REISERFS (device loop1): journal params: device loop1, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 REISERFS (device loop1): checking transaction log (loop1) REISERFS (device loop1): Using r5 hash to sort names REISERFS (device loop1): Created .reiserfs_priv - reserved for xattr storage. ====================================================== WARNING: possible circular locking dependency detected 4.14.302-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.1/9539 is trying to acquire lock: (&journal->j_mutex){+.+.}, at: [] reiserfs_mutex_lock_safe fs/reiserfs/reiserfs.h:816 [inline] (&journal->j_mutex){+.+.}, at: [] lock_journal fs/reiserfs/journal.c:537 [inline] (&journal->j_mutex){+.+.}, at: [] do_journal_begin_r+0x26b/0xde0 fs/reiserfs/journal.c:3054 but task is already holding lock: (sb_writers#14){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline] (sb_writers#14){.+.+}, at: [] mnt_want_write_file+0xfd/0x3b0 fs/namespace.c:497 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (sb_writers#14){.+.+}: percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] __sb_start_write+0x64/0x260 fs/super.c:1342 sb_start_write include/linux/fs.h:1551 [inline] mnt_want_write_file+0xfd/0x3b0 fs/namespace.c:497 reiserfs_ioctl+0x18e/0x8b0 fs/reiserfs/ioctl.c:110 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 -> #1 (&sbi->lock){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 reiserfs_write_lock_nested+0x59/0xd0 fs/reiserfs/lock.c:78 reiserfs_mutex_lock_safe fs/reiserfs/reiserfs.h:817 [inline] lock_journal fs/reiserfs/journal.c:537 [inline] do_journal_begin_r+0x276/0xde0 fs/reiserfs/journal.c:3054 journal_begin+0x162/0x3d0 fs/reiserfs/journal.c:3262 reiserfs_fill_super+0x18f4/0x2990 fs/reiserfs/super.c:2117 mount_bdev+0x2b3/0x360 fs/super.c:1134 mount_fs+0x92/0x2a0 fs/super.c:1237 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046 vfs_kern_mount fs/namespace.c:1036 [inline] do_new_mount fs/namespace.c:2572 [inline] do_mount+0xe65/0x2a30 fs/namespace.c:2905 SYSC_mount fs/namespace.c:3121 [inline] SyS_mount+0xa8/0x120 fs/namespace.c:3098 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 -> #0 (&journal->j_mutex){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 reiserfs_mutex_lock_safe fs/reiserfs/reiserfs.h:816 [inline] lock_journal fs/reiserfs/journal.c:537 [inline] do_journal_begin_r+0x26b/0xde0 fs/reiserfs/journal.c:3054 journal_begin+0x162/0x3d0 fs/reiserfs/journal.c:3262 reiserfs_dirty_inode+0xd9/0x200 fs/reiserfs/super.c:716 __mark_inode_dirty+0x11e/0xf40 fs/fs-writeback.c:2134 mark_inode_dirty include/linux/fs.h:2026 [inline] reiserfs_ioctl+0x6f6/0x8b0 fs/reiserfs/ioctl.c:118 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 other info that might help us debug this: Chain exists of: &journal->j_mutex --> &sbi->lock --> sb_writers#14 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sb_writers#14); lock(&sbi->lock); lock(sb_writers#14); lock(&journal->j_mutex); *** DEADLOCK *** 1 lock held by syz-executor.1/9539: #0: (sb_writers#14){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline] #0: (sb_writers#14){.+.+}, at: [] mnt_want_write_file+0xfd/0x3b0 fs/namespace.c:497 stack backtrace: CPU: 1 PID: 9539 Comm: syz-executor.1 Not tainted 4.14.302-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 F2FS-fs (loop3): Wrong SIT boundary, start(1536) end(2560) blocks(63488) Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 F2FS-fs (loop3): Can't find valid F2FS filesystem in 2th superblock lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 F2FS-fs (loop3): Found nat_bits in checkpoint __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 reiserfs_mutex_lock_safe fs/reiserfs/reiserfs.h:816 [inline] lock_journal fs/reiserfs/journal.c:537 [inline] do_journal_begin_r+0x26b/0xde0 fs/reiserfs/journal.c:3054 journal_begin+0x162/0x3d0 fs/reiserfs/journal.c:3262 reiserfs_dirty_inode+0xd9/0x200 fs/reiserfs/super.c:716 __mark_inode_dirty+0x11e/0xf40 fs/fs-writeback.c:2134 mark_inode_dirty include/linux/fs.h:2026 [inline] reiserfs_ioctl+0x6f6/0x8b0 fs/reiserfs/ioctl.c:118 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 RIP: 0033:0x7fb98b8fd0d9 RSP: 002b:00007fb989e6f168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fb98ba1cf80 RCX: 00007fb98b8fd0d9 RDX: 0000000020000380 RSI: 0000000040087602 RDI: 0000000000000004 RBP: 00007fb98b958ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff4b77a2af R14: 00007fb989e6f300 R15: 0000000000022000 F2FS-fs (loop3): Try to recover 2th superblock, ret: 0 F2FS-fs (loop3): Mounted with checkpoint version = 753bd00b FAT-fs (loop0): Directory bread(block 196) failed FAT-fs (loop0): Directory bread(block 197) failed FAT-fs (loop0): Directory bread(block 198) failed FAT-fs (loop0): Directory bread(block 199) failed FAT-fs (loop0): Directory bread(block 200) failed FAT-fs (loop0): Directory bread(block 201) failed FAT-fs (loop0): Directory bread(block 202) failed FAT-fs (loop0): Directory bread(block 203) failed FAT-fs (loop0): mounting with "discard" option, but the device does not support discard netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'. device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state bridge0: port 2(bridge_slave_1) entered disabled state bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. device bond1 entered promiscuous mode device batadv1 entered promiscuous mode TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. ISO 9660 Extensions: Microsoft Joliet Level 3 ISOFS: changing to secondary root L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. XFS (loop4): Superblock has unknown read-only compatible features (0x8) enabled. XFS (loop4): Attempted to mount read-only compatible filesystem read-write. XFS (loop4): Filesystem can only be safely mounted read only. XFS (loop4): SB validate failed with error -22. audit: type=1800 audit(1671670009.479:2): pid=10245 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=14074 res=0 audit: type=1800 audit(1671670009.549:3): pid=10280 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=14074 res=0 TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. syz-executor.0 (10256) used greatest stack depth: 23472 bytes left