./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor392565478 <...> DUID 00:04:b0:cd:33:f9:4f:8a:55:45:4d:7b:3b:ee:3a:71:f0:8b forked to background, child pid 4659 [ 37.828306][ T4660] 8021q: adding VLAN 0 to HW filter on device bond0 [ 37.847690][ T4660] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.179' (ECDSA) to the list of known hosts. execve("./syz-executor392565478", ["./syz-executor392565478"], 0x7ffdaf9825c0 /* 10 vars */) = 0 brk(NULL) = 0x555555af3000 brk(0x555555af3c40) = 0x555555af3c40 arch_prctl(ARCH_SET_FS, 0x555555af3300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor392565478", 4096) = 27 brk(0x555555b14c40) = 0x555555b14c40 brk(0x555555b15000) = 0x555555b15000 mprotect(0x7ffa0faf1000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 memfd_create("syzkaller", 0) = 3 mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffa07637000 write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 munmap(0x7ffa07637000, 4194304) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 syzkaller login: [ 65.010346][ T4995] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4995 'syz-executor392' ioctl(4, LOOP_SET_FD, 3) = 0 close(3) = 0 mkdir("./file0", 0777) = 0 [ 65.066285][ T4995] loop0: detected capacity change from 0 to 8192 [ 65.078898][ T4995] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 65.092001][ T4995] REISERFS (device loop0): found reiserfs format "3.5" with non-standard journal [ 65.101567][ T4995] REISERFS (device loop0): using ordered data mode [ 65.108230][ T4995] reiserfs: using flush barriers mount("/dev/loop0", "./file0", "reiserfs", MS_RDONLY|MS_DIRSYNC|MS_REC|MS_SILENT|MS_RELATIME|MS_STRICTATIME, "") = 0 openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 chdir("./file0") = 0 ioctl(4, LOOP_CLR_FD) = 0 close(4) = 0 mkdir(".", 0777) = -1 EEXIST (File exists) [ 65.114491][ T4995] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 65.131208][ T4995] REISERFS (device loop0): checking transaction log (loop0) [ 65.140509][ T4995] REISERFS (device loop0): Using r5 hash to sort names [ 65.154558][ T4995] reiserfs: enabling write barrier flush mode mount(NULL, ".", 0x200000c0, MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_DIRSYNC|MS_NOATIME|MS_NODIRATIME|MS_SILENT|MS_UNBINDABLE|MS_PRIVATE|MS_RELATIME|MS_I_VERSION|MS_STRICTATIME, "") = 0 openat(AT_FDCWD, ".", O_RDONLY|O_DIRECTORY) = 4 chdir(".") = 0 openat(AT_FDCWD, ".", O_RDONLY) = 5 ioctl(5, FS_IOC_SETVERSION, 0) = -1 EFAULT (Bad address) [ 65.167201][ T4995] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [ 65.182248][ T4995] [ 65.184622][ T4995] ====================================================== [ 65.191657][ T4995] WARNING: possible circular locking dependency detected [ 65.198671][ T4995] 6.4.0-rc3-syzkaller-00032-g933174ae28ba #0 Not tainted [ 65.205680][ T4995] ------------------------------------------------------ [ 65.212689][ T4995] syz-executor392/4995 is trying to acquire lock: [ 65.219095][ T4995] ffff888022309090 (&sbi->lock){+.+.}-{3:3}, at: reiserfs_write_lock+0x7a/0xd0 [ 65.228086][ T4995] [ 65.228086][ T4995] but task is already holding lock: [ 65.235442][ T4995] ffff8880759902e0 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: do_unlinkat+0x26a/0x950 [ 65.245290][ T4995] [ 65.245290][ T4995] which lock already depends on the new lock. [ 65.245290][ T4995] [ 65.255687][ T4995] [ 65.255687][ T4995] the existing dependency chain (in reverse order) is: [ 65.264695][ T4995] [ 65.264695][ T4995] -> #2 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}: [ 65.273318][ T4995] lock_acquire+0x1e3/0x520 [ 65.278355][ T4995] down_write_nested+0x3d/0x50 [ 65.283650][ T4995] do_unlinkat+0x26a/0x950 [ 65.288596][ T4995] __x64_sys_unlinkat+0xce/0xf0 [ 65.293971][ T4995] do_syscall_64+0x41/0xc0 [ 65.298927][ T4995] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 65.305342][ T4995] [ 65.305342][ T4995] -> #1 (sb_writers#9){.+.+}-{0:0}: [ 65.312737][ T4995] lock_acquire+0x1e3/0x520 [ 65.317766][ T4995] sb_start_write+0x4d/0x1c0 [ 65.322877][ T4995] mnt_want_write_file+0x5e/0x1f0 [ 65.328422][ T4995] reiserfs_ioctl+0x174/0x340 [ 65.333622][ T4995] __se_sys_ioctl+0xf1/0x160 [ 65.338736][ T4995] do_syscall_64+0x41/0xc0 [ 65.343680][ T4995] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 65.350095][ T4995] [ 65.350095][ T4995] -> #0 (&sbi->lock){+.+.}-{3:3}: [ 65.357323][ T4995] validate_chain+0x166b/0x58e0 [ 65.362702][ T4995] __lock_acquire+0x1295/0x2000 [ 65.368180][ T4995] lock_acquire+0x1e3/0x520 [ 65.373207][ T4995] __mutex_lock_common+0x1d8/0x2530 [ 65.378955][ T4995] mutex_lock_nested+0x1b/0x20 [ 65.384244][ T4995] reiserfs_write_lock+0x7a/0xd0 [ 65.389726][ T4995] reiserfs_lookup+0x162/0x580 [ 65.395011][ T4995] lookup_one_qstr_excl+0x11b/0x250 [ 65.400732][ T4995] do_unlinkat+0x298/0x950 [ 65.405672][ T4995] __x64_sys_unlinkat+0xce/0xf0 [ 65.411049][ T4995] do_syscall_64+0x41/0xc0 [ 65.415997][ T4995] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 65.422414][ T4995] [ 65.422414][ T4995] other info that might help us debug this: [ 65.422414][ T4995] [ 65.432636][ T4995] Chain exists of: [ 65.432636][ T4995] &sbi->lock --> sb_writers#9 --> &type->i_mutex_dir_key#6/1 [ 65.432636][ T4995] [ 65.445955][ T4995] Possible unsafe locking scenario: [ 65.445955][ T4995] [ 65.453400][ T4995] CPU0 CPU1 [ 65.458764][ T4995] ---- ---- [ 65.464127][ T4995] lock(&type->i_mutex_dir_key#6/1); [ 65.469512][ T4995] lock(sb_writers#9); [ 65.476190][ T4995] lock(&type->i_mutex_dir_key#6/1); [ 65.484093][ T4995] lock(&sbi->lock); [ 65.488076][ T4995] [ 65.488076][ T4995] *** DEADLOCK *** [ 65.488076][ T4995] [ 65.496215][ T4995] 2 locks held by syz-executor392/4995: [ 65.501756][ T4995] #0: ffff88807d18c460 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 [ 65.510911][ T4995] #1: ffff8880759902e0 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: do_unlinkat+0x26a/0x950 [ 65.521200][ T4995] [ 65.521200][ T4995] stack backtrace: [ 65.527083][ T4995] CPU: 0 PID: 4995 Comm: syz-executor392 Not tainted 6.4.0-rc3-syzkaller-00032-g933174ae28ba #0 [ 65.537505][ T4995] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/16/2023 [ 65.547558][ T4995] Call Trace: [ 65.550842][ T4995] [ 65.553774][ T4995] dump_stack_lvl+0x1e7/0x2d0 [ 65.558474][ T4995] ? nf_tcp_handle_invalid+0x650/0x650 [ 65.563944][ T4995] ? print_circular_bug+0x12b/0x1a0 [ 65.569152][ T4995] check_noncircular+0x2fe/0x3b0 [ 65.574103][ T4995] ? add_chain_block+0x850/0x850 [ 65.579049][ T4995] ? lockdep_lock+0x123/0x2b0 [ 65.583737][ T4995] ? deref_stack_reg+0x17c/0x210 [ 65.588676][ T4995] ? __lock_acquire+0x2000/0x2000 [ 65.593706][ T4995] ? _find_first_zero_bit+0xd4/0x100 [ 65.598994][ T4995] validate_chain+0x166b/0x58e0 [ 65.603864][ T4995] ? kernel_text_address+0xa3/0xe0 [ 65.608985][ T4995] ? unwind_get_return_address+0x4d/0x90 [ 65.614621][ T4995] ? reacquire_held_locks+0x660/0x660 [ 65.619999][ T4995] ? arch_stack_walk+0xf7/0x140 [ 65.624860][ T4995] ? stack_trace_save+0x117/0x1c0 [ 65.629893][ T4995] ? stack_trace_snprint+0xf0/0xf0 [ 65.635012][ T4995] ? check_noncircular+0x1e7/0x3b0 [ 65.640138][ T4995] ? mark_lock+0x9a/0x340 [ 65.644475][ T4995] __lock_acquire+0x1295/0x2000 [ 65.649340][ T4995] lock_acquire+0x1e3/0x520 [ 65.653861][ T4995] ? reiserfs_write_lock+0x7a/0xd0 [ 65.658985][ T4995] ? read_lock_is_recursive+0x20/0x20 [ 65.664366][ T4995] ? __might_sleep+0xc0/0xc0 [ 65.668963][ T4995] ? reacquire_held_locks+0x660/0x660 [ 65.674346][ T4995] __mutex_lock_common+0x1d8/0x2530 [ 65.679560][ T4995] ? reiserfs_write_lock+0x7a/0xd0 [ 65.684676][ T4995] ? __d_alloc+0x31/0x710 [ 65.689006][ T4995] ? do_unlinkat+0x298/0x950 [ 65.693602][ T4995] ? reiserfs_write_lock+0x7a/0xd0 [ 65.698720][ T4995] ? mutex_lock_io_nested+0x60/0x60 [ 65.703929][ T4995] ? __lock_acquire+0x1295/0x2000 [ 65.708967][ T4995] mutex_lock_nested+0x1b/0x20 [ 65.713737][ T4995] reiserfs_write_lock+0x7a/0xd0 [ 65.718680][ T4995] reiserfs_lookup+0x162/0x580 [ 65.723448][ T4995] ? reiserfs_init_priv_inode+0x150/0x150 [ 65.729184][ T4995] ? __lock_acquire+0x2000/0x2000 [ 65.734212][ T4995] ? do_raw_spin_lock+0x14d/0x3a0 [ 65.739247][ T4995] ? rcu_is_watching+0x15/0xb0 [ 65.744021][ T4995] ? _raw_spin_unlock+0x28/0x40 [ 65.748874][ T4995] ? d_alloc+0x198/0x1d0 [ 65.753120][ T4995] lookup_one_qstr_excl+0x11b/0x250 [ 65.758340][ T4995] do_unlinkat+0x298/0x950 [ 65.762872][ T4995] ? fsnotify_link_count+0xf0/0xf0 [ 65.768022][ T4995] ? strncpy_from_user+0x1a5/0x2e0 [ 65.773151][ T4995] ? syscall_enter_from_user_mode+0x32/0x230 [ 65.779145][ T4995] __x64_sys_unlinkat+0xce/0xf0 [ 65.784006][ T4995] do_syscall_64+0x41/0xc0 [ 65.788439][ T4995] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 65.794350][ T4995] RIP: 0033:0x7ffa0fa838f9 [ 65.798769][ T4995] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 unlinkat(5, "./file0", 0) = -1 ENOENT (No such file or directory) exit_group(0) = ? +++ exited with 0 +++ [ 65.818385][ T4995]