syzbot

EXT4-fs: Warning: mounting with an experimental mount option 'dioread_nolock' for blocksize < PAGE_SIZE
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.1.58/4765 is trying to acquire lock:
ffff0000cb8ccb98 (&sbi->s_writepages_rwsem){.+.+}-{0:0}, at: ext4_writepages+0x1b8/0x28b4 fs/ext4/inode.c:2715

but task is already holding lock:
ffff0000fac3a8e8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:165 [inline]
ffff0000fac3a8e8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:6024 [inline]
ffff0000fac3a8e8 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x37c/0x784 fs/ext4/inode.c:6105

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ei->xattr_sem){++++}-{3:3}:
       down_write+0x5c/0x88 kernel/locking/rwsem.c:1573
       ext4_write_lock_xattr fs/ext4/xattr.h:158 [inline]
       ext4_destroy_inline_data+0x30/0x114 fs/ext4/inline.c:1922
       ext4_writepages+0x430/0x28b4 fs/ext4/inode.c:2761
       do_writepages+0x2b0/0x504 mm/page-writeback.c:2491
       __writeback_single_inode+0x164/0x1554 fs/fs-writeback.c:1622
       writeback_sb_inodes+0x858/0x143c fs/fs-writeback.c:1913
       wb_writeback+0x414/0xfcc fs/fs-writeback.c:2087
       wb_do_writeback fs/fs-writeback.c:2230 [inline]
       wb_workfn+0x360/0xe18 fs/fs-writeback.c:2270
       process_one_work+0x7f8/0x13a4 kernel/workqueue.c:2292
       worker_thread+0x8c4/0xfec kernel/workqueue.c:2439
       kthread+0x250/0x2d8 kernel/kthread.c:376
       ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850

-> #0 (&sbi->s_writepages_rwsem){.+.+}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3090 [inline]
       check_prevs_add kernel/locking/lockdep.c:3209 [inline]
       validate_chain kernel/locking/lockdep.c:3825 [inline]
       __lock_acquire+0x2880/0x6800 kernel/locking/lockdep.c:5049
       lock_acquire+0x20c/0x63c kernel/locking/lockdep.c:5662
       percpu_down_read+0x70/0x2a8 include/linux/percpu-rwsem.h:51
       ext4_writepages+0x1b8/0x28b4 fs/ext4/inode.c:2715
       do_writepages+0x2b0/0x504 mm/page-writeback.c:2491
       __writeback_single_inode+0x164/0x1554 fs/fs-writeback.c:1622
       writeback_single_inode+0x1cc/0x740 fs/fs-writeback.c:1743
       write_inode_now+0x150/0x1cc fs/fs-writeback.c:2786
       iput_final fs/inode.c:1821 [inline]
       iput+0x5bc/0x7e4 fs/inode.c:1860
       ext4_xattr_block_set+0x1454/0x2880 fs/ext4/xattr.c:2146
       ext4_xattr_move_to_block fs/ext4/xattr.c:2611 [inline]
       ext4_xattr_make_inode_space fs/ext4/xattr.c:2686 [inline]
       ext4_expand_extra_isize_ea+0xe5c/0x17ac fs/ext4/xattr.c:2774
       __ext4_expand_extra_isize+0x298/0x358 fs/ext4/inode.c:5984
       ext4_try_to_expand_extra_isize fs/ext4/inode.c:6027 [inline]
       __ext4_mark_inode_dirty+0x3e4/0x784 fs/ext4/inode.c:6105
       ext4_evict_inode+0xb64/0x1278 fs/ext4/inode.c:279
       evict+0x3e0/0x828 fs/inode.c:705
       iput_final fs/inode.c:1834 [inline]
       iput+0x754/0x7e4 fs/inode.c:1860
       ext4_process_orphan+0x240/0x2b4 fs/ext4/orphan.c:358
       ext4_orphan_cleanup+0x920/0x1060 fs/ext4/orphan.c:472
       __ext4_fill_super fs/ext4/super.c:5556 [inline]
       ext4_fill_super+0x6188/0x660c fs/ext4/super.c:5687
       get_tree_bdev+0x358/0x544 fs/super.c:1366
       ext4_get_tree+0x28/0x38 fs/ext4/super.c:5717
       vfs_get_tree+0x90/0x274 fs/super.c:1573
       do_new_mount+0x228/0x810 fs/namespace.c:3078
       path_mount+0x5bc/0xe80 fs/namespace.c:3408
       do_mount fs/namespace.c:3421 [inline]
       __do_sys_mount fs/namespace.c:3629 [inline]
       __se_sys_mount fs/namespace.c:3606 [inline]
       __arm64_sys_mount+0x49c/0x59c fs/namespace.c:3606
       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
       invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
       el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
       do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
       el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
       el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ei->xattr_sem);
                               lock(&sbi->s_writepages_rwsem);
                               lock(&ei->xattr_sem);
  lock(&sbi->s_writepages_rwsem);

 *** DEADLOCK ***

3 locks held by syz.1.58/4765:
 #0: ffff0000cb8ca0e0 (&type->s_umount_key#26/1){+.+.}-{3:3}, at: alloc_super+0x1a4/0x800 fs/super.c:228
 #1: ffff0000cb8ca650 (sb_internal){.+.+}-{0:0}, at: __sb_start_write include/linux/fs.h:1891 [inline]
 #1: ffff0000cb8ca650 (sb_internal){.+.+}-{0:0}, at: sb_start_intwrite include/linux/fs.h:2013 [inline]
 #1: ffff0000cb8ca650 (sb_internal){.+.+}-{0:0}, at: ext4_evict_inode+0x3e0/0x1278 fs/ext4/inode.c:240
 #2: ffff0000fac3a8e8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:165 [inline]
 #2: ffff0000fac3a8e8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:6024 [inline]
 #2: ffff0000fac3a8e8 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x37c/0x784 fs/ext4/inode.c:6105

stack backtrace:
CPU: 0 PID: 4765 Comm: syz.1.58 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
 dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 print_circular_bug+0x148/0x1b0 kernel/locking/lockdep.c:2048
 check_noncircular+0x264/0x2f8 kernel/locking/lockdep.c:2170
 check_prev_add kernel/locking/lockdep.c:3090 [inline]
 check_prevs_add kernel/locking/lockdep.c:3209 [inline]
 validate_chain kernel/locking/lockdep.c:3825 [inline]
 __lock_acquire+0x2880/0x6800 kernel/locking/lockdep.c:5049
 lock_acquire+0x20c/0x63c kernel/locking/lockdep.c:5662
 percpu_down_read+0x70/0x2a8 include/linux/percpu-rwsem.h:51
 ext4_writepages+0x1b8/0x28b4 fs/ext4/inode.c:2715
 do_writepages+0x2b0/0x504 mm/page-writeback.c:2491
 __writeback_single_inode+0x164/0x1554 fs/fs-writeback.c:1622
 writeback_single_inode+0x1cc/0x740 fs/fs-writeback.c:1743
 write_inode_now+0x150/0x1cc fs/fs-writeback.c:2786
 iput_final fs/inode.c:1821 [inline]
 iput+0x5bc/0x7e4 fs/inode.c:1860
 ext4_xattr_block_set+0x1454/0x2880 fs/ext4/xattr.c:2146
 ext4_xattr_move_to_block fs/ext4/xattr.c:2611 [inline]
 ext4_xattr_make_inode_space fs/ext4/xattr.c:2686 [inline]
 ext4_expand_extra_isize_ea+0xe5c/0x17ac fs/ext4/xattr.c:2774
 __ext4_expand_extra_isize+0x298/0x358 fs/ext4/inode.c:5984
 ext4_try_to_expand_extra_isize fs/ext4/inode.c:6027 [inline]
 __ext4_mark_inode_dirty+0x3e4/0x784 fs/ext4/inode.c:6105
 ext4_evict_inode+0xb64/0x1278 fs/ext4/inode.c:279
 evict+0x3e0/0x828 fs/inode.c:705
 iput_final fs/inode.c:1834 [inline]
 iput+0x754/0x7e4 fs/inode.c:1860
 ext4_process_orphan+0x240/0x2b4 fs/ext4/orphan.c:358
 ext4_orphan_cleanup+0x920/0x1060 fs/ext4/orphan.c:472
 __ext4_fill_super fs/ext4/super.c:5556 [inline]
 ext4_fill_super+0x6188/0x660c fs/ext4/super.c:5687
 get_tree_bdev+0x358/0x544 fs/super.c:1366
 ext4_get_tree+0x28/0x38 fs/ext4/super.c:5717
 vfs_get_tree+0x90/0x274 fs/super.c:1573
 do_new_mount+0x228/0x810 fs/namespace.c:3078
 path_mount+0x5bc/0xe80 fs/namespace.c:3408
 do_mount fs/namespace.c:3421 [inline]
 __do_sys_mount fs/namespace.c:3629 [inline]
 __se_sys_mount fs/namespace.c:3606 [inline]
 __arm64_sys_mount+0x49c/0x59c fs/namespace.c:3606
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
EXT4-fs error (device loop1): ext4_xattr_inode_iget:401: inode #11: comm syz.1.58: iget: bad extra_isize 90 (inode size 256)
EXT4-fs (loop1): Remounting filesystem read-only
EXT4-fs error (device loop1): ext4_xattr_inode_iget:406: comm syz.1.58: error while reading EA inode 11 err=-117
EXT4-fs (loop1): Remounting filesystem read-only
EXT4-fs warning (device loop1): ext4_expand_extra_isize_ea:2800: Unable to expand inode 15. Delete some EAs or run e2fsck.
EXT4-fs error (device loop1): ext4_xattr_inode_iget:401: inode #11: comm syz.1.58: iget: bad extra_isize 90 (inode size 256)
EXT4-fs (loop1): Remounting filesystem read-only
EXT4-fs error (device loop1): ext4_xattr_inode_iget:406: comm syz.1.58: error while reading EA inode 11 err=-117
EXT4-fs (loop1): Remounting filesystem read-only
EXT4-fs error (device loop1): ext4_xattr_inode_iget:401: inode #18: comm syz.1.58: iget: bad extra_isize 90 (inode size 256)
EXT4-fs (loop1): Remounting filesystem read-only
EXT4-fs error (device loop1): ext4_xattr_inode_iget:406: comm syz.1.58: error while reading EA inode 18 err=-117
EXT4-fs (loop1): Remounting filesystem read-only
EXT4-fs error (device loop1): ext4_xattr_inode_iget:401: inode #18: comm syz.1.58: iget: bad extra_isize 90 (inode size 256)
EXT4-fs (loop1): Remounting filesystem read-only
EXT4-fs error (device loop1): ext4_xattr_inode_iget:406: comm syz.1.58: error while reading EA inode 18 err=-117
EXT4-fs (loop1): Remounting filesystem read-only
EXT4-fs (loop1): 1 orphan inode deleted