======================================================
WARNING: possible circular locking dependency detected
4.13.0+ #70 Not tainted
------------------------------------------------------
loop0/18581 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#9){++++}, at: [] inode_lock include/linux/fs.h:711 [inline]
 (&sb->s_type->i_mutex_key#9){++++}, at: [] shmem_fallocate+0x161/0x1180 mm/shmem.c:2823

but now in release context of a crosslock acquired at the following:
 ((complete)&ret.event){+.+.}, at: [] submit_bio_wait+0x15e/0x200 block/bio.c:949

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #4 ((complete)&ret.event){+.+.}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       complete_acquire include/linux/completion.h:39 [inline]
       __wait_for_common kernel/sched/completion.c:108 [inline]
       wait_for_common_io kernel/sched/completion.c:128 [inline]
       wait_for_completion_io+0xc8/0x770 kernel/sched/completion.c:176
       submit_bio_wait+0x15e/0x200 block/bio.c:949
       blkdev_issue_zeroout+0x13c/0x1d0 block/blk-lib.c:370
       sb_issue_zeroout include/linux/blkdev.h:1369 [inline]
       ext4_init_inode_table+0x4fd/0xdb1 fs/ext4/ialloc.c:1420
       ext4_run_li_request fs/ext4/super.c:2845 [inline]
       ext4_lazyinit_thread+0x81a/0xd40 fs/ext4/super.c:2939
       kthread+0x39c/0x470 kernel/kthread.c:231
       ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

-> #3 (&meta_group_info[i]->alloc_sem){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       down_read+0x96/0x150 kernel/locking/rwsem.c:23
       __ext4_new_inode+0x27fc/0x5200 fs/ext4/ialloc.c:1029
       ext4_symlink+0x2d9/0xae0 fs/ext4/namei.c:3118
       vfs_symlink+0x323/0x560 fs/namei.c:4107
       SYSC_symlinkat fs/namei.c:4134 [inline]
       SyS_symlinkat fs/namei.c:4114 [inline]
       SYSC_symlink fs/namei.c:4147 [inline]
       SyS_symlink+0x134/0x200 fs/namei.c:4145
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #2 (jbd2_handle){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       start_this_handle+0x4b8/0x1080 fs/jbd2/transaction.c:390
       jbd2__journal_start+0x389/0x9f0 fs/jbd2/transaction.c:444
       __ext4_journal_start_sb+0x15f/0x550 fs/ext4/ext4_jbd2.c:80
       __ext4_journal_start fs/ext4/ext4_jbd2.h:314 [inline]
       ext4_dirty_inode+0x56/0xa0 fs/ext4/inode.c:5879
       __mark_inode_dirty+0x912/0x1170 fs/fs-writeback.c:2096
       generic_update_time+0x1b2/0x270 fs/inode.c:1635
       update_time fs/inode.c:1651 [inline]
       touch_atime+0x26d/0x2f0 fs/inode.c:1723
       file_accessed include/linux/fs.h:2038 [inline]
       ext4_file_mmap+0x161/0x1b0 fs/ext4/file.c:367
       call_mmap include/linux/fs.h:1750 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1689
       do_mmap+0x6a1/0xd50 mm/mmap.c:1467
       do_mmap_pgoff include/linux/mm.h:2108 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1517 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1475
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:99 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:90
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #1 (&mm->mmap_sem){++++}:
       check_prevs_add kernel/locking/lockdep.c:2020 [inline]
       validate_chain kernel/locking/lockdep.c:2469 [inline]
       __lock_acquire+0x328f/0x4620 kernel/locking/lockdep.c:3498
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4002
       __might_fault+0x13a/0x1d0 mm/memory.c:4337
       _copy_to_user+0x2c/0xc0 lib/usercopy.c:24
       copy_to_user include/linux/uaccess.h:154 [inline]
       filldir+0x1a7/0x320 fs/readdir.c:196
       dir_emit_dot include/linux/fs.h:3300 [inline]
       dir_emit_dots include/linux/fs.h:3311 [inline]
       dcache_readdir+0x12d/0x5e0 fs/libfs.c:192
       iterate_dir+0x4b2/0x5d0 fs/readdir.c:51
       SYSC_getdents fs/readdir.c:231 [inline]
       SyS_getdents+0x225/0x450 fs/readdir.c:212
       entry_SYSCALL_64_fastpath+0x1f/0xbe

-> #0 (&sb->s_type->i_mutex_key#9){++++}:
       down_write+0x87/0x120 kernel/locking/rwsem.c:53
       inode_lock include/linux/fs.h:711 [inline]
       shmem_fallocate+0x161/0x1180 mm/shmem.c:2823
       lo_discard drivers/block/loop.c:431 [inline]
       do_req_filebacked drivers/block/loop.c:527 [inline]
       loop_handle_cmd drivers/block/loop.c:1694 [inline]
       loop_queue_work+0x46f/0x3900 drivers/block/loop.c:1708
       kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635
       loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:850

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#9 --> &meta_group_info[i]->alloc_sem --> (complete)&ret.event

 Possible unsafe locking scenario by crosslock:

       CPU0                    CPU1
       ----                    ----
  lock(&meta_group_info[i]->alloc_sem);
  lock((complete)&ret.event);
                               lock(&sb->s_type->i_mutex_key#9);
                               unlock((complete)&ret.event);

 *** DEADLOCK ***

1 lock held by loop0/18581:
 #0: (&x->wait#14){..-.}, at: [] complete+0x18/0x80 kernel/sched/completion.c:34

stack backtrace:
CPU: 1 PID: 18581 Comm: loop0 Not tainted 4.13.0+ #70
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_circular_bug+0x503/0x710 kernel/locking/lockdep.c:1259
 check_prev_add+0x865/0x1520 kernel/locking/lockdep.c:1894
 commit_xhlock kernel/locking/lockdep.c:5015 [inline]
 commit_xhlocks kernel/locking/lockdep.c:5059 [inline]
 lock_commit_crosslock+0xe73/0x1d10 kernel/locking/lockdep.c:5098
 complete_release_commit include/linux/completion.h:49 [inline]
 complete+0x24/0x80 kernel/sched/completion.c:39
 submit_bio_wait_endio+0x96/0xc0 block/bio.c:930
 bio_endio+0x2ec/0x900 block/bio.c:1839
 req_bio_endio block/blk-core.c:204 [inline]
 blk_update_request+0x2a0/0xe10 block/blk-core.c:2729
 blk_mq_end_request+0x54/0x120 block/blk-mq.c:474
 lo_complete_rq+0xbe/0x1f0 drivers/block/loop.c:460
 __blk_mq_complete_request+0x396/0x6c0 block/blk-mq.c:515
 blk_mq_complete_request+0x4f/0x60 block/blk-mq.c:535
 loop_handle_cmd drivers/block/loop.c:1699 [inline]
 loop_queue_work+0x26b/0x3900 drivers/block/loop.c:1708
 kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635
 loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:850
 kthread+0x39c/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'.
skbuff: bad partial csum: csum=49149/21163 len=4778
skbuff: bad partial csum: csum=49149/21163 len=4778
sctp: [Deprecated]: syz-executor4 (pid 19532) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor4 (pid 19532) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
device gre0 entered promiscuous mode
dccp_invalid_packet: P.Data Offset(172) too large
dccp_invalid_packet: P.Data Offset(172) too large
QAT: Invalid ioctl
QAT: Invalid ioctl
nla_parse: 2 callbacks suppressed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
RDS: rds_bind could not find a transport for 172.20.0.187, load rds_tcp or rds_rdma?
TCP: request_sock_TCPv6: Possible SYN flooding on port 20009. Sending cookies. Check SNMP counters.
tmpfs: No value for mount option 'ñ'
tmpfs: No value for mount option 'ñ'
sctp: [Deprecated]: syz-executor1 (pid 20208) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
sctp: [Deprecated]: syz-executor1 (pid 20251) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
sctp: [Deprecated]: syz-executor1 (pid 20313) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14917 sclass=netlink_route_socket pig=20349 comm=syz-executor2
sg_write: data in/out 341795055/4048 bytes for SCSI command 0xbf-- guessing data in;
   program syz-executor6 not setting count and/or reply_len properly
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14917 sclass=netlink_route_socket pig=20349 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=3131 sclass=netlink_xfrm_socket pig=20386 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=3131 sclass=netlink_xfrm_socket pig=20393 comm=syz-executor2
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, lost async page write
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, lost async page write
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
*** Guest State ***
CR0: actual=0x0000000080000031, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
CR4: actual=0x0000000000002051, shadow=0x0000000000000000, gh_mask=fffffffffffff871
CR3 = 0x00000000fffbc000
RSP = 0x000000000000fffa RIP = 0x0000000000000000
RFLAGS=0x00033000 DR7 = 0x0000000000000400
Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000
CS: sel=0x0000, attr=0x000f3, limit=0x0000ffff, base=0x0000000000000000
DS: sel=0x0000, attr=0x000f3, limit=0x0000ffff, base=0x0000000000000000
SS: sel=0x0000, attr=0x000f3, limit=0x0000ffff, base=0x0000000000000000
ES: sel=0x0000, attr=0x000f3, limit=0x0000ffff, base=0x0000000000000000
FS: sel=0x0000, attr=0x000f3, limit=0x0000ffff, base=0x0000000000000000
GS: sel=0x0000, attr=0x000f3, limit=0x0000ffff, base=0x0000000000000000
GDTR: limit=0x0000ffff, base=0x0000000000000000
LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000
IDTR: limit=0x0000ffff, base=0x0000000000000000
TR: sel=0x0000, attr=0x0008b, limit=0x00002088, base=0x0000000000000000
EFER = 0x0000000000000000 PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000
Interruptibility = 00000000 ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811b50df RSP = 0xffff8801c4faf4c8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=00007fa8df064700 GSBase=ffff8801db200000 TRBase=ffff8801db323180
GDTBase=ffffffffff576000 IDTBase=ffffffffff57b000
CR0=0000000080050033 CR3=00000001d82c9000 CR4=00000000001426f0
Sysenter RSP=0000000000000000 CS:RIP=0010:ffffffff84d557f0
EFER = 0x0000000000000d01 PAT = 0x0000000000000000
*** Control State ***
PinBased=0000003f CPUBased=b699edfa SecondaryExec=0000004a
EntryControls=0000d1ff ExitControls=0023efff
ExceptionBitmap=ffffbfff PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000003
        reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffff81b4162b25
EPT pointer = 0x00000001c0beb01e
dccp_invalid_packet: pskb_may_pull failed
dccp_invalid_packet: pskb_may_pull failed
dccp_invalid_packet: pskb_may_pull failed
dccp_invalid_packet: pskb_may_pull failed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=35125 sclass=netlink_route_socket pig=20957 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=35125 sclass=netlink_route_socket pig=20966 comm=syz-executor0
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
QAT: Invalid ioctl
QAT: Invalid ioctl
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 21449 Comm: syz-executor4 Not tainted 4.13.0+ #70
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:31
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc_node mm/slab.c:3304 [inline]
 kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3649
 __alloc_skb+0xf1/0x740 net/core/skbuff.c:219
 alloc_skb_fclone include/linux/skbuff.h:945 [inline]
 tipc_buf_acquire+0x2d/0xf0 net/tipc/msg.c:66
 tipc_msg_build+0xf4/0x11b0 net/tipc/msg.c:264
 __tipc_sendstream+0x5f3/0xc00 net/tipc/socket.c:1080
 tipc_sendstream+0x50/0x70 net/tipc/socket.c:1039
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:643
 ___sys_sendmsg+0x322/0x8a0 net/socket.c:2035
 __sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2125
 SYSC_sendmmsg net/socket.c:2156 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2151
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x451e59
RSP: 002b:00007f9ba20a4c08 EFLAGS: 00000216 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000007180b0 RCX: 0000000000451e59
RDX: 0000000000000002 RSI: 0000000020e56e78 RDI: 0000000000000005
RBP: 00007f9ba20a4a10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004b69f7
R13: 00007f9ba20a4b48 R14: 00000000004b6a07 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 21553 Comm: syz-executor6 Not tainted 4.13.0+ #70
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:31
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 __do_kmalloc mm/slab.c:3723 [inline]
 __kmalloc_track_caller+0x5f/0x760 mm/slab.c:3740
 memdup_user+0x2c/0x90 mm/util.c:164
 strndup_user+0x62/0xb0 mm/util.c:195
 copy_mount_string fs/namespace.c:2688 [inline]
 SYSC_mount fs/namespace.c:2977 [inline]
 SyS_mount+0x3c/0x120 fs/namespace.c:2969
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x451e59
RSP: 002b:00007fa8df084c08 EFLAGS: 00000216 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 0000000000451e59
RDX: 0000000020fb5ffc RSI: 0000000020343ff8 RDI: 0000000020144000
RBP: 00007fa8df084a10 R08: 000000002000a000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004b69f7
R13: 00007fa8df084b48 R14: 00000000004b6a07 R15: 0000000000000000
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.