./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2733711498 <...> DUID 00:04:02:40:b4:1b:63:80:2c:d1:41:b7:a3:cb:95:3e:6a:64 [ 22.497012][ T4691] 8021q: adding VLAN 0 to HW filter on device bond0 forked to background, child pid 4690 [ 22.509934][ T4691] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.52' (ED25519) to the list of known hosts. execve("./syz-executor2733711498", ["./syz-executor2733711498"], 0x7fffbbee83f0 /* 10 vars */) = 0 brk(NULL) = 0x5555557a0000 brk(0x5555557a0d00) = 0x5555557a0d00 arch_prctl(ARCH_SET_FS, 0x5555557a0380) = 0 set_tid_address(0x5555557a0650) = 5027 set_robust_list(0x5555557a0660, 24) = 0 rseq(0x5555557a0ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2733711498", 4096) = 28 getrandom("\x92\xee\xa1\xb3\x09\x57\x0f\x91", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555557a0d00 brk(0x5555557c1d00) = 0x5555557c1d00 brk(0x5555557c2000) = 0x5555557c2000 mprotect(0x7f8564c00000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f855c74b000 syzkaller login: [ 46.071486][ T5027] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5027 'syz-executor273' write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 20699119) = 20699119 munmap(0x7f855c74b000, 20699119) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./file0", 0777) = 0 mount("/dev/loop0", "./file0", "f2fs", 0, "nolazytime,data_flush,noinline_xattr,jqfmt=vfsv1,") = 0 openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 chdir("./file0") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 mkdir("./file1", 000) = 0 mkdirat(AT_FDCWD, "./file0", 000) = 0 mkdirat(AT_FDCWD, "./bus", 000) = 0 [ 46.205678][ T5027] loop0: detected capacity change from 0 to 40427 [ 46.220466][ T5027] F2FS-fs (loop0): Found nat_bits in checkpoint [ 46.240902][ T5027] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5 [ 46.267233][ T5027] [ 46.269588][ T5027] ====================================================== [ 46.276603][ T5027] WARNING: possible circular locking dependency detected [ 46.283590][ T5027] 6.5.0-rc5-syzkaller-00353-gae545c3283dc #0 Not tainted [ 46.290585][ T5027] ------------------------------------------------------ [ 46.297594][ T5027] syz-executor273/5027 is trying to acquire lock: [ 46.303979][ T5027] ffff888077fe1fb0 (&fi->i_sem){+.+.}-{3:3}, at: f2fs_add_inline_entry+0x300/0x6f0 [ 46.313276][ T5027] [ 46.313276][ T5027] but task is already holding lock: [ 46.320613][ T5027] ffff888077fe07c8 (&fi->i_xattr_sem){.+.+}-{3:3}, at: f2fs_add_dentry+0x92/0x230 [ 46.329802][ T5027] [ 46.329802][ T5027] which lock already depends on the new lock. [ 46.329802][ T5027] [ 46.340202][ T5027] [ 46.340202][ T5027] the existing dependency chain (in reverse order) is: [ 46.349208][ T5027] [ 46.349208][ T5027] -> #1 (&fi->i_xattr_sem){.+.+}-{3:3}: [ 46.356930][ T5027] down_read+0x9c/0x470 [ 46.361603][ T5027] f2fs_getxattr+0xb1e/0x12c0 [ 46.366779][ T5027] __f2fs_get_acl+0x5a/0x900 [ 46.371868][ T5027] f2fs_init_acl+0x15c/0xb30 [ 46.376982][ T5027] f2fs_init_inode_metadata+0x159/0x1290 [ 46.383110][ T5027] f2fs_add_regular_entry+0x79e/0xb90 [ 46.389064][ T5027] f2fs_add_dentry+0x1de/0x230 [ 46.394350][ T5027] f2fs_do_add_link+0x190/0x280 [ 46.399697][ T5027] f2fs_mkdir+0x377/0x620 [ 46.404536][ T5027] vfs_mkdir+0x532/0x7e0 [ 46.409281][ T5027] do_mkdirat+0x2a9/0x330 [ 46.414103][ T5027] __x64_sys_mkdir+0xf2/0x140 [ 46.419278][ T5027] do_syscall_64+0x38/0xb0 [ 46.424205][ T5027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 46.430597][ T5027] [ 46.430597][ T5027] -> #0 (&fi->i_sem){+.+.}-{3:3}: [ 46.437775][ T5027] __lock_acquire+0x2e3d/0x5de0 [ 46.443140][ T5027] lock_acquire+0x1ae/0x510 [ 46.448164][ T5027] down_write+0x93/0x200 [ 46.452930][ T5027] f2fs_add_inline_entry+0x300/0x6f0 [ 46.458712][ T5027] f2fs_add_dentry+0xa6/0x230 [ 46.464058][ T5027] f2fs_do_add_link+0x190/0x280 [ 46.469408][ T5027] f2fs_mkdir+0x377/0x620 [ 46.474248][ T5027] vfs_mkdir+0x532/0x7e0 [ 46.478987][ T5027] ovl_mkdir_real+0xb5/0x370 [ 46.484084][ T5027] ovl_workdir_create+0x3de/0x820 [ 46.489604][ T5027] ovl_fill_super+0xdab/0x6180 [ 46.494865][ T5027] vfs_get_super+0xf9/0x290 [ 46.499867][ T5027] vfs_get_tree+0x88/0x350 [ 46.504793][ T5027] path_mount+0x1492/0x1ed0 [ 46.509794][ T5027] __x64_sys_mount+0x293/0x310 [ 46.515052][ T5027] do_syscall_64+0x38/0xb0 [ 46.519966][ T5027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 46.526446][ T5027] [ 46.526446][ T5027] other info that might help us debug this: [ 46.526446][ T5027] [ 46.536650][ T5027] Possible unsafe locking scenario: [ 46.536650][ T5027] [ 46.544072][ T5027] CPU0 CPU1 [ 46.549434][ T5027] ---- ---- [ 46.554772][ T5027] rlock(&fi->i_xattr_sem); [ 46.559339][ T5027] lock(&fi->i_sem); [ 46.565815][ T5027] lock(&fi->i_xattr_sem); [ 46.572839][ T5027] lock(&fi->i_sem); [ 46.576816][ T5027] [ 46.576816][ T5027] *** DEADLOCK *** [ 46.576816][ T5027] [ 46.584930][ T5027] 5 locks held by syz-executor273/5027: [ 46.590449][ T5027] #0: ffff88807ce500e0 (&type->s_umount_key#42/1){+.+.}-{3:3}, at: alloc_super+0x22e/0xb40 [ 46.600519][ T5027] #1: ffff88807cd0a410 (sb_writers#9){.+.+}-{0:0}, at: ovl_fill_super+0xd7c/0x6180 [ 46.609893][ T5027] #2: ffff888077fe0150 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: ovl_workdir_create+0x13e/0x820 [ 46.620755][ T5027] #3: ffff8880209803b0 (&sbi->cp_rwsem){.+.+}-{3:3}, at: f2fs_mkdir+0x293/0x620 [ 46.629954][ T5027] #4: ffff888077fe07c8 (&fi->i_xattr_sem){.+.+}-{3:3}, at: f2fs_add_dentry+0x92/0x230 [ 46.639582][ T5027] [ 46.639582][ T5027] stack backtrace: [ 46.645442][ T5027] CPU: 0 PID: 5027 Comm: syz-executor273 Not tainted 6.5.0-rc5-syzkaller-00353-gae545c3283dc #0 [ 46.655827][ T5027] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 [ 46.665863][ T5027] Call Trace: [ 46.669122][ T5027] [ 46.672062][ T5027] dump_stack_lvl+0xd9/0x1b0 [ 46.676637][ T5027] check_noncircular+0x311/0x3f0 [ 46.681567][ T5027] ? print_circular_bug+0x750/0x750 [ 46.686744][ T5027] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 46.692706][ T5027] __lock_acquire+0x2e3d/0x5de0 [ 46.697642][ T5027] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 46.703601][ T5027] lock_acquire+0x1ae/0x510 [ 46.708088][ T5027] ? f2fs_add_inline_entry+0x300/0x6f0 [ 46.713524][ T5027] ? lock_sync+0x190/0x190 [ 46.717940][ T5027] ? __filemap_get_folio+0x1e7/0x990 [ 46.723221][ T5027] ? preempt_count_sub+0x150/0x150 [ 46.728318][ T5027] down_write+0x93/0x200 [ 46.732545][ T5027] ? f2fs_add_inline_entry+0x300/0x6f0 [ 46.737990][ T5027] ? down_write_killable_nested+0x250/0x250 [ 46.743866][ T5027] ? f2fs_room_for_filename+0xa6/0xc0 [ 46.749220][ T5027] f2fs_add_inline_entry+0x300/0x6f0 [ 46.754487][ T5027] ? f2fs_try_convert_inline_dir+0x3d0/0x3d0 [ 46.760447][ T5027] f2fs_add_dentry+0xa6/0x230 [ 46.765102][ T5027] f2fs_do_add_link+0x190/0x280 [ 46.769933][ T5027] ? f2fs_add_dentry+0x230/0x230 [ 46.774848][ T5027] ? f2fs_mkdir+0x11e/0x620 [ 46.779332][ T5027] ? f2fs_dquot_initialize+0x117/0x2f0 [ 46.784765][ T5027] f2fs_mkdir+0x377/0x620 [ 46.789161][ T5027] ? bpf_lsm_inode_mkdir+0x9/0x10 [ 46.794159][ T5027] ? security_inode_mkdir+0xdd/0x110 [ 46.799420][ T5027] vfs_mkdir+0x532/0x7e0 [ 46.803639][ T5027] ovl_mkdir_real+0xb5/0x370 [ 46.808212][ T5027] ovl_workdir_create+0x3de/0x820 [ 46.813297][ T5027] ? ovl_do_rename.constprop.0+0x270/0x270 [ 46.819077][ T5027] ? lock_sync+0x190/0x190 [ 46.823473][ T5027] ? __mnt_want_write+0x217/0x300 [ 46.828474][ T5027] ovl_fill_super+0xdab/0x6180 [ 46.833223][ T5027] ? ovl_check_layer.part.0+0x1b0/0x1b0 [ 46.838746][ T5027] ? reacquire_held_locks+0x4b0/0x4b0 [ 46.844107][ T5027] ? down_write+0x14f/0x200 [ 46.848606][ T5027] ? down_write_killable_nested+0x250/0x250 [ 46.854480][ T5027] ? up_write+0x1b3/0x510 [ 46.858795][ T5027] ? sget_fc+0x65f/0x860 [ 46.863021][ T5027] ? vfs_get_super+0xf9/0x290 [ 46.867684][ T5027] vfs_get_super+0xf9/0x290 [ 46.872168][ T5027] ? ovl_check_layer.part.0+0x1b0/0x1b0 [ 46.877695][ T5027] vfs_get_tree+0x88/0x350 [ 46.882088][ T5027] path_mount+0x1492/0x1ed0 [ 46.886568][ T5027] ? kmem_cache_free+0xf0/0x490 [ 46.891396][ T5027] ? finish_automount+0xa50/0xa50 [ 46.896398][ T5027] ? putname+0x101/0x140 [ 46.900617][ T5027] __x64_sys_mount+0x293/0x310 [ 46.905441][ T5027] ? copy_mnt_ns+0xb60/0xb60 [ 46.910006][ T5027] ? lockdep_hardirqs_on+0x7d/0x100 [ 46.915184][ T5027] ? _raw_spin_unlock_irq+0x2e/0x50 [ 46.920367][ T5027] ? ptrace_notify+0xf4/0x130 [ 46.925023][ T5027] do_syscall_64+0x38/0xb0 [ 46.929421][ T5027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 46.935303][ T5027] RIP: 0033:0x7f8564b88739 [ 46.939868][ T5027] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 46.959458][ T5027] RSP: 002b:00007ffe8112e1a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 mount(NULL, "./bus", "overlay", 0, "workdir=./file1,lowerdir=./file0,upperdir=./bus,index=on") = 0 exit_group(0) = ? +++ exited with 0 +++ [ 46.967848][ T5027] RAX: ffff