netlink: 'syz-executor.4': attribute type 4 has an invalid length.
netlink: 'syz-executor.1': attribute type 4 has an invalid length.
audit: type=1804 audit(1672821540.770:412): pid=29150 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir4210162367/syzkaller.po3tOW/538/file0/bus" dev="loop3" ino=4 res=1
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/29150 is trying to acquire lock:
0000000001cc7d79 (&type->i_mutex_dir_key#12/3){+.+.}, at: inode_lock_nested include/linux/fs.h:783 [inline]
0000000001cc7d79 (&type->i_mutex_dir_key#12/3){+.+.}, at: open_xa_root fs/reiserfs/xattr.c:127 [inline]
0000000001cc7d79 (&type->i_mutex_dir_key#12/3){+.+.}, at: open_xa_dir+0x127/0x690 fs/reiserfs/xattr.c:152

but task is already holding lock:
00000000292fbef6 (&sb->s_type->i_mutex_key#28){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
00000000292fbef6 (&sb->s_type->i_mutex_key#28){+.+.}, at: chmod_common+0x14b/0x3f0 fs/open.c:554

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&sb->s_type->i_mutex_key#28){+.+.}:
       inode_lock include/linux/fs.h:748 [inline]
       lock_two_nondirectories+0xec/0x110 fs/inode.c:1015
       vfs_rename+0x3cb/0x1bc0 fs/namei.c:4453
       do_renameat2+0xb59/0xc70 fs/namei.c:4629
       __do_sys_renameat2 fs/namei.c:4664 [inline]
       __se_sys_renameat2 fs/namei.c:4661 [inline]
       __x64_sys_renameat2+0xba/0x150 fs/namei.c:4661
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&type->i_mutex_dir_key#12/2){+.+.}:
       inode_lock_nested include/linux/fs.h:783 [inline]
       xattr_rmdir fs/reiserfs/xattr.c:106 [inline]
       delete_one_xattr+0x13d/0x2d0 fs/reiserfs/xattr.c:338
       reiserfs_for_each_xattr+0x6e4/0x920 fs/reiserfs/xattr.c:311
       reiserfs_delete_xattrs+0x1c/0x90 fs/reiserfs/xattr.c:364
       reiserfs_evict_inode+0x2e3/0x540 fs/reiserfs/inode.c:53
       evict+0x2ed/0x760 fs/inode.c:559
       iput_final fs/inode.c:1555 [inline]
       iput+0x4f1/0x860 fs/inode.c:1581
       dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
       d_delete+0x210/0x280 fs/dcache.c:2372
       vfs_rmdir.part.0+0x28a/0x3d0 fs/namei.c:3895
       vfs_rmdir fs/namei.c:3868 [inline]
       do_rmdir+0x3fd/0x490 fs/namei.c:3943
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&type->i_mutex_dir_key#12/3){+.+.}:
       down_write_nested+0x36/0x90 kernel/locking/rwsem.c:192
       inode_lock_nested include/linux/fs.h:783 [inline]
       open_xa_root fs/reiserfs/xattr.c:127 [inline]
       open_xa_dir+0x127/0x690 fs/reiserfs/xattr.c:152
       xattr_lookup+0x21/0x3c0 fs/reiserfs/xattr.c:395
       reiserfs_xattr_get+0x127/0xa50 fs/reiserfs/xattr.c:675
       reiserfs_get_acl+0x57/0x610 fs/reiserfs/xattr_acl.c:209
       get_acl.part.0+0xcd/0x1f0 fs/posix_acl.c:140
       get_acl fs/posix_acl.c:111 [inline]
       posix_acl_chmod fs/posix_acl.c:564 [inline]
       posix_acl_chmod+0x1b6/0x380 fs/posix_acl.c:554
       reiserfs_acl_chmod+0x158/0x1c0 fs/reiserfs/xattr_acl.c:402
       reiserfs_setattr+0x7b2/0x1090 fs/reiserfs/inode.c:3424
       notify_change+0x70b/0xfc0 fs/attr.c:334
       chmod_common+0x1d9/0x3f0 fs/open.c:560
       ksys_fchmod+0xc4/0x130 fs/open.c:579
       __do_sys_fchmod fs/open.c:587 [inline]
       __se_sys_fchmod fs/open.c:585 [inline]
       __x64_sys_fchmod+0x53/0x80 fs/open.c:585
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  &type->i_mutex_dir_key#12/3 --> &type->i_mutex_dir_key#12/2 --> &sb->s_type->i_mutex_key#28

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key#28);
                               lock(&type->i_mutex_dir_key#12/2);
                               lock(&sb->s_type->i_mutex_key#28);
  lock(&type->i_mutex_dir_key#12/3);

 *** DEADLOCK ***

2 locks held by syz-executor.3/29150:
 #0: 000000001ff936b6 (sb_writers#24){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline]
 #0: 000000001ff936b6 (sb_writers#24){.+.+}, at: mnt_want_write+0x3a/0xb0 fs/namespace.c:360
 #1: 00000000292fbef6 (&sb->s_type->i_mutex_key#28){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #1: 00000000292fbef6 (&sb->s_type->i_mutex_key#28){+.+.}, at: chmod_common+0x14b/0x3f0 fs/open.c:554

stack backtrace:
CPU: 0 PID: 29150 Comm: syz-executor.3 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 down_write_nested+0x36/0x90 kernel/locking/rwsem.c:192
 inode_lock_nested include/linux/fs.h:783 [inline]
 open_xa_root fs/reiserfs/xattr.c:127 [inline]
 open_xa_dir+0x127/0x690 fs/reiserfs/xattr.c:152
 xattr_lookup+0x21/0x3c0 fs/reiserfs/xattr.c:395
 reiserfs_xattr_get+0x127/0xa50 fs/reiserfs/xattr.c:675
 reiserfs_get_acl+0x57/0x610 fs/reiserfs/xattr_acl.c:209
 get_acl.part.0+0xcd/0x1f0 fs/posix_acl.c:140
 get_acl fs/posix_acl.c:111 [inline]
 posix_acl_chmod fs/posix_acl.c:564 [inline]
 posix_acl_chmod+0x1b6/0x380 fs/posix_acl.c:554
 reiserfs_acl_chmod+0x158/0x1c0 fs/reiserfs/xattr_acl.c:402
 reiserfs_setattr+0x7b2/0x1090 fs/reiserfs/inode.c:3424
 notify_change+0x70b/0xfc0 fs/attr.c:334
 chmod_common+0x1d9/0x3f0 fs/open.c:560
 ksys_fchmod+0xc4/0x130 fs/open.c:579
 __do_sys_fchmod fs/open.c:587 [inline]
 __se_sys_fchmod fs/open.c:585 [inline]
 __x64_sys_fchmod+0x53/0x80 fs/open.c:585
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f81f9d8d0c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f81f82ff168 EFLAGS: 00000246 ORIG_RAX: 000000000000005b
RAX: ffffffffffffffda RBX: 00007f81f9eacf80 RCX: 00007f81f9d8d0c9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007f81f9de8ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc83a5824f R14: 00007f81f82ff300 R15: 0000000000022000
netlink: 'syz-executor.1': attribute type 4 has an invalid length.
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
netlink: 'syz-executor.0': attribute type 4 has an invalid length.
REISERFS (device loop3): found reiserfs format "3.6" with non-standard journal
netlink: 'syz-executor.0': attribute type 4 has an invalid length.
netlink: 'syz-executor.1': attribute type 4 has an invalid length.
REISERFS (device loop2): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop3): using ordered data mode
REISERFS (device loop2): using ordered data mode
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop2): journal params: device loop2, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop2): checking transaction log (loop2)
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop3): Using r5 hash to sort names
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1804 audit(1672821543.120:413): pid=29206 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir2931727965/syzkaller.lrLWTO/539/file0/bus" dev="loop2" ino=4 res=1
audit: type=1804 audit(1672821543.120:414): pid=29212 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir4210162367/syzkaller.po3tOW/539/file0/bus" dev="loop3" ino=4 res=1
REISERFS (device loop2): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop2): using ordered data mode
REISERFS (device loop3): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop2): journal params: device loop2, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop2): checking transaction log (loop2)
REISERFS (device loop3): using ordered data mode
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop3): Using r5 hash to sort names
audit: type=1804 audit(1672821543.800:415): pid=29254 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir2931727965/syzkaller.lrLWTO/540/file0/bus" dev="loop2" ino=4 res=1
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1804 audit(1672821543.920:416): pid=29249 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir4210162367/syzkaller.po3tOW/540/file0/bus" dev="loop3" ino=4 res=1
REISERFS (device loop2): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop2): using ordered data mode
REISERFS (device loop2): journal params: device loop2, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop2): checking transaction log (loop2)
REISERFS (device loop3): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop3): using ordered data mode
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop3): checking transaction log (loop3)
audit: type=1804 audit(1672821544.440:417): pid=29295 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir2931727965/syzkaller.lrLWTO/541/file0/bus" dev="loop2" ino=4 res=1
REISERFS (device loop3): Using r5 hash to sort names
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1804 audit(1672821544.550:418): pid=29305 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir4210162367/syzkaller.po3tOW/541/file0/bus" dev="loop3" ino=4 res=1
block nbd2: Attempted send on invalid socket
print_req_error: I/O error, dev nbd2, sector 128
gfs2: error 10 reading superblock
block nbd2: Attempted send on invalid socket
print_req_error: I/O error, dev nbd2, sector 128
gfs2: error 10 reading superblock
ceph: device name is missing path (no : separator in w5T)`)YFnA@T<3ڂ$rcnHwC" -8/)
ceph: device name is missing path (no : separator in w5T)`)YFnA@T<3ڂ$rcnHwC" -8/)
ceph: device name is missing path (no : separator in w5T)`)YFnA@T<3ڂ$rcnHwC" -8/)
block nbd2: Attempted send on invalid socket
print_req_error: I/O error, dev nbd2, sector 128
gfs2: error 10 reading superblock
ceph: device name is missing path (no : separator in w5T)`)YFnA@T<3ڂ$rcnHwC" -8/)
ceph: device name is missing path (no : separator in w5T)`)YFnA@T<3ڂ$rcnHwC" -8/)
ceph: device name is missing path (no : separator in w5T)`)YFnA@T<3ڂ$rcnHwC" -8/)
ceph: device name is missing path (no : separator in w5T)`)YFnA@T<3ڂ$rcnHwC" -8/)
IPVS: set_ctl: invalid protocol: 0 172.20.20.15:0
IPVS: set_ctl: invalid protocol: 0 172.20.20.15:0
IPVS: set_ctl: invalid protocol: 0 172.20.20.15:0
IPVS: set_ctl: invalid protocol: 0 172.20.20.15:0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
new mount options do not match the existing superblock, will be ignored
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
new mount options do not match the existing superblock, will be ignored
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
new mount options do not match the existing superblock, will be ignored
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
new mount options do not match the existing superblock, will be ignored
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
new mount options do not match the existing superblock, will be ignored
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
new mount options do not match the existing superblock, will be ignored
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
new mount options do not match the existing superblock, will be ignored
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.1'.
overlayfs: failed to clone upperpath
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
audit: type=1804 audit(1672821549.790:419): pid=29988 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="cgroup.controllers" dev="sda1" ino=14863 res=1
EXT4-fs error (device loop0): ext4_lookup:1611: inode #2: comm syz-executor.0: bad inode number: 12
overlayfs: failed to clone upperpath
overlayfs: failed to clone upperpath
XFS (loop5): Mounting V4 Filesystem
XFS (loop5): Ending clean mount
XFS (loop5): Unmounting Filesystem
audit: type=1804 audit(1672821550.710:420): pid=30058 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="cgroup.controllers" dev="sda1" ino=14773 res=1
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue