syzbot

loop0: detected capacity change from 0 to 512
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/4426 is trying to acquire lock:
ffff8880799a4b98 (&sbi->s_writepages_rwsem){.+.+}-{0:0}, at: ext4_writepages+0x1c0/0x2e50 fs/ext4/inode.c:2715

but task is already holding lock:
ffff88806bcc5b10 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
ffff88806bcc5b10 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:6020 [inline]
ffff88806bcc5b10 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x3fe/0x770 fs/ext4/inode.c:6101

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&ei->xattr_sem){++++}-{3:3}:
       down_read+0x42/0x2d0 kernel/locking/rwsem.c:1520
       ext4_setattr+0x92a/0x19f0 fs/ext4/inode.c:5515
       notify_change+0xc74/0xf40 fs/attr.c:499
       chown_common+0x486/0x620 fs/open.c:736
       do_fchownat+0x164/0x270 fs/open.c:767
       __do_sys_chown fs/open.c:787 [inline]
       __se_sys_chown fs/open.c:785 [inline]
       __x64_sys_chown+0x7e/0x90 fs/open.c:785
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
       entry_SYSCALL_64_after_hwframe+0x68/0xd2

-> #1 (jbd2_handle){++++}-{0:0}:
       start_this_handle+0x1f49/0x2150 fs/jbd2/transaction.c:463
       jbd2__journal_start+0x2b7/0x5a0 fs/jbd2/transaction.c:520
       __ext4_journal_start_sb+0x187/0x3d0 fs/ext4/ext4_jbd2.c:105
       __ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline]
       ext4_writepages+0xde7/0x2e50 fs/ext4/inode.c:2838
       do_writepages+0x3b7/0x610 mm/page-writeback.c:2491
       filemap_fdatawrite_wbc+0x11e/0x180 mm/filemap.c:388
       __filemap_fdatawrite_range mm/filemap.c:421 [inline]
       file_write_and_wait_range+0x137/0x200 mm/filemap.c:774
       ext4_sync_file+0x23b/0xca0 fs/ext4/fsync.c:151
       vfs_fsync_range fs/sync.c:188 [inline]
       vfs_fsync fs/sync.c:202 [inline]
       do_fsync fs/sync.c:212 [inline]
       __do_sys_fsync fs/sync.c:220 [inline]
       __se_sys_fsync fs/sync.c:218 [inline]
       __x64_sys_fsync+0x1a5/0x1e0 fs/sync.c:218
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
       entry_SYSCALL_64_after_hwframe+0x68/0xd2

-> #0 (&sbi->s_writepages_rwsem){.+.+}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3090 [inline]
       check_prevs_add kernel/locking/lockdep.c:3209 [inline]
       validate_chain kernel/locking/lockdep.c:3825 [inline]
       __lock_acquire+0x2cf8/0x7c50 kernel/locking/lockdep.c:5049
       lock_acquire+0x1b4/0x490 kernel/locking/lockdep.c:5662
       percpu_down_read+0x44/0x1a0 include/linux/percpu-rwsem.h:51
       ext4_writepages+0x1c0/0x2e50 fs/ext4/inode.c:2715
       do_writepages+0x3b7/0x610 mm/page-writeback.c:2491
       __writeback_single_inode+0x156/0x1160 fs/fs-writeback.c:1622
       writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1743
       write_inode_now+0x15d/0x1d0 fs/fs-writeback.c:2780
       iput_final fs/inode.c:1821 [inline]
       iput+0x613/0x980 fs/inode.c:1860
       ext4_xattr_block_set+0x2736/0x32a0 fs/ext4/xattr.c:2158
       ext4_xattr_move_to_block fs/ext4/xattr.c:2626 [inline]
       ext4_xattr_make_inode_space fs/ext4/xattr.c:2701 [inline]
       ext4_expand_extra_isize_ea+0x109b/0x19b0 fs/ext4/xattr.c:2793
       __ext4_expand_extra_isize+0x301/0x3e0 fs/ext4/inode.c:5980
       ext4_try_to_expand_extra_isize fs/ext4/inode.c:6023 [inline]
       __ext4_mark_inode_dirty+0x47f/0x770 fs/ext4/inode.c:6101
       ext4_evict_inode+0xa73/0x1100 fs/ext4/inode.c:279
       evict+0x485/0x870 fs/inode.c:705
       ext4_orphan_cleanup+0xbd3/0x1400 fs/ext4/orphan.c:470
       __ext4_fill_super fs/ext4/super.c:5530 [inline]
       ext4_fill_super+0x7bdf/0x8150 fs/ext4/super.c:5661
       get_tree_bdev+0x3f1/0x610 fs/super.c:1366
       vfs_get_tree+0x88/0x270 fs/super.c:1573
       do_new_mount+0x24a/0xa40 fs/namespace.c:3078
       do_mount fs/namespace.c:3421 [inline]
       __do_sys_mount fs/namespace.c:3629 [inline]
       __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3606
       do_syscall_x64 arch/x86/entry/common.c:51 [inline]
       do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
       entry_SYSCALL_64_after_hwframe+0x68/0xd2

other info that might help us debug this:

Chain exists of:
  &sbi->s_writepages_rwsem --> jbd2_handle --> &ei->xattr_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ei->xattr_sem);
                               lock(jbd2_handle);
                               lock(&ei->xattr_sem);
  lock(&sbi->s_writepages_rwsem);

 *** DEADLOCK ***

3 locks held by syz.0.17/4426:
 #0: ffff8880799a20e0 (&type->s_umount_key#27/1){+.+.}-{3:3}, at: alloc_super+0x1fa/0x930 fs/super.c:228
 #1: ffff8880799a2650 (sb_internal){.+.+}-{0:0}, at: __sb_start_write include/linux/fs.h:1891 [inline]
 #1: ffff8880799a2650 (sb_internal){.+.+}-{0:0}, at: sb_start_intwrite include/linux/fs.h:2013 [inline]
 #1: ffff8880799a2650 (sb_internal){.+.+}-{0:0}, at: ext4_evict_inode+0x436/0x1100 fs/ext4/inode.c:240
 #2: ffff88806bcc5b10 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
 #2: ffff88806bcc5b10 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:6020 [inline]
 #2: ffff88806bcc5b10 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x3fe/0x770 fs/ext4/inode.c:6101

stack backtrace:
CPU: 0 PID: 4426 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
 check_noncircular+0x274/0x310 kernel/locking/lockdep.c:2170
 check_prev_add kernel/locking/lockdep.c:3090 [inline]
 check_prevs_add kernel/locking/lockdep.c:3209 [inline]
 validate_chain kernel/locking/lockdep.c:3825 [inline]
 __lock_acquire+0x2cf8/0x7c50 kernel/locking/lockdep.c:5049
 lock_acquire+0x1b4/0x490 kernel/locking/lockdep.c:5662
 percpu_down_read+0x44/0x1a0 include/linux/percpu-rwsem.h:51
 ext4_writepages+0x1c0/0x2e50 fs/ext4/inode.c:2715
 do_writepages+0x3b7/0x610 mm/page-writeback.c:2491
 __writeback_single_inode+0x156/0x1160 fs/fs-writeback.c:1622
 writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1743
 write_inode_now+0x15d/0x1d0 fs/fs-writeback.c:2780
 iput_final fs/inode.c:1821 [inline]
 iput+0x613/0x980 fs/inode.c:1860
 ext4_xattr_block_set+0x2736/0x32a0 fs/ext4/xattr.c:2158
 ext4_xattr_move_to_block fs/ext4/xattr.c:2626 [inline]
 ext4_xattr_make_inode_space fs/ext4/xattr.c:2701 [inline]
 ext4_expand_extra_isize_ea+0x109b/0x19b0 fs/ext4/xattr.c:2793
 __ext4_expand_extra_isize+0x301/0x3e0 fs/ext4/inode.c:5980
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:6023 [inline]
 __ext4_mark_inode_dirty+0x47f/0x770 fs/ext4/inode.c:6101
 ext4_evict_inode+0xa73/0x1100 fs/ext4/inode.c:279
 evict+0x485/0x870 fs/inode.c:705
 ext4_orphan_cleanup+0xbd3/0x1400 fs/ext4/orphan.c:470
 __ext4_fill_super fs/ext4/super.c:5530 [inline]
 ext4_fill_super+0x7bdf/0x8150 fs/ext4/super.c:5661
 get_tree_bdev+0x3f1/0x610 fs/super.c:1366
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x24a/0xa40 fs/namespace.c:3078
 do_mount fs/namespace.c:3421 [inline]
 __do_sys_mount fs/namespace.c:3629 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3606
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f12dfd90eea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc63d70aa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc63d70b30 RCX: 00007f12dfd90eea
RDX: 0000200000000180 RSI: 00002000000001c0 RDI: 00007ffc63d70af0
RBP: 0000200000000180 R08: 00007ffc63d70b30 R09: 0000000000800700
R10: 0000000000800700 R11: 0000000000000246 R12: 00002000000001c0
R13: 00007ffc63d70af0 R14: 000000000000046f R15: 000000000000002c
 </TASK>
EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: inode #11: comm syz.0.17: iget: bad extra_isize 90 (inode size 256)
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz.0.17: error while reading EA inode 11 err=-117
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2819: Unable to expand inode 15. Delete some EAs or run e2fsck.
EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: inode #11: comm syz.0.17: iget: bad extra_isize 90 (inode size 256)
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz.0.17: error while reading EA inode 11 err=-117
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: inode #18: comm syz.0.17: iget: bad extra_isize 90 (inode size 256)
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz.0.17: error while reading EA inode 18 err=-117
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: inode #18: comm syz.0.17: iget: bad extra_isize 90 (inode size 256)
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz.0.17: error while reading EA inode 18 err=-117
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs (loop0): 1 orphan inode deleted
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.