======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/470 is trying to acquire lock:
0000000049391b23 ((wq_completion)"dio/%s"sb->s_id){+.+.}, at: flush_workqueue+0xe8/0x13e0 kernel/workqueue.c:2658

but task is already holding lock:
0000000019c88c79 (&sb->s_type->i_mutex_key#21){++++}, at: inode_lock include/linux/fs.h:748 [inline]
0000000019c88c79 (&sb->s_type->i_mutex_key#21){++++}, at: generic_file_write_iter+0x99/0x730 mm/filemap.c:3320

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&sb->s_type->i_mutex_key#21){++++}:
       inode_lock include/linux/fs.h:748 [inline]
       __generic_file_fsync+0xb0/0x1f0 fs/libfs.c:989
       fat_file_fsync+0x73/0x200 fs/fat/file.c:198
       vfs_fsync_range+0x13a/0x220 fs/sync.c:197
       generic_write_sync include/linux/fs.h:2750 [inline]
       dio_complete+0x763/0xac0 fs/direct-io.c:329
       process_one_work+0x864/0x1570 kernel/workqueue.c:2153
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #1 ((work_completion)(&dio->complete_work)){+.+.}:
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #0 ((wq_completion)"dio/%s"sb->s_id){+.+.}:
       flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661
       drain_workqueue+0x1a5/0x460 kernel/workqueue.c:2826
       destroy_workqueue+0x75/0x790 kernel/workqueue.c:4183
       __alloc_workqueue_key+0xb76/0xed0 kernel/workqueue.c:4160
       sb_init_dio_done_wq+0x34/0x90 fs/direct-io.c:623
       do_blockdev_direct_IO fs/direct-io.c:1285 [inline]
       __blockdev_direct_IO+0x5f55/0xef40 fs/direct-io.c:1419
       blockdev_direct_IO include/linux/fs.h:3059 [inline]
       fat_direct_IO+0x1d1/0x370 fs/fat/inode.c:282
       generic_file_direct_write+0x208/0x4a0 mm/filemap.c:3073
       __generic_file_write_iter+0x2d0/0x610 mm/filemap.c:3252
       generic_file_write_iter+0x3f8/0x730 mm/filemap.c:3323
       call_write_iter include/linux/fs.h:1821 [inline]
       aio_write+0x37f/0x5c0 fs/aio.c:1574
       __io_submit_one fs/aio.c:1858 [inline]
       io_submit_one+0xecd/0x20c0 fs/aio.c:1909
       __do_sys_io_submit fs/aio.c:1953 [inline]
       __se_sys_io_submit+0x11b/0x4a0 fs/aio.c:1924
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  (wq_completion)"dio/%s"sb->s_id --> (work_completion)(&dio->complete_work) --> &sb->s_type->i_mutex_key#21

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key#21);
                               lock((work_completion)(&dio->complete_work));
                               lock(&sb->s_type->i_mutex_key#21);
  lock((wq_completion)"dio/%s"sb->s_id);

 *** DEADLOCK ***

1 lock held by syz-executor.2/470:
 #0: 0000000019c88c79 (&sb->s_type->i_mutex_key#21){++++}, at: inode_lock include/linux/fs.h:748 [inline]
 #0: 0000000019c88c79 (&sb->s_type->i_mutex_key#21){++++}, at: generic_file_write_iter+0x99/0x730 mm/filemap.c:3320

stack backtrace:
CPU: 1 PID: 470 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661
 drain_workqueue+0x1a5/0x460 kernel/workqueue.c:2826
 destroy_workqueue+0x75/0x790 kernel/workqueue.c:4183
 __alloc_workqueue_key+0xb76/0xed0 kernel/workqueue.c:4160
 sb_init_dio_done_wq+0x34/0x90 fs/direct-io.c:623
 do_blockdev_direct_IO fs/direct-io.c:1285 [inline]
 __blockdev_direct_IO+0x5f55/0xef40 fs/direct-io.c:1419
 blockdev_direct_IO include/linux/fs.h:3059 [inline]
 fat_direct_IO+0x1d1/0x370 fs/fat/inode.c:282
 generic_file_direct_write+0x208/0x4a0 mm/filemap.c:3073
 __generic_file_write_iter+0x2d0/0x610 mm/filemap.c:3252
 generic_file_write_iter+0x3f8/0x730 mm/filemap.c:3323
 call_write_iter include/linux/fs.h:1821 [inline]
 aio_write+0x37f/0x5c0 fs/aio.c:1574
 __io_submit_one fs/aio.c:1858 [inline]
 io_submit_one+0xecd/0x20c0 fs/aio.c:1909
 __do_sys_io_submit fs/aio.c:1953 [inline]
 __se_sys_io_submit+0x11b/0x4a0 fs/aio.c:1924
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f8c3ec9c3c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8c3d5f0168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007f8c3edaf050 RCX: 00007f8c3ec9c3c9
RDX: 0000000020000540 RSI: 0000000000001801 RDI: 00007f8c3ed8a000
RBP: 00007f8c3ecf733f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe28eda28f R14: 00007f8c3d5f0300 R15: 0000000000022000