device lo entered promiscuous mode
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/26193 is trying to acquire lock:
00000000bc2f1615 (&tree->tree_lock#2){+.+.}, at: hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595

but task is already holding lock:
00000000e76cc060 (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: hfsplus_file_truncate+0x1e2/0x1040 fs/hfsplus/extents.c:576

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}:
       hfsplus_get_block+0x292/0x960 fs/hfsplus/extents.c:260
       block_read_full_page+0x288/0xd10 fs/buffer.c:2259
       do_read_cache_page+0x533/0x1170 mm/filemap.c:2828
       read_mapping_page include/linux/pagemap.h:402 [inline]
       __hfs_bnode_create+0x5b7/0xb60 fs/hfsplus/bnode.c:447
       hfsplus_bnode_find+0x2aa/0xb80 fs/hfsplus/bnode.c:497
       hfsplus_brec_find+0x2af/0x500 fs/hfsplus/bfind.c:183
       hfsplus_brec_read+0x28/0x120 fs/hfsplus/bfind.c:222
       hfsplus_find_cat+0x1d0/0x480 fs/hfsplus/catalog.c:202
       hfsplus_iget+0x400/0x790 fs/hfsplus/super.c:81
       hfsplus_fill_super+0xc5f/0x19e0 fs/hfsplus/super.c:503
       mount_bdev+0x2fc/0x3b0 fs/super.c:1158
       mount_fs+0xa3/0x310 fs/super.c:1261
       vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
       vfs_kern_mount fs/namespace.c:951 [inline]
       do_new_mount fs/namespace.c:2492 [inline]
       do_mount+0x115c/0x2f50 fs/namespace.c:2822
       ksys_mount+0xcf/0x130 fs/namespace.c:3038
       __do_sys_mount fs/namespace.c:3052 [inline]
       __se_sys_mount fs/namespace.c:3049 [inline]
       __x64_sys_mount+0xba/0x150 fs/namespace.c:3049
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&tree->tree_lock#2){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:937 [inline]
       __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
       hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595
       hfsplus_setattr+0x1e7/0x310 fs/hfsplus/inode.c:263
       notify_change+0x70b/0xfc0 fs/attr.c:334
       do_truncate+0x134/0x1f0 fs/open.c:63
       handle_truncate fs/namei.c:3009 [inline]
       do_last fs/namei.c:3427 [inline]
       path_openat+0x2308/0x2df0 fs/namei.c:3537
       do_filp_open+0x18c/0x3f0 fs/namei.c:3567
       do_sys_open+0x3b3/0x520 fs/open.c:1085
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&HFSPLUS_I(inode)->extents_lock);
                               lock(&tree->tree_lock#2);
                               lock(&HFSPLUS_I(inode)->extents_lock);
  lock(&tree->tree_lock#2);

 *** DEADLOCK ***

3 locks held by syz-executor.1/26193:
 #0: 00000000c531091f (sb_writers#29){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline]
 #0: 00000000c531091f (sb_writers#29){.+.+}, at: mnt_want_write+0x3a/0xb0 fs/namespace.c:360
 #1: 0000000060061a0c (&sb->s_type->i_mutex_key#37){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #1: 0000000060061a0c (&sb->s_type->i_mutex_key#37){+.+.}, at: do_truncate+0x125/0x1f0 fs/open.c:61
 #2: 00000000e76cc060 (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: hfsplus_file_truncate+0x1e2/0x1040 fs/hfsplus/extents.c:576

stack backtrace:
CPU: 1 PID: 26193 Comm: syz-executor.1 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 __mutex_lock_common kernel/locking/mutex.c:937 [inline]
 __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
 hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595
 hfsplus_setattr+0x1e7/0x310 fs/hfsplus/inode.c:263
 notify_change+0x70b/0xfc0 fs/attr.c:334
 do_truncate+0x134/0x1f0 fs/open.c:63
 handle_truncate fs/namei.c:3009 [inline]
 do_last fs/namei.c:3427 [inline]
 path_openat+0x2308/0x2df0 fs/namei.c:3537
 do_filp_open+0x18c/0x3f0 fs/namei.c:3567
 do_sys_open+0x3b3/0x520 fs/open.c:1085
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f53d9a700c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f53d7fe2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f53d9b8ff80 RCX: 00007f53d9a700c9
RDX: 0000000000000000 RSI: 0000000000143242 RDI: 0000000020000000
RBP: 00007f53d9acbae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe2277417f R14: 00007f53d7fe2300 R15: 0000000000022000
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
BTRFS error (device loop4): unsupported checksum algorithm 2
BTRFS error (device loop4): superblock checksum mismatch
BTRFS error (device loop4): open_ctree failed
IPv6: ADDRCONF(NETDEV_UP): bond1: link is not ready
kauditd_printk_skb: 84 callbacks suppressed
audit: type=1800 audit(1674904311.225:530): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
8021q: adding VLAN 0 to HW filter on device bond1
audit: type=1800 audit(1674904311.255:531): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
bond1: Enslaving veth3 as an active interface with a down link
audit: type=1800 audit(1674904311.255:532): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
audit: type=1800 audit(1674904311.255:533): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
bond1: making interface ip6gretap1 the new active one
audit: type=1800 audit(1674904311.255:534): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
audit: type=1800 audit(1674904311.255:535): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
device ip6gretap1 entered promiscuous mode
audit: type=1800 audit(1674904311.255:536): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
bond1: Enslaving ip6gretap1 as an active interface with an up link
audit: type=1800 audit(1674904311.255:537): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
IPv6: ADDRCONF(NETDEV_CHANGE): bond1: link becomes ready
audit: type=1800 audit(1674904311.255:538): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
audit: type=1800 audit(1674904311.255:539): pid=26190 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=13921 res=0
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
IPv6: ADDRCONF(NETDEV_UP): bond2: link is not ready
8021q: adding VLAN 0 to HW filter on device bond2
ISO 9660 Extensions: Microsoft Joliet Level 0
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
bond2: Enslaving veth5 as an active interface with a down link
rock: corrupted directory entry. extent=32, offset=2044, size=237
device lo left promiscuous mode
BTRFS error (device loop4): unsupported checksum algorithm 2
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
BTRFS error (device loop4): superblock checksum mismatch
ISOFS: Interleaved files not (yet) supported.
ISOFS: File unit size != 0 for ISO file (1856).
device lo entered promiscuous mode
BTRFS error (device loop4): open_ctree failed
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
IPv6: ADDRCONF(NETDEV_UP): bond3: link is not ready
8021q: adding VLAN 0 to HW filter on device bond3
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
bond3: Enslaving veth7 as an active interface with a down link
IPVS: ftp: loaded support on port[0] = 21
bond3: making interface ip6gretap2 the new active one
device ip6gretap2 entered promiscuous mode
bond3: Enslaving ip6gretap2 as an active interface with an up link
IPv6: ADDRCONF(NETDEV_CHANGE): bond3: link becomes ready
Unknown ioctl -1072131207
overlayfs: failed to resolve './Bus': -2
Y4`Ҙ: renamed from lo
overlayfs: failed to resolve './Bus': -2
overlayfs: upperdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
IPVS: ftp: loaded support on port[0] = 21
overlayfs: failed to resolve './Bus': -2
Unknown ioctl -1072131207
overlayfs: failed to resolve './Bus': -2
FAT-fs (loop1): Directory bread(block 64) failed
FAT-fs (loop1): Directory bread(block 65) failed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
FAT-fs (loop1): Directory bread(block 66) failed
FAT-fs (loop1): Directory bread(block 67) failed
FAT-fs (loop1): Directory bread(block 68) failed
FAT-fs (loop1): Directory bread(block 69) failed
FAT-fs (loop1): Directory bread(block 70) failed
FAT-fs (loop1): Directory bread(block 71) failed
FAT-fs (loop1): Directory bread(block 72) failed
FAT-fs (loop1): Directory bread(block 73) failed
Unknown ioctl -1072131207
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
FAT-fs (loop1): Directory bread(block 75) failed
FAT-fs (loop1): Directory bread(block 76) failed
FAT-fs (loop1): Directory bread(block 77) failed
FAT-fs (loop1): Directory bread(block 78) failed
FAT-fs (loop1): Directory bread(block 79) failed
FAT-fs (loop1): Directory bread(block 80) failed
FAT-fs (loop1): Directory bread(block 81) failed
FAT-fs (loop1): Directory bread(block 82) failed
FAT-fs (loop1): Directory bread(block 83) failed
FAT-fs (loop1): Directory bread(block 84) failed
FAT-fs (loop1): Directory bread(block 64) failed
FAT-fs (loop1): Directory bread(block 65) failed
FAT-fs (loop1): Directory bread(block 66) failed
FAT-fs (loop1): Directory bread(block 67) failed
FAT-fs (loop1): Directory bread(block 68) failed
FAT-fs (loop1): Directory bread(block 69) failed
FAT-fs (loop1): Directory bread(block 70) failed
FAT-fs (loop1): Directory bread(block 71) failed
FAT-fs (loop1): Directory bread(block 72) failed
FAT-fs (loop1): Directory bread(block 73) failed
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
squashfs: SQUASHFS error: unable to read id index table
squashfs: SQUASHFS error: unable to read id index table
squashfs: SQUASHFS error: unable to read id index table
squashfs: SQUASHFS error: unable to read id index table
netlink: 'syz-executor.3': attribute type 1 has an invalid length.
device bond1 entered promiscuous mode
squashfs: SQUASHFS error: unable to read id index table
netlink: 'syz-executor.3': attribute type 1 has an invalid length.
squashfs: SQUASHFS error: unable to read id index table
device bond2 entered promiscuous mode
REISERFS (device loop4): found reiserfs format "3.6" with non-standard journal
netlink: 'syz-executor.0': attribute type 1 has an invalid length.
REISERFS (device loop4): using ordered data mode
reiserfs: using flush barriers
squashfs: SQUASHFS error: unable to read id index table
REISERFS (device loop4): journal params: device loop4, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
device bond4 entered promiscuous mode
REISERFS (device loop4): checking transaction log (loop4)
REISERFS (device loop4): Using r5 hash to sort names
REISERFS (device loop4): Created .reiserfs_priv - reserved for xattr storage.
netlink: 'syz-executor.3': attribute type 1 has an invalid length.
squashfs: SQUASHFS error: unable to read id index table
device bond3 entered promiscuous mode
squashfs: SQUASHFS error: unable to read id index table
netlink: 'syz-executor.3': attribute type 1 has an invalid length.
REISERFS (device loop4): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop4): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop4): journal params: device loop4, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop4): checking transaction log (loop4)
squashfs: SQUASHFS error: unable to read id index table
: renamed from syztnl2
ieee80211 ,;qO!: Selected rate control algorithm 'minstrel_ht'
REISERFS (device loop4): Using r5 hash to sort names
REISERFS (device loop4): Created .reiserfs_priv - reserved for xattr storage.
sysfs: cannot create duplicate filename '/class/ieee80211/,;qO!'
CPU: 0 PID: 27449 Comm: syz-executor.3 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 sysfs_warn_dup.cold+0x1c/0x29 fs/sysfs/dir.c:30
 sysfs_do_create_link_sd+0x116/0x130 fs/sysfs/symlink.c:50
 sysfs_do_create_link fs/sysfs/symlink.c:79 [inline]
 sysfs_create_link+0x5f/0xc0 fs/sysfs/symlink.c:91
 device_add_class_symlinks drivers/base/core.c:1934 [inline]
 device_add+0x7d1/0x16d0 drivers/base/core.c:2136
 wiphy_register+0x1664/0x2130 net/wireless/core.c:832
 ieee80211_register_hw+0x13be/0x3550 net/mac80211/main.c:1106
 mac80211_hwsim_new_radio+0x1d3f/0x3c60 drivers/net/wireless/mac80211_hwsim.c:2896
 hwsim_new_radio_nl+0x5c3/0x850 drivers/net/wireless/mac80211_hwsim.c:3374
 genl_family_rcv_msg+0x642/0xc40 net/netlink/genetlink.c:602
 genl_rcv_msg+0xbf/0x160 net/netlink/genetlink.c:627
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:638
 netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
 netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
 __sys_sendmsg net/socket.c:2265 [inline]
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f7cc6d770c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7cc5265168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7cc6e972c0 RCX: 00007f7cc6d770c9
RDX: 0000000000000000 RSI: 0000000020000400 RDI: 0000000000000004
RBP: 00007f7cc6dd2ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffee76d953f R14: 00007f7cc5265300 R15: 0000000000022000
: renamed from syztnl2
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 27498 Comm: syz-executor.3 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0xa/0xf lib/fault-inject.c:149
 __should_failslab+0x115/0x180 mm/failslab.c:32
 should_failslab+0x5/0x10 mm/slab_common.c:1590
 slab_pre_alloc_hook mm/slab.h:424 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 __do_kmalloc mm/slab.c:3725 [inline]
 __kmalloc+0x2ab/0x3c0 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 __do_sys_memfd_create mm/memfd.c:295 [inline]
 __se_sys_memfd_create+0xf8/0x440 mm/memfd.c:268
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f7cc6d770c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7cc52e8f38 EFLAGS: 00000202 ORIG_RAX: 000000000000013f
RAX: ffffffffffffffda RBX: 0000000000000177 RCX: 00007f7cc6d770c9
RDX: 00007f7cc52e8fdc RSI: 0000000000000000 RDI: 00007f7cc6dd1e81
IPVS: ftp: loaded support on port[0] = 21
RBP: 0000000000000177 R08: 00007f7cc52e8e20 R09: ffffffffffffffff
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000180
R13: 00007f7cc52e8fdc R14: 00007f7cc52e8fe0 R15: 0000000020000500