syzkaller.VAU7Z9/1446/bus" dev="sda1" ino=14276 res=1
REISERFS (device loop2): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop2): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop2): journal params: device loop2, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
BTRFS error (device loop3): fail to start transaction for status update: -28
REISERFS (device loop2): checking transaction log (loop2)
audit: type=1804 audit(1675860161.143:20727): pid=13619 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir2768174500/syzkaller.HZBGn6/1479/bus" dev="sda1" ino=14641 res=1
audit: type=1804 audit(1675860161.243:20728): pid=13613 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir3820876122/syzkaller.6zFtzd/1434/bus" dev="sda1" ino=14548 res=1
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1804 audit(1675860161.803:20729): pid=13607 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir2857505076/syzkaller.AkXaJ2/48/file1/bus" dev="loop2" ino=4 res=1
audit: type=1804 audit(1675860162.083:20730): pid=13652 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir3820876122/syzkaller.6zFtzd/1435/bus" dev="sda1" ino=14548 res=1
BTRFS info (device loop3): using free space tree
BTRFS info (device loop3): has skinny extents
nla_parse: 5 callbacks suppressed
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'.
bridge1: port 1(vlan2) entered blocking state
bridge1: port 1(vlan2) entered disabled state
BTRFS error (device loop3): fail to start transaction for status update: -28
device vlan2 entered promiscuous mode
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'.
IPv6 header not found
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'.
bridge3: port 1(vlan3) entered blocking state
bridge3: port 1(vlan3) entered disabled state
device vlan3 entered promiscuous mode
BTRFS info (device loop3): using free space tree
BTRFS info (device loop3): has skinny extents
BTRFS error (device loop3): fail to start transaction for status update: -28
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'.
IPv6 header not found
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'.
bridge5: port 1(vlan4) entered blocking state
bridge5: port 1(vlan4) entered disabled state
device vlan4 entered promiscuous mode
IPv6 header not found
BTRFS info (device loop3): using free space tree
BTRFS info (device loop3): has skinny extents
BTRFS error (device loop3): fail to start transaction for status update: -28
IPv6 header not found