L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.

======================================================
WARNING: possible circular locking dependency detected
4.14.300-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/10483 is trying to acquire lock:
 (&sbi->alloc_mutex){+.+.}, at: [] hfsplus_block_free+0xc7/0x560 fs/hfsplus/bitmap.c:182

but task is already holding lock:
 (&tree->tree_lock/1){+.+.}, at: [] hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&tree->tree_lock/1){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33
       hfsplus_ext_read_extent+0x15f/0x9e0 fs/hfsplus/extents.c:216
       hfsplus_get_block+0x23e/0x820 fs/hfsplus/extents.c:268
       block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
       do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
       read_mapping_page include/linux/pagemap.h:398 [inline]
       hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
       hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
       hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
       __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
       __block_write_begin fs/buffer.c:2088 [inline]
       block_write_begin+0x58/0x270 fs/buffer.c:2147
       cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
       hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
       generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
       __generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
       generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
       call_write_iter include/linux/fs.h:1780 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x44c/0x630 fs/read_write.c:482
       vfs_write+0x17f/0x4d0 fs/read_write.c:544
       SYSC_write fs/read_write.c:590 [inline]
       SyS_write+0xf2/0x210 fs/read_write.c:582
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_get_block+0x1f9/0x820 fs/hfsplus/extents.c:260
       block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
       do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
       read_mapping_page include/linux/pagemap.h:398 [inline]
       hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
       hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
       hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
       __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
       __block_write_begin fs/buffer.c:2088 [inline]
       block_write_begin+0x58/0x270 fs/buffer.c:2147
       cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
       hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
       generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
       __generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
       generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
       call_write_iter include/linux/fs.h:1780 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x44c/0x630 fs/read_write.c:482
       vfs_write+0x17f/0x4d0 fs/read_write.c:544
       SYSC_write fs/read_write.c:590 [inline]
       SyS_write+0xf2/0x210 fs/read_write.c:582
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3
ntfs: (device loop1): parse_options(): Unrecognized mount option ¥kÂRùmŽ$ªº5AxrûYÊÌ·KmCýråc.

-> #0 (&sbi->alloc_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       hfsplus_block_free+0xc7/0x560 fs/hfsplus/bitmap.c:182
       hfsplus_free_extents+0x170/0x440 fs/hfsplus/extents.c:360
       hfsplus_file_truncate+0xbc0/0xe80 fs/hfsplus/extents.c:585
       hfsplus_delete_inode+0x160/0x1f0 fs/hfsplus/inode.c:431
       hfsplus_unlink+0x48c/0x6b0 fs/hfsplus/dir.c:407
       hfsplus_rename+0x9f/0x1d0 fs/hfsplus/dir.c:547
       vfs_rename+0x560/0x1820 fs/namei.c:4498
       SYSC_renameat2 fs/namei.c:4646 [inline]
       SyS_renameat2+0x95b/0xad0 fs/namei.c:4535
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
  &sbi->alloc_mutex --> &HFSPLUS_I(inode)->extents_lock --> &tree->tree_lock/1

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&tree->tree_lock/1);
                               lock(&HFSPLUS_I(inode)->extents_lock);
                               lock(&tree->tree_lock/1);
  lock(&sbi->alloc_mutex);

 *** DEADLOCK ***

9 locks held by syz-executor.0/10483:
 #0:  (sb_writers#14){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline]
 #0:  (sb_writers#14){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386
 #1:  (&type->s_vfs_rename_key){+.+.}, at: [] lock_rename+0x54/0x280 fs/namei.c:2889
 #2:  (&type->i_mutex_dir_key#8/1){+.+.}, at: [] inode_lock_nested include/linux/fs.h:754 [inline]
 #2:  (&type->i_mutex_dir_key#8/1){+.+.}, at: [] lock_rename+0x132/0x280 fs/namei.c:2900
 #3:  (&type->i_mutex_dir_key#8/2){+.+.}, at: [] inode_lock_nested include/linux/fs.h:754 [inline]
 #3:  (&type->i_mutex_dir_key#8/2){+.+.}, at: [] lock_rename+0x166/0x280 fs/namei.c:2901
 #4:  (&sb->s_type->i_mutex_key#21){+.+.}, at: [] inode_lock include/linux/fs.h:719 [inline]
 #4:  (&sb->s_type->i_mutex_key#21){+.+.}, at: [] lock_two_nondirectories+0xca/0xf0 fs/inode.c:989
 #5:  (&sb->s_type->i_mutex_key#21/4){+.+.}, at: [] inode_lock_nested include/linux/fs.h:754 [inline]
 #5:  (&sb->s_type->i_mutex_key#21/4){+.+.}, at: [] lock_two_nondirectories+0xb2/0xf0 fs/inode.c:991
 #6:  (&sbi->vh_mutex){+.+.}, at: [] hfsplus_unlink+0x112/0x6b0 fs/hfsplus/dir.c:372
 #7:  (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: [] hfsplus_file_truncate+0x1ba/0xe80 fs/hfsplus/extents.c:571
 #8:  (&tree->tree_lock/1){+.+.}, at: [] hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33

stack backtrace:
CPU: 1 PID: 10483 Comm: syz-executor.0 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 hfsplus_block_free+0xc7/0x560 fs/hfsplus/bitmap.c:182
 hfsplus_free_extents+0x170/0x440 fs/hfsplus/extents.c:360
 hfsplus_file_truncate+0xbc0/0xe80 fs/hfsplus/extents.c:585
 hfsplus_delete_inode+0x160/0x1f0 fs/hfsplus/inode.c:431
 hfsplus_unlink+0x48c/0x6b0 fs/hfsplus/dir.c:407
 hfsplus_rename+0x9f/0x1d0 fs/hfsplus/dir.c:547
 vfs_rename+0x560/0x1820 fs/namei.c:4498
 SYSC_renameat2 fs/namei.c:4646 [inline]
 SyS_renameat2+0x95b/0xad0 fs/namei.c:4535
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
hfsplus: unable to parse mount options
print_req_error: I/O error, dev loop0, sector 0
ntfs: (device loop1): parse_options(): Unrecognized mount option ¥kÂRùmŽ$ªº5AxrûYÊÌ·KmCýråc.
ntfs: (device loop1): parse_options(): Unrecognized mount option ¥kÂRùmŽ$ªº5AxrûYÊÌ·KmCýråc.
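The "Chain exists of:" line and the "Possible unsafe locking scenario" above are what lockdep derives from a graph of lock-class orderings: the write path records alloc_mutex (held in hfsplus_block_allocate) before extents_lock (taken in hfsplus_get_block) before tree_lock/1 (taken in hfsplus_find_init), and the rename path then takes alloc_mutex in hfsplus_block_free while already holding extents_lock and tree_lock/1. The C program below is an added example, not kernel code and not part of this syzkaller log: it replays those two acquisition orders through a minimal lockdep-style checker and flags the cycle. The lock-class names and call sites are the report's; the task names, the function names and the graph representation are this example's own (lockdep records one edge from the most recently held lock and stores chains in hash tables, here every held lock gets an edge).

```c
/*
 * Minimal lockdep-style lock-order checker replaying the acquisition orders
 * shown in the report above. Added example, not kernel code: lock-class names
 * and call sites come from the report, everything else is constructed here.
 */
#include <stdio.h>
#include <string.h>

#define MAX_HELD 8

/* The three lock classes named in "Chain exists of:" above. */
enum lock_class {
	ALLOC_MUTEX,	/* &sbi->alloc_mutex */
	EXTENTS_LOCK,	/* &HFSPLUS_I(inode)->extents_lock */
	TREE_LOCK_1,	/* &tree->tree_lock/1 */
	NR_CLASSES
};

static const char *const class_name[NR_CLASSES] = {
	"&sbi->alloc_mutex",
	"&HFSPLUS_I(inode)->extents_lock",
	"&tree->tree_lock/1",
};

/*
 * dep[a][b] != 0 records "b was acquired while a was held" (a --> b).
 * Simplification of lockdep: every currently held lock gets an edge to the
 * new one, instead of only the most recently held lock.
 */
static int dep[NR_CLASSES][NR_CLASSES];

/* A task's "locks held" stack, as in the "9 locks held by" list above. */
struct task {
	const char *comm;
	int held[MAX_HELD];
	int nr_held;
};

/* Depth-first search: does a chain from --> ... --> to already exist? */
static int reaches(int from, int to, int *seen)
{
	int i;

	if (from == to)
		return 1;
	seen[from] = 1;
	for (i = 0; i < NR_CLASSES; i++)
		if (dep[from][i] && !seen[i] && reaches(i, to, seen))
			return 1;
	return 0;
}

/*
 * Record that t acquires cls at call site 'site'. Returns 1 if the new
 * ordering closes a cycle (lockdep's "possible circular locking
 * dependency"), 0 if it was recorded without conflict.
 */
static int lock_acquire(struct task *t, int cls, const char *site)
{
	int i, bug = 0;

	for (i = 0; i < t->nr_held; i++) {
		int seen[NR_CLASSES] = { 0 };
		int prev = t->held[i];

		/* Adding prev --> cls while cls --> ... --> prev exists is a cycle. */
		if (reaches(cls, prev, seen)) {
			printf("%s at %s: %s --> %s closes a cycle (chain %s --> ... --> %s already recorded)\n",
			       t->comm, site, class_name[prev], class_name[cls],
			       class_name[cls], class_name[prev]);
			bug = 1;
		} else {
			dep[prev][cls] = 1;
		}
	}
	if (t->nr_held < MAX_HELD)
		t->held[t->nr_held++] = cls;
	return bug;
}

/* Locks are released in reverse acquisition order in this replay. */
static void lock_release(struct task *t)
{
	if (t->nr_held > 0)
		t->nr_held--;
}

/* Has the ordering a --> b been recorded in the graph? */
static int dep_recorded(int a, int b)
{
	return dep[a][b];
}

/* Replay both paths from the report; returns how many acquisitions are flagged. */
static int replay_report(void)
{
	/* Constructed task names; the report names only the second task. */
	struct task writer = { "write path", { 0 }, 0 };
	struct task renamer = { "syz-executor.0/10483", { 0 }, 0 };
	int bugs = 0;

	memset(dep, 0, sizeof(dep));

	/* Chains #1 and #2: write() -> hfsplus_file_extend -> hfsplus_block_allocate. */
	bugs += lock_acquire(&writer, ALLOC_MUTEX, "hfsplus_block_allocate");
	bugs += lock_acquire(&writer, EXTENTS_LOCK, "hfsplus_get_block");
	bugs += lock_acquire(&writer, TREE_LOCK_1, "hfsplus_find_init");
	lock_release(&writer);
	lock_release(&writer);
	lock_release(&writer);

	/* Chain #0: rename() -> hfsplus_unlink -> hfsplus_file_truncate. */
	bugs += lock_acquire(&renamer, EXTENTS_LOCK, "hfsplus_file_truncate");
	bugs += lock_acquire(&renamer, TREE_LOCK_1, "hfsplus_find_init");
	bugs += lock_acquire(&renamer, ALLOC_MUTEX, "hfsplus_block_free");

	return bugs;
}

int main(void)
{
	int bugs = replay_report();

	printf("%d acquisition(s) flagged\n", bugs);
	return bugs ? 1 : 0;
}
```

Only the final acquisition, alloc_mutex in hfsplus_block_free, is flagged: both locks the rename task still holds are reachable from alloc_mutex in the recorded graph, which is exactly the two-CPU interleaving lockdep prints. The conflicting edge is not added to the graph, matching lockdep, which refuses the ordering rather than recording it.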
JFS: charset not found
JFS: charset not found
JFS: charset not found
audit: type=1804 audit(1670137535.728:2): pid=10916 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir3136106061/syzkaller.fFG1QZ/81/file0" dev="sda1" ino=13956 res=1
audit: type=1804 audit(1670137535.758:3): pid=10916 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir3136106061/syzkaller.fFG1QZ/81/file0" dev="sda1" ino=13956 res=1
caif:caif_disconnect_client(): nothing to disconnect
audit: type=1804 audit(1670137537.788:4): pid=11313 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.1" name="/root/syzkaller-testdir4290191416/syzkaller.2wsQTH/114/file0" dev="sda1" ino=13987 res=1
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.2'.
Bluetooth: hci0 command 0x0401 tx timeout
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.5'.
caif:caif_disconnect_client(): nothing to disconnect
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.1'.
team0: Invalid MTU 0 requested, hw min 68
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'.
caif:caif_disconnect_client(): nothing to disconnect
audit: type=1804 audit(1670137539.919:5): pid=11778 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir4171529786/syzkaller.RJ4Dif/156/file0" dev="sda1" ino=14048 res=1
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
nbd: socks must be embedded in a SOCK_ITEM attr
can: request_module (can-proto-0) failed.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
mmap: syz-executor.5 (11835) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
bridge2: port 1(bridge_slave_1) entered blocking state
bridge2: port 1(bridge_slave_1) entered disabled state
Bluetooth: hci0 command 0x0401 tx timeout
device bridge_slave_1 entered promiscuous mode
device bridge_slave_1 left promiscuous mode
bridge2: port 1(bridge_slave_1) entered disabled state
bridge3: port 1(bridge_slave_1) entered blocking state
EXT4-fs (loop3): Unsupported blocksize for fs encryption
bridge3: port 1(bridge_slave_1) entered disabled state
device bridge_slave_1 entered promiscuous mode
print_req_error: I/O error, dev loop3, sector 0
Buffer I/O error on dev loop3, logical block 0, async page read
print_req_error: I/O error, dev loop3, sector 6
Buffer I/O error on dev loop3, logical block 3, async page read
audit: type=1800 audit(1670137541.229:6): pid=11909 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14060 res=0
EXT4-fs (loop3): Unsupported blocksize for fs encryption
device bridge_slave_1 left promiscuous mode
bridge3: port 1(bridge_slave_1) entered disabled state
audit: type=1800 audit(1670137541.459:7): pid=11932 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14069 res=0
bridge4: port 1(bridge_slave_1) entered blocking state
bridge4: port 1(bridge_slave_1) entered disabled state
device bridge_slave_1 entered promiscuous mode
EXT4-fs (loop3): Unsupported blocksize for fs encryption
audit: type=1800 audit(1670137541.659:8): pid=11966 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13990 res=0
EXT4-fs (loop3): Unsupported blocksize for fs encryption
print_req_error: I/O error, dev loop3, sector 0
EXT4-fs warning (device sda1): verify_group_input:146: Cannot add at group 4294967295 (only 16 groups)
Buffer I/O error on dev loop3, logical block 0, async page read
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
print_req_error: I/O error, dev loop3, sector 6
Buffer I/O error on dev loop3, logical block 3, async page read
audit: type=1800 audit(1670137542.409:9): pid=12006 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14070 res=0