./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4125843178 <...>
forked to background, child pid 4668
[ 21.694812][ T4669] 8021q: adding VLAN 0 to HW filter on device bond0
[ 21.704412][ T4669] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: [ 21.941971][ T4743] sshd (4743) used greatest stack depth: 22632 bytes left
OK
syzkaller
Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
execve("./syz-executor4125843178", ["./syz-executor4125843178"], 0x7ffd30e53e60 /* 10 vars */) = 0
brk(NULL) = 0x555556111000
brk(0x555556111c40) = 0x555556111c40
arch_prctl(ARCH_SET_FS, 0x555556111300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor4125843178", 4096) = 28
brk(0x555556132c40) = 0x555556132c40
brk(0x555556133000) = 0x555556133000
mprotect(0x7f7593870000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
memfd_create("syzkaller", 0) = 3
mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f758b3b6000
write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304
munmap(0x7f758b3b6000, 4194304) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
ioctl(4, LOOP_SET_FD, 3) = 0
close(3) = 0
mkdir("./file0", 0777) = 0
syzkaller login: [ 43.160465][ T5000] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=5000 'syz-executor412'
[ 43.197540][ T5000] loop0: detected capacity change from 0 to 8192
[ 43.208809][ T5000] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025
[ 43.222221][ T5000] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal
[ 43.231619][ T5000] REISERFS (device loop0): using ordered data mode
[ 43.238294][ T5000] reiserfs: using flush barriers
[ 43.245037][ T5000] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_DIRSYNC|MS_REC|MS_SILENT|MS_RELATIME|MS_STRICTATIME, "") = 0
openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
chdir("./file0") = 0
ioctl(4, LOOP_CLR_FD) = 0
close(4) = 0
mkdir(".", 0777) = -1 EEXIST (File exists)
mount(NULL, ".", 0x200000c0, MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_DIRSYNC|MS_NOATIME|MS_NODIRATIME|MS_SILENT|MS_UNBINDABLE|MS_PRIVATE|MS_RELATIME|MS_I_VERSION|MS_STRICTATIME, "") = 0
openat(AT_FDCWD, ".", O_RDONLY|O_DIRECTORY) = 4
chdir(".") = 0
openat(AT_FDCWD, ".", O_RDONLY) = 5
ioctl(5, FS_IOC_SETVERSION, 0) = -1 EFAULT (Bad address)
[ 43.261621][ T5000] REISERFS (device loop0): checking transaction log (loop0)
[ 43.271160][ T5000] REISERFS (device loop0): Using r5 hash to sort names
[ 43.282816][ T5000] reiserfs: enabling write barrier flush mode
[ 43.294810][ T5000] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
[ 43.308733][ T5000]
[ 43.311088][ T5000] ======================================================
[ 43.318129][ T5000] WARNING: possible circular locking dependency detected
[ 43.325127][ T5000] 6.4.0-syzkaller-00082-gc0a572d9d32f #0 Not tainted
[ 43.331811][ T5000] ------------------------------------------------------
[ 43.338809][ T5000] syz-executor412/5000 is trying to acquire lock:
[ 43.345198][ T5000] ffff888014ee3090 (&sbi->lock){+.+.}-{3:3}, at: reiserfs_write_lock+0x79/0x100
[ 43.354269][ T5000]
[ 43.354269][ T5000] but task is already holding lock:
[ 43.361639][ T5000] ffff888076eb82e0 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: do_unlinkat+0x280/0x680
[ 43.371479][ T5000]
[ 43.371479][ T5000] which lock already depends on the new lock.
[ 43.371479][ T5000]
[ 43.381870][ T5000]
[ 43.381870][ T5000] the existing dependency chain (in reverse order) is:
[ 43.390865][ T5000]
[ 43.390865][ T5000] -> #2 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}:
[ 43.399448][ T5000]        down_write_nested+0x96/0x200
[ 43.404832][ T5000]        do_unlinkat+0x280/0x680
[ 43.409756][ T5000]        __x64_sys_unlinkat+0xc1/0x130
[ 43.415202][ T5000]        do_syscall_64+0x39/0xb0
[ 43.420179][ T5000]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 43.426645][ T5000]
[ 43.426645][ T5000] -> #1 (sb_writers#9){.+.+}-{0:0}:
[ 43.434024][ T5000]        mnt_want_write_file+0x98/0x5d0
[ 43.439604][ T5000]        reiserfs_ioctl+0x1a8/0x330
[ 43.444821][ T5000]        __x64_sys_ioctl+0x19d/0x210
[ 43.450130][ T5000]        do_syscall_64+0x39/0xb0
[ 43.455057][ T5000]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 43.461491][ T5000]
[ 43.461491][ T5000] -> #0 (&sbi->lock){+.+.}-{3:3}:
[ 43.468680][ T5000]        __lock_acquire+0x2fcd/0x5f30
[ 43.474060][ T5000]        lock_acquire+0x1b1/0x520
[ 43.479068][ T5000]        __mutex_lock+0x12f/0x1350
[ 43.484161][ T5000]        reiserfs_write_lock+0x79/0x100
[ 43.489687][ T5000]        reiserfs_lookup+0x175/0x610
[ 43.494954][ T5000]        lookup_one_qstr_excl+0x11b/0x180
[ 43.500657][ T5000]        do_unlinkat+0x298/0x680
[ 43.505578][ T5000]        __x64_sys_unlinkat+0xc1/0x130
[ 43.511037][ T5000]        do_syscall_64+0x39/0xb0
[ 43.515997][ T5000]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 43.522415][ T5000]
[ 43.522415][ T5000] other info that might help us debug this:
[ 43.522415][ T5000]
[ 43.532639][ T5000] Chain exists of:
[ 43.532639][ T5000]   &sbi->lock --> sb_writers#9 --> &type->i_mutex_dir_key#6/1
[ 43.532639][ T5000]
[ 43.545913][ T5000]  Possible unsafe locking scenario:
[ 43.545913][ T5000]
[ 43.553336][ T5000]        CPU0                    CPU1
[ 43.558677][ T5000]        ----                    ----
[ 43.564015][ T5000]   lock(&type->i_mutex_dir_key#6/1);
[ 43.569374][ T5000]                                lock(sb_writers#9);
[ 43.576035][ T5000]                                lock(&type->i_mutex_dir_key#6/1);
[ 43.583907][ T5000]   lock(&sbi->lock);
[ 43.587888][ T5000]
[ 43.587888][ T5000]  *** DEADLOCK ***
[ 43.587888][ T5000]
[ 43.596009][ T5000] 2 locks held by syz-executor412/5000:
[ 43.601525][ T5000]  #0: ffff888078e96460 (sb_writers#9){.+.+}-{0:0}, at: do_unlinkat+0x190/0x680
[ 43.610559][ T5000]  #1: ffff888076eb82e0 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: do_unlinkat+0x280/0x680
[ 43.620811][ T5000]
[ 43.620811][ T5000] stack backtrace:
[ 43.626676][ T5000] CPU: 1 PID: 5000 Comm: syz-executor412 Not tainted 6.4.0-syzkaller-00082-gc0a572d9d32f #0
[ 43.636720][ T5000] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[ 43.646752][ T5000] Call Trace:
[ 43.650011][ T5000]
[ 43.652918][ T5000]  dump_stack_lvl+0xd9/0x150
[ 43.657489][ T5000]  check_noncircular+0x25f/0x2e0
[ 43.662408][ T5000]  ? print_circular_bug+0x730/0x730
[ 43.667589][ T5000]  ? _find_first_zero_bit+0x94/0xb0
[ 43.672770][ T5000]  ? __free_zapped_classes+0x300/0x300
[ 43.678210][ T5000]  __lock_acquire+0x2fcd/0x5f30
[ 43.683043][ T5000]  ? unwind_next_frame+0xdf3/0x1e30
[ 43.688221][ T5000]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 43.694186][ T5000]  ? is_bpf_text_address+0x9d/0x1b0
[ 43.699369][ T5000]  ? kernel_text_address+0x3d/0x80
[ 43.704467][ T5000]  lock_acquire+0x1b1/0x520
[ 43.708964][ T5000]  ? reiserfs_write_lock+0x79/0x100
[ 43.714151][ T5000]  ? lock_sync+0x190/0x190
[ 43.718561][ T5000]  __mutex_lock+0x12f/0x1350
[ 43.723139][ T5000]  ? reiserfs_write_lock+0x79/0x100
[ 43.728319][ T5000]  ? save_trace+0x3f/0xb20
[ 43.732720][ T5000]  ? _find_first_zero_bit+0x94/0xb0
[ 43.737900][ T5000]  ? reiserfs_write_lock+0x79/0x100
[ 43.743080][ T5000]  ? mutex_lock_io_nested+0x11a0/0x11a0
[ 43.748609][ T5000]  ? __lock_acquire+0x28bf/0x5f30
[ 43.753618][ T5000]  reiserfs_write_lock+0x79/0x100
[ 43.758628][ T5000]  reiserfs_lookup+0x175/0x610
[ 43.763370][ T5000]  ? reiserfs_unlink+0x760/0x760
[ 43.768287][ T5000]  ? find_held_lock+0x2d/0x110
[ 43.773030][ T5000]  ? d_alloc+0x1bb/0x240
[ 43.777254][ T5000]  ? do_raw_spin_unlock+0x175/0x230
[ 43.782432][ T5000]  ? _raw_spin_unlock+0x28/0x40
[ 43.787266][ T5000]  ? d_alloc+0x1c0/0x240
[ 43.791489][ T5000]  lookup_one_qstr_excl+0x11b/0x180
[ 43.796666][ T5000]  ? mnt_want_write+0x15b/0x420
[ 43.801524][ T5000]  do_unlinkat+0x298/0x680
[ 43.805924][ T5000]  ? __ia32_sys_rmdir+0x110/0x110
[ 43.810926][ T5000]  ? getname_flags.part.0+0x1dd/0x4f0
[ 43.816280][ T5000]  __x64_sys_unlinkat+0xc1/0x130
[ 43.821198][ T5000]  do_syscall_64+0x39/0xb0
[ 43.825594][ T5000]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 43.831510][ T5000] RIP: 0033:0x7f75938028f9
[ 43.835905][ T5000] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 43.855497][ T5000] RSP: 002b:00007ffe67d53328 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
unlinkat(5, "./file0", 0) = -1 ENOENT (No such file or directory)
exit_group(0) = ?
+++ exited with 0 +++
[ 4