./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2496172799 <...> Warning: Permanently added '10.128.0.195' (ECDSA) to the list of known hosts. execve("./syz-executor2496172799", ["./syz-executor2496172799"], 0x7ffc25e23cc0 /* 10 vars */) = 0 brk(NULL) = 0x555555a6b000 brk(0x555555a6bc40) = 0x555555a6bc40 arch_prctl(ARCH_SET_FS, 0x555555a6b300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2496172799", 4096) = 28 brk(0x555555a8cc40) = 0x555555a8cc40 brk(0x555555a8d000) = 0x555555a8d000 mprotect(0x7f7f8f8af000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 3 [ 60.686737][ T26] audit: type=1400 audit(1670394819.903:75): avc: denied { execmem } for pid=3633 comm="syz-executor249" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 ioctl(3, _IOC(_IOC_WRITE, 0x66, 0x2b, 0x4), 0x20000000) = 0 openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 60.692055][ T3633] warning: checkpointing journal with EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT can be slow [ 60.765207][ T3633] [ 60.776800][ T3633] ====================================================== [ 60.783809][ T3633] WARNING: possible circular locking dependency detected [ 60.790809][ T3633] 6.1.0-rc8-syzkaller-00014-g8ed710da2873 #0 Not tainted [ 60.797819][ T3633] ------------------------------------------------------ [ 60.804821][ T3633] syz-executor249/3633 is trying to acquire lock: [ 60.811214][ T3633] ffff88814b618170 (&journal->j_barrier){+.+.}-{3:3}, at: jbd2_journal_lock_updates+0x162/0x310 [ 60.821671][ T3633] [ 60.821671][ T3633] but task is already holding lock: [ 60.829015][ T3633] ffff88814b616b98 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: ext4_change_inode_journal_flag+0x17c/0x530 [ 60.840314][ T3633] [ 60.840314][ T3633] which lock already depends on the new lock. [ 60.840314][ T3633] [ 60.850699][ T3633] [ 60.850699][ T3633] the existing dependency chain (in reverse order) is: [ 60.859694][ T3633] [ 60.859694][ T3633] -> #4 (&sbi->s_writepages_rwsem){++++}-{0:0}: [ 60.868101][ T3633] percpu_down_write+0x53/0x390 [ 60.873465][ T3633] ext4_change_inode_journal_flag+0x17c/0x530 [ 60.880049][ T3633] ext4_fileattr_set+0xdf0/0x1950 [ 60.885591][ T3633] vfs_fileattr_set+0x7f9/0xbe0 [ 60.890957][ T3633] do_vfs_ioctl+0xfa8/0x1600 [ 60.896062][ T3633] __x64_sys_ioctl+0x10c/0x210 [ 60.901345][ T3633] do_syscall_64+0x39/0xb0 [ 60.906285][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 60.912691][ T3633] [ 60.912691][ T3633] -> #3 (mapping.invalidate_lock){++++}-{3:3}: [ 60.921010][ T3633] down_write+0x94/0x220 [ 60.925762][ T3633] ext4_setattr+0x734/0x2b30 [ 60.930876][ T3633] notify_change+0xcd4/0x1440 [ 60.936083][ T3633] do_truncate+0x140/0x200 [ 60.941024][ T3633] do_sys_ftruncate+0x53a/0x730 [ 60.946389][ T3633] do_syscall_64+0x39/0xb0 [ 60.951319][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 60.957745][ T3633] [ 60.957745][ T3633] -> #2 (&sb->s_type->i_mutex_key#7){++++}-{3:3}: [ 60.966341][ T3633] down_read+0x9c/0x450 [ 60.971007][ T3633] ext4_bmap+0x52/0x470 [ 60.975667][ T3633] bmap+0xae/0x120 [ 60.979894][ T3633] jbd2_journal_bmap+0xac/0x180 [ 60.985266][ T3633] jbd2_journal_flush+0x853/0xc00 [ 60.990799][ T3633] __ext4_ioctl+0xb09/0x4a30 [ 60.995902][ T3633] __x64_sys_ioctl+0x197/0x210 [ 61.001176][ T3633] do_syscall_64+0x39/0xb0 [ 61.006097][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.012503][ T3633] [ 61.012503][ T3633] -> #1 (&journal->j_checkpoint_mutex){+.+.}-{3:3}: [ 61.021254][ T3633] mutex_lock_io_nested+0x143/0x11a0 [ 61.027051][ T3633] jbd2_journal_flush+0x19e/0xc00 [ 61.032586][ T3633] __ext4_ioctl+0xb09/0x4a30 [ 61.037681][ T3633] __x64_sys_ioctl+0x197/0x210 [ 61.042955][ T3633] do_syscall_64+0x39/0xb0 [ 61.047876][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.054278][ T3633] [ 61.054278][ T3633] -> #0 (&journal->j_barrier){+.+.}-{3:3}: [ 61.062247][ T3633] __lock_acquire+0x2a43/0x56d0 [ 61.067612][ T3633] lock_acquire+0x1e3/0x630 [ 61.072630][ T3633] __mutex_lock+0x12f/0x1360 [ 61.077722][ T3633] jbd2_journal_lock_updates+0x162/0x310 [ 61.083867][ T3633] ext4_change_inode_journal_flag+0x184/0x530 [ 61.090438][ T3633] ext4_fileattr_set+0xdf0/0x1950 [ 61.095972][ T3633] vfs_fileattr_set+0x7f9/0xbe0 [ 61.101339][ T3633] do_vfs_ioctl+0xfa8/0x1600 [ 61.106455][ T3633] __x64_sys_ioctl+0x10c/0x210 [ 61.111735][ T3633] do_syscall_64+0x39/0xb0 [ 61.116654][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.123055][ T3633] [ 61.123055][ T3633] other info that might help us debug this: [ 61.123055][ T3633] [ 61.133265][ T3633] Chain exists of: [ 61.133265][ T3633] &journal->j_barrier --> mapping.invalidate_lock --> &sbi->s_writepages_rwsem [ 61.133265][ T3633] [ 61.148099][ T3633] Possible unsafe locking scenario: [ 61.148099][ T3633] [ 61.155525][ T3633] CPU0 CPU1 [ 61.160870][ T3633] ---- ---- [ 61.166216][ T3633] lock(&sbi->s_writepages_rwsem); [ 61.171396][ T3633] lock(mapping.invalidate_lock); [ 61.179005][ T3633] lock(&sbi->s_writepages_rwsem); [ 61.186701][ T3633] lock(&journal->j_barrier); [ 61.191445][ T3633] [ 61.191445][ T3633] *** DEADLOCK *** [ 61.191445][ T3633] [ 61.199565][ T3633] 4 locks held by syz-executor249/3633: [ 61.205087][ T3633] #0: ffff88814b614460 (sb_writers#5){.+.+}-{0:0}, at: do_vfs_ioctl+0xf6d/0x1600 [ 61.214300][ T3633] #1: ffff88806d570480 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: vfs_fileattr_set+0x14c/0xbe0 [ 61.224987][ T3633] #2: ffff88806d570620 (mapping.invalidate_lock){++++}-{3:3}, at: ext4_change_inode_journal_flag+0x123/0x530 [ 61.236622][ T3633] #3: ffff88814b616b98 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: ext4_change_inode_journal_flag+0x17c/0x530 [ 61.248342][ T3633] [ 61.248342][ T3633] stack backtrace: [ 61.254208][ T3633] CPU: 1 PID: 3633 Comm: syz-executor249 Not tainted 6.1.0-rc8-syzkaller-00014-g8ed710da2873 #0 [ 61.264601][ T3633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 61.274638][ T3633] Call Trace: [ 61.277901][ T3633] [ 61.280819][ T3633] dump_stack_lvl+0xd1/0x138 [ 61.285401][ T3633] check_noncircular+0x25f/0x2e0 [ 61.290331][ T3633] ? print_circular_bug+0x1e0/0x1e0 [ 61.295517][ T3633] ? check_irq_usage+0x186/0xab0 [ 61.300445][ T3633] ? check_path.constprop.0+0x50/0x50 [ 61.305805][ T3633] ? _raw_spin_unlock_irqrestore+0x54/0x70 [ 61.311600][ T3633] ? print_shortest_lock_dependencies_backwards+0x80/0x80 [ 61.318698][ T3633] __lock_acquire+0x2a43/0x56d0 [ 61.323537][ T3633] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 61.329509][ T3633] ? mark_lock.part.0+0xee/0x1910 [ 61.334525][ T3633] lock_acquire+0x1e3/0x630 [ 61.339020][ T3633] ? jbd2_journal_lock_updates+0x162/0x310 [ 61.344819][ T3633] ? lock_release+0x810/0x810 [ 61.349483][ T3633] ? find_held_lock+0x2d/0x110 [ 61.354235][ T3633] __mutex_lock+0x12f/0x1360 [ 61.358818][ T3633] ? jbd2_journal_lock_updates+0x162/0x310 [ 61.364614][ T3633] ? jbd2_journal_lock_updates+0x162/0x310 [ 61.370415][ T3633] ? mutex_lock_io_nested+0x11a0/0x11a0 [ 61.375945][ T3633] ? jbd2_journal_lock_updates+0x154/0x310 [ 61.381752][ T3633] ? lock_downgrade+0x6e0/0x6e0 [ 61.386602][ T3633] ? do_raw_read_unlock+0x70/0x70 [ 61.391645][ T3633] jbd2_journal_lock_updates+0x162/0x310 [ 61.397278][ T3633] ? jbd2_journal_wait_updates+0x240/0x240 [ 61.403080][ T3633] ? _find_next_bit+0x11b/0x140 [ 61.407928][ T3633] ext4_change_inode_journal_flag+0x184/0x530 [ 61.413989][ T3633] ext4_fileattr_set+0xdf0/0x1950 [ 61.419005][ T3633] ? ext4_fileattr_get+0x280/0x280 [ 61.424107][ T3633] ? down_write+0x157/0x220 [ 61.428599][ T3633] ? memset+0x24/0x50 [ 61.432573][ T3633] ? fileattr_fill_flags+0x27f/0x320 [ 61.437849][ T3633] vfs_fileattr_set+0x7f9/0xbe0 [ 61.442689][ T3633] ? ioctl_file_clone+0x100/0x100 [ 61.447704][ T3633] ? memset+0x24/0x50 [ 61.451675][ T3633] do_vfs_ioctl+0xfa8/0x1600 [ 61.456257][ T3633] ? vfs_fileattr_set+0xbe0/0xbe0 [ 61.461281][ T3633] ? inode_has_perm+0x1a2/0x220 [ 61.466146][ T3633] ? selinux_bprm_committing_creds+0x700/0x700 [ 61.472291][ T3633] ? do_one_initcall+0x560/0x780 [ 61.477225][ T3633] ? lock_downgrade+0x6e0/0x6e0 [ 61.482071][ T3633] ? selinux_file_ioctl+0xb5/0x280 [ 61.487172][ T3633] __x64_sys_ioctl+0x10c/0x210 [ 61.491931][ T3633] do_syscall_64+0x39/0xb0 [ 61.496341][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.502233][ T3633] RIP: 0033:0x7f7f8f842b89 [ 61.506639][ T3633] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 61.526960][ T3633] RSP: 002b:00007ffc89c8efd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 61.535358][ T3633] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7f8f842b89 [ 61.543317][ T3633] RDX: 0000000020000040 RSI: 0000000040086602 RDI: 0000000000000004 [ 61.551272][ T3633] RBP: 00007f7f8f806d30 R08: 0000000000000000 R09: 0000000000000000 [ 61.559227][ T3633] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7f8f806dc0 ioctl(4, FS_IOC_SETFLAGS, [FS_JOURNAL_DATA_FL|FS_NOTAIL_FL]) = 0 exit_group(0) = ? +++ exited with 0 +++ [ 61.567182][ T363