./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1302738684 <...> Warning: Permanently added '10.128.1.172' (ED25519) to the list of known hosts. execve("./syz-executor1302738684", ["./syz-executor1302738684"], 0x7ffe97dc8a50 /* 10 vars */) = 0 brk(NULL) = 0x555571764000 brk(0x555571764d00) = 0x555571764d00 arch_prctl(ARCH_SET_FS, 0x555571764380) = 0 set_tid_address(0x555571764650) = 5083 set_robust_list(0x555571764660, 24) = 0 rseq(0x555571764ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1302738684", 4096) = 28 getrandom("\x8b\x68\xd3\xc3\xcc\x34\x24\xea", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555571764d00 brk(0x555571785d00) = 0x555571785d00 brk(0x555571786000) = 0x555571786000 mprotect(0x7f65c319f000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f65bac00000 write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 munmap(0x7f65bac00000, 138412032) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 close(4) = 0 mkdir("./file2", 0777) = 0 [ 77.557007][ T5083] loop0: detected capacity change from 0 to 4096 mount("/dev/loop0", "./file2", "ntfs3", MS_POSIXACL|MS_LAZYTIME, "discard,nohidden,force,showmeta,sparse,iocharset=macceltic,iocharset=cp1250,gid=0x0000000000000000") = 0 openat(AT_FDCWD, "./file2", O_RDONLY|O_DIRECTORY) = 3 chdir("./file2") = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) open("./bus", O_RDWR|O_CREAT|O_SYNC|O_NOATIME|FASYNC, 000) = 4 open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 mmap(0x20000000, 6291456, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_SEM|PROT_GROWSUP|0x7ffff0, MAP_SHARED|MAP_FIXED|MAP_LOCKED|1< {fm_flags=FIEMAP_FLAG_SYNC, fm_mapped_extents=1, ...}) = 0 [ 77.651718][ T5083] [ 77.654100][ T5083] ====================================================== [ 77.661108][ T5083] WARNING: possible circular locking dependency detected [ 77.668123][ T5083] 6.9.0-rc5-syzkaller-00042-ge88c4cfcb7b8 #0 Not tainted [ 77.675141][ T5083] ------------------------------------------------------ [ 77.682190][ T5083] syz-executor130/5083 is trying to acquire lock: [ 77.688598][ T5083] ffff88807a9ef3e0 (mapping.invalidate_lock#3){.+.+}-{3:3}, at: filemap_fault+0x646/0x16a0 [ 77.698681][ T5083] [ 77.698681][ T5083] but task is already holding lock: [ 77.706043][ T5083] ffff888028038730 (&vma->vm_lock->lock){++++}-{3:3}, at: lock_vma_under_rcu+0x2f9/0x730 [ 77.715915][ T5083] [ 77.715915][ T5083] which lock already depends on the new lock. [ 77.715915][ T5083] [ 77.726317][ T5083] [ 77.726317][ T5083] the existing dependency chain (in reverse order) is: [ 77.735328][ T5083] [ 77.735328][ T5083] -> #3 (&vma->vm_lock->lock){++++}-{3:3}: [ 77.743333][ T5083] lock_acquire+0x1ed/0x550 [ 77.748405][ T5083] down_write+0x3a/0x50 [ 77.753124][ T5083] vma_link+0x2c6/0x550 [ 77.757835][ T5083] insert_vm_struct+0x1a3/0x260 [ 77.763259][ T5083] alloc_bprm+0x543/0xa00 [ 77.768145][ T5083] kernel_execve+0x99/0xa10 [ 77.773213][ T5083] kernel_init+0xe8/0x2b0 [ 77.778101][ T5083] ret_from_fork+0x4d/0x80 [ 77.783081][ T5083] ret_from_fork_asm+0x1a/0x30 [ 77.788401][ T5083] [ 77.788401][ T5083] -> #2 (&mm->mmap_lock){++++}-{3:3}: [ 77.796015][ T5083] lock_acquire+0x1ed/0x550 [ 77.801063][ T5083] __might_fault+0xc6/0x120 [ 77.806107][ T5083] _copy_to_user+0x2a/0xb0 [ 77.811067][ T5083] fiemap_fill_next_extent+0x235/0x410 [ 77.817073][ T5083] ni_fiemap+0xa5e/0x1230 [ 77.821933][ T5083] ntfs_fiemap+0x132/0x180 [ 77.826884][ T5083] do_vfs_ioctl+0x1c09/0x2e50 [ 77.832101][ T5083] __se_sys_ioctl+0x81/0x170 [ 77.837234][ T5083] do_syscall_64+0xf5/0x240 [ 77.842283][ T5083] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.848714][ T5083] [ 77.848714][ T5083] -> #1 (&ni->file.run_lock#3){++++}-{3:3}: [ 77.856836][ T5083] lock_acquire+0x1ed/0x550 [ 77.861869][ T5083] down_read+0xb1/0xa40 [ 77.866559][ T5083] attr_data_get_block+0x2e3/0x2e10 [ 77.872289][ T5083] ntfs_get_block_vbo+0x36a/0xd00 [ 77.877854][ T5083] do_mpage_readpage+0x829/0x1c80 [ 77.883399][ T5083] mpage_read_folio+0x108/0x1e0 [ 77.888778][ T5083] filemap_read_folio+0x1a2/0x790 [ 77.894338][ T5083] filemap_fault+0xed1/0x16a0 [ 77.899553][ T5083] __do_fault+0x137/0x460 [ 77.904422][ T5083] __handle_mm_fault+0x2361/0x7240 [ 77.910066][ T5083] handle_mm_fault+0x3c2/0x8a0 [ 77.915360][ T5083] exc_page_fault+0x446/0x8e0 [ 77.920565][ T5083] asm_exc_page_fault+0x26/0x30 [ 77.925941][ T5083] [ 77.925941][ T5083] -> #0 (mapping.invalidate_lock#3){.+.+}-{3:3}: [ 77.934476][ T5083] validate_chain+0x18cb/0x58e0 [ 77.939859][ T5083] __lock_acquire+0x1346/0x1fd0 [ 77.945322][ T5083] lock_acquire+0x1ed/0x550 [ 77.950348][ T5083] down_read+0xb1/0xa40 [ 77.955037][ T5083] filemap_fault+0x646/0x16a0 [ 77.960245][ T5083] __do_fault+0x137/0x460 [ 77.965110][ T5083] __handle_mm_fault+0x2361/0x7240 [ 77.970746][ T5083] handle_mm_fault+0x3c2/0x8a0 [ 77.976042][ T5083] exc_page_fault+0x446/0x8e0 [ 77.981257][ T5083] asm_exc_page_fault+0x26/0x30 [ 77.986643][ T5083] [ 77.986643][ T5083] other info that might help us debug this: [ 77.986643][ T5083] [ 77.996873][ T5083] Chain exists of: [ 77.996873][ T5083] mapping.invalidate_lock#3 --> &mm->mmap_lock --> &vma->vm_lock->lock [ 77.996873][ T5083] [ 78.011084][ T5083] Possible unsafe locking scenario: [ 78.011084][ T5083] [ 78.018532][ T5083] CPU0 CPU1 [ 78.023890][ T5083] ---- ---- [ 78.029245][ T5083] rlock(&vma->vm_lock->lock); [ 78.034100][ T5083] lock(&mm->mmap_lock); [ 78.041038][ T5083] lock(&vma->vm_lock->lock); [ 78.048324][ T5083] rlock(mapping.invalidate_lock#3); [ 78.053715][ T5083] [ 78.053715][ T5083] *** DEADLOCK *** [ 78.053715][ T5083] [ 78.061861][ T5083] 1 lock held by syz-executor130/5083: [ 78.067318][ T5083] #0: ffff888028038730 (&vma->vm_lock->lock){++++}-{3:3}, at: lock_vma_under_rcu+0x2f9/0x730 [ 78.077638][ T5083] [ 78.077638][ T5083] stack backtrace: [ 78.083533][ T5083] CPU: 0 PID: 5083 Comm: syz-executor130 Not tainted 6.9.0-rc5-syzkaller-00042-ge88c4cfcb7b8 #0 [ 78.093986][ T5083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 78.104045][ T5083] Call Trace: [ 78.107326][ T5083] [ 78.110259][ T5083] dump_stack_lvl+0x241/0x360 [ 78.114967][ T5083] ? __pfx_dump_stack_lvl+0x10/0x10 [ 78.120201][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.125853][ T5083] ? print_circular_bug+0x130/0x1a0 [ 78.131069][ T5083] check_noncircular+0x36a/0x4a0 [ 78.136021][ T5083] ? __pfx_check_noncircular+0x10/0x10 [ 78.141490][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.147133][ T5083] ? lockdep_lock+0x123/0x2b0 [ 78.151815][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.157460][ T5083] ? _find_first_zero_bit+0xd4/0x100 [ 78.162777][ T5083] validate_chain+0x18cb/0x58e0 [ 78.167654][ T5083] ? count_memcg_event_mm+0x94/0x420 [ 78.172948][ T5083] ? __pfx_lock_release+0x10/0x10 [ 78.177994][ T5083] ? __pfx_validate_chain+0x10/0x10 [ 78.183210][ T5083] ? count_memcg_event_mm+0x94/0x420 [ 78.188500][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.194144][ T5083] ? count_memcg_event_mm+0x3c2/0x420 [ 78.199522][ T5083] ? count_memcg_event_mm+0x94/0x420 [ 78.204811][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.210463][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.216119][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.221766][ T5083] ? validate_chain+0x11b/0x58e0 [ 78.226714][ T5083] ? __pfx_validate_chain+0x10/0x10 [ 78.231984][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.237739][ T5083] ? mark_lock+0x9a/0x350 [ 78.242079][ T5083] __lock_acquire+0x1346/0x1fd0 [ 78.246947][ T5083] lock_acquire+0x1ed/0x550 [ 78.251456][ T5083] ? filemap_fault+0x646/0x16a0 [ 78.256332][ T5083] ? __pfx_lock_acquire+0x10/0x10 [ 78.261362][ T5083] ? __pfx_lock_release+0x10/0x10 [ 78.266392][ T5083] ? __pfx___might_resched+0x10/0x10 [ 78.271696][ T5083] down_read+0xb1/0xa40 [ 78.275876][ T5083] ? filemap_fault+0x646/0x16a0 [ 78.280741][ T5083] ? __pfx_filemap_get_entry+0x10/0x10 [ 78.286218][ T5083] ? __pfx_down_read+0x10/0x10 [ 78.290993][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.296643][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.302292][ T5083] ? __filemap_get_folio+0x725/0xbb0 [ 78.307592][ T5083] filemap_fault+0x646/0x16a0 [ 78.312282][ T5083] ? __pfx_filemap_fault+0x10/0x10 [ 78.317404][ T5083] ? pte_offset_map_nolock+0x137/0x1f0 [ 78.322879][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.328538][ T5083] __do_fault+0x137/0x460 [ 78.332890][ T5083] __handle_mm_fault+0x2361/0x7240 [ 78.338052][ T5083] ? mark_lock+0x9a/0x350 [ 78.342416][ T5083] ? lock_vma_under_rcu+0x2f9/0x730 [ 78.347635][ T5083] ? __pfx___handle_mm_fault+0x10/0x10 [ 78.353120][ T5083] ? __pfx_reacquire_held_locks+0x10/0x10 [ 78.358867][ T5083] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.364559][ T5083] ? mtree_range_walk+0x6fd/0x8e0 [ 78.369597][ T5083] ? lock_vma_under_rcu+0x18a/0x730 [ 78.374809][ T5083] ? __pfx_lock_release+0x10/0x10 [ 78.379836][ T5083] ? lock_vma_under_rcu+0x2f9/0x730 [ 78.385060][ T5083] ? lock_vma_under_rcu+0x18a/0x730 [ 78.390267][ T5083] ? __pfx_lock_vma_under_rcu+0x10/0x10 [ 78.395822][ T5083] handle_mm_fault+0x3c2/0x8a0 [ 78.400604][ T5083] exc_page_fault+0x446/0x8e0 [ 78.405307][ T5083] asm_exc_page_fault+0x26/0x30 [ 78.410163][ T5083] RIP: 0033:0x7f65c30d889f [ 78.414581][ T5083] Code: a7 c5 09 00 0f 11 04 25 89 00 00 20 48 8b 35 78 a8 0c 00 e8 53 42 03 00 b8 33 00 00 00 48 89 ee 31 d2 66 0f 6f 05 21 c5 09 00 <66> 89 04 25 44 f7 01 20 bf 10 10 00 20 48 b8 2e 2f 66 69 6c 65 32 [ 78.434187][ T5083] RSP: 002b:00007ffce9c3b740 EFLAGS: 00010246 [ 78.440263][ T5083] RAX: 0000000000000033 RBX: 00007f65c3155066 RCX: 00007f65c310caf9 memfd_create("syzkaller", 0) = 6 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f65bac00000 write(6, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x02\x02\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x0f\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xff\x03\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x8f\x24\x2d\x5f\x49\x6d\x50\x0b\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 2097152) = 2097152 munmap(0x7f65bac00000, 138412032) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = -1 EBUSY (Device or resource busy) close(6) = 0 exit_group(0) = ? [ 78.448241][ T5083] RDX: 0000000000000000 RSI: 00007f65c315504b RDI: 0000000000000004 [ 78.456224][ T5083] RBP: 00007f65c315504b R08: 0000000000000000 R09: 0000000000000000 [ 78.464210][ T5083] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f65c3155510 [ 78.472189][ T5083] R13: 00007f65c3155055 R14: 23f2bfc581b02e40 R15: ad9a13bd00000000 [ 78.480183][ T5083] +++ exited with 0 +++