./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2768635517 <...> Warning: Permanently added '10.128.0.81' (ED25519) to the list of known hosts. execve("./syz-executor2768635517", ["./syz-executor2768635517"], 0x7ffd3d640c20 /* 10 vars */) = 0 brk(NULL) = 0x555557384000 brk(0x555557384d00) = 0x555557384d00 arch_prctl(ARCH_SET_FS, 0x555557384380) = 0 set_tid_address(0x555557384650) = 5024 set_robust_list(0x555557384660, 24) = 0 rseq(0x555557384ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2768635517", 4096) = 28 getrandom("\xe2\xc4\xba\xa7\x6c\xb8\x92\x97", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555557384d00 brk(0x5555573a5d00) = 0x5555573a5d00 brk(0x5555573a6000) = 0x5555573a6000 mprotect(0x7fc667f06000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc65fa51000 [ 40.684456][ T5024] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5024 'syz-executor276' write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 20699119) = 20699119 munmap(0x7fc65fa51000, 20699119) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./bus", 0777) = 0 [ 40.811774][ T5024] loop0: detected capacity change from 0 to 40427 [ 40.822777][ T5024] F2FS-fs (loop0): Invalid log_blocksize (268), supports only 12 [ 40.830627][ T5024] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock [ 40.843105][ T5024] F2FS-fs (loop0): Found nat_bits in checkpoint mount("/dev/loop0", "./bus", "f2fs", 0, "nobarrier,quota,noflush_merge,quota,flush_merge,nodiscard,active_logs=4,noextent_cache,user_xattr,ac"...) = 0 openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3 chdir("./bus") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT|O_TRUNC|O_NONBLOCK|O_SYNC|FASYNC, 000) = 4 [ 40.868500][ T5024] F2FS-fs (loop0): Try to recover 1th superblock, ret: 0 [ 40.875679][ T5024] F2FS-fs (loop0): Mounted with checkpoint version = 48b305e5 [ 40.890811][ T5024] [ 40.893164][ T5024] ====================================================== [ 40.900196][ T5024] WARNING: possible circular locking dependency detected [ 40.907220][ T5024] 6.5.0-rc1-syzkaller-00152-g4b810bf037e5 #0 Not tainted [ 40.914220][ T5024] ------------------------------------------------------ [ 40.921220][ T5024] syz-executor276/5024 is trying to acquire lock: [ 40.927620][ T5024] ffff888074e310a0 (&fi->i_xattr_sem){.+.+}-{3:3}, at: f2fs_getxattr+0xb1e/0x12c0 [ 40.936825][ T5024] [ 40.936825][ T5024] but task is already holding lock: [ 40.944163][ T5024] ffff888074e31fb0 (&fi->i_sem){+.+.}-{3:3}, at: f2fs_do_tmpfile+0x22/0x1d0 [ 40.952843][ T5024] [ 40.952843][ T5024] which lock already depends on the new lock. [ 40.952843][ T5024] [ 40.963219][ T5024] [ 40.963219][ T5024] the existing dependency chain (in reverse order) is: [ 40.972213][ T5024] [ 40.972213][ T5024] -> #1 (&fi->i_sem){+.+.}-{3:3}: [ 40.979410][ T5024] down_write+0x93/0x200 [ 40.984164][ T5024] f2fs_add_inline_entry+0x300/0x6f0 [ 40.989952][ T5024] f2fs_add_dentry+0xa6/0x230 [ 40.995134][ T5024] f2fs_do_add_link+0x190/0x280 [ 41.000485][ T5024] f2fs_create+0x3b3/0x650 [ 41.005401][ T5024] lookup_open.isra.0+0x1049/0x1360 [ 41.011097][ T5024] path_openat+0x931/0x29c0 [ 41.016131][ T5024] do_filp_open+0x1de/0x430 [ 41.021225][ T5024] do_sys_openat2+0x176/0x1e0 [ 41.026406][ T5024] __x64_sys_openat+0x175/0x210 [ 41.031757][ T5024] do_syscall_64+0x38/0xb0 [ 41.036699][ T5024] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 41.043106][ T5024] [ 41.043106][ T5024] -> #0 (&fi->i_xattr_sem){.+.+}-{3:3}: [ 41.050933][ T5024] __lock_acquire+0x2e3d/0x5de0 [ 41.056296][ T5024] lock_acquire+0x1ae/0x510 [ 41.061308][ T5024] down_read+0x9c/0x470 [ 41.065975][ T5024] f2fs_getxattr+0xb1e/0x12c0 [ 41.071171][ T5024] __f2fs_get_acl+0x5a/0x900 [ 41.076268][ T5024] f2fs_init_acl+0x15c/0xb30 [ 41.081392][ T5024] f2fs_init_inode_metadata+0x159/0x1290 [ 41.087531][ T5024] f2fs_do_tmpfile+0x31/0x1d0 [ 41.092730][ T5024] __f2fs_tmpfile+0x1e6/0x460 [ 41.097918][ T5024] f2fs_ioc_start_atomic_write+0xc8e/0x1270 [ 41.104419][ T5024] __f2fs_ioctl+0x24f5/0xa0f0 [ 41.109600][ T5024] f2fs_ioctl+0x192/0x220 [ 41.114439][ T5024] __x64_sys_ioctl+0x18f/0x210 [ 41.119709][ T5024] do_syscall_64+0x38/0xb0 [ 41.124632][ T5024] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 41.131050][ T5024] [ 41.131050][ T5024] other info that might help us debug this: [ 41.131050][ T5024] [ 41.141294][ T5024] Possible unsafe locking scenario: [ 41.141294][ T5024] [ 41.148749][ T5024] CPU0 CPU1 [ 41.154092][ T5024] ---- ---- [ 41.159612][ T5024] lock(&fi->i_sem); [ 41.163669][ T5024] lock(&fi->i_xattr_sem); [ 41.170670][ T5024] lock(&fi->i_sem); [ 41.177161][ T5024] rlock(&fi->i_xattr_sem); [ 41.181727][ T5024] [ 41.181727][ T5024] *** DEADLOCK *** [ 41.181727][ T5024] [ 41.189848][ T5024] 5 locks held by syz-executor276/5024: [ 41.195399][ T5024] #0: ffff888029f64410 (sb_writers#9){.+.+}-{0:0}, at: f2fs_ioc_start_atomic_write+0x1b1/0x1270 [ 41.205920][ T5024] #1: ffff888074e31300 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}, at: f2fs_ioc_start_atomic_write+0x1f2/0x1270 [ 41.217986][ T5024] #2: ffff888074e318e0 (&fi->i_gc_rwsem[WRITE]){+.+.}-{3:3}, at: f2fs_ioc_start_atomic_write+0x2ee/0x1270 [ 41.229387][ T5024] #3: ffff888021f383b0 (&sbi->cp_rwsem){.+.+}-{3:3}, at: __f2fs_tmpfile+0x1bb/0x460 [ 41.238946][ T5024] #4: ffff888074e31fb0 (&fi->i_sem){+.+.}-{3:3}, at: f2fs_do_tmpfile+0x22/0x1d0 [ 41.248062][ T5024] [ 41.248062][ T5024] stack backtrace: [ 41.253925][ T5024] CPU: 0 PID: 5024 Comm: syz-executor276 Not tainted 6.5.0-rc1-syzkaller-00152-g4b810bf037e5 #0 [ 41.264319][ T5024] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 [ 41.274360][ T5024] Call Trace: [ 41.277624][ T5024] [ 41.280535][ T5024] dump_stack_lvl+0xd9/0x1b0 [ 41.285203][ T5024] check_noncircular+0x311/0x3f0 [ 41.290131][ T5024] ? print_circular_bug+0x750/0x750 [ 41.295322][ T5024] ? kasan_save_stack+0x43/0x50 [ 41.300162][ T5024] __lock_acquire+0x2e3d/0x5de0 [ 41.305001][ T5024] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 41.310978][ T5024] ? mark_lock+0x105/0x1950 [ 41.315472][ T5024] ? print_usage_bug.part.0+0x670/0x670 [ 41.321005][ T5024] ? mark_lock+0x105/0x1950 [ 41.325501][ T5024] lock_acquire+0x1ae/0x510 [ 41.329993][ T5024] ? f2fs_getxattr+0xb1e/0x12c0 [ 41.334828][ T5024] ? lock_sync+0x190/0x190 [ 41.339231][ T5024] ? preempt_count_sub+0x150/0x150 [ 41.344335][ T5024] ? reacquire_held_locks+0x4b0/0x4b0 [ 41.349699][ T5024] down_read+0x9c/0x470 [ 41.353865][ T5024] ? f2fs_getxattr+0xb1e/0x12c0 [ 41.358700][ T5024] ? down_write+0x200/0x200 [ 41.363191][ T5024] ? percpu_counter_add_batch+0x112/0x1f0 [ 41.368905][ T5024] ? lockdep_hardirqs_on+0x7d/0x100 [ 41.374096][ T5024] f2fs_getxattr+0xb1e/0x12c0 [ 41.378762][ T5024] ? f2fs_init_security+0x40/0x40 [ 41.383773][ T5024] __f2fs_get_acl+0x5a/0x900 [ 41.388348][ T5024] ? f2fs_new_node_page+0xe50/0xe50 [ 41.393529][ T5024] f2fs_init_acl+0x15c/0xb30 [ 41.398102][ T5024] ? lock_sync+0x190/0x190 [ 41.402504][ T5024] f2fs_init_inode_metadata+0x159/0x1290 [ 41.408121][ T5024] ? preempt_count_sub+0x150/0x150 [ 41.413221][ T5024] ? f2fs_do_make_empty_dir+0x1d0/0x1d0 [ 41.418750][ T5024] ? down_write+0x14f/0x200 [ 41.423239][ T5024] ? down_write_killable_nested+0x250/0x250 [ 41.429119][ T5024] ? do_raw_spin_unlock+0x173/0x230 [ 41.434311][ T5024] f2fs_do_tmpfile+0x31/0x1d0 [ 41.438971][ T5024] __f2fs_tmpfile+0x1e6/0x460 [ 41.443630][ T5024] f2fs_ioc_start_atomic_write+0xc8e/0x1270 [ 41.449506][ T5024] ? tomoyo_path_number_perm+0x220/0x590 [ 41.455127][ T5024] __f2fs_ioctl+0x24f5/0xa0f0 [ 41.459790][ T5024] ? tomoyo_path_number_perm+0x190/0x590 [ 41.465426][ T5024] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 41.471222][ T5024] ? lock_acquire+0x1ae/0x510 [ 41.475888][ T5024] ? f2fs_precache_extents+0x230/0x230 [ 41.481332][ T5024] ? do_vfs_ioctl+0x379/0x1910 [ 41.486090][ T5024] ? vfs_fileattr_set+0xbf0/0xbf0 [ 41.491107][ T5024] ? find_held_lock+0x2d/0x110 [ 41.495857][ T5024] f2fs_ioctl+0x192/0x220 [ 41.500182][ T5024] ? __f2fs_ioctl+0xa0f0/0xa0f0 [ 41.505107][ T5024] __x64_sys_ioctl+0x18f/0x210 [ 41.509866][ T5024] do_syscall_64+0x38/0xb0 [ 41.514318][ T5024] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 41.520424][ T5024] RIP: 0033:0x7fc667e8e7b9 [ 41.524817][ T5024] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 41.544413][ T5024] RSP: 002b:00007ffc355c81d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 41.552812][ T5024] RAX: ffffffffffffffda RBX: 00007ffc355c83a8 RCX: 00007fc667e8e7b9 [ 41.560774][ T5024] RDX: 0000000000000000 RSI: 000000000000f501 RDI: 0000000000000004 ioctl(4, F2FS_IOC_START_ATOMIC_WRITE, 0) = 0 exit_group(0) = ? +++ exited with 0 +++ [ 41.568752][ T5024] RBP: 00007fc6