[v5.15] possible deadlock in hfsplus_find_init
0 views
Skip to first unread message
syzbot
Apr 6, 2023, 1:26:48 PM4/6/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d86dfc4d95cd Linux 5.15.106
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=134ffffdc80000
kernel config: https://syzkaller.appspot.com/x/.config?x=639d55ab480652c5
dashboard link: https://syzkaller.appspot.com/bug?extid=5da1fef4d17e09c820db
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b2a94107dd69/disk-d86dfc4d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/398f8d288cb9/vmlinux-d86dfc4d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9b790c7e7c8c/Image-d86dfc4d.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5da1fe...@syzkaller.appspotmail.com
loop3: detected capacity change from 0 to 1024
======================================================
WARNING: possible circular locking dependency detected
5.15.106-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/7029 is trying to acquire lock:
ffff0000d2e3cbd8 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0xa0/0x128 mm/memory.c:5296
but task is already holding lock:
ffff0000cd7560b0 (&tree->tree_lock#2){+.+.}-{3:3}, at: hfsplus_find_init+0x144/0x1bc
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&tree->tree_lock#2){+.+.}-{3:3}:
__mutex_lock_common+0x194/0x2154 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0xa4/0xf8 kernel/locking/mutex.c:743
hfsplus_file_truncate+0x6d4/0x9cc fs/hfsplus/extents.c:595
hfsplus_setattr+0x18c/0x25c fs/hfsplus/inode.c:267
notify_change+0xac4/0xd60 fs/attr.c:488
do_truncate+0x1c0/0x28c fs/open.c:65
handle_truncate fs/namei.c:3195 [inline]
do_open fs/namei.c:3542 [inline]
path_openat+0x20e8/0x26f0 fs/namei.c:3672
do_filp_open+0x1a8/0x3b4 fs/namei.c:3699
do_sys_openat2+0x128/0x3d8 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1238
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #2 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}:
__mutex_lock_common+0x194/0x2154 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0xa4/0xf8 kernel/locking/mutex.c:743
hfsplus_get_block+0x2c4/0x1194 fs/hfsplus/extents.c:260
block_read_full_page+0x2a0/0xc4c fs/buffer.c:2290
hfsplus_readpage+0x28/0x38 fs/hfsplus/inode.c:28
read_pages+0x298/0x420 mm/readahead.c:145
page_cache_ra_unbounded+0x534/0x654 mm/readahead.c:239
do_page_cache_ra mm/readahead.c:269 [inline]
ondemand_readahead+0x62c/0xd0c mm/readahead.c:552
page_cache_sync_ra+0x130/0x180 mm/readahead.c:580
page_cache_sync_readahead include/linux/pagemap.h:833 [inline]
filemap_get_pages mm/filemap.c:2551 [inline]
filemap_read+0x52c/0x1bd4 mm/filemap.c:2634
generic_file_read_iter+0xa0/0x3c4 mm/filemap.c:2785
__kernel_read+0x488/0x8b0 fs/read_write.c:443
kernel_read+0xd8/0x1d4 fs/read_write.c:461
prepare_binprm fs/exec.c:1664 [inline]
search_binary_handler fs/exec.c:1718 [inline]
exec_binprm fs/exec.c:1775 [inline]
bprm_execve+0x740/0x1578 fs/exec.c:1844
do_execveat_common+0x668/0x814 fs/exec.c:1949
do_execve fs/exec.c:2019 [inline]
__do_sys_execve fs/exec.c:2095 [inline]
__se_sys_execve fs/exec.c:2090 [inline]
__arm64_sys_execve+0x98/0xb0 fs/exec.c:2090
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #1 (mapping.invalidate_lock#5){.+.+}-{3:3}:
down_read+0xbc/0x11c kernel/locking/rwsem.c:1488
filemap_invalidate_lock_shared include/linux/fs.h:842 [inline]
filemap_fault+0x52c/0xf5c mm/filemap.c:3072
__do_fault+0x120/0x5d0 mm/memory.c:3871
do_read_fault mm/memory.c:4207 [inline]
do_fault mm/memory.c:4335 [inline]
handle_pte_fault mm/memory.c:4594 [inline]
__handle_mm_fault mm/memory.c:4729 [inline]
handle_mm_fault+0x21ec/0x33c4 mm/memory.c:4827
__do_page_fault arch/arm64/mm/fault.c:505 [inline]
do_page_fault+0x700/0xb60 arch/arm64/mm/fault.c:605
do_translation_fault+0xe8/0x138 arch/arm64/mm/fault.c:686
do_mem_abort+0x70/0x1d8 arch/arm64/mm/fault.c:819
el1_abort+0x3c/0x5c arch/arm64/kernel/entry-common.c:358
el1h_64_sync_handler+0x5c/0x98 arch/arm64/kernel/entry-common.c:409
el1h_64_sync+0x78/0x7c arch/arm64/kernel/entry.S:579
fault_in_readable+0x1b4/0x56c mm/gup.c:1793
fault_in_iov_iter_readable+0x130/0x1b0 lib/iov_iter.c:460
generic_perform_write+0x198/0x520 mm/filemap.c:3766
__generic_file_write_iter+0x230/0x454 mm/filemap.c:3903
generic_file_write_iter+0xb4/0x1b8 mm/filemap.c:3935
call_write_iter include/linux/fs.h:2103 [inline]
new_sync_write fs/read_write.c:507 [inline]
vfs_write+0x87c/0xb3c fs/read_write.c:594
ksys_write+0x15c/0x26c fs/read_write.c:647
__do_sys_write fs/read_write.c:659 [inline]
__se_sys_write fs/read_write.c:656 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:656
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #0 (&mm->mmap_lock){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain kernel/locking/lockdep.c:3787 [inline]
__lock_acquire+0x32cc/0x7620 kernel/locking/lockdep.c:5011
lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5622
__might_fault+0xc8/0x128 mm/memory.c:5297
filldir64+0x2bc/0x9e4 fs/readdir.c:335
dir_emit_dot include/linux/fs.h:3605 [inline]
hfsplus_readdir+0x398/0xf68 fs/hfsplus/dir.c:159
iterate_dir+0x1f4/0x4e4
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64 fs/readdir.c:354 [inline]
__arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
other info that might help us debug this:
Chain exists of:
&mm->mmap_lock --> &HFSPLUS_I(inode)->extents_lock --> &tree->tree_lock#2
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&tree->tree_lock#2);
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&tree->tree_lock#2);
lock(&mm->mmap_lock);
*** DEADLOCK ***
3 locks held by syz-executor.3/7029:
#0: ffff00011cc7bc70 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xdc/0x108 fs/file.c:1073
#1: ffff0000c154b240 (&type->i_mutex_dir_key#22){++++}-{3:3}, at: iterate_dir+0x108/0x4e4 fs/readdir.c:55
#2: ffff0000cd7560b0 (&tree->tree_lock#2){+.+.}-{3:3}, at: hfsplus_find_init+0x144/0x1bc
stack backtrace:
CPU: 1 PID: 7029 Comm: syz-executor.3 Not tainted 5.15.106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
print_circular_bug+0x150/0x1b8 kernel/locking/lockdep.c:2011
check_noncircular+0x2cc/0x378 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain kernel/locking/lockdep.c:3787 [inline]
__lock_acquire+0x32cc/0x7620 kernel/locking/lockdep.c:5011
lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5622
__might_fault+0xc8/0x128 mm/memory.c:5297
filldir64+0x2bc/0x9e4 fs/readdir.c:335
dir_emit_dot include/linux/fs.h:3605 [inline]
hfsplus_readdir+0x398/0xf68 fs/hfsplus/dir.c:159
iterate_dir+0x1f4/0x4e4
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64 fs/readdir.c:354 [inline]
__arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: d86dfc4d95cd Linux 5.15.106
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=134ffffdc80000
kernel config: https://syzkaller.appspot.com/x/.config?x=639d55ab480652c5
dashboard link: https://syzkaller.appspot.com/bug?extid=5da1fef4d17e09c820db
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b2a94107dd69/disk-d86dfc4d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/398f8d288cb9/vmlinux-d86dfc4d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9b790c7e7c8c/Image-d86dfc4d.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5da1fe...@syzkaller.appspotmail.com
loop3: detected capacity change from 0 to 1024
======================================================
WARNING: possible circular locking dependency detected
5.15.106-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/7029 is trying to acquire lock:
ffff0000d2e3cbd8 (&mm->mmap_lock){++++}-{3:3}, at: __might_fault+0xa0/0x128 mm/memory.c:5296
but task is already holding lock:
ffff0000cd7560b0 (&tree->tree_lock#2){+.+.}-{3:3}, at: hfsplus_find_init+0x144/0x1bc
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&tree->tree_lock#2){+.+.}-{3:3}:
__mutex_lock_common+0x194/0x2154 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0xa4/0xf8 kernel/locking/mutex.c:743
hfsplus_file_truncate+0x6d4/0x9cc fs/hfsplus/extents.c:595
hfsplus_setattr+0x18c/0x25c fs/hfsplus/inode.c:267
notify_change+0xac4/0xd60 fs/attr.c:488
do_truncate+0x1c0/0x28c fs/open.c:65
handle_truncate fs/namei.c:3195 [inline]
do_open fs/namei.c:3542 [inline]
path_openat+0x20e8/0x26f0 fs/namei.c:3672
do_filp_open+0x1a8/0x3b4 fs/namei.c:3699
do_sys_openat2+0x128/0x3d8 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_openat fs/open.c:1243 [inline]
__se_sys_openat fs/open.c:1238 [inline]
__arm64_sys_openat+0x1f0/0x240 fs/open.c:1238
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #2 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}:
__mutex_lock_common+0x194/0x2154 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0xa4/0xf8 kernel/locking/mutex.c:743
hfsplus_get_block+0x2c4/0x1194 fs/hfsplus/extents.c:260
block_read_full_page+0x2a0/0xc4c fs/buffer.c:2290
hfsplus_readpage+0x28/0x38 fs/hfsplus/inode.c:28
read_pages+0x298/0x420 mm/readahead.c:145
page_cache_ra_unbounded+0x534/0x654 mm/readahead.c:239
do_page_cache_ra mm/readahead.c:269 [inline]
ondemand_readahead+0x62c/0xd0c mm/readahead.c:552
page_cache_sync_ra+0x130/0x180 mm/readahead.c:580
page_cache_sync_readahead include/linux/pagemap.h:833 [inline]
filemap_get_pages mm/filemap.c:2551 [inline]
filemap_read+0x52c/0x1bd4 mm/filemap.c:2634
generic_file_read_iter+0xa0/0x3c4 mm/filemap.c:2785
__kernel_read+0x488/0x8b0 fs/read_write.c:443
kernel_read+0xd8/0x1d4 fs/read_write.c:461
prepare_binprm fs/exec.c:1664 [inline]
search_binary_handler fs/exec.c:1718 [inline]
exec_binprm fs/exec.c:1775 [inline]
bprm_execve+0x740/0x1578 fs/exec.c:1844
do_execveat_common+0x668/0x814 fs/exec.c:1949
do_execve fs/exec.c:2019 [inline]
__do_sys_execve fs/exec.c:2095 [inline]
__se_sys_execve fs/exec.c:2090 [inline]
__arm64_sys_execve+0x98/0xb0 fs/exec.c:2090
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #1 (mapping.invalidate_lock#5){.+.+}-{3:3}:
down_read+0xbc/0x11c kernel/locking/rwsem.c:1488
filemap_invalidate_lock_shared include/linux/fs.h:842 [inline]
filemap_fault+0x52c/0xf5c mm/filemap.c:3072
__do_fault+0x120/0x5d0 mm/memory.c:3871
do_read_fault mm/memory.c:4207 [inline]
do_fault mm/memory.c:4335 [inline]
handle_pte_fault mm/memory.c:4594 [inline]
__handle_mm_fault mm/memory.c:4729 [inline]
handle_mm_fault+0x21ec/0x33c4 mm/memory.c:4827
__do_page_fault arch/arm64/mm/fault.c:505 [inline]
do_page_fault+0x700/0xb60 arch/arm64/mm/fault.c:605
do_translation_fault+0xe8/0x138 arch/arm64/mm/fault.c:686
do_mem_abort+0x70/0x1d8 arch/arm64/mm/fault.c:819
el1_abort+0x3c/0x5c arch/arm64/kernel/entry-common.c:358
el1h_64_sync_handler+0x5c/0x98 arch/arm64/kernel/entry-common.c:409
el1h_64_sync+0x78/0x7c arch/arm64/kernel/entry.S:579
fault_in_readable+0x1b4/0x56c mm/gup.c:1793
fault_in_iov_iter_readable+0x130/0x1b0 lib/iov_iter.c:460
generic_perform_write+0x198/0x520 mm/filemap.c:3766
__generic_file_write_iter+0x230/0x454 mm/filemap.c:3903
generic_file_write_iter+0xb4/0x1b8 mm/filemap.c:3935
call_write_iter include/linux/fs.h:2103 [inline]
new_sync_write fs/read_write.c:507 [inline]
vfs_write+0x87c/0xb3c fs/read_write.c:594
ksys_write+0x15c/0x26c fs/read_write.c:647
__do_sys_write fs/read_write.c:659 [inline]
__se_sys_write fs/read_write.c:656 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:656
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
-> #0 (&mm->mmap_lock){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain kernel/locking/lockdep.c:3787 [inline]
__lock_acquire+0x32cc/0x7620 kernel/locking/lockdep.c:5011
lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5622
__might_fault+0xc8/0x128 mm/memory.c:5297
filldir64+0x2bc/0x9e4 fs/readdir.c:335
dir_emit_dot include/linux/fs.h:3605 [inline]
hfsplus_readdir+0x398/0xf68 fs/hfsplus/dir.c:159
iterate_dir+0x1f4/0x4e4
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64 fs/readdir.c:354 [inline]
__arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
other info that might help us debug this:
Chain exists of:
&mm->mmap_lock --> &HFSPLUS_I(inode)->extents_lock --> &tree->tree_lock#2
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&tree->tree_lock#2);
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&tree->tree_lock#2);
lock(&mm->mmap_lock);
*** DEADLOCK ***
3 locks held by syz-executor.3/7029:
#0: ffff00011cc7bc70 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xdc/0x108 fs/file.c:1073
#1: ffff0000c154b240 (&type->i_mutex_dir_key#22){++++}-{3:3}, at: iterate_dir+0x108/0x4e4 fs/readdir.c:55
#2: ffff0000cd7560b0 (&tree->tree_lock#2){+.+.}-{3:3}, at: hfsplus_find_init+0x144/0x1bc
stack backtrace:
CPU: 1 PID: 7029 Comm: syz-executor.3 Not tainted 5.15.106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
print_circular_bug+0x150/0x1b8 kernel/locking/lockdep.c:2011
check_noncircular+0x2cc/0x378 kernel/locking/lockdep.c:2133
check_prev_add kernel/locking/lockdep.c:3053 [inline]
check_prevs_add kernel/locking/lockdep.c:3172 [inline]
validate_chain kernel/locking/lockdep.c:3787 [inline]
__lock_acquire+0x32cc/0x7620 kernel/locking/lockdep.c:5011
lock_acquire+0x240/0x77c kernel/locking/lockdep.c:5622
__might_fault+0xc8/0x128 mm/memory.c:5297
filldir64+0x2bc/0x9e4 fs/readdir.c:335
dir_emit_dot include/linux/fs.h:3605 [inline]
hfsplus_readdir+0x398/0xf68 fs/hfsplus/dir.c:159
iterate_dir+0x1f4/0x4e4
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64 fs/readdir.c:354 [inline]
__arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
May 22, 2023, 1:48:10 PM5/22/23
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 9d6bde853685 Linux 5.15.112
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15bbde19280000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61e8195d8bdf36e
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1044d42e280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b65d6c2ec328/disk-9d6bde85.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cf811ebac37b/vmlinux-9d6bde85.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b2f32fdecf97/bzImage-9d6bde85.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/877d8836e285/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5da1fe...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
5.15.112-syzkaller #0 Not tainted
--------------------------------------------
kworker/u4:2/154 is trying to acquire lock:
ffff888078b6a0b0 (&tree->tree_lock/1){+.+.}-{3:3}, at: hfsplus_find_init+0x146/0x1c0
but task is already holding lock:
ffff888078b6a0b0 (&tree->tree_lock/1){+.+.}-{3:3}, at: hfsplus_find_init+0x146/0x1c0
other info that might help us debug this:
lock(&tree->tree_lock/1);
lock(&tree->tree_lock/1);
*** DEADLOCK ***
May be due to missing lock nesting notation
5 locks held by kworker/u4:2/154:
#0: ffff888014184938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2280
#1: ffffc900010bfd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2282
#2: ffff8880157f2988 (&hip->extents_lock){+.+.}-{3:3}, at: hfsplus_ext_write_extent+0x8a/0x1f0 fs/hfsplus/extents.c:149
#3: ffff888078b6a0b0 (&tree->tree_lock/1){+.+.}-{3:3}, at: hfsplus_find_init+0x146/0x1c0
#4: ffff8880157f0108 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_extend+0x1d2/0x1b10 fs/hfsplus/extents.c:457
stack backtrace:
CPU: 0 PID: 154 Comm: kworker/u4:2 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_deadlock_bug kernel/locking/lockdep.c:2946 [inline]
check_deadlock kernel/locking/lockdep.c:2989 [inline]
validate_chain+0x46cf/0x58b0 kernel/locking/lockdep.c:3774
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5011
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
hfsplus_find_init+0x146/0x1c0
hfsplus_ext_read_extent fs/hfsplus/extents.c:216 [inline]
hfsplus_file_extend+0x40a/0x1b10 fs/hfsplus/extents.c:461
hfsplus_bmap_reserve+0x101/0x4e0 fs/hfsplus/btree.c:357
__hfsplus_ext_write_extent+0x2a4/0x5b0 fs/hfsplus/extents.c:104
hfsplus_ext_write_extent_locked fs/hfsplus/extents.c:139 [inline]
hfsplus_ext_write_extent+0x166/0x1f0 fs/hfsplus/extents.c:150
hfsplus_write_inode+0x1e/0x5c0 fs/hfsplus/super.c:154
write_inode fs/fs-writeback.c:1478 [inline]
__writeback_single_inode+0x644/0xe30 fs/fs-writeback.c:1683
writeback_sb_inodes+0xbf0/0x1a50 fs/fs-writeback.c:1908
wb_writeback+0x451/0xc50 fs/fs-writeback.c:2082
wb_do_writeback fs/fs-writeback.c:2225 [inline]
wb_workfn+0x46c/0x1130 fs/fs-writeback.c:2266
process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2307
worker_thread+0xaca/0x1280 kernel/workqueue.c:2454
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 9d6bde853685 Linux 5.15.112
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15bbde19280000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61e8195d8bdf36e
dashboard link: https://syzkaller.appspot.com/bug?extid=5da1fef4d17e09c820db
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=177cc039280000
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1044d42e280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b65d6c2ec328/disk-9d6bde85.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cf811ebac37b/vmlinux-9d6bde85.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b2f32fdecf97/bzImage-9d6bde85.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/877d8836e285/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5da1fe...@syzkaller.appspotmail.com
WARNING: possible recursive locking detected
5.15.112-syzkaller #0 Not tainted
--------------------------------------------
kworker/u4:2/154 is trying to acquire lock:
ffff888078b6a0b0 (&tree->tree_lock/1){+.+.}-{3:3}, at: hfsplus_find_init+0x146/0x1c0
but task is already holding lock:
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
CPU0
lock(&tree->tree_lock/1);
lock(&tree->tree_lock/1);
*** DEADLOCK ***
May be due to missing lock nesting notation
5 locks held by kworker/u4:2/154:
#0: ffff888014184938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2280
#1: ffffc900010bfd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2282
#2: ffff8880157f2988 (&hip->extents_lock){+.+.}-{3:3}, at: hfsplus_ext_write_extent+0x8a/0x1f0 fs/hfsplus/extents.c:149
#3: ffff888078b6a0b0 (&tree->tree_lock/1){+.+.}-{3:3}, at: hfsplus_find_init+0x146/0x1c0
#4: ffff8880157f0108 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_extend+0x1d2/0x1b10 fs/hfsplus/extents.c:457
stack backtrace:
CPU: 0 PID: 154 Comm: kworker/u4:2 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_deadlock_bug kernel/locking/lockdep.c:2946 [inline]
check_deadlock kernel/locking/lockdep.c:2989 [inline]
validate_chain+0x46cf/0x58b0 kernel/locking/lockdep.c:3774
__lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5011
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5622
__mutex_lock_common+0x1da/0x25a0 kernel/locking/mutex.c:596
__mutex_lock kernel/locking/mutex.c:729 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
hfsplus_find_init+0x146/0x1c0
hfsplus_ext_read_extent fs/hfsplus/extents.c:216 [inline]
hfsplus_file_extend+0x40a/0x1b10 fs/hfsplus/extents.c:461
hfsplus_bmap_reserve+0x101/0x4e0 fs/hfsplus/btree.c:357
__hfsplus_ext_write_extent+0x2a4/0x5b0 fs/hfsplus/extents.c:104
hfsplus_ext_write_extent_locked fs/hfsplus/extents.c:139 [inline]
hfsplus_ext_write_extent+0x166/0x1f0 fs/hfsplus/extents.c:150
hfsplus_write_inode+0x1e/0x5c0 fs/hfsplus/super.c:154
write_inode fs/fs-writeback.c:1478 [inline]
__writeback_single_inode+0x644/0xe30 fs/fs-writeback.c:1683
writeback_sb_inodes+0xbf0/0x1a50 fs/fs-writeback.c:1908
wb_writeback+0x451/0xc50 fs/fs-writeback.c:2082
wb_do_writeback fs/fs-writeback.c:2225 [inline]
wb_workfn+0x46c/0x1130 fs/fs-writeback.c:2266
process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2307
worker_thread+0xaca/0x1280 kernel/workqueue.c:2454
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages