./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor702218694 <...>
Warning: Permanently added '10.128.0.239' (ECDSA) to the list of known hosts.
execve("./syz-executor702218694", ["./syz-executor702218694"], 0x7ffc72defe40 /* 10 vars */) = 0
brk(NULL) = 0x555556c73000
brk(0x555556c73c40) = 0x555556c73c40
arch_prctl(ARCH_SET_FS, 0x555556c73300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor702218694", 4096) = 27
brk(0x555556c94c40) = 0x555556c94c40
brk(0x555556c95000) = 0x555556c95000
mprotect(0x7f070a6b0000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, ".log", O_RDONLY|O_CREAT|O_LARGEFILE, 000) = 3
ioctl(3, _IOC(_IOC_WRITE, 0x66, 0x2b, 0x4), 0x200000c0) = 0
open("./file0", O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_SYNC|O_DIRECT|O_NOFOLLOW|FASYNC, 000) = 4
[ 53.655649][ T26] audit: type=1400 audit(1673301391.954:75): avc: denied { execmem } for pid=5055 comm="syz-executor702" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 53.711055][ T5055]
[ 53.713395][ T5055] ======================================================
[ 53.720400][ T5055] WARNING: possible circular locking dependency detected
[ 53.727499][ T5055] 6.2.0-rc3-syzkaller-00008-g1fe4fd6f5cad #0 Not tainted
[ 53.734511][ T5055] ------------------------------------------------------
[ 53.741532][ T5055] syz-executor702/5055 is trying to acquire lock:
[ 53.747926][ T5055] ffff88814b99c170 (&journal->j_barrier){+.+.}-{3:3}, at: jbd2_journal_lock_updates+0x162/0x310
[ 53.758559][ T5055]
[ 53.758559][ T5055] but task is already holding lock:
[ 53.765914][ T5055] ffff888029ef2b98 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: ext4_change_inode_journal_flag+0x180/0x550
[ 53.777217][ T5055]
[ 53.777217][ T5055] which lock already depends on the new lock.
[ 53.777217][ T5055]
[ 53.787617][ T5055]
[ 53.787617][ T5055] the existing dependency chain (in reverse order) is:
[ 53.796629][ T5055]
[ 53.796629][ T5055] -> #4 (&sbi->s_writepages_rwsem){++++}-{0:0}:
[ 53.805054][ T5055]        percpu_down_write+0x53/0x390
[ 53.810423][ T5055]        ext4_change_inode_journal_flag+0x180/0x550
[ 53.817001][ T5055]        ext4_fileattr_set+0xe78/0x1a50
[ 53.822537][ T5055]        vfs_fileattr_set+0x7f9/0xbe0
[ 53.827903][ T5055]        do_vfs_ioctl+0xf8d/0x15b0
[ 53.833031][ T5055]        __x64_sys_ioctl+0x10c/0x210
[ 53.838320][ T5055]        do_syscall_64+0x39/0xb0
[ 53.843253][ T5055]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.849662][ T5055]
[ 53.849662][ T5055] -> #3 (mapping.invalidate_lock){++++}-{3:3}:
[ 53.857992][ T5055]        down_write+0x94/0x220
[ 53.862750][ T5055]        ext4_setattr+0x75a/0x2be0
[ 53.867850][ T5055]        notify_change+0xca7/0x1420
[ 53.873035][ T5055]        do_truncate+0x143/0x200
[ 53.877960][ T5055]        do_sys_ftruncate+0x51f/0x710
[ 53.883332][ T5055]        do_syscall_64+0x39/0xb0
[ 53.888255][ T5055]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.894666][ T5055]
[ 53.894666][ T5055] -> #2 (&sb->s_type->i_mutex_key#7){++++}-{3:3}:
[ 53.903467][ T5055]        down_read+0x9c/0x450
[ 53.908156][ T5055]        ext4_bmap+0x52/0x470
[ 53.912831][ T5055]        bmap+0xae/0x120
[ 53.917072][ T5055]        jbd2_journal_bmap+0xac/0x180
[ 53.923650][ T5055]        jbd2_journal_flush+0x853/0xc00
[ 53.929189][ T5055]        __ext4_ioctl+0xb01/0x4b60
[ 53.934383][ T5055]        __x64_sys_ioctl+0x197/0x210
[ 53.939657][ T5055]        do_syscall_64+0x39/0xb0
[ 53.944587][ T5055]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.950992][ T5055]
[ 53.950992][ T5055] -> #1 (&journal->j_checkpoint_mutex){+.+.}-{3:3}:
[ 53.959770][ T5055]        mutex_lock_io_nested+0x143/0x11a0
[ 53.965603][ T5055]        jbd2_journal_flush+0x19e/0xc00
[ 53.971141][ T5055]        __ext4_ioctl+0xb01/0x4b60
[ 53.976239][ T5055]        __x64_sys_ioctl+0x197/0x210
[ 53.981536][ T5055]        do_syscall_64+0x39/0xb0
[ 53.986564][ T5055]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.993072][ T5055]
[ 53.993072][ T5055] -> #0 (&journal->j_barrier){+.+.}-{3:3}:
[ 54.001131][ T5055]        __lock_acquire+0x2a43/0x56d0
[ 54.006531][ T5055]        lock_acquire+0x1e3/0x630
[ 54.011558][ T5055]        __mutex_lock+0x12f/0x1360
[ 54.016656][ T5055]        jbd2_journal_lock_updates+0x162/0x310
[ 54.022805][ T5055]        ext4_change_inode_journal_flag+0x188/0x550
[ 54.029383][ T5055]        ext4_fileattr_set+0xe78/0x1a50
[ 54.034916][ T5055]        vfs_fileattr_set+0x7f9/0xbe0
[ 54.040303][ T5055]        do_vfs_ioctl+0xf8d/0x15b0
[ 54.046400][ T5055]        __x64_sys_ioctl+0x10c/0x210
[ 54.051688][ T5055]        do_syscall_64+0x39/0xb0
[ 54.056617][ T5055]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 54.063026][ T5055]
[ 54.063026][ T5055] other info that might help us debug this:
[ 54.063026][ T5055]
[ 54.073239][ T5055] Chain exists of:
[ 54.073239][ T5055]   &journal->j_barrier --> mapping.invalidate_lock --> &sbi->s_writepages_rwsem
[ 54.073239][ T5055]
[ 54.088627][ T5055]  Possible unsafe locking scenario:
[ 54.088627][ T5055]
[ 54.096325][ T5055]        CPU0                    CPU1
[ 54.101690][ T5055]        ----                    ----
[ 54.107126][ T5055]   lock(&sbi->s_writepages_rwsem);
[ 54.112497][ T5055]                                lock(mapping.invalidate_lock);
[ 54.120898][ T5055]                                lock(&sbi->s_writepages_rwsem);
[ 54.128622][ T5055]   lock(&journal->j_barrier);
[ 54.133723][ T5055]
[ 54.133723][ T5055]  *** DEADLOCK ***
[ 54.133723][ T5055]
[ 54.141856][ T5055] 4 locks held by syz-executor702/5055:
[ 54.147395][ T5055]  #0: ffff888029eba460 (sb_writers#5){.+.+}-{0:0}, at: do_vfs_ioctl+0xf52/0x15b0
[ 54.156630][ T5055]  #1: ffff88806fa364c0 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: vfs_fileattr_set+0x14c/0xbe0
[ 54.167326][ T5055]  #2: ffff88806fa36660 (mapping.invalidate_lock){++++}-{3:3}, at: ext4_change_inode_journal_flag+0x127/0x550
[ 54.178989][ T5055]  #3: ffff888029ef2b98 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: ext4_change_inode_journal_flag+0x180/0x550
[ 54.190841][ T5055]
[ 54.190841][ T5055] stack backtrace:
[ 54.196744][ T5055] CPU: 1 PID: 5055 Comm: syz-executor702 Not tainted 6.2.0-rc3-syzkaller-00008-g1fe4fd6f5cad #0
[ 54.207151][ T5055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 54.217194][ T5055] Call Trace:
[ 54.220547][ T5055]
[ 54.223481][ T5055]  dump_stack_lvl+0xd1/0x138
[ 54.228074][ T5055]  check_noncircular+0x25f/0x2e0
[ 54.233010][ T5055]  ? print_circular_bug+0x1e0/0x1e0
[ 54.238403][ T5055]  ? check_irq_usage+0x186/0xab0
[ 54.243354][ T5055]  ? check_path.constprop.0+0x50/0x50
[ 54.248735][ T5055]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 54.254576][ T5055]  ? print_shortest_lock_dependencies_backwards+0x80/0x80
[ 54.261900][ T5055]  __lock_acquire+0x2a43/0x56d0
[ 54.266876][ T5055]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 54.272882][ T5055]  ? mark_lock.part.0+0xee/0x1910
[ 54.277921][ T5055]  lock_acquire+0x1e3/0x630
[ 54.282610][ T5055]  ? jbd2_journal_lock_updates+0x162/0x310
[ 54.288418][ T5055]  ? lock_release+0x810/0x810
[ 54.293092][ T5055]  ? find_held_lock+0x2d/0x110
[ 54.297849][ T5055]  __mutex_lock+0x12f/0x1360
[ 54.302432][ T5055]  ? jbd2_journal_lock_updates+0x162/0x310
[ 54.308322][ T5055]  ? jbd2_journal_lock_updates+0x162/0x310
[ 54.314128][ T5055]  ? mutex_lock_io_nested+0x11a0/0x11a0
[ 54.319666][ T5055]  ? jbd2_journal_lock_updates+0x154/0x310
[ 54.325574][ T5055]  ? lock_downgrade+0x6e0/0x6e0
[ 54.330435][ T5055]  ? do_raw_read_unlock+0x70/0x70
[ 54.335450][ T5055]  jbd2_journal_lock_updates+0x162/0x310
[ 54.341083][ T5055]  ? jbd2_journal_wait_updates+0x240/0x240
[ 54.346886][ T5055]  ? _find_next_bit+0x11b/0x140
[ 54.351732][ T5055]  ext4_change_inode_journal_flag+0x188/0x550
[ 54.357792][ T5055]  ? __ext4_journal_stop+0x10b/0x1f0
[ 54.363079][ T5055]  ext4_fileattr_set+0xe78/0x1a50
[ 54.368097][ T5055]  ? ext4_fileattr_get+0x280/0x280
[ 54.373198][ T5055]  ? down_write+0x157/0x220
[ 54.377878][ T5055]  ? memset+0x24/0x50
[ 54.381870][ T5055]  ? fileattr_fill_flags+0x27f/0x320
[ 54.387162][ T5055]  vfs_fileattr_set+0x7f9/0xbe0
[ 54.392017][ T5055]  ? ioctl_file_clone+0x100/0x100
[ 54.397038][ T5055]  ? memset+0x24/0x50
[ 54.401021][ T5055]  do_vfs_ioctl+0xf8d/0x15b0
[ 54.405618][ T5055]  ? vfs_fileattr_set+0xbe0/0xbe0
[ 54.410639][ T5055]  ? inode_has_perm+0x1a2/0x220
[ 54.415483][ T5055]  ? selinux_bprm_committing_creds+0x700/0x700
[ 54.421628][ T5055]  ? do_one_initcall+0x570/0x790
[ 54.426558][ T5055]  ? lock_downgrade+0x6e0/0x6e0
[ 54.431407][ T5055]  ? selinux_file_ioctl+0xb5/0x280
[ 54.436523][ T5055]  __x64_sys_ioctl+0x10c/0x210
[ 54.441279][ T5055]  do_syscall_64+0x39/0xb0
[ 54.445686][ T5055]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 54.451574][ T5055] RIP: 0033:0x7f070a643be9
[ 54.455985][ T5055] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 54.475582][ T5055] RSP: 002b:00007ffff55c0628 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 54.483989][ T5055] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f070a643be9
[ 54.491947][ T5055] RDX: 0000000020000080 RSI: 0000000040086602 RDI: 0000000000000004
[ 54.499907][ T5055] RBP: 00007f070a607d90 R08: 0000000000000000 R09: 0000000000000000
ioctl(4, FS_IOC_SETFLAGS, [FS_JOURNAL_DATA_FL]) = 0
exit_group(0) = ?
+++ exited with 0 +++
[ 54.507865][ T5055] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f07
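Added example, written for this page and not part of the syzkaller report, strace or the kernel: a small C helper that decodes the ioctl request numbers visible above. strace printed the first ioctl raw as _IOC(_IOC_WRITE, 0x66, 0x2b, 0x4), and the register dump at the lockdep splat gives ORIG_RAX=0x10 (__NR_ioctl on x86_64), RDI=4, RSI=0x40086602, RDX=0x20000080, which the decoder turns back into the ioctl(4, FS_IOC_SETFLAGS, ...) call strace logged last. The bit layout is the x86 asm-generic/ioctl.h one; the function names (ioc_encode, ioc_decode, ioc_name, describe_ioctl_regs) are mine, and the naming of _IOW('f', 43, __u32) as EXT4_IOC_CHECKPOINT is an assumption to confirm against fs/ext4/ext4.h in the tree from the report (it is consistent with chain entries #1 and #2, where __ext4_ioctl calls jbd2_journal_flush).

```c
/* Decode Linux ioctl request numbers as they appear in strace output
 * and in the RSI register of an x86_64 oops/lockdep register dump.
 * Assumes x86_64 Linux (sizeof(long) == 8, __NR_ioctl == 16).
 * This is an added example, not kernel or syzkaller code. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of a request number (asm-generic/ioctl.h, x86 values):
 *   bits  0..7   nr    command number within a type
 *   bits  8..15  type  the "magic" byte, 'f' (0x66) for fs ioctls
 *   bits 16..29  size  sizeof the argument the kernel copies
 *   bits 30..31  dir   0 none, 1 _IOC_WRITE, 2 _IOC_READ, 3 both */
#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)
#define IOC_NONE  0U
#define IOC_WRITE 1U
#define IOC_READ  2U

struct ioc {
    unsigned dir, type, nr, size;
};

/* Compose a request number the way the kernel's _IOC() macro does. */
static uint32_t ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return (dir << IOC_DIRSHIFT) | (size << IOC_SIZESHIFT) |
           (type << IOC_TYPESHIFT) | (nr << IOC_NRSHIFT);
}

/* Split a raw request number (for example the RSI value in the dump). */
static struct ioc ioc_decode(uint32_t req)
{
    struct ioc r;
    r.dir  = (req >> IOC_DIRSHIFT)  & 3U;
    r.size = (req >> IOC_SIZESHIFT) & ((1U << IOC_SIZEBITS) - 1U);
    r.type = (req >> IOC_TYPESHIFT) & 0xffU;
    r.nr   = (req >> IOC_NRSHIFT)   & 0xffU;
    return r;
}

/* Name the two 'f'-magic ioctls this report involves; anything else is
 * reported as unknown rather than guessed. */
static const char *ioc_name(uint32_t req)
{
    struct ioc r = ioc_decode(req);
    if (r.type != 'f')
        return "unknown";
    /* FS_IOC_SETFLAGS = _IOW('f', 2, long): write, size == sizeof(long) */
    if (r.dir == IOC_WRITE && r.nr == 2 && r.size == sizeof(long))
        return "FS_IOC_SETFLAGS";
    /* _IOW('f', 43, __u32), which strace showed raw as
     * _IOC(_IOC_WRITE, 0x66, 0x2b, 0x4). Assumption: ext4 defines this
     * number as EXT4_IOC_CHECKPOINT (check fs/ext4/ext4.h). */
    if (r.dir == IOC_WRITE && r.nr == 43 && r.size == 4)
        return "EXT4_IOC_CHECKPOINT";
    return "unknown";
}

/* Rebuild the syscall from the register dump: ORIG_RAX is the syscall
 * number (16 == __NR_ioctl on x86_64); RDI, RSI, RDX are its first
 * three arguments. Returns -1 if the registers are not an ioctl. */
static int describe_ioctl_regs(uint64_t orig_rax, uint64_t rdi, uint64_t rsi,
                               uint64_t rdx, char *out, size_t outlen)
{
    if (orig_rax != 16)
        return -1;
    snprintf(out, outlen, "ioctl(%llu, %s, 0x%llx)",
             (unsigned long long)rdi, ioc_name((uint32_t)rsi),
             (unsigned long long)rdx);
    return 0;
}

int main(void)
{
    /* Values copied from the strace lines and register dump above. */
    uint32_t first = ioc_encode(IOC_WRITE, 0x66, 0x2b, 0x4);
    struct ioc r = ioc_decode(0x40086602u);
    char buf[128];

    printf("_IOC(_IOC_WRITE, 0x66, 0x2b, 0x4) = 0x%08x (%s)\n",
           first, ioc_name(first));
    printf("RSI 0x40086602: dir=%u type='%c' nr=%u size=%u (%s)\n",
           r.dir, r.type, r.nr, r.size, ioc_name(0x40086602u));
    if (describe_ioctl_regs(0x10, 4, 0x40086602u, 0x20000080u, buf, sizeof buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```

Reading the dump with this: RDI=4 is the descriptor open("./file0", ...) returned, and RDX=0x20000080 lies inside the executor's fixed 16 MiB mapping at 0x20000000, so the register state at the splat is the FS_IOC_SETFLAGS call strace logged last (the syscall returns 0 and the process exits normally; lockdep only reports the ordering violation). The decoder reports unknown for any request outside those two rather than guessing a name, which is the right default when reading a trace from an unfamiliar subsystem.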