[hfsplus?] possible deadlock in hfsplus_find_init


syzbot

Dec 27, 2022, 2:37:45 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c4215ee4771b Linux 4.14.302
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1689e268480000
kernel config: https://syzkaller.appspot.com/x/.config?x=4a9988fe055c9527
dashboard link: https://syzkaller.appspot.com/bug?extid=0a5f47bad7259db05d4d
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c93ba055d204/disk-c4215ee4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bfbc929a33c1/vmlinux-c4215ee4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/444658051770/bzImage-c4215ee4.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0a5f47...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
4.14.302-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/10102 is trying to acquire lock:
(&tree->tree_lock/1){+.+.}, at: [<ffffffff81d40441>] hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33

but task is already holding lock:
(&HFSPLUS_I(inode)->extents_lock){+.+.}, at: [<ffffffff81d2e009>] hfsplus_get_block+0x1f9/0x820 fs/hfsplus/extents.c:260

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&HFSPLUS_I(inode)->extents_lock){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
hfsplus_get_block+0x1f9/0x820 fs/hfsplus/extents.c:260
block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
read_mapping_page include/linux/pagemap.h:398 [inline]
hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
__block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
__block_write_begin fs/buffer.c:2088 [inline]
block_write_begin+0x58/0x270 fs/buffer.c:2147
cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
cont_expand_zero fs/buffer.c:2424 [inline]
cont_write_begin+0x296/0x740 fs/buffer.c:2487
hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
__generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
call_write_iter include/linux/fs.h:1780 [inline]
aio_write+0x2ed/0x560 fs/aio.c:1553
io_submit_one fs/aio.c:1641 [inline]
do_io_submit+0x847/0x1570 fs/aio.c:1709
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #1 (&sbi->alloc_mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
hfsplus_block_free+0xc7/0x560 fs/hfsplus/bitmap.c:182
hfsplus_free_extents+0x320/0x440 fs/hfsplus/extents.c:371
hfsplus_file_truncate+0xbc0/0xe80 fs/hfsplus/extents.c:585
hfsplus_file_release+0xbc/0x1e0 fs/hfsplus/inode.c:234
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa44/0x2850 kernel/exit.c:868
do_group_exit+0x100/0x2e0 kernel/exit.c:965
get_signal+0x38d/0x1ca0 kernel/signal.c:2412
do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792
exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (&tree->tree_lock/1){+.+.}:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33
hfsplus_ext_read_extent+0x15f/0x9e0 fs/hfsplus/extents.c:216
hfsplus_get_block+0x23e/0x820 fs/hfsplus/extents.c:268
block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
read_mapping_page include/linux/pagemap.h:398 [inline]
hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
__block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
__block_write_begin fs/buffer.c:2088 [inline]
block_write_begin+0x58/0x270 fs/buffer.c:2147
cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
cont_expand_zero fs/buffer.c:2424 [inline]
cont_write_begin+0x296/0x740 fs/buffer.c:2487
hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
__generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
call_write_iter include/linux/fs.h:1780 [inline]
aio_write+0x2ed/0x560 fs/aio.c:1553
io_submit_one fs/aio.c:1641 [inline]
do_io_submit+0x847/0x1570 fs/aio.c:1709
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
&tree->tree_lock/1 --> &sbi->alloc_mutex --> &HFSPLUS_I(inode)->extents_lock

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&HFSPLUS_I(inode)->extents_lock);
                               lock(&sbi->alloc_mutex);
                               lock(&HFSPLUS_I(inode)->extents_lock);
  lock(&tree->tree_lock/1);

*** DEADLOCK ***

5 locks held by syz-executor.4/10102:
#0: (sb_writers#13){.+.+}, at: [<ffffffff81985ff8>] file_start_write include/linux/fs.h:2714 [inline]
#0: (sb_writers#13){.+.+}, at: [<ffffffff81985ff8>] aio_write+0x408/0x560 fs/aio.c:1552
#1: (&sb->s_type->i_mutex_key#21){+.+.}, at: [<ffffffff816940f9>] inode_lock include/linux/fs.h:719 [inline]
#1: (&sb->s_type->i_mutex_key#21){+.+.}, at: [<ffffffff816940f9>] generic_file_write_iter+0x99/0x650 mm/filemap.c:3205
#2: (&hip->extents_lock){+.+.}, at: [<ffffffff81d2d0a8>] hfsplus_file_extend+0x188/0xef0 fs/hfsplus/extents.c:452
#3: (&sbi->alloc_mutex){+.+.}, at: [<ffffffff81d456c2>] hfsplus_block_allocate+0xd2/0x910 fs/hfsplus/bitmap.c:35
#4: (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: [<ffffffff81d2e009>] hfsplus_get_block+0x1f9/0x820 fs/hfsplus/extents.c:260

stack backtrace:
CPU: 0 PID: 10102 Comm: syz-executor.4 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1905 [inline]
check_prevs_add kernel/locking/lockdep.c:2022 [inline]
validate_chain kernel/locking/lockdep.c:2464 [inline]
__lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33
hfsplus_ext_read_extent+0x15f/0x9e0 fs/hfsplus/extents.c:216
hfsplus_get_block+0x23e/0x820 fs/hfsplus/extents.c:268
block_read_full_page+0x25e/0x8d0 fs/buffer.c:2316
do_read_cache_page+0x38e/0xc10 mm/filemap.c:2713
read_mapping_page include/linux/pagemap.h:398 [inline]
hfsplus_block_allocate+0x189/0x910 fs/hfsplus/bitmap.c:37
hfsplus_file_extend+0x421/0xef0 fs/hfsplus/extents.c:463
hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
__block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
__block_write_begin fs/buffer.c:2088 [inline]
block_write_begin+0x58/0x270 fs/buffer.c:2147
cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
cont_expand_zero fs/buffer.c:2424 [inline]
cont_write_begin+0x296/0x740 fs/buffer.c:2487
hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
__generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
call_write_iter include/linux/fs.h:1780 [inline]
aio_write+0x2ed/0x560 fs/aio.c:1553
io_submit_one fs/aio.c:1641 [inline]
do_io_submit+0x847/0x1570 fs/aio.c:1709
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7fa39de8b0a9
RSP: 002b:00007fa39c3fd168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007fa39dfaaf80 RCX: 00007fa39de8b0a9
RDX: 0000000020000540 RSI: 0000000000000004 RDI: 00007fa39403d000
RBP: 00007fa39dee6ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffce1e70a5f R14: 00007fa39c3fd300 R15: 0000000000022000
audit: type=1800 audit(1672169809.706:2): pid=10129 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=13950 res=0
audit: type=1804 audit(1672169809.706:3): pid=10129 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir2834575914/syzkaller.zEf7Wl/19/file0" dev="sda1" ino=13950 res=1
audit: type=1804 audit(1672169809.706:4): pid=10129 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.5" name="/root/syzkaller-testdir2834575914/syzkaller.zEf7Wl/19/file0" dev="sda1" ino=13950 res=1
gfs2: fsid=loop3: Trying to join cluster "lock_nolock", "loop3"
gfs2: fsid=loop3: Now mounting FS...
gfs2: fsid=loop3.0: journal 0 mapped with 3 extents
gfs2: fsid=loop3.0: jid=0, already locked for use
gfs2: fsid=loop3.0: jid=0: Looking at journal...
gfs2: fsid=loop3.0: jid=0: Done
gfs2: fsid=loop3.0: first mount done, others may mount
audit: type=1800 audit(1672169810.556:5): pid=10214 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=13981 res=0
audit: type=1804 audit(1672169810.566:6): pid=10214 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir2834575914/syzkaller.zEf7Wl/20/file0" dev="sda1" ino=13981 res=1
audit: type=1804 audit(1672169810.576:7): pid=10214 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.5" name="/root/syzkaller-testdir2834575914/syzkaller.zEf7Wl/20/file0" dev="sda1" ino=13981 res=1
audit: type=1800 audit(1672169811.436:8): pid=10257 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=14005 res=0
audit: type=1804 audit(1672169811.446:9): pid=10257 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir2834575914/syzkaller.zEf7Wl/21/file0" dev="sda1" ino=14005 res=1
audit: type=1804 audit(1672169811.446:10): pid=10257 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.5" name="/root/syzkaller-testdir2834575914/syzkaller.zEf7Wl/21/file0" dev="sda1" ino=14005 res=1
audit: type=1800 audit(1672169812.317:11): pid=10302 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=14004 res=0
IPVS: ftp: loaded support on port[0] = 21
ptrace attach of ""[10387] was attempted by "/root/syz-executor.1 exec"[10385]
ptrace attach of ""[10391] was attempted by "/root/syz-executor.1 exec"[10389]
ptrace attach of ""[10404] was attempted by "/root/syz-executor.1 exec"[10399]
kauditd_printk_skb: 9 callbacks suppressed
audit: type=1800 audit(1672169814.917:21): pid=10377 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=14055 res=0
audit: type=1804 audit(1672169814.947:22): pid=10377 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir3557652580/syzkaller.Ozm02S/33/bus" dev="sda1" ino=14055 res=1
ptrace attach of ""[10415] was attempted by "/root/syz-executor.1 exec"[10412]
ptrace attach of ""[10420] was attempted by "/root/syz-executor.4 exec"[10417]
ptrace attach of ""[10423] was attempted by "/root/syz-executor.1 exec"[10421]
ptrace attach of ""[10430] was attempted by "/root/syz-executor.4 exec"[10427]
ptrace attach of ""[10431] was attempted by "/root/syz-executor.1 exec"[10425]
ptrace attach of ""[10437] was attempted by "/root/syz-executor.4 exec"[10433]
ptrace attach of ""[10439] was attempted by "/root/syz-executor.1 exec"[10435]
block nbd0: shutting down sockets
xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): sanity_check_inode: inode (ino=3) has corrupted i_extra_isize: 24, max: 12
F2FS-fs (loop0): Failed to read root inode
F2FS-fs (loop0): invalid crc value
F2FS-fs (loop0): Found nat_bits in checkpoint
F2FS-fs (loop0): sanity_check_inode: inode (ino=3) has corrupted i_extra_isize: 24, max: 12
F2FS-fs (loop0): Failed to read root inode
audit: type=1804 audit(1672169818.068:23): pid=10570 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.0" name="/root/syzkaller-testdir553912054/syzkaller.b647Y4/49/bus" dev="sda1" ino=14105 res=1
audit: type=1804 audit(1672169818.198:24): pid=10621 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.0" name="/root/syzkaller-testdir553912054/syzkaller.b647Y4/49/bus" dev="sda1" ino=14105 res=1
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Dec 29, 2022, 8:03:54 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: c4215ee4771b Linux 4.14.302
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17fca3e4480000
kernel config: https://syzkaller.appspot.com/x/.config?x=4a9988fe055c9527
dashboard link: https://syzkaller.appspot.com/bug?extid=0a5f47bad7259db05d4d
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1002faa2480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15eb0968480000
mounted in repro: https://storage.googleapis.com/syzbot-assets/f820273c3724/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0a5f47...@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
4.14.302-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor377/7994 is trying to acquire lock:
(&tree->tree_lock/1){+.+.}, at: [<ffffffff81d40441>] hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33

but task is already holding lock:
(&HFSPLUS_I(inode)->extents_lock){+.+.}, at: [<ffffffff81d2e7ea>] hfsplus_file_truncate+0x1ba/0xe80 fs/hfsplus/extents.c:571

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
hfsplus_file_extend+0x188/0xef0 fs/hfsplus/extents.c:452
hfsplus_bmap_reserve+0x26e/0x410 fs/hfsplus/btree.c:357
__hfsplus_ext_write_extent+0x415/0x560 fs/hfsplus/extents.c:104
__hfsplus_ext_cache_extent fs/hfsplus/extents.c:186 [inline]
hfsplus_ext_read_extent+0x81a/0x9e0 fs/hfsplus/extents.c:218
hfsplus_file_extend+0x616/0xef0 fs/hfsplus/extents.c:456
hfsplus_get_block+0x15b/0x820 fs/hfsplus/extents.c:245
__block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
__block_write_begin fs/buffer.c:2088 [inline]
block_write_begin+0x58/0x270 fs/buffer.c:2147
cont_write_begin+0x4a3/0x740 fs/buffer.c:2497
hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
cont_expand_zero fs/buffer.c:2424 [inline]
cont_write_begin+0x296/0x740 fs/buffer.c:2487
hfsplus_write_begin+0x87/0x130 fs/hfsplus/inode.c:53
generic_cont_expand_simple+0xe1/0x130 fs/buffer.c:2388
hfsplus_setattr+0x139/0x310 fs/hfsplus/inode.c:258
notify_change+0x56b/0xd10 fs/attr.c:315
do_truncate+0xff/0x1a0 fs/open.c:63
do_sys_ftruncate.constprop.0+0x3a3/0x480 fs/open.c:205
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (&tree->tree_lock/1){+.+.}:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33
hfsplus_file_truncate+0x25b/0xe80 fs/hfsplus/extents.c:577
hfsplus_setattr+0x182/0x310 fs/hfsplus/inode.c:264
notify_change+0x56b/0xd10 fs/attr.c:315
do_truncate+0xff/0x1a0 fs/open.c:63
do_sys_ftruncate.constprop.0+0x3a3/0x480 fs/open.c:205
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&HFSPLUS_I(inode)->extents_lock);
                               lock(&tree->tree_lock/1);
                               lock(&HFSPLUS_I(inode)->extents_lock);
  lock(&tree->tree_lock/1);

*** DEADLOCK ***

3 locks held by syz-executor377/7994:
#0: (sb_writers#10){.+.+}, at: [<ffffffff81867ecb>] sb_start_write include/linux/fs.h:1551 [inline]
#0: (sb_writers#10){.+.+}, at: [<ffffffff81867ecb>] do_sys_ftruncate.constprop.0+0x1fb/0x480 fs/open.c:200
#1: (&sb->s_type->i_mutex_key#17){+.+.}, at: [<ffffffff818674b0>] inode_lock include/linux/fs.h:719 [inline]
#1: (&sb->s_type->i_mutex_key#17){+.+.}, at: [<ffffffff818674b0>] do_truncate+0xf0/0x1a0 fs/open.c:61
#2: (&HFSPLUS_I(inode)->extents_lock){+.+.}, at: [<ffffffff81d2e7ea>] hfsplus_file_truncate+0x1ba/0xe80 fs/hfsplus/extents.c:571

stack backtrace:
CPU: 1 PID: 7994 Comm: syz-executor377 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1905 [inline]
check_prevs_add kernel/locking/lockdep.c:2022 [inline]
validate_chain kernel/locking/lockdep.c:2464 [inline]
__lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
hfsplus_find_init+0x161/0x220 fs/hfsplus/bfind.c:33
hfsplus_file_truncate+0x25b/0xe80 fs/hfsplus/extents.c:577
hfsplus_setattr+0x182/0x310 fs/hfsplus/inode.c:264
notify_change+0x56b/0xd10 fs/attr.c:315
do_truncate+0xff/0x1a0 fs/open.c:63
do_sys_ftruncate.constprop.0+0x3a3/0x480 fs/open.c:205
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f87deec67e9
RSP: 002b:00007ffd1fa83b08 EFLAGS: 00000246 ORIG_RAX: 000000000000004d

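The two splats above report the same inversion reached from two paths. In the first, hfsplus_get_block takes &tree->tree_lock/1 (through hfsplus_find_init) while &HFSPLUS_I(inode)->extents_lock is held, and lockdep already holds the chain tree_lock/1 --> alloc_mutex --> extents_lock from earlier truncate and allocation paths. In the second, hfsplus_file_truncate takes tree_lock/1 under extents_lock, while hfsplus_bmap_reserve had earlier taken extents_lock under tree_lock/1. The C program below is an added example, not code from the syzbot reports or from fs/hfsplus: it replays the dependency edges transcribed from both reports into a small lock-order graph and runs the reachability check lockdep performs whenever a new edge is recorded (check_prev_add in the backtraces). The graph, the function names (add_dependency, replay_first_report and the others) and the edge set used for the consistent-order case are assumptions made for the illustration; only the lock class names are copied from the reports.

```c
/*
 * Added example, not part of the syzbot reports or of fs/hfsplus: a minimal
 * lock-order graph with the cycle check lockdep runs on every new
 * dependency. Lock class names are copied from the reports; the graph, its
 * functions and the consistent-order edge set are hypothetical.
 */
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8

/* adj[a][b] != 0 records "b was acquired while a was held" (edge a -> b). */
static unsigned char adj[MAX_LOCKS][MAX_LOCKS];
static const char *names[MAX_LOCKS];
static int nlocks;

/* Intern a lock class name; returns its index or -1 when the table is full. */
static int lock_id(const char *name)
{
	for (int i = 0; i < nlocks; i++)
		if (strcmp(names[i], name) == 0)
			return i;
	if (nlocks == MAX_LOCKS)
		return -1;
	names[nlocks] = name;
	return nlocks++;
}

static void graph_reset(void)
{
	memset(adj, 0, sizeof adj);
	nlocks = 0;
}

/* Depth-first search over recorded edges. On success the path from `from`
 * to `to` (both inclusive) is left in path[0 .. *len-1]. */
static int reachable(int from, int to, unsigned char *seen, int *path, int *len)
{
	seen[from] = 1;
	path[(*len)++] = from;
	if (from == to)
		return 1;
	for (int n = 0; n < nlocks; n++)
		if (adj[from][n] && !seen[n] && reachable(n, to, seen, path, len))
			return 1;
	(*len)--;
	return 0;
}

/*
 * Record that `inner` is being taken while `outer` is held. Returns 1 and
 * prints the loop when `outer` is already reachable from `inner` (the new
 * edge would close a cycle), 0 when the order stays consistent, -1 on
 * table overflow. The edge is only stored when it is safe.
 */
static int add_dependency(const char *outer, const char *inner)
{
	int o = lock_id(outer), in = lock_id(inner);
	unsigned char seen[MAX_LOCKS] = {0};
	int path[MAX_LOCKS + 1], len = 0;

	if (o < 0 || in < 0)
		return -1;
	if (reachable(in, o, seen, path, &len)) {
		printf("circular locking dependency:\n  %s", names[o]);
		for (int i = 0; i < len; i++)
			printf(" --> %s", names[path[i]]);
		printf("\n");
		return 1;
	}
	adj[o][in] = 1;
	return 0;
}

/* First report: -> #1 and -> #2 give tree_lock/1 --> alloc_mutex -->
 * extents_lock; -> #0 is hfsplus_get_block taking tree_lock/1 under
 * extents_lock. Returns 1 because the last edge closes the loop. */
int replay_first_report(void)
{
	graph_reset();
	add_dependency("&tree->tree_lock/1", "&sbi->alloc_mutex");
	add_dependency("&sbi->alloc_mutex", "&HFSPLUS_I(inode)->extents_lock");
	return add_dependency("&HFSPLUS_I(inode)->extents_lock", "&tree->tree_lock/1");
}

/* Second report: -> #1 is hfsplus_bmap_reserve taking extents_lock under
 * tree_lock/1; -> #0 is hfsplus_file_truncate taking tree_lock/1 under
 * extents_lock. Returns 1. */
int replay_second_report(void)
{
	graph_reset();
	add_dependency("&tree->tree_lock/1", "&HFSPLUS_I(inode)->extents_lock");
	return add_dependency("&HFSPLUS_I(inode)->extents_lock", "&tree->tree_lock/1");
}

/* Hypothetical consistent order with tree_lock/1 always outermost: no cycle,
 * so the final add_dependency returns 0. */
int replay_consistent_order(void)
{
	graph_reset();
	add_dependency("&tree->tree_lock/1", "&sbi->alloc_mutex");
	add_dependency("&sbi->alloc_mutex", "&HFSPLUS_I(inode)->extents_lock");
	return add_dependency("&tree->tree_lock/1", "&HFSPLUS_I(inode)->extents_lock");
}

int main(void)
{
	replay_first_report();
	replay_second_report();
	return replay_consistent_order();
}
```

Build with cc -Wall and run: each replay prints the loop the final edge closes, and the consistent-order replay exits 0. One caveat when reading either splat: lockdep tracks lock classes, not lock instances, and the example collapses them the same way. In the first report's held-lock list, #2 (&hip->extents_lock in hfsplus_file_extend) and #4 (&HFSPLUS_I(inode)->extents_lock in hfsplus_get_block, reached because hfsplus_block_allocate reads a page of the allocation file) belong to different inodes. Whether a second task can actually complete the loop at runtime, rather than the report being a class-level artifact, is what still has to be established from the code before a fix is chosen.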