====================================================== WARNING: possible circular locking dependency detected 4.19.211-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.2/12186 is trying to acquire lock: 000000003021ac6b (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: hfsplus_file_extend+0x1bb/0xf40 fs/hfsplus/extents.c:457 but task is already holding lock: 00000000bb3baff0 (&tree->tree_lock){+.+.}, at: hfsplus_find_init+0x1b7/0x220 fs/hfsplus/bfind.c:30 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&tree->tree_lock){+.+.}: hfsplus_file_truncate+0xde7/0x1040 fs/hfsplus/extents.c:595 hfsplus_setattr+0x1e7/0x310 fs/hfsplus/inode.c:263 notify_change+0x70b/0xfc0 fs/attr.c:334 do_truncate+0x134/0x1f0 fs/open.c:63 handle_truncate fs/namei.c:3009 [inline] do_last fs/namei.c:3427 [inline] path_openat+0x2308/0x2df0 fs/namei.c:3537 do_filp_open+0x18c/0x3f0 fs/namei.c:3567 do_sys_open+0x3b3/0x520 fs/open.c:1085 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #0 (&HFSPLUS_I(inode)->extents_lock){+.+.}: __mutex_lock_common kernel/locking/mutex.c:937 [inline] __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078 hfsplus_file_extend+0x1bb/0xf40 fs/hfsplus/extents.c:457 hfsplus_bmap_reserve+0x298/0x440 fs/hfsplus/btree.c:357 hfsplus_rename_cat+0x272/0x1490 fs/hfsplus/catalog.c:456 hfsplus_unlink+0x49c/0x820 fs/hfsplus/dir.c:376 vfs_unlink+0x27d/0x4e0 fs/namei.c:4002 do_unlinkat+0x3b8/0x660 fs/namei.c:4065 do_coredump+0x1f9c/0x2d60 fs/coredump.c:687 get_signal+0xed9/0x1f70 kernel/signal.c:2583 do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799 exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163 prepare_exit_to_usermode+0x277/0x2d0 arch/x86/entry/common.c:198 retint_user+0x8/0x18 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&tree->tree_lock); lock(&HFSPLUS_I(inode)->extents_lock); lock(&tree->tree_lock); lock(&HFSPLUS_I(inode)->extents_lock); *** DEADLOCK *** 5 locks held by syz-executor.2/12186: #0: 0000000036c39521 (sb_writers#21){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 0000000036c39521 (sb_writers#21){.+.+}, at: mnt_want_write+0x3a/0xb0 fs/namespace.c:360 #1: 000000005c238047 (&type->i_mutex_dir_key#13/1){+.+.}, at: inode_lock_nested include/linux/fs.h:783 [inline] #1: 000000005c238047 (&type->i_mutex_dir_key#13/1){+.+.}, at: do_unlinkat+0x27d/0x660 fs/namei.c:4051 #2: 000000006cdc7d16 (&sb->s_type->i_mutex_key#27){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #2: 000000006cdc7d16 (&sb->s_type->i_mutex_key#27){+.+.}, at: vfs_unlink+0xca/0x4e0 fs/namei.c:3993 #3: 00000000400e202c (&sbi->vh_mutex){+.+.}, at: hfsplus_unlink+0x140/0x820 fs/hfsplus/dir.c:370 #4: 00000000bb3baff0 (&tree->tree_lock){+.+.}, at: hfsplus_find_init+0x1b7/0x220 fs/hfsplus/bfind.c:30 stack backtrace: CPU: 0 PID: 12186 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222 check_prev_add kernel/locking/lockdep.c:1866 [inline] check_prevs_add kernel/locking/lockdep.c:1979 [inline] validate_chain kernel/locking/lockdep.c:2420 [inline] __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908 __mutex_lock_common kernel/locking/mutex.c:937 [inline] __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078 hfsplus_file_extend+0x1bb/0xf40 fs/hfsplus/extents.c:457 hfsplus_bmap_reserve+0x298/0x440 fs/hfsplus/btree.c:357 hfsplus_rename_cat+0x272/0x1490 fs/hfsplus/catalog.c:456 hfsplus_unlink+0x49c/0x820 fs/hfsplus/dir.c:376 vfs_unlink+0x27d/0x4e0 fs/namei.c:4002 do_unlinkat+0x3b8/0x660 fs/namei.c:4065 do_coredump+0x1f9c/0x2d60 fs/coredump.c:687 get_signal+0xed9/0x1f70 kernel/signal.c:2583 do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799 exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163 prepare_exit_to_usermode+0x277/0x2d0 arch/x86/entry/common.c:198 retint_user+0x8/0x18 RIP: 0033:0x8000000001 Code: Bad RIP value. RSP: 002b:0000000020000188 EFLAGS: 00010217 RAX: 0000000000000000 RBX: 00007f832f680050 RCX: 00007f832f5600f9 RDX: 0000000020000200 RSI: 0000000020000180 RDI: 0000000015003400 RBP: 00007f832f5bbae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000020000240 R11: 0000000000000206 R12: 0000000000000000 R13: 00007ffc2ee4e84f R14: 00007f832dab1300 R15: 0000000000022000 mac80211_hwsim hwsim13 : renamed from wlan1 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. EXT4-fs (sda1): Unrecognized mount option "metacopy=on" or missing value EXT4-fs (sda1): Unrecognized mount option "metacopy=on" or missing value EXT4-fs (sda1): Unrecognized mount option "metacopy=on" or missing value netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. F2FS-fs (loop5): Found nat_bits in checkpoint netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. F2FS-fs (loop5): Mounted with checkpoint version = 48b305e5 netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'. audit: type=1800 audit(1678029797.620:27): pid=12356 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="bus" dev="overlay" ino=26 res=0 attempt to access beyond end of device loop5: rw=2049, want=45120, limit=40427 netlink: 20 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.0'. BTRFS info (device loop2): using free space tree audit: type=1800 audit(1678029798.230:28): pid=12572 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="bus" dev="sda1" ino=14201 res=0 BTRFS info (device loop2): has skinny extents F2FS-fs (loop4): Found nat_bits in checkpoint F2FS-fs (loop4): Mounted with checkpoint version = 48b305e5 audit: type=1800 audit(1678029798.550:29): pid=12495 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="overlay" ino=26 res=0 attempt to access beyond end of device loop4: rw=2049, want=45120, limit=40427 BTRFS info (device loop1): using free space tree BTRFS info (device loop1): has skinny extents audit: type=1800 audit(1678029799.100:30): pid=12724 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.0" name="file0" dev="sda1" ino=14176 res=0 BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 8 scanned by syz-executor.2 (12699) sg_write: data in/out 778331472/4 bytes for SCSI command 0x0-- guessing data in; program syz-executor.3 not setting count and/or reply_len properly audit: type=1804 audit(1678029799.100:31): pid=12724 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir1522736238/syzkaller.Tc7nNX/49/file0" dev="sda1" ino=14176 res=1 BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 8 scanned by systemd-udevd (12676) audit: type=1804 audit(1678029799.140:32): pid=12724 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.0" name="/root/syzkaller-testdir1522736238/syzkaller.Tc7nNX/49/file0" dev="sda1" ino=14176 res=1 F2FS-fs (loop4): Found nat_bits in checkpoint audit: type=1800 audit(1678029799.920:33): pid=12778 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.0" name="file0" dev="sda1" ino=14176 res=0 F2FS-fs (loop5): Found nat_bits in checkpoint audit: type=1800 audit(1678029800.060:34): pid=12787 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.3" name="file0" dev="sda1" ino=14211 res=0 F2FS-fs (loop4): Mounted with checkpoint version = 48b305e5 audit: type=1804 audit(1678029800.080:35): pid=12787 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir3701281643/syzkaller.WSCwMm/51/file0" dev="sda1" ino=14211 res=1 F2FS-fs (loop5): Mounted with checkpoint version = 48b305e5 audit: type=1804 audit(1678029800.110:36): pid=12787 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir3701281643/syzkaller.WSCwMm/51/file0" dev="sda1" ino=14211 res=1 BTRFS info (device loop2): using free space tree BTRFS info (device loop2): has skinny extents attempt to access beyond end of device loop5: rw=2049, want=45120, limit=40427 attempt to access beyond end of device BTRFS warning (device ): duplicate device /dev/loop1 devid 1 generation 8 scanned by syz-executor.1 (12776) loop4: rw=2049, want=45120, limit=40427 BTRFS warning (device ): duplicate device /dev/loop1 devid 1 generation 8 scanned by systemd-udevd (12826) IPVS: ftp: loaded support on port[0] = 21 BTRFS info (device loop1): using free space tree BTRFS info (device loop1): has skinny extents F2FS-fs (loop4): Found nat_bits in checkpoint F2FS-fs (loop4): Mounted with checkpoint version = 48b305e5 kauditd_printk_skb: 11 callbacks suppressed audit: type=1800 audit(1678029803.380:48): pid=12870 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="bus" dev="overlay" ino=26 res=0 IPVS: ftp: loaded support on port[0] = 21 audit: type=1800 audit(1678029803.550:49): pid=12982 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.3" name="file0" dev="sda1" ino=14137 res=0 attempt to access beyond end of device loop4: rw=2049, want=45120, limit=40427 audit: type=1804 audit(1678029803.560:50): pid=12982 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir3701281643/syzkaller.WSCwMm/54/file0" dev="sda1" ino=14137 res=1 audit: type=1804 audit(1678029803.600:51): pid=12982 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir3701281643/syzkaller.WSCwMm/54/file0" dev="sda1" ino=14137 res=1 BTRFS info (device loop1): using free space tree BTRFS info (device loop1): has skinny extents