From: syzbot <syzbot+ddde294b94666bb51266@syzkaller.appspotmail.com>
To: jlbec@evilplan.org, joseph.qi@linux.alibaba.com,
linux-kernel@vger.kernel.org, mark@fasheh.com,
ocfs2-devel@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ocfs2?] possible deadlock in ocfs2_remove_inode (2)
Date: Tue, 09 Jun 2026 14:26:26 -0700 [thread overview]
Message-ID: <6a288502.39669fcc.33b062.00a5.GAE@google.com> (raw)
In-Reply-To: <678e8256.050a0220.303755.0081.GAE@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 2d3090a8aeb5 Merge tag 'v7.1-p5' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13d090ae580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f9e42545d0c4344f
dashboard link: https://syzkaller.appspot.com/bug?extid=ddde294b94666bb51266
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=157bb0ae580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c4e0ae580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a3b55b39a1ae/disk-2d3090a8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e28dc81f5c8b/vmlinux-2d3090a8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/979afa9a8a33/bzImage-2d3090a8.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9da69034f0c7/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=11c4e0ae580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ddde294b94666bb51266@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz-executor/5782 is trying to acquire lock:
ffff8880712c6ba0 (&ocfs2_sysfile_lock_key[INODE_ALLOC_SYSTEM_INODE]){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1029 [inline]
ffff8880712c6ba0 (&ocfs2_sysfile_lock_key[INODE_ALLOC_SYSTEM_INODE]){+.+.}-{4:4}, at: ocfs2_remove_inode+0x15b/0x860 fs/ocfs2/inode.c:733
but task is already holding lock:
ffff88805a4f89a0 (&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1029 [inline]
ffff88805a4f89a0 (&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]){+.+.}-{4:4}, at: ocfs2_wipe_inode+0x2ce/0x1250 fs/ocfs2/inode.c:854
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]){+.+.}-{4:4}:
down_write+0x8b/0x1f0 kernel/locking/rwsem.c:1625
inode_lock include/linux/fs.h:1029 [inline]
ocfs2_del_inode_from_orphan+0x112/0x700 fs/ocfs2/namei.c:2728
ocfs2_dio_end_io_write+0x711/0x1130 fs/ocfs2/aops.c:2379
ocfs2_dio_end_io+0x136/0x2c0 fs/ocfs2/aops.c:2418
dio_complete+0x224/0x950 fs/direct-io.c:281
__blockdev_direct_IO+0x2a2d/0x33d0 fs/direct-io.c:1303
ocfs2_direct_IO+0x263/0x360 fs/ocfs2/aops.c:2455
generic_file_direct_write+0x198/0x410 mm/filemap.c:4259
__generic_file_write_iter+0x11b/0x240 mm/filemap.c:4428
ocfs2_file_write_iter+0xdbb/0x2240 fs/ocfs2/file.c:2476
iter_file_splice_write+0x830/0x10a0 fs/splice.c:736
do_splice_from fs/splice.c:936 [inline]
direct_splice_actor+0x192/0x6c0 fs/splice.c:1159
splice_direct_to_actor+0x345/0xa30 fs/splice.c:1103
do_splice_direct_actor fs/splice.c:1202 [inline]
do_splice_direct+0x174/0x240 fs/splice.c:1228
do_sendfile+0xadc/0xe20 fs/read_write.c:1372
__do_sys_sendfile64 fs/read_write.c:1433 [inline]
__se_sys_sendfile64 fs/read_write.c:1419 [inline]
__x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1419
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (&ocfs2_sysfile_lock_key[EXTENT_ALLOC_SYSTEM_INODE]){+.+.}-{4:4}:
down_write+0x8b/0x1f0 kernel/locking/rwsem.c:1625
inode_lock include/linux/fs.h:1029 [inline]
ocfs2_reserve_suballoc_bits+0x11c/0x4b50 fs/ocfs2/suballoc.c:882
ocfs2_reserve_new_metadata_blocks+0x506/0xbe0 fs/ocfs2/suballoc.c:1078
ocfs2_mknod+0xead/0x27b0 fs/ocfs2/namei.c:351
ocfs2_create+0xf4/0x450 fs/ocfs2/namei.c:677
lookup_open.isra.0+0xc47/0x11b0 fs/namei.c:4511
open_last_lookups fs/namei.c:4611 [inline]
path_openat+0x2291/0x31a0 fs/namei.c:4855
do_file_open+0x20e/0x430 fs/namei.c:4887
do_sys_openat2+0x10d/0x1e0 fs/open.c:1364
do_sys_open fs/open.c:1370 [inline]
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__x64_sys_openat+0x12d/0x210 fs/open.c:1381
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&ocfs2_sysfile_lock_key[INODE_ALLOC_SYSTEM_INODE]){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x14b8/0x2630 kernel/locking/lockdep.c:5237
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x1b1/0x370 kernel/locking/lockdep.c:5825
down_write+0x8b/0x1f0 kernel/locking/rwsem.c:1625
inode_lock include/linux/fs.h:1029 [inline]
ocfs2_remove_inode+0x15b/0x860 fs/ocfs2/inode.c:733
ocfs2_wipe_inode+0x6dd/0x1250 fs/ocfs2/inode.c:896
ocfs2_delete_inode fs/ocfs2/inode.c:1157 [inline]
ocfs2_evict_inode+0x7f9/0x1550 fs/ocfs2/inode.c:1299
evict+0x3c2/0xad0 fs/inode.c:841
iput_final fs/inode.c:1960 [inline]
iput.part.0+0x605/0xf50 fs/inode.c:2009
iput+0x35/0x40 fs/inode.c:1975
d_delete_notify include/linux/fsnotify.h:377 [inline]
vfs_rmdir fs/namei.c:5389 [inline]
vfs_rmdir+0x5c8/0x8a0 fs/namei.c:5349
filename_rmdir+0x31a/0x5c0 fs/namei.c:5431
__do_sys_unlinkat fs/namei.c:5606 [inline]
__se_sys_unlinkat fs/namei.c:5599 [inline]
__x64_sys_unlinkat+0xf5/0x130 fs/namei.c:5599
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&ocfs2_sysfile_lock_key[INODE_ALLOC_SYSTEM_INODE] --> &ocfs2_sysfile_lock_key[EXTENT_ALLOC_SYSTEM_INODE] --> &ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]);
lock(&ocfs2_sysfile_lock_key[EXTENT_ALLOC_SYSTEM_INODE]);
lock(&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]);
lock(&ocfs2_sysfile_lock_key[INODE_ALLOC_SYSTEM_INODE]);
*** DEADLOCK ***
4 locks held by syz-executor/5782:
#0: ffff888037c18410 (sb_writers#12){.+.+}-{0:0}, at: filename_rmdir+0x1ff/0x5c0 fs/namei.c:5420
#1: ffff8880712c25a0 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1074 [inline]
#1: ffff8880712c25a0 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: __start_dirop fs/namei.c:2914 [inline]
#1: ffff8880712c25a0 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: start_dirop fs/namei.c:2938 [inline]
#1: ffff8880712c25a0 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: filename_rmdir+0x258/0x5c0 fs/namei.c:5424
#2: ffff8880355b8bc0 (&osb->nfs_sync_rwlock){.+.+}-{4:4}, at: ocfs2_nfs_sync_lock+0xe4/0x2e0 fs/ocfs2/dlmglue.c:2875
#3: ffff88805a4f89a0 (&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1029 [inline]
#3: ffff88805a4f89a0 (&ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE]){+.+.}-{4:4}, at: ocfs2_wipe_inode+0x2ce/0x1250 fs/ocfs2/inode.c:854
stack backtrace:
CPU: 1 UID: 0 PID: 5782 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_circular_bug.cold+0x178/0x1c7 kernel/locking/lockdep.c:2043
check_noncircular+0x146/0x160 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x14b8/0x2630 kernel/locking/lockdep.c:5237
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x1b1/0x370 kernel/locking/lockdep.c:5825
down_write+0x8b/0x1f0 kernel/locking/rwsem.c:1625
inode_lock include/linux/fs.h:1029 [inline]
ocfs2_remove_inode+0x15b/0x860 fs/ocfs2/inode.c:733
ocfs2_wipe_inode+0x6dd/0x1250 fs/ocfs2/inode.c:896
ocfs2_delete_inode fs/ocfs2/inode.c:1157 [inline]
ocfs2_evict_inode+0x7f9/0x1550 fs/ocfs2/inode.c:1299
evict+0x3c2/0xad0 fs/inode.c:841
iput_final fs/inode.c:1960 [inline]
iput.part.0+0x605/0xf50 fs/inode.c:2009
iput+0x35/0x40 fs/inode.c:1975
d_delete_notify include/linux/fsnotify.h:377 [inline]
vfs_rmdir fs/namei.c:5389 [inline]
vfs_rmdir+0x5c8/0x8a0 fs/namei.c:5349
filename_rmdir+0x31a/0x5c0 fs/namei.c:5431
__do_sys_unlinkat fs/namei.c:5606 [inline]
__se_sys_unlinkat fs/namei.c:5599 [inline]
__x64_sys_unlinkat+0xf5/0x130 fs/namei.c:5599
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x115/0x870 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7319b9bf77
Code: 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 b8 07 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc0104e08 EFLAGS: 00000207 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 0000000000000065 RCX: 00007f7319b9bf77
RDX: 0000000000000200 RSI: 00007fffc0105fb0 RDI: 00000000ffffff9c
RBP: 00007f7319c321ca R08: 0000000000018550 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000207 R12: 00007fffc0105fb0
R13: 00007f7319c321ca R14: 000000000001aa05 R15: 00007fffc0108170
</TASK>
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
ocfs2: Unmounting device (7,0) on (node local)
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
prev parent reply other threads:[~2026-06-09 21:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-20 17:05 [syzbot] [ocfs2?] possible deadlock in ocfs2_remove_inode (2) syzbot
2026-06-09 21:26 ` syzbot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6a288502.39669fcc.33b062.00a5.GAE@google.com \
--to=syzbot+ddde294b94666bb51266@syzkaller.appspotmail.com \
--cc=jlbec@evilplan.org \
--cc=joseph.qi@linux.alibaba.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mark@fasheh.com \
--cc=ocfs2-devel@lists.linux.dev \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.