./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3291846026 <...> DUID 00:04:92:3d:a4:bf:d8:99:95:1d:d2:9f:0e:34:7d:20:a7:e6 forked to background, child pid 4696 [ 34.064198][ T4697] 8021q: adding VLAN 0 to HW filter on device bond0 [ 34.075409][ T4697] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.14' (ED25519) to the list of known hosts. execve("./syz-executor3291846026", ["./syz-executor3291846026"], 0x7fff6efef7f0 /* 10 vars */) = 0 brk(NULL) = 0x555556e25000 brk(0x555556e25e00) = 0x555556e25e00 arch_prctl(ARCH_SET_FS, 0x555556e25480) = 0 set_tid_address(0x555556e25750) = 5027 set_robust_list(0x555556e25760, 24) = 0 rseq(0x555556e25da0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3291846026", 4096) = 28 getrandom("\xb7\xa4\x13\x3a\x8c\x21\x71\x86", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555556e25e00 brk(0x555556e46e00) = 0x555556e46e00 brk(0x555556e47000) = 0x555556e47000 mprotect(0x7fcc0aeab000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 rt_sigaction(SIGRTMIN, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=0}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {sa_handler=0x7fcc0ae05c10, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7fcc0ae0cf60}, NULL, 8) = 0 rt_sigaction(SIGBUS, {sa_handler=0x7fcc0ae05c10, sa_mask=[], sa_flags=SA_RESTORER|SA_NODEFER|SA_SIGINFO, sa_restorer=0x7fcc0ae0cf60}, NULL, 8) = 0 mkdir("./file0", 0777) = 0 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- mount(NULL, "./file0", "tmpfs", 0, "huge=always,size=0") = 0 chdir("./file0") = 0 openat(AT_FDCWD, "cpuacct.usage_percpu", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 3 openat(AT_FDCWD, "cpuacct.usage_percpu", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 mmap(0x20000000, 12288, PROT_READ, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x20000000 ftruncate(4, 35193) = 0 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x20000180} --- prctl(PR_SET_NAME, "") = 0 syzkaller login: [ 57.546761][ T5027] [ 57.549107][ T5027] ====================================================== [ 57.556102][ T5027] WARNING: possible circular locking dependency detected [ 57.563100][ T5027] 6.5.0-rc1-next-20230714-syzkaller #0 Not tainted [ 57.569577][ T5027] ------------------------------------------------------ [ 57.576572][ T5027] /5027 is trying to acquire lock: [ 57.581664][ T5027] ffff88807dbd8758 (&info->lock){....}-{2:2}, at: shmem_uncharge+0x28/0x2b0 [ 57.590359][ T5027] [ 57.590359][ T5027] but task is already holding lock: [ 57.597702][ T5027] ffff88801526c068 (&lruvec->lru_lock){....}-{2:2}, at: folio_lruvec_lock+0x1ba/0x3b0 [ 57.607256][ T5027] [ 57.607256][ T5027] which lock already depends on the new lock. [ 57.607256][ T5027] [ 57.617724][ T5027] [ 57.617724][ T5027] the existing dependency chain (in reverse order) is: [ 57.626717][ T5027] [ 57.626717][ T5027] -> #3 (&lruvec->lru_lock){....}-{2:2}: [ 57.634517][ T5027] _raw_spin_lock+0x2e/0x40 [ 57.639548][ T5027] folio_lruvec_lock+0x1ba/0x3b0 [ 57.644999][ T5027] split_huge_page_to_list+0x103b/0x49e0 [ 57.651177][ T5027] truncate_inode_partial_folio+0x544/0x760 [ 57.657603][ T5027] shmem_undo_range+0x723/0x1190 [ 57.663865][ T5027] shmem_setattr+0xd43/0x1050 [ 57.669071][ T5027] notify_change+0x742/0x11c0 [ 57.674281][ T5027] do_truncate+0x15c/0x220 [ 57.679227][ T5027] do_sys_ftruncate+0x6a2/0x790 [ 57.684816][ T5027] do_syscall_64+0x38/0xb0 [ 57.689762][ T5027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.696187][ T5027] [ 57.696187][ T5027] -> #2 (&xa->xa_lock#7){..-.}-{2:2}: [ 57.703760][ T5027] _raw_spin_lock_irq+0x36/0x50 [ 57.709137][ T5027] filemap_remove_folio+0xbf/0x250 [ 57.714785][ T5027] truncate_inode_folio+0x49/0x70 [ 57.720339][ T5027] shmem_undo_range+0x363/0x1190 [ 57.725815][ T5027] shmem_evict_inode+0x334/0xb10 [ 57.731286][ T5027] evict+0x2ed/0x6b0 [ 57.735719][ T5027] iput.part.0+0x55e/0x7a0 [ 57.740675][ T5027] iput+0x5c/0x80 [ 57.744847][ T5027] dentry_unlink_inode+0x292/0x430 [ 57.750538][ T5027] __dentry_kill+0x3b8/0x640 [ 57.755663][ T5027] dput+0x703/0xfd0 [ 57.760001][ T5027] do_renameat2+0xc4c/0xdc0 [ 57.765044][ T5027] __x64_sys_rename+0x81/0xa0 [ 57.770272][ T5027] do_syscall_64+0x38/0xb0 [ 57.775230][ T5027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.781669][ T5027] [ 57.781669][ T5027] -> #1 (&sb->s_type->i_lock_key){+.+.}-{2:2}: [ 57.790025][ T5027] _raw_spin_lock+0x2e/0x40 [ 57.795059][ T5027] inode_sub_bytes+0x28/0x100 [ 57.800269][ T5027] __dquot_free_space+0x8f7/0xaf0 [ 57.805830][ T5027] shmem_recalc_inode+0x196/0x350 [ 57.811480][ T5027] shmem_undo_range+0x558/0x1190 [ 57.816947][ T5027] shmem_evict_inode+0x334/0xb10 [ 57.822416][ T5027] evict+0x2ed/0x6b0 [ 57.826840][ T5027] iput.part.0+0x55e/0x7a0 [ 57.831786][ T5027] iput+0x5c/0x80 [ 57.835948][ T5027] dentry_unlink_inode+0x292/0x430 [ 57.841602][ T5027] __dentry_kill+0x3b8/0x640 [ 57.846804][ T5027] dput+0x703/0xfd0 [ 57.851136][ T5027] do_renameat2+0xc4c/0xdc0 [ 57.856168][ T5027] __x64_sys_rename+0x81/0xa0 [ 57.861376][ T5027] do_syscall_64+0x38/0xb0 [ 57.866323][ T5027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.872745][ T5027] [ 57.872745][ T5027] -> #0 (&info->lock){....}-{2:2}: [ 57.880052][ T5027] __lock_acquire+0x2e3d/0x5de0 [ 57.885434][ T5027] lock_acquire+0x1ae/0x510 [ 57.890469][ T5027] _raw_spin_lock_irqsave+0x3a/0x50 [ 57.896206][ T5027] shmem_uncharge+0x28/0x2b0 [ 57.901344][ T5027] split_huge_page_to_list+0x3832/0x49e0 [ 57.908052][ T5027] truncate_inode_partial_folio+0x544/0x760 [ 57.914475][ T5027] shmem_undo_range+0x723/0x1190 [ 57.919944][ T5027] shmem_setattr+0xd43/0x1050 [ 57.925151][ T5027] notify_change+0x742/0x11c0 [ 57.930361][ T5027] do_truncate+0x15c/0x220 [ 57.935309][ T5027] do_sys_ftruncate+0x6a2/0x790 [ 57.940693][ T5027] do_syscall_64+0x38/0xb0 [ 57.945639][ T5027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.952064][ T5027] [ 57.952064][ T5027] other info that might help us debug this: [ 57.952064][ T5027] [ 57.962338][ T5027] Chain exists of: [ 57.962338][ T5027] &info->lock --> &xa->xa_lock#7 --> &lruvec->lru_lock [ 57.962338][ T5027] [ 57.975226][ T5027] Possible unsafe locking scenario: [ 57.975226][ T5027] [ 57.982674][ T5027] CPU0 CPU1 [ 57.988035][ T5027] ---- ---- [ 57.993397][ T5027] lock(&lruvec->lru_lock); [ 57.997990][ T5027] lock(&xa->xa_lock#7); [ 58.004847][ T5027] lock(&lruvec->lru_lock); [ 58.011958][ T5027] lock(&info->lock); [ 58.016043][ T5027] [ 58.016043][ T5027] *** DEADLOCK *** [ 58.016043][ T5027] [ 58.024179][ T5027] 5 locks held by /5027: [ 58.028417][ T5027] #0: ffff8880762b4410 (sb_writers#5){.+.+}-{0:0}, at: do_syscall_64+0x38/0xb0 [ 58.037503][ T5027] #1: ffff88807dbd8a50 (&sb->s_type->i_mutex_key#12){+.+.}-{3:3}, at: do_truncate+0x14b/0x220 [ 58.047899][ T5027] #2: ffff88807dbd8cf0 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: split_huge_page_to_list+0x7d5/0x49e0 [ 58.059065][ T5027] #3: ffff88807dbd8b60 (&xa->xa_lock#7){..-.}-{2:2}, at: split_huge_page_to_list+0x980/0x49e0 [ 58.069452][ T5027] #4: ffff88801526c068 (&lruvec->lru_lock){....}-{2:2}, at: folio_lruvec_lock+0x1ba/0x3b0 [ 58.079495][ T5027] [ 58.079495][ T5027] stack backtrace: [ 58.085376][ T5027] CPU: 0 PID: 5027 Comm: Not tainted 6.5.0-rc1-next-20230714-syzkaller #0 [ 58.093967][ T5027] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 [ 58.104021][ T5027] Call Trace: [ 58.107300][ T5027] [ 58.110233][ T5027] dump_stack_lvl+0xd9/0x1b0 [ 58.114838][ T5027] check_noncircular+0x311/0x3f0 [ 58.119791][ T5027] ? print_circular_bug+0x750/0x750 [ 58.125005][ T5027] ? save_trace+0x4e/0xb30 [ 58.129429][ T5027] ? _find_first_zero_bit+0x94/0xb0 [ 58.134639][ T5027] __lock_acquire+0x2e3d/0x5de0 [ 58.139509][ T5027] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 58.145507][ T5027] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 58.151507][ T5027] ? lockdep_hardirqs_on_prepare+0x410/0x410 [ 58.157543][ T5027] ? preempt_count_sub+0x150/0x150 [ 58.162689][ T5027] lock_acquire+0x1ae/0x510 [ 58.167229][ T5027] ? shmem_uncharge+0x28/0x2b0 [ 58.172018][ T5027] ? lock_sync+0x190/0x190 [ 58.176460][ T5027] ? lock_sync+0x190/0x190 [ 58.180912][ T5027] ? page_cpupid_xchg_last+0xc5/0x130 [ 58.186323][ T5027] _raw_spin_lock_irqsave+0x3a/0x50 [ 58.191542][ T5027] ? shmem_uncharge+0x28/0x2b0 [ 58.196326][ T5027] shmem_uncharge+0x28/0x2b0 [ 58.200930][ T5027] split_huge_page_to_list+0x3832/0x49e0 [ 58.206590][ T5027] ? can_split_folio+0x3f0/0x3f0 [ 58.211552][ T5027] ? folio_flags.constprop.0+0x56/0x150 [ 58.217126][ T5027] ? folio_flags.constprop.0+0x56/0x150 [ 58.222711][ T5027] truncate_inode_partial_folio+0x544/0x760 [ 58.228688][ T5027] shmem_undo_range+0x723/0x1190 [ 58.233660][ T5027] ? shmem_get_partial_folio+0x330/0x330 [ 58.239337][ T5027] ? setattr_prepare+0x140/0x9b0 [ 58.244301][ T5027] shmem_setattr+0xd43/0x1050 [ 58.249004][ T5027] ? shmem_evict_inode+0xb10/0xb10 [ 58.254136][ T5027] notify_change+0x742/0x11c0 [ 58.258835][ T5027] do_truncate+0x15c/0x220 [ 58.263281][ T5027] ? file_open_root+0x450/0x450 [ 58.268149][ T5027] ? common_perm_cond+0x242/0x850 [ 58.273199][ T5027] do_sys_ftruncate+0x6a2/0x790 [ 58.278071][ T5027] do_syscall_64+0x38/0xb0 [ 58.282514][ T5027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.288456][ T5027] RIP: 0033:0x7fcc0ae38b99 [ 58.292902][ T5027] Code: 48 83 c4 28 c3 e8 67 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 58.312520][ T5027] RSP: 002b:00007ffcd4272e58 EFLAGS: 00000246 ORIG_RAX: 000000000000004d [ 58.321462][ T5027] RAX: ffffffffffffffda RBX: 00007ffcd4272e60 RCX: 00007fcc0ae38b99 [ 58.329438][ T5027] RDX: 00007fcc0ae38b99 RSI: 0000000000008979 RDI: 0000000000000003 [ 58.337411][ T5027] RBP: 00007ffcd4272e68 R08: 00007fcc0ae05c10 R09: 00007fcc0ae05c10 ftruncate(3, 35193) = 0 exit_group(0) = ? +++ exited with 0 +++ [ 58.345383][ T5027] R10: 0000000000000000 R11: 000000