Re: [syzbot] [udf?] possible deadlock in udf_free_blocks

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    cdd30ebb1b9f module: Convert symbol namespace to string li..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12eeb0df980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=91c852e3d1d7c1a6
dashboard link: https://syzkaller.appspot.com/bug?extid=d472c32c5dd4cd2fb5c5
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=117440f8580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1659b5e8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e7e1e116ea6e/disk-cdd30ebb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/76410fd02a13/vmlinux-cdd30ebb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/60bcdb55dd9c/bzImage-cdd30ebb.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/559ad34ed532/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/90c832beabca/mount_9.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d472c32c5dd4cd2fb5c5@xxxxxxxxxxxxxxxxxxxxxxxxx

============================================
WARNING: possible recursive locking detected
6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0 Not tainted
--------------------------------------------
syz-executor233/6288 is trying to acquire lock:
ffff888033753d28 (&sbi->s_alloc_mutex){+.+.}-{4:4}, at: udf_table_free_blocks fs/udf/balloc.c:375 [inline]
ffff888033753d28 (&sbi->s_alloc_mutex){+.+.}-{4:4}, at: udf_free_blocks+0x9ff/0x2270 fs/udf/balloc.c:677

but task is already holding lock:
ffff888033753d28 (&sbi->s_alloc_mutex){+.+.}-{4:4}, at: udf_table_new_block fs/udf/balloc.c:581 [inline]
ffff888033753d28 (&sbi->s_alloc_mutex){+.+.}-{4:4}, at: udf_new_block+0xf81/0x21c0 fs/udf/balloc.c:725

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&sbi->s_alloc_mutex);
  lock(&sbi->s_alloc_mutex);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

4 locks held by syz-executor233/6288:
 #0: ffff88807972e420 (sb_writers#11){.+.+}-{0:0}, at: direct_splice_actor+0x49/0x220 fs/splice.c:1163
 #1: ffff8880669baf40 (&sb->s_type->i_mutex_key#18){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
 #1: ffff8880669baf40 (&sb->s_type->i_mutex_key#18){+.+.}-{4:4}, at: udf_file_write_iter+0x6f/0x660 fs/udf/file.c:95
 #2: ffff8880669bad70 (&ei->i_data_sem#2){++++}-{4:4}, at: udf_map_block+0x3b7/0x5340 fs/udf/inode.c:439
 #3: ffff888033753d28 (&sbi->s_alloc_mutex){+.+.}-{4:4}, at: udf_table_new_block fs/udf/balloc.c:581 [inline]
 #3: ffff888033753d28 (&sbi->s_alloc_mutex){+.+.}-{4:4}, at: udf_new_block+0xf81/0x21c0 fs/udf/balloc.c:725

stack backtrace:
CPU: 1 UID: 0 PID: 6288 Comm: syz-executor233 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
 check_deadlock kernel/locking/lockdep.c:3089 [inline]
 validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5226
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
 __mutex_lock_common kernel/locking/mutex.c:585 [inline]
 __mutex_lock+0x1ac/0xee0 kernel/locking/mutex.c:735
 udf_table_free_blocks fs/udf/balloc.c:375 [inline]
 udf_free_blocks+0x9ff/0x2270 fs/udf/balloc.c:677
 udf_delete_aext+0x70a/0xed0 fs/udf/inode.c:2372
 udf_table_new_block fs/udf/balloc.c:645 [inline]
 udf_new_block+0x18ba/0x21c0 fs/udf/balloc.c:725
 inode_getblk fs/udf/inode.c:894 [inline]
 udf_map_block+0x1c9a/0x5340 fs/udf/inode.c:447
 __udf_get_block+0x126/0x410 fs/udf/inode.c:461
 __block_write_begin_int+0x50c/0x1a70 fs/buffer.c:2116
 block_write_begin+0x8f/0x120 fs/buffer.c:2226
 udf_write_begin+0x104/0x350 fs/udf/inode.c:256
 generic_perform_write+0x344/0x6d0 mm/filemap.c:4055
 __generic_file_write_iter+0x1b5/0x230 mm/filemap.c:4153
 udf_file_write_iter+0x2fc/0x660 fs/udf/file.c:111
 iter_file_splice_write+0xbfa/0x1510 fs/splice.c:743
 do_splice_from fs/splice.c:941 [inline]
 direct_splice_actor+0x11b/0x220 fs/splice.c:1164
 splice_direct_to_actor+0x586/0xc80 fs/splice.c:1108
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f912262ca29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9121dd6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f91226b4708 RCX: 00007f912262ca29
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000005
RBP: 00007f91226b4700 R08: 00007f9121dd66c0 R09: 0000000000000000
R10: 0000000800000009 R11: 0000000000000246 R12: 00007f91226b470c
R13: 0000000000000016 R14: 00007ffe6add21b0 R15: 00007ffe6add2298
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.