hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/18125 is trying to acquire lock:
0000000091965f01 (&tree->tree_lock){+.+.}, at: hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595

but task is already holding lock:
0000000029f5901e (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: hfsplus_file_truncate+0x1e2/0x1040 fs/hfsplus/extents.c:576

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}:
       hfsplus_file_extend+0x1bb/0xf40 fs/hfsplus/extents.c:457
       hfsplus_bmap_reserve+0x298/0x440 fs/hfsplus/btree.c:357
       hfsplus_create_cat+0x1e3/0x1210 fs/hfsplus/catalog.c:272
       hfsplus_mknod+0x165/0x320 fs/hfsplus/dir.c:494
       lookup_open+0x893/0x1a20 fs/namei.c:3235
       do_last fs/namei.c:3327 [inline]
       path_openat+0x1094/0x2df0 fs/namei.c:3537
       do_filp_open+0x18c/0x3f0 fs/namei.c:3567
       do_sys_open+0x3b3/0x520 fs/open.c:1085
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&tree->tree_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:937 [inline]
       __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
       hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595
       hfsplus_write_failed fs/hfsplus/inode.c:41 [inline]
       hfsplus_write_begin+0x118/0x150 fs/hfsplus/inode.c:56
       generic_perform_write+0x1f8/0x4d0 mm/filemap.c:3170
       __generic_file_write_iter+0x24b/0x610 mm/filemap.c:3295
       generic_file_write_iter+0x3f8/0x730 mm/filemap.c:3323
       call_write_iter include/linux/fs.h:1821 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x51b/0x770 fs/read_write.c:487
       vfs_write+0x1f3/0x540 fs/read_write.c:549
       ksys_write+0x12b/0x2a0 fs/read_write.c:599
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&HFSPLUS_I(inode)->extents_lock);
                               lock(&tree->tree_lock);
                               lock(&HFSPLUS_I(inode)->extents_lock);
  lock(&tree->tree_lock);

 *** DEADLOCK ***

4 locks held by syz-executor.0/18125:
 #0: 0000000015fcd1b9 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x26f/0x310 fs/file.c:767
 #1: 00000000caa8c4d4 (sb_writers#16){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline]
 #1: 00000000caa8c4d4 (sb_writers#16){.+.+}, at: vfs_write+0x463/0x540 fs/read_write.c:548
 #2: 0000000049eead81 (&sb->s_type->i_mutex_key#23){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #2: 0000000049eead81 (&sb->s_type->i_mutex_key#23){+.+.}, at: generic_file_write_iter+0x99/0x730 mm/filemap.c:3320
 #3: 0000000029f5901e (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: hfsplus_file_truncate+0x1e2/0x1040 fs/hfsplus/extents.c:576

stack backtrace:
CPU: 1 PID: 18125 Comm: syz-executor.0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 __mutex_lock_common kernel/locking/mutex.c:937 [inline]
 __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
 hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595
 hfsplus_write_failed fs/hfsplus/inode.c:41 [inline]
 hfsplus_write_begin+0x118/0x150 fs/hfsplus/inode.c:56
 generic_perform_write+0x1f8/0x4d0 mm/filemap.c:3170
 __generic_file_write_iter+0x24b/0x610 mm/filemap.c:3295
 generic_file_write_iter+0x3f8/0x730 mm/filemap.c:3323
 call_write_iter include/linux/fs.h:1821 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x51b/0x770 fs/read_write.c:487
 vfs_write+0x1f3/0x540 fs/read_write.c:549
 ksys_write+0x12b/0x2a0 fs/read_write.c:599
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f91196880c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f910f859168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f91197a8050 RCX: 00007f91196880c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007f91196e3ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd6f74a31f R14: 00007f910f859300 R15: 0000000000022000
BTRFS info (device loop5): using free space tree
BTRFS info (device loop5): has skinny extents
BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 8 scanned by syz-executor.2 (18107)
BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 8 scanned by systemd-udevd (18160)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
BTRFS info (device loop2): using free space tree
BTRFS info (device loop2): has skinny extents
BTRFS warning (device ): duplicate device /dev/loop5 devid 1 generation 8 scanned by syz-executor.5 (18196)
BTRFS warning (device ): duplicate device /dev/loop5 devid 1 generation 8 scanned by systemd-udevd (18234)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
BTRFS info (device loop5): using free space tree
BTRFS info (device loop5): has skinny extents
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 8 scanned by syz-executor.2 (18308)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
hfsplus: inconsistency in B*Tree (2,0,1,0,1)
xt_ct_set_helper: 22 callbacks suppressed
xt_CT: You must specify a L4 protocol and not use inversions on it
xt_CT: You must specify a L4 protocol and not use inversions on it
xt_CT: You must specify a L4 protocol and not use inversions on it
xt_CT: You must specify a L4 protocol and not use inversions on it
xt_CT: You must specify a L4 protocol and not use inversions on it
xt_CT: You must specify a L4 protocol and not use inversions on it
xt_CT: You must specify a L4 protocol and not use inversions on it
kauditd_printk_skb: 3 callbacks suppressed
audit: type=1800 audit(1675521849.952:177): pid=18778 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14305 res=0
loop0: p1 p2 p3
audit: type=1800 audit(1675521850.012:178): pid=18778 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14305 res=0
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
audit: type=1800 audit(1675521850.802:179): pid=18844 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14225 res=0
audit: type=1800 audit(1675521850.812:180): pid=18848 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.1" name="bus" dev="sda1" ino=14339 res=0
audit: type=1800 audit(1675521850.842:181): pid=18844 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="bus" dev="sda1" ino=14225 res=0
audit: type=1800 audit(1675521850.872:182): pid=18855 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.1" name="bus" dev="sda1" ino=14339 res=0
loop0: p1 p2 p3
hub 9-0:1.0: USB hub found
audit: type=1800 audit(1675521850.902:183): pid=18858 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=14324 res=0
hub 9-0:1.0: 8 ports detected
audit: type=1800 audit(1675521850.932:184): pid=18858 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="sda1" ino=14324 res=0
print_req_error: 10 callbacks suppressed
print_req_error: I/O error, dev loop0, sector 58
print_req_error: I/O error, dev loop0, sector 1008
__loop_clr_fd: partition scan of loop0 failed (rc=-16)
print_req_error: I/O error, dev loop0, sector 108
print_req_error: I/O error, dev loop0, sector 1008
buffer_io_error: 10 callbacks suppressed
Buffer I/O error on dev loop0p3, logical block 8, async page read
print_req_error: I/O error, dev loop0, sector 1009
Buffer I/O error on dev loop0p3, logical block 9, async page read
print_req_error: I/O error, dev loop0, sector 1010
Buffer I/O error on dev loop0p3, logical block 10, async page read
print_req_error: I/O error, dev loop0, sector 1011