[syzbot] [udf?] WARNING in udf_free_blocks (3)

[syzbot <syzbot+6a680377e13041c19d50@syzkaller.appspotmail.com>]

Hello,

syzbot found the following issue on:

HEAD commit:    e771677c937d Merge tag 'for-linus-iommufd' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=135bffec580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d4ababa576f9d171
dashboard link: https://syzkaller.appspot.com/bug?extid=6a680377e13041c19d50
compiler:       Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10bcccfe580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14cfe3a1580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/24dc401a7e7b/disk-e771677c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d8e85f151384/vmlinux-e771677c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7072bfe66fc6/bzImage-e771677c.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/a7804ba81935/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/c40d18e63806/mount_8.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=15645b7a580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6a680377e13041c19d50@syzkaller.appspotmail.com

------------[ cut here ]------------
rtmutex deadlock detected
WARNING: kernel/locking/rtmutex.c:1698 at rt_mutex_handle_deadlock+0x21/0xb0 kernel/locking/rtmutex.c:1698, CPU#1: syz.1.71/6167
Modules linked in:
CPU: 1 UID: 0 PID: 6167 Comm: syz.1.71 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:rt_mutex_handle_deadlock+0x21/0xb0 kernel/locking/rtmutex.c:1698
Code: 90 90 90 90 90 90 90 90 90 41 57 41 56 41 55 41 54 53 83 ff dd 0f 85 81 00 00 00 48 89 f7 e8 e6 3f 01 00 48 8d 3d 2f 77 6c 04 <67> 48 0f b9 3a 4c 8d 3d 00 00 00 00 65 48 8b 1d 43 1f 4c 07 4c 8d
RSP: 0018:ffffc900047be8d0 EFLAGS: 00010286
RAX: 0000000080000000 RBX: 00000000ffffffdd RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8ba7bb00 RDI: ffffffff8f8c97e0
RBP: ffffc900047bea80 R08: ffffffff8f892ef7 R09: 1ffffffff1f125de
R10: dffffc0000000000 R11: fffffbfff1f125df R12: 1ffff920008f7d28
R13: ffffffff8b201af2 R14: ffff88804d827110 R15: dffffc0000000000
FS:  00007fc2fb7de6c0(0000) GS:ffff88812625c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f17bfbcda08 CR3: 000000002c6ba000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __rt_mutex_slowlock kernel/locking/rtmutex.c:1760 [inline]
 __rt_mutex_slowlock_locked kernel/locking/rtmutex.c:1787 [inline]
 rt_mutex_slowlock+0x73c/0x780 kernel/locking/rtmutex.c:1827
 __rt_mutex_lock kernel/locking/rtmutex.c:1842 [inline]
 __mutex_lock_common kernel/locking/rtmutex_api.c:560 [inline]
 mutex_lock_nested+0x168/0x1d0 kernel/locking/rtmutex_api.c:578
 udf_table_free_blocks fs/udf/balloc.c:376 [inline]
 udf_free_blocks+0xa8c/0x1900 fs/udf/balloc.c:678
 udf_delete_aext+0x4f5/0xc00 fs/udf/inode.c:2381
 udf_table_prealloc_blocks fs/udf/balloc.c:544 [inline]
 udf_prealloc_blocks+0xbd4/0x10e0 fs/udf/balloc.c:702
 udf_prealloc_extents fs/udf/inode.c:1058 [inline]
 inode_getblk fs/udf/inode.c:916 [inline]
 udf_map_block+0x1e85/0x4280 fs/udf/inode.c:453
 __udf_get_block+0x52/0x250 fs/udf/inode.c:467
 __block_write_begin_int+0x6c2/0x1900 fs/buffer.c:2123
 block_write_begin+0x8d/0x120 fs/buffer.c:2234
 udf_write_begin+0x11a/0x270 fs/udf/inode.c:261
 generic_perform_write+0x2ad/0x8b0 mm/filemap.c:4336
 __generic_file_write_iter+0x1b1/0x240 mm/filemap.c:4450
 udf_file_write_iter+0x2a6/0x630 fs/udf/file.c:112
 iter_file_splice_write+0xa36/0x1240 fs/splice.c:736
 do_splice_from fs/splice.c:936 [inline]
 direct_splice_actor+0x104/0x160 fs/splice.c:1159
 splice_direct_to_actor+0x586/0xcc0 fs/splice.c:1103
 do_splice_direct_actor fs/splice.c:1202 [inline]
 do_splice_direct+0x19b/0x2a0 fs/splice.c:1228
 do_sendfile+0x540/0x7e0 fs/read_write.c:1371
 __do_sys_sendfile64 fs/read_write.c:1432 [inline]
 __se_sys_sendfile64+0x144/0x1a0 fs/read_write.c:1418
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc2fc17ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc2fb7de028 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007fc2fc3f5fa0 RCX: 00007fc2fc17ce59
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000004
RBP: 00007fc2fc212e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000800000009 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc2fc3f6038 R14: 00007fc2fc3f5fa0 R15: 00007ffe10d9c6e8
 </TASK>
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	41 57                	push   %r15
   b:	41 56                	push   %r14
   d:	41 55                	push   %r13
   f:	41 54                	push   %r12
  11:	53                   	push   %rbx
  12:	83 ff dd             	cmp    $0xffffffdd,%edi
  15:	0f 85 81 00 00 00    	jne    0x9c
  1b:	48 89 f7             	mov    %rsi,%rdi
  1e:	e8 e6 3f 01 00       	call   0x14009
  23:	48 8d 3d 2f 77 6c 04 	lea    0x46c772f(%rip),%rdi        # 0x46c7759
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	4c 8d 3d 00 00 00 00 	lea    0x0(%rip),%r15        # 0x36
  36:	65 48 8b 1d 43 1f 4c 	mov    %gs:0x74c1f43(%rip),%rbx        # 0x74c1f81
  3d:	07
  3e:	4c                   	rex.WR
  3f:	8d                   	.byte 0x8d


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup