[v6.6] possible deadlock in hfsplus_block_free (2)
0 views
Skip to first unread message
syzbot
Jan 7, 2026, 3:23:19 PM (2 days ago) Jan 7
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 5fa4793a2d2d Linux 6.6.119
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15c6019a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=691a6769a86ac817
dashboard link: https://syzkaller.appspot.com/bug?extid=b35758a5c31983215e19
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63699875f1dd/disk-5fa4793a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8506652fcb6f/vmlinux-5fa4793a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1b30ceed1710/bzImage-5fa4793a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b35758...@syzkaller.appspotmail.com
loop4: detected capacity change from 0 to 1024
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.4.178/6863 is trying to acquire lock:
ffff88807f3050f8 (&sbi->alloc_mutex){+.+.}-{3:3}, at: hfsplus_block_free+0xc3/0x4b0 fs/hfsplus/bitmap.c:182
but task is already holding lock:
ffff888077c087c8 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x293/0xb40 fs/hfsplus/extents.c:574
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x129/0xcc0 kernel/locking/mutex.c:747
hfsplus_get_block+0x39f/0x1530 fs/hfsplus/extents.c:260
block_read_full_folio+0x42e/0xf40 fs/buffer.c:2406
filemap_read_folio+0x167/0x760 mm/filemap.c:2420
do_read_cache_folio+0x470/0x7e0 mm/filemap.c:3804
do_read_cache_page+0x32/0x250 mm/filemap.c:3870
read_mapping_page include/linux/pagemap.h:892 [inline]
hfsplus_block_allocate+0xff/0x8e0 fs/hfsplus/bitmap.c:37
hfsplus_file_extend+0xae4/0x1990 fs/hfsplus/extents.c:466
hfsplus_get_block+0x412/0x1530 fs/hfsplus/extents.c:245
__block_write_begin_int+0x566/0x1ad0 fs/buffer.c:2124
__block_write_begin fs/buffer.c:2173 [inline]
block_write_begin+0x9a/0x1e0 fs/buffer.c:2234
cont_write_begin+0x5c8/0x7e0 fs/buffer.c:2591
hfsplus_write_begin+0x8b/0xd0 fs/hfsplus/inode.c:52
generic_perform_write+0x2fb/0x5b0 mm/filemap.c:4031
generic_file_write_iter+0xaf/0x2e0 mm/filemap.c:4152
call_write_iter include/linux/fs.h:2018 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x43b/0x940 fs/read_write.c:584
ksys_write+0x147/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
-> #0 (&sbi->alloc_mutex){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2ddb/0x7c80 kernel/locking/lockdep.c:5137
lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x129/0xcc0 kernel/locking/mutex.c:747
hfsplus_block_free+0xc3/0x4b0 fs/hfsplus/bitmap.c:182
hfsplus_free_extents+0x10d/0xa50 fs/hfsplus/extents.c:360
hfsplus_file_truncate+0x735/0xb40 fs/hfsplus/extents.c:589
hfsplus_setattr+0x1c3/0x280 fs/hfsplus/inode.c:269
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
vfs_truncate+0x266/0x300 fs/open.c:112
do_sys_truncate+0xe0/0x1a0 fs/open.c:135
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&sbi->alloc_mutex);
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&sbi->alloc_mutex);
*** DEADLOCK ***
3 locks held by syz.4.178/6863:
#0: ffff88807afd0418 (sb_writers#15){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:412
#1: ffff888077c089d0 (&sb->s_type->i_mutex_key#23){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:804 [inline]
#1: ffff888077c089d0 (&sb->s_type->i_mutex_key#23){+.+.}-{3:3}, at: do_truncate+0x187/0x220 fs/open.c:64
#2: ffff888077c087c8 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x293/0xb40 fs/hfsplus/extents.c:574
stack backtrace:
CPU: 1 PID: 6863 Comm: syz.4.178 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
check_noncircular+0x2bd/0x3c0 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2ddb/0x7c80 kernel/locking/lockdep.c:5137
lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x129/0xcc0 kernel/locking/mutex.c:747
hfsplus_block_free+0xc3/0x4b0 fs/hfsplus/bitmap.c:182
hfsplus_free_extents+0x10d/0xa50 fs/hfsplus/extents.c:360
hfsplus_file_truncate+0x735/0xb40 fs/hfsplus/extents.c:589
hfsplus_setattr+0x1c3/0x280 fs/hfsplus/inode.c:269
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
vfs_truncate+0x266/0x300 fs/open.c:112
do_sys_truncate+0xe0/0x1a0 fs/open.c:135
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fe03358f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0343de038 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 00007fe0337e5fa0 RCX: 00007fe03358f749
RDX: 0000000000000000 RSI: 0200000080000000 RDI: 0000200000000080
RBP: 00007fe033613f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe0337e6038 R14: 00007fe0337e5fa0 R15: 00007fff6bf83858
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 5fa4793a2d2d Linux 6.6.119
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15c6019a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=691a6769a86ac817
dashboard link: https://syzkaller.appspot.com/bug?extid=b35758a5c31983215e19
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/63699875f1dd/disk-5fa4793a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8506652fcb6f/vmlinux-5fa4793a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1b30ceed1710/bzImage-5fa4793a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b35758...@syzkaller.appspotmail.com
loop4: detected capacity change from 0 to 1024
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.4.178/6863 is trying to acquire lock:
ffff88807f3050f8 (&sbi->alloc_mutex){+.+.}-{3:3}, at: hfsplus_block_free+0xc3/0x4b0 fs/hfsplus/bitmap.c:182
but task is already holding lock:
ffff888077c087c8 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x293/0xb40 fs/hfsplus/extents.c:574
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}:
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x129/0xcc0 kernel/locking/mutex.c:747
hfsplus_get_block+0x39f/0x1530 fs/hfsplus/extents.c:260
block_read_full_folio+0x42e/0xf40 fs/buffer.c:2406
filemap_read_folio+0x167/0x760 mm/filemap.c:2420
do_read_cache_folio+0x470/0x7e0 mm/filemap.c:3804
do_read_cache_page+0x32/0x250 mm/filemap.c:3870
read_mapping_page include/linux/pagemap.h:892 [inline]
hfsplus_block_allocate+0xff/0x8e0 fs/hfsplus/bitmap.c:37
hfsplus_file_extend+0xae4/0x1990 fs/hfsplus/extents.c:466
hfsplus_get_block+0x412/0x1530 fs/hfsplus/extents.c:245
__block_write_begin_int+0x566/0x1ad0 fs/buffer.c:2124
__block_write_begin fs/buffer.c:2173 [inline]
block_write_begin+0x9a/0x1e0 fs/buffer.c:2234
cont_write_begin+0x5c8/0x7e0 fs/buffer.c:2591
hfsplus_write_begin+0x8b/0xd0 fs/hfsplus/inode.c:52
generic_perform_write+0x2fb/0x5b0 mm/filemap.c:4031
generic_file_write_iter+0xaf/0x2e0 mm/filemap.c:4152
call_write_iter include/linux/fs.h:2018 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x43b/0x940 fs/read_write.c:584
ksys_write+0x147/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
-> #0 (&sbi->alloc_mutex){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2ddb/0x7c80 kernel/locking/lockdep.c:5137
lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x129/0xcc0 kernel/locking/mutex.c:747
hfsplus_block_free+0xc3/0x4b0 fs/hfsplus/bitmap.c:182
hfsplus_free_extents+0x10d/0xa50 fs/hfsplus/extents.c:360
hfsplus_file_truncate+0x735/0xb40 fs/hfsplus/extents.c:589
hfsplus_setattr+0x1c3/0x280 fs/hfsplus/inode.c:269
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
vfs_truncate+0x266/0x300 fs/open.c:112
do_sys_truncate+0xe0/0x1a0 fs/open.c:135
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&sbi->alloc_mutex);
lock(&HFSPLUS_I(inode)->extents_lock);
lock(&sbi->alloc_mutex);
*** DEADLOCK ***
3 locks held by syz.4.178/6863:
#0: ffff88807afd0418 (sb_writers#15){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:412
#1: ffff888077c089d0 (&sb->s_type->i_mutex_key#23){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:804 [inline]
#1: ffff888077c089d0 (&sb->s_type->i_mutex_key#23){+.+.}-{3:3}, at: do_truncate+0x187/0x220 fs/open.c:64
#2: ffff888077c087c8 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{3:3}, at: hfsplus_file_truncate+0x293/0xb40 fs/hfsplus/extents.c:574
stack backtrace:
CPU: 1 PID: 6863 Comm: syz.4.178 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
check_noncircular+0x2bd/0x3c0 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2ddb/0x7c80 kernel/locking/lockdep.c:5137
lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x129/0xcc0 kernel/locking/mutex.c:747
hfsplus_block_free+0xc3/0x4b0 fs/hfsplus/bitmap.c:182
hfsplus_free_extents+0x10d/0xa50 fs/hfsplus/extents.c:360
hfsplus_file_truncate+0x735/0xb40 fs/hfsplus/extents.c:589
hfsplus_setattr+0x1c3/0x280 fs/hfsplus/inode.c:269
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
vfs_truncate+0x266/0x300 fs/open.c:112
do_sys_truncate+0xe0/0x1a0 fs/open.c:135
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fe03358f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe0343de038 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 00007fe0337e5fa0 RCX: 00007fe03358f749
RDX: 0000000000000000 RSI: 0200000080000000 RDI: 0000200000000080
RBP: 00007fe033613f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe0337e6038 R14: 00007fe0337e5fa0 R15: 00007fff6bf83858
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages