syzbot

loop0: detected capacity change from 0 to 512
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/4426 is trying to acquire lock:
ffff88801dbecb98 (&sbi->s_writepages_rwsem){.+.+}-{0:0}, at: ext4_writepages+0x1c0/0x2e50 fs/ext4/inode.c:2715

but task is already holding lock:
ffff88805d5a9ee0 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
ffff88805d5a9ee0 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:6020 [inline]
ffff88805d5a9ee0 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x3fe/0x770 fs/ext4/inode.c:6101

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&ei->xattr_sem){++++}-{3:3}:
       down_read+0x42/0x2d0 kernel/locking/rwsem.c:1520
       ext4_setattr+0x92a/0x19f0 fs/ext4/inode.c:5515
       notify_change+0xc74/0xf40 fs/attr.c:499
       chown_common+0x486/0x620 fs/open.c:736
       do_fchownat+0x164/0x270 fs/open.c:767
       __do_sys_chown fs/open.c:787 [inline]
       __se_sys_chown fs/open.c:785 [inline]
       __x64_sys_chown+0x7e/0x90 fs/open.c:785
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
       entry_SYSCALL_64_after_hwframe+0x68/0xd2

-> #1 (jbd2_handle){++++}-{0:0}:
       start_this_handle+0x1f49/0x2150 fs/jbd2/transaction.c:463
       jbd2__journal_start+0x2b7/0x5a0 fs/jbd2/transaction.c:520
       __ext4_journal_start_sb+0x187/0x3d0 fs/ext4/ext4_jbd2.c:105
       __ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline]
       ext4_writepages+0xde7/0x2e50 fs/ext4/inode.c:2838
       do_writepages+0x3b7/0x610 mm/page-writeback.c:2491
       filemap_fdatawrite_wbc+0x11e/0x180 mm/filemap.c:388
       __filemap_fdatawrite_range mm/filemap.c:421 [inline]
       file_write_and_wait_range+0x137/0x200 mm/filemap.c:774
       ext4_sync_file+0x23b/0xca0 fs/ext4/fsync.c:151
       vfs_fsync_range fs/sync.c:188 [inline]
       vfs_fsync fs/sync.c:202 [inline]
       do_fsync fs/sync.c:212 [inline]
       __do_sys_fsync fs/sync.c:220 [inline]
       __se_sys_fsync fs/sync.c:218 [inline]
       __x64_sys_fsync+0x1a5/0x1e0 fs/sync.c:218
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
       entry_SYSCALL_64_after_hwframe+0x68/0xd2

-> #0 (&sbi->s_writepages_rwsem){.+.+}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3090 [inline]
       check_prevs_add kernel/locking/lockdep.c:3209 [inline]
       validate_chain kernel/locking/lockdep.c:3825 [inline]
       __lock_acquire+0x2cf8/0x7c50 kernel/locking/lockdep.c:5049
       lock_acquire+0x1b4/0x490 kernel/locking/lockdep.c:5662
       percpu_down_read+0x44/0x1a0 include/linux/percpu-rwsem.h:51
       ext4_writepages+0x1c0/0x2e50 fs/ext4/inode.c:2715
       do_writepages+0x3b7/0x610 mm/page-writeback.c:2491
       __writeback_single_inode+0x156/0x1160 fs/fs-writeback.c:1622
       writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1743
       write_inode_now+0x15d/0x1d0 fs/fs-writeback.c:2780
       iput_final fs/inode.c:1821 [inline]
       iput+0x613/0x980 fs/inode.c:1860
       ext4_xattr_block_set+0x2736/0x32a0 fs/ext4/xattr.c:2158
       ext4_xattr_move_to_block fs/ext4/xattr.c:2626 [inline]
       ext4_xattr_make_inode_space fs/ext4/xattr.c:2701 [inline]
       ext4_expand_extra_isize_ea+0x109b/0x19b0 fs/ext4/xattr.c:2793
       __ext4_expand_extra_isize+0x301/0x3e0 fs/ext4/inode.c:5980
       ext4_try_to_expand_extra_isize fs/ext4/inode.c:6023 [inline]
       __ext4_mark_inode_dirty+0x47f/0x770 fs/ext4/inode.c:6101
       ext4_evict_inode+0xa73/0x1100 fs/ext4/inode.c:279
       evict+0x485/0x870 fs/inode.c:705
       ext4_orphan_cleanup+0xbd3/0x1400 fs/ext4/orphan.c:470
       __ext4_fill_super fs/ext4/super.c:5530 [inline]
       ext4_fill_super+0x7bdf/0x8150 fs/ext4/super.c:5661
       get_tree_bdev+0x3f1/0x610 fs/super.c:1366
       vfs_get_tree+0x88/0x270 fs/super.c:1573
       do_new_mount+0x24a/0xa40 fs/namespace.c:3078
       do_mount fs/namespace.c:3421 [inline]
       __do_sys_mount fs/namespace.c:3629 [inline]
       __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3606
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
       entry_SYSCALL_64_after_hwframe+0x68/0xd2

other info that might help us debug this:

Chain exists of:
  &sbi->s_writepages_rwsem --> jbd2_handle --> &ei->xattr_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ei->xattr_sem);
                               lock(jbd2_handle);
                               lock(&ei->xattr_sem);
  lock(&sbi->s_writepages_rwsem);

 *** DEADLOCK ***

3 locks held by syz.0.17/4426:
 #0: ffff888018b7c0e0 (&type->s_umount_key#27/1){+.+.}-{3:3}, at: alloc_super+0x1fa/0x930 fs/super.c:228
 #1: ffff888018b7c650 (sb_internal){.+.+}-{0:0}, at: __sb_start_write include/linux/fs.h:1891 [inline]
 #1: ffff888018b7c650 (sb_internal){.+.+}-{0:0}, at: sb_start_intwrite include/linux/fs.h:2013 [inline]
 #1: ffff888018b7c650 (sb_internal){.+.+}-{0:0}, at: ext4_evict_inode+0x436/0x1100 fs/ext4/inode.c:240
 #2: ffff88805d5a9ee0 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
 #2: ffff88805d5a9ee0 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:6020 [inline]
 #2: ffff88805d5a9ee0 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x3fe/0x770 fs/ext4/inode.c:6101

stack backtrace:
CPU: 0 PID: 4426 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
 check_noncircular+0x274/0x310 kernel/locking/lockdep.c:2170
 check_prev_add kernel/locking/lockdep.c:3090 [inline]
 check_prevs_add kernel/locking/lockdep.c:3209 [inline]
 validate_chain kernel/locking/lockdep.c:3825 [inline]
 __lock_acquire+0x2cf8/0x7c50 kernel/locking/lockdep.c:5049
 lock_acquire+0x1b4/0x490 kernel/locking/lockdep.c:5662
 percpu_down_read+0x44/0x1a0 include/linux/percpu-rwsem.h:51
 ext4_writepages+0x1c0/0x2e50 fs/ext4/inode.c:2715
 do_writepages+0x3b7/0x610 mm/page-writeback.c:2491
 __writeback_single_inode+0x156/0x1160 fs/fs-writeback.c:1622
 writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1743
 write_inode_now+0x15d/0x1d0 fs/fs-writeback.c:2780
 iput_final fs/inode.c:1821 [inline]
 iput+0x613/0x980 fs/inode.c:1860
 ext4_xattr_block_set+0x2736/0x32a0 fs/ext4/xattr.c:2158
 ext4_xattr_move_to_block fs/ext4/xattr.c:2626 [inline]
 ext4_xattr_make_inode_space fs/ext4/xattr.c:2701 [inline]
 ext4_expand_extra_isize_ea+0x109b/0x19b0 fs/ext4/xattr.c:2793
 __ext4_expand_extra_isize+0x301/0x3e0 fs/ext4/inode.c:5980
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:6023 [inline]
 __ext4_mark_inode_dirty+0x47f/0x770 fs/ext4/inode.c:6101
 ext4_evict_inode+0xa73/0x1100 fs/ext4/inode.c:279
 evict+0x485/0x870 fs/inode.c:705
 ext4_orphan_cleanup+0xbd3/0x1400 fs/ext4/orphan.c:470
 __ext4_fill_super fs/ext4/super.c:5530 [inline]
 ext4_fill_super+0x7bdf/0x8150 fs/ext4/super.c:5661
 get_tree_bdev+0x3f1/0x610 fs/super.c:1366
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x24a/0xa40 fs/namespace.c:3078
 do_mount fs/namespace.c:3421 [inline]
 __do_sys_mount fs/namespace.c:3629 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3606
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f1f24190e6a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe22d840b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffe22d84140 RCX: 00007f1f24190e6a
RDX: 0000200000000180 RSI: 00002000000001c0 RDI: 00007ffe22d84100
RBP: 0000200000000180 R08: 00007ffe22d84140 R09: 0000000000800700
R10: 0000000000800700 R11: 0000000000000246 R12: 00002000000001c0
R13: 00007ffe22d84100 R14: 000000000000046f R15: 0000200000000200
 </TASK>
------------[ cut here ]------------
EA inode 11 i_nlink=2
WARNING: CPU: 1 PID: 4426 at fs/ext4/xattr.c:1022 ext4_xattr_inode_update_ref+0x4be/0x520 fs/ext4/xattr.c:1020
Modules linked in:
CPU: 1 PID: 4426 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:ext4_xattr_inode_update_ref+0x4be/0x520 fs/ext4/xattr.c:1020
Code: 8d 7d 40 4c 89 f8 48 c1 e8 03 42 80 3c 30 00 74 08 4c 89 ff e8 63 ef 9c ff 49 8b 37 48 c7 c7 40 91 a0 8a 89 da e8 32 e5 18 ff <0f> 0b 49 be 00 00 00 00 00 fc ff df 4c 8b 6c 24 10 4c 8b 7c 24 08
RSP: 0018:ffffc90003237200 EFLAGS: 00010246
RAX: 101b97e28a611400 RBX: 0000000000000002 RCX: ffff88807a728000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffffc900032372e8 R08: dffffc0000000000 R09: fffff52000646dd1
R10: fffff52000646dd1 R11: 1ffff92000646dd0 R12: ffffc90003237260
R13: ffff88805d5e2ad0 R14: dffffc0000000000 R15: ffff88805d5e2b10
FS:  0000555555bb2500(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5853175000 CR3: 000000007e5c1000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ext4_xattr_inode_dec_ref fs/ext4/xattr.c:1045 [inline]
 ext4_xattr_set_entry+0xb33/0x1e90 fs/ext4/xattr.c:1683
 ext4_xattr_ibody_set+0x250/0x690 fs/ext4/xattr.c:2230
 ext4_xattr_move_to_block fs/ext4/xattr.c:2633 [inline]
 ext4_xattr_make_inode_space fs/ext4/xattr.c:2701 [inline]
 ext4_expand_extra_isize_ea+0x10e5/0x19b0 fs/ext4/xattr.c:2793
 __ext4_expand_extra_isize+0x301/0x3e0 fs/ext4/inode.c:5980
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:6023 [inline]
 __ext4_mark_inode_dirty+0x47f/0x770 fs/ext4/inode.c:6101
 ext4_evict_inode+0xa73/0x1100 fs/ext4/inode.c:279
 evict+0x485/0x870 fs/inode.c:705
 ext4_orphan_cleanup+0xbd3/0x1400 fs/ext4/orphan.c:470
 __ext4_fill_super fs/ext4/super.c:5530 [inline]
 ext4_fill_super+0x7bdf/0x8150 fs/ext4/super.c:5661
 get_tree_bdev+0x3f1/0x610 fs/super.c:1366
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x24a/0xa40 fs/namespace.c:3078
 do_mount fs/namespace.c:3421 [inline]
 __do_sys_mount fs/namespace.c:3629 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3606
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f1f24190e6a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe22d840b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffe22d84140 RCX: 00007f1f24190e6a
RDX: 0000200000000180 RSI: 00002000000001c0 RDI: 00007ffe22d84100
RBP: 0000200000000180 R08: 00007ffe22d84140 R09: 0000000000800700
R10: 0000000000800700 R11: 0000000000000246 R12: 00002000000001c0
R13: 00007ffe22d84100 R14: 000000000000046f R15: 0000200000000200
 </TASK>