[hfs?] possible deadlock in hfs_find_init


syzbot

Dec 30, 2022, 1:08:39 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14dea25c480000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=2558fca67e009a16ff7a
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2558fc...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/21334 is trying to acquire lock:
00000000aa626d6b (&mm->mmap_sem){++++}, at: __might_fault+0xef/0x1d0 mm/memory.c:4771

but task is already holding lock:
0000000004dee158 (&tree->tree_lock#2){+.+.}, at: hfs_find_init+0x1c5/0x230 fs/hfs/bfind.c:30

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #8 (&tree->tree_lock#2){+.+.}:
hfs_find_init+0x1c5/0x230 fs/hfs/bfind.c:30
hfs_write_inode+0x221/0x930 fs/hfs/inode.c:452
write_inode fs/fs-writeback.c:1244 [inline]
__writeback_single_inode+0x733/0x11d0 fs/fs-writeback.c:1442
writeback_sb_inodes+0x537/0xef0 fs/fs-writeback.c:1647
wb_writeback+0x28d/0xcc0 fs/fs-writeback.c:1820
wb_do_writeback fs/fs-writeback.c:1965 [inline]
wb_workfn+0x29b/0x1250 fs/fs-writeback.c:2006
process_one_work+0x864/0x1570 kernel/workqueue.c:2153
worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #7 ((work_completion)(&(&wb->dwork)->work)){+.+.}:
wb_shutdown+0x172/0x210 mm/backing-dev.c:374
bdi_unregister+0x169/0x610 mm/backing-dev.c:946
del_gendisk+0x7f6/0xa80 block/genhd.c:788
loop_remove drivers/block/loop.c:2066 [inline]
loop_control_ioctl drivers/block/loop.c:2165 [inline]
loop_control_ioctl+0x3b1/0x480 drivers/block/loop.c:2131
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #6 (loop_ctl_mutex){+.+.}:
lo_open+0x19/0xd0 drivers/block/loop.c:1771
__blkdev_get+0x372/0x1480 fs/block_dev.c:1494
blkdev_get+0xb0/0x940 fs/block_dev.c:1627
blkdev_open+0x202/0x290 fs/block_dev.c:1788
do_dentry_open+0x4aa/0x1160 fs/open.c:796
do_last fs/namei.c:3421 [inline]
path_openat+0x793/0x2df0 fs/namei.c:3537
do_filp_open+0x18c/0x3f0 fs/namei.c:3567
do_sys_open+0x3b3/0x520 fs/open.c:1085
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #5 (&bdev->bd_mutex){+.+.}:
blkdev_put+0x30/0x520 fs/block_dev.c:1839
btrfs_close_bdev fs/btrfs/volumes.c:1033 [inline]
btrfs_close_one_device fs/btrfs/volumes.c:1057 [inline]
close_fs_devices.part.0+0x24d/0x8e0 fs/btrfs/volumes.c:1085
close_fs_devices fs/btrfs/volumes.c:1117 [inline]
btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1103
open_ctree+0x26b/0x61e0 fs/btrfs/disk-io.c:3326
btrfs_fill_super fs/btrfs/super.c:1209 [inline]
btrfs_mount_root+0x12e5/0x1830 fs/btrfs/super.c:1613
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
btrfs_mount+0x23a/0xaa0 fs/btrfs/super.c:1681
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #4 (&fs_devs->device_list_mutex){+.+.}:
btrfs_run_dev_stats+0xbb/0xa80 fs/btrfs/volumes.c:7111
commit_cowonly_roots+0x1ce/0xc30 fs/btrfs/transaction.c:1172
btrfs_commit_transaction+0x94a/0x2480 fs/btrfs/transaction.c:2218
btrfs_clear_free_space_tree+0x69d/0xa50 fs/btrfs/free-space-tree.c:1255
open_ctree.cold+0x30/0xc3d fs/btrfs/disk-io.c:3203
btrfs_fill_super fs/btrfs/super.c:1209 [inline]
btrfs_mount_root+0x12e5/0x1830 fs/btrfs/super.c:1613
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
btrfs_mount+0x23a/0xaa0 fs/btrfs/super.c:1681
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #3 (&fs_info->tree_log_mutex){+.+.}:
btrfs_commit_transaction+0x8c2/0x2480 fs/btrfs/transaction.c:2176
btrfs_clear_free_space_tree+0x69d/0xa50 fs/btrfs/free-space-tree.c:1255
open_ctree.cold+0x30/0xc3d fs/btrfs/disk-io.c:3203
btrfs_fill_super fs/btrfs/super.c:1209 [inline]
btrfs_mount_root+0x12e5/0x1830 fs/btrfs/super.c:1613
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
btrfs_mount+0x23a/0xaa0 fs/btrfs/super.c:1681
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&fs_info->reloc_mutex){+.+.}:
btrfs_commit_transaction+0x80b/0x2480 fs/btrfs/transaction.c:2120
btrfs_clear_free_space_tree+0x69d/0xa50 fs/btrfs/free-space-tree.c:1255
open_ctree.cold+0x30/0xc3d fs/btrfs/disk-io.c:3203
btrfs_fill_super fs/btrfs/super.c:1209 [inline]
btrfs_mount_root+0x12e5/0x1830 fs/btrfs/super.c:1613
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount+0x3c/0x60 fs/namespace.c:951
btrfs_mount+0x23a/0xaa0 fs/btrfs/super.c:1681
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (sb_internal#2){.+.+}:
sb_start_intwrite include/linux/fs.h:1626 [inline]
start_transaction+0xa37/0xf90 fs/btrfs/transaction.c:528
btrfs_dirty_inode+0xe3/0x210 fs/btrfs/inode.c:6165
btrfs_update_time+0x33b/0x3d0 fs/btrfs/inode.c:6207
update_time fs/inode.c:1675 [inline]
touch_atime+0x23c/0x2a0 fs/inode.c:1746
file_accessed include/linux/fs.h:2123 [inline]
btrfs_file_mmap+0x11b/0x160 fs/btrfs/file.c:2274
call_mmap include/linux/fs.h:1826 [inline]
mmap_region+0xc94/0x16b0 mm/mmap.c:1757
do_mmap+0x8e8/0x1080 mm/mmap.c:1530
do_mmap_pgoff include/linux/mm.h:2329 [inline]
vm_mmap_pgoff+0x197/0x200 mm/util.c:357
ksys_mmap_pgoff+0x298/0x5a0 mm/mmap.c:1580
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&mm->mmap_sem){++++}:
__might_fault mm/memory.c:4772 [inline]
__might_fault+0x152/0x1d0 mm/memory.c:4757
_copy_to_user+0x29/0x100 lib/usercopy.c:25
copy_to_user include/linux/uaccess.h:155 [inline]
filldir64+0x26e/0x430 fs/readdir.c:324
dir_emit_dot include/linux/fs.h:3432 [inline]
hfs_readdir+0x352/0xc50 fs/hfs/dir.c:72
iterate_dir+0x473/0x5c0 fs/readdir.c:51
ksys_getdents64+0x175/0x2b0 fs/readdir.c:357
__do_sys_getdents64 fs/readdir.c:376 [inline]
__se_sys_getdents64 fs/readdir.c:373 [inline]
__x64_sys_getdents64+0x6f/0xb0 fs/readdir.c:373
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
&mm->mmap_sem --> (work_completion)(&(&wb->dwork)->work) --> &tree->tree_lock#2

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&tree->tree_lock#2);
                               lock((work_completion)(&(&wb->dwork)->work));
                               lock(&tree->tree_lock#2);
  lock(&mm->mmap_sem);

*** DEADLOCK ***

3 locks held by syz-executor.5/21334:
#0: 00000000be635601 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x26f/0x310 fs/file.c:767
#1: 00000000c3fa7e06 (&type->i_mutex_dir_key#15){++++}, at: iterate_dir+0xd2/0x5c0 fs/readdir.c:41
#2: 0000000004dee158 (&tree->tree_lock#2){+.+.}, at: hfs_find_init+0x1c5/0x230 fs/hfs/bfind.c:30

stack backtrace:
CPU: 0 PID: 21334 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
check_prev_add kernel/locking/lockdep.c:1866 [inline]
check_prevs_add kernel/locking/lockdep.c:1979 [inline]
validate_chain kernel/locking/lockdep.c:2420 [inline]
__lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
__might_fault mm/memory.c:4772 [inline]
__might_fault+0x152/0x1d0 mm/memory.c:4757
_copy_to_user+0x29/0x100 lib/usercopy.c:25
copy_to_user include/linux/uaccess.h:155 [inline]
filldir64+0x26e/0x430 fs/readdir.c:324
dir_emit_dot include/linux/fs.h:3432 [inline]
hfs_readdir+0x352/0xc50 fs/hfs/dir.c:72
iterate_dir+0x473/0x5c0 fs/readdir.c:51
ksys_getdents64+0x175/0x2b0 fs/readdir.c:357
__do_sys_getdents64 fs/readdir.c:376 [inline]
__se_sys_getdents64 fs/readdir.c:373 [inline]
__x64_sys_getdents64+0x6f/0xb0 fs/readdir.c:373
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f65c23730a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f65b84cc168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f65c2493050 RCX: 00007f65c23730a9
RDX: 00000000000000e1 RSI: 0000000020000340 RDI: 0000000000000009
RBP: 00007f65c23ceae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcbfbb447f R14: 00007f65b84cc300 R15: 0000000000022000

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jan 29, 2023, 12:41:50 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12a95de1480000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=2558fca67e009a16ff7a
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147f7495480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15060879480000
mounted in repro: https://storage.googleapis.com/syzbot-assets/fbecb9b7657a/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2558fc...@syzkaller.appspotmail.com

============================================
WARNING: possible recursive locking detected
4.19.211-syzkaller #0 Not tainted
--------------------------------------------
kworker/u4:4/1530 is trying to acquire lock:
000000008d64b6c6 (&tree->tree_lock/1){+.+.}, at: hfs_find_init+0x17e/0x230 fs/hfs/bfind.c:33

but task is already holding lock:
000000008d64b6c6 (&tree->tree_lock/1){+.+.}, at: hfs_find_init+0x17e/0x230 fs/hfs/bfind.c:33

other info that might help us debug this:
Possible unsafe locking scenario:

       CPU0
       ----
  lock(&tree->tree_lock/1);
  lock(&tree->tree_lock/1);

*** DEADLOCK ***

May be due to missing lock nesting notation

4 locks held by kworker/u4:4/1530:
#0: 00000000a9ed9130 ((wq_completion)"writeback"){+.+.}, at: process_one_work+0x767/0x1570 kernel/workqueue.c:2124
#1: 00000000dc3b79d5 ((work_completion)(&(&wb->dwork)->work)){+.+.}, at: process_one_work+0x79c/0x1570 kernel/workqueue.c:2128
#2: 000000008d64b6c6 (&tree->tree_lock/1){+.+.}, at: hfs_find_init+0x17e/0x230 fs/hfs/bfind.c:33
#3: 0000000083ad5da7 (&HFS_I(tree->inode)->extents_lock){+.+.}, at: hfs_extend_file+0x93/0xac0 fs/hfs/extent.c:397

stack backtrace:
CPU: 1 PID: 1530 Comm: kworker/u4:4 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_deadlock_bug kernel/locking/lockdep.c:1764 [inline]
check_deadlock kernel/locking/lockdep.c:1808 [inline]
validate_chain kernel/locking/lockdep.c:2404 [inline]
__lock_acquire.cold+0x121/0x57e kernel/locking/lockdep.c:3416
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
__mutex_lock_common kernel/locking/mutex.c:937 [inline]
__mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
hfs_find_init+0x17e/0x230 fs/hfs/bfind.c:33
hfs_ext_read_extent+0x191/0xa20 fs/hfs/extent.c:200
hfs_extend_file+0x4a0/0xac0 fs/hfs/extent.c:401
hfs_bmap_reserve+0x241/0x390 fs/hfs/btree.c:231
__hfs_ext_write_extent+0x3c1/0x510 fs/hfs/extent.c:121
hfs_ext_write_extent fs/hfs/extent.c:144 [inline]
hfs_ext_write_extent+0x1a2/0x1f0 fs/hfs/extent.c:135
hfs_write_inode+0x8f/0x930 fs/hfs/inode.c:426