audit: type=1804 audit(1672515526.144:179): pid=3149 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir2645380320/syzkaller.F58wu2/1047/file1/bus" dev="loop1" ino=4 res=1
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/3162 is trying to acquire lock:
0000000055606c1b (&fs_info->qgroup_ioctl_lock){+.+.}, at: btrfs_remove_qgroup+0xae/0x770 fs/btrfs/qgroup.c:1415
BTRFS error (device loop5): fail to start transaction for status update: -28

but task is already holding lock:
0000000040dc74be (sb_internal#2){.+.+}, at: sb_start_intwrite include/linux/fs.h:1626 [inline]
0000000040dc74be (sb_internal#2){.+.+}, at: start_transaction+0xa37/0xf90 fs/btrfs/transaction.c:528

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (sb_internal#2){.+.+}:
       sb_start_intwrite include/linux/fs.h:1626 [inline]
       start_transaction+0xa37/0xf90 fs/btrfs/transaction.c:528
       btrfs_quota_enable+0x169/0x10b0 fs/btrfs/qgroup.c:905
       btrfs_ioctl_quota_ctl fs/btrfs/ioctl.c:5233 [inline]
       btrfs_ioctl+0x622c/0x76d0 fs/btrfs/ioctl.c:6021
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:501 [inline]
       do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
       ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
       __do_sys_ioctl fs/ioctl.c:712 [inline]
       __se_sys_ioctl fs/ioctl.c:710 [inline]
       __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&fs_info->qgroup_ioctl_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:937 [inline]
       __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
       btrfs_remove_qgroup+0xae/0x770 fs/btrfs/qgroup.c:1415
       btrfs_ioctl_qgroup_create fs/btrfs/ioctl.c:5337 [inline]
       btrfs_ioctl+0x661c/0x76d0 fs/btrfs/ioctl.c:6025
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:501 [inline]
       do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
       ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
       __do_sys_ioctl fs/ioctl.c:712 [inline]
       __se_sys_ioctl fs/ioctl.c:710 [inline]
       __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sb_internal#2);
                               lock(&fs_info->qgroup_ioctl_lock);
                               lock(sb_internal#2);
  lock(&fs_info->qgroup_ioctl_lock);

 *** DEADLOCK ***

2 locks held by syz-executor.5/3162:
 #0: 00000000ec13f0af (sb_writers#15){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline]
 #0: 00000000ec13f0af (sb_writers#15){.+.+}, at: mnt_want_write_file+0x63/0x1d0 fs/namespace.c:418
 #1: 0000000040dc74be (sb_internal#2){.+.+}, at: sb_start_intwrite include/linux/fs.h:1626 [inline]
 #1: 0000000040dc74be (sb_internal#2){.+.+}, at: start_transaction+0xa37/0xf90 fs/btrfs/transaction.c:528

stack backtrace:
CPU: 0 PID: 3162 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 __mutex_lock_common kernel/locking/mutex.c:937 [inline]
 __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
 btrfs_remove_qgroup+0xae/0x770 fs/btrfs/qgroup.c:1415
 btrfs_ioctl_qgroup_create fs/btrfs/ioctl.c:5337 [inline]
 btrfs_ioctl+0x661c/0x76d0 fs/btrfs/ioctl.c:6025
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f93ef35b0a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f93ed8cd168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f93ef47af80 RCX: 00007f93ef35b0a9
RDX: 00000000200011c0 RSI: 000000004010942a RDI: 0000000000000004
RBP: 00007f93ef3b6ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffda6480dff R14: 00007f93ed8cd300 R15: 0000000000022000
audit: type=1804 audit(1672515527.114:180): pid=3266 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir2645380320/syzkaller.F58wu2/1048/bus" dev="sda1" ino=15538 res=1
audit: type=1804 audit(1672515527.124:181): pid=3272 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.1" name="/root/syzkaller-testdir2645380320/syzkaller.F58wu2/1048/bus" dev="sda1" ino=15538 res=1
REISERFS (device loop1): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop1): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop1): journal params: device loop1, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop3): using ordered data mode
REISERFS (device loop1): checking transaction log (loop1)
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): checking transaction log (loop3)
BTRFS info (device loop2): unrecognized mount option 'user_s5bvol_¢'
REISERFS (device loop3): Using r5 hash to sort names
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
BTRFS error (device loop2): open_ctree failed
audit: type=1804 audit(1672515527.634:182): pid=3281 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir1754670374/syzkaller.lz2hri/1032/file1/bus" dev="loop3" ino=4 res=1
audit: type=1804 audit(1672515527.654:183): pid=3281 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir1754670374/syzkaller.lz2hri/1032/file1/bus" dev="loop3" ino=4 res=1
REISERFS (device loop1): Using r5 hash to sort names
REISERFS (device loop1): Created .reiserfs_priv - reserved for xattr storage.
BTRFS info (device loop5): using free space tree
BTRFS info (device loop5): has skinny extents
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 3393 Comm: syz-executor.4 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0xa/0xf lib/fault-inject.c:149
 __should_failslab+0x115/0x180 mm/failslab.c:32
 should_failslab+0x5/0x10 mm/slab_common.c:1590
 slab_pre_alloc_hook mm/slab.h:424 [inline]
 slab_alloc_node mm/slab.c:3304 [inline]
 kmem_cache_alloc_node_trace+0x244/0x3b0 mm/slab.c:3666
 __do_kmalloc_node mm/slab.c:3688 [inline]
 __kmalloc_node+0x38/0x70 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:557 [inline]
 kvmalloc_node+0x61/0xf0 mm/util.c:423
 kvmalloc include/linux/mm.h:577 [inline]
 seq_buf_alloc fs/seq_file.c:35 [inline]
 seq_read+0x85c/0x11c0 fs/seq_file.c:207
mmap: syz-executor.3 (3402) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.
 kernfs_fop_read+0xe9/0x550 fs/kernfs/file.c:252
 do_loop_readv_writev fs/read_write.c:701 [inline]
 do_loop_readv_writev fs/read_write.c:688 [inline]
 do_iter_read+0x471/0x630 fs/read_write.c:925
 vfs_readv+0xe5/0x150 fs/read_write.c:987
 do_preadv fs/read_write.c:1071 [inline]
 __do_sys_preadv fs/read_write.c:1121 [inline]
 __se_sys_preadv fs/read_write.c:1116 [inline]
 __x64_sys_preadv+0x22b/0x310 fs/read_write.c:1116
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fcb09dff0a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcb08371168 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007fcb09f1ef80 RCX: 00007fcb09dff0a9
RDX: 0000000000000001 RSI: 00000000200004c0 RDI: 0000000000000003
RBP: 00007fcb083711d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffff07864af R14: 00007fcb08371300 R15: 0000000000022000
REISERFS (device loop1): found reiserfs format "3.6" with non-standard journal
BTRFS info (device loop5): using free space tree
BTRFS info (device loop5): has skinny extents
REISERFS (device loop1): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop1): journal params: device loop1, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop1): checking transaction log (loop1)
REISERFS (device loop1): Using r5 hash to sort names
REISERFS (device loop1): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1804 audit(1672515528.784:184): pid=3435 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir2645380320/syzkaller.F58wu2/1049/file1/bus" dev="loop1" ino=4 res=1
BTRFS error (device loop5): fail to start transaction for status update: -28
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
audit: type=1800 audit(1672515529.544:185): pid=3581 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="file0" dev="sda1" ino=14739 res=0
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
IPVS: ftp: loaded support on port[0] = 21
netlink: 'syz-executor.1': attribute type 32 has an invalid length.
netlink: 44127 bytes leftover after parsing attributes in process `syz-executor.1'.
audit: type=1800 audit(1672515530.244:186): pid=3681 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="file0" dev="sda1" ino=13886 res=0
IPVS: ftp: loaded support on port[0] = 21
XFS (loop5): Mounting V4 Filesystem
XFS (loop5): Ending clean mount
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
XFS (loop5): Unmounting Filesystem
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
overlayfs: maximum fs stacking depth exceeded
netlink: 'syz-executor.3': attribute type 32 has an invalid length.
netlink: 44127 bytes leftover after parsing attributes in process `syz-executor.3'.
audit: type=1800 audit(1672515531.184:187): pid=3790 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="file0" dev="sda1" ino=15714 res=0
IPVS: ftp: loaded support on port[0] = 21
XFS (loop3): Mounting V4 Filesystem
XFS (loop3): Ending clean mount
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
XFS (loop3): Unmounting Filesystem
netlink: 'syz-executor.2': attribute type 32 has an invalid length.
netlink: 44127 bytes leftover after parsing attributes in process `syz-executor.2'.
IPVS: ftp: loaded support on port[0] = 21
XFS (loop1): Mounting V4 Filesystem
XFS (loop1): Ending clean mount
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
netlink: 'syz-executor.2': attribute type 32 has an invalid length.
netlink: 44127 bytes leftover after parsing attributes in process `syz-executor.2'.
audit: type=1800 audit(1672515532.914:188): pid=4025 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0" dev="sda1" ino=15202 res=0
XFS (loop3): Mounting V4 Filesystem
XFS (loop1): Unmounting Filesystem
XFS (loop3): Ending clean mount
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
XFS (loop3): Unmounting Filesystem
IPVS: ftp: loaded support on port[0] = 21
XFS (loop1): Mounting V4 Filesystem
XFS (loop1): Ending clean mount
netlink: 'syz-executor.2': attribute type 32 has an invalid length.
netlink: 44127 bytes leftover after parsing attributes in process `syz-executor.2'.
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
XFS (loop1): Unmounting Filesystem
XFS (loop3): Mounting V4 Filesystem
XFS (loop3): Ending clean mount
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
XFS (loop3): Unmounting Filesystem
audit: type=1800 audit(1672515534.264:189): pid=4171 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0" dev="sda1" ino=15139 res=0
XFS (loop1): Mounting V4 Filesystem
XFS (loop1): Ending clean mount
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
XFS (loop1): Unmounting Filesystem
IPVS: ftp: loaded support on port[0] = 21
audit: type=1800 audit(1672515534.834:190): pid=4305 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.5" name="file0" dev="sda1" ino=16118 res=0
audit: type=1804 audit(1672515535.054:191): pid=4381 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir1042605340/syzkaller.XCiPCo/1094/file0" dev="sda1" ino=16112 res=1
XFS (loop3): Mounting V4 Filesystem
XFS (loop1): Mounting V4 Filesystem
XFS (loop3): Ending clean mount
XFS (loop1): Ending clean mount
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
XFS (loop3): Unmounting Filesystem
XFS (loop1): Unmounting Filesystem
IPVS: ftp: loaded support on port[0] = 21
audit: type=1804 audit(1672515535.905:192): pid=4459 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir1042605340/syzkaller.XCiPCo/1096/file0" dev="sda1" ino=16123 res=1
audit: type=1804 audit(1672515535.935:193): pid=4477 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir1042605340/syzkaller.XCiPCo/1096/file0" dev="sda1" ino=16123 res=1
vhci_hcd vhci_hcd.0: pdev(4) rhport(0) sockfd(4)
vhci_hcd vhci_hcd.0: devid(0) speed(4) speed_str(wireless)
audit: type=1804 audit(1672515535.945:194): pid=4476 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir1042605340/syzkaller.XCiPCo/1096/file0" dev="sda1" ino=16123 res=1
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd: connection closed
vhci_hcd: stop threads
vhci_hcd: release socket
vhci_hcd: disconnect device
IPVS: ftp: loaded support on port[0] = 21