From: syzbot <syzbot+5d19358d7eb30ffb0cc5@syzkaller.appspotmail.com>
To: jack@suse.com, linux-ext4@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
tytso@mit.edu
Subject: Re: [syzbot] [ext4?] possible deadlock in wait_transaction_locked (3)
Date: Sun, 22 Feb 2026 12:59:33 -0800 [thread overview]
Message-ID: <699b6e35.a70a0220.2c38d7.0182.GAE@google.com> (raw)
In-Reply-To: <6953bc09.050a0220.329c0f.0592.GAE@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 32a92f8c8932 Convert more 'alloc_obj' cases to default GFP..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16a7d95a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=35a2f9886a9bccfa
dashboard link: https://syzkaller.appspot.com/bug?extid=5d19358d7eb30ffb0cc5
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1543055a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=104f8006580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1c446301a138/disk-32a92f8c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/245be1b900af/vmlinux-32a92f8c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/16e0d6bc53db/bzImage-32a92f8c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1c55fb38005a/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=14a3a55a580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5d19358d7eb30ffb0cc5@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
kworker/u8:11/1186 is trying to acquire lock:
ffff888036d5ebb0 (jbd2_handle){++++}-{0:0}, at: wait_transaction_locked+0x1a9/0x280 fs/jbd2/transaction.c:151
but task is already holding lock:
ffff888036d52c58 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: percpu_down_read include/linux/percpu-rwsem.h:77 [inline]
ffff888036d52c58 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: ext4_writepages_down_read fs/ext4/ext4.h:1813 [inline]
ffff888036d52c58 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: ext4_writepages+0x205/0x3b0 fs/ext4/inode.c:3018
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&sbi->s_writepages_rwsem){++++}-{0:0}:
percpu_down_read_internal+0x48/0x1d0 include/linux/percpu-rwsem.h:53
percpu_down_read include/linux/percpu-rwsem.h:77 [inline]
ext4_writepages_down_read fs/ext4/ext4.h:1813 [inline]
ext4_writepages+0x205/0x3b0 fs/ext4/inode.c:3018
do_writepages+0x32e/0x550 mm/page-writeback.c:2554
__writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1749
writeback_single_inode+0x488/0xd60 fs/fs-writeback.c:1868
write_inode_now+0x1c2/0x290 fs/fs-writeback.c:2953
iput_final fs/inode.c:1956 [inline]
iput+0x8c1/0xe80 fs/inode.c:2015
ext4_xattr_block_set+0x1fd4/0x2ad0 fs/ext4/xattr.c:2204
ext4_xattr_move_to_block fs/ext4/xattr.c:2669 [inline]
ext4_xattr_make_inode_space fs/ext4/xattr.c:2744 [inline]
ext4_expand_extra_isize_ea+0x12cf/0x1ea0 fs/ext4/xattr.c:2832
__ext4_expand_extra_isize+0x30d/0x400 fs/ext4/inode.c:6297
ext4_try_to_expand_extra_isize fs/ext4/inode.c:6340 [inline]
__ext4_mark_inode_dirty+0x45c/0x730 fs/ext4/inode.c:6418
ext4_evict_inode+0x7a1/0xeb0 fs/ext4/inode.c:255
evict+0x61e/0xb10 fs/inode.c:846
ext4_orphan_cleanup+0xc38/0x1470 fs/ext4/orphan.c:472
__ext4_fill_super fs/ext4/super.c:5668 [inline]
ext4_fill_super+0x5a0b/0x6320 fs/ext4/super.c:5791
get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
vfs_get_tree+0x92/0x2a0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3760 [inline]
do_new_mount+0x341/0xd30 fs/namespace.c:3836
do_mount fs/namespace.c:4159 [inline]
__do_sys_mount fs/namespace.c:4348 [inline]
__se_sys_mount+0x31d/0x420 fs/namespace.c:4325
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (&ei->xattr_sem){++++}-{4:4}:
down_write+0x3a/0x50 kernel/locking/rwsem.c:1590
ext4_write_lock_xattr fs/ext4/xattr.h:157 [inline]
ext4_xattr_set_handle+0x19c/0x14c0 fs/ext4/xattr.c:2372
ext4_initxattrs+0x9f/0x110 fs/ext4/xattr_security.c:44
security_inode_init_security+0x296/0x3d0 security/security.c:1344
__ext4_new_inode+0x332f/0x3d20 fs/ext4/ialloc.c:1324
ext4_create+0x233/0x470 fs/ext4/namei.c:2820
lookup_open fs/namei.c:4483 [inline]
open_last_lookups fs/namei.c:4583 [inline]
path_openat+0x13b4/0x38a0 fs/namei.c:4827
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (jbd2_handle){++++}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
wait_transaction_locked+0x1c2/0x280 fs/jbd2/transaction.c:151
add_transaction_credits fs/jbd2/transaction.c:222 [inline]
start_this_handle+0x7dc/0x2290 fs/jbd2/transaction.c:403
jbd2__journal_start+0x2c0/0x5b0 fs/jbd2/transaction.c:501
__ext4_journal_start_sb+0x203/0x620 fs/ext4/ext4_jbd2.c:114
__ext4_journal_start fs/ext4/ext4_jbd2.h:242 [inline]
ext4_do_writepages+0xf97/0x46e0 fs/ext4/inode.c:2907
ext4_writepages+0x241/0x3b0 fs/ext4/inode.c:3019
do_writepages+0x32e/0x550 mm/page-writeback.c:2554
__writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1749
writeback_sb_inodes+0x944/0x1970 fs/fs-writeback.c:2040
__writeback_inodes_wb+0x111/0x240 fs/fs-writeback.c:2117
wb_writeback+0x46a/0xb70 fs/fs-writeback.c:2228
wb_check_old_data_flush fs/fs-writeback.c:2332 [inline]
wb_do_writeback fs/fs-writeback.c:2385 [inline]
wb_workfn+0xb52/0xf60 fs/fs-writeback.c:2413
process_one_work kernel/workqueue.c:3275 [inline]
process_scheduled_works+0xb02/0x1830 kernel/workqueue.c:3358
worker_thread+0xa50/0xfc0 kernel/workqueue.c:3439
kthread+0x388/0x470 kernel/kthread.c:467
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
other info that might help us debug this:
Chain exists of:
jbd2_handle --> &ei->xattr_sem --> &sbi->s_writepages_rwsem
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(&sbi->s_writepages_rwsem);
lock(&ei->xattr_sem);
lock(&sbi->s_writepages_rwsem);
lock(jbd2_handle);
*** DEADLOCK ***
4 locks held by kworker/u8:11/1186:
#0: ffff88801f6af138 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3250 [inline]
#0: ffff88801f6af138 ((wq_completion)writeback){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 kernel/workqueue.c:3358
#1: ffffc90006487c40 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
#1: ffffc90006487c40 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 kernel/workqueue.c:3358
#2: ffff888036d540d0 (&type->s_umount_key#32){++++}-{4:4}, at: super_trylock_shared+0x20/0xf0 fs/super.c:565
#3: ffff888036d52c58 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: percpu_down_read include/linux/percpu-rwsem.h:77 [inline]
#3: ffff888036d52c58 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: ext4_writepages_down_read fs/ext4/ext4.h:1813 [inline]
#3: ffff888036d52c58 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: ext4_writepages+0x205/0x3b0 fs/ext4/inode.c:3018
stack backtrace:
CPU: 1 UID: 0 PID: 1186 Comm: kworker/u8:11 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: writeback wb_workfn (flush-8:0)
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
wait_transaction_locked+0x1c2/0x280 fs/jbd2/transaction.c:151
add_transaction_credits fs/jbd2/transaction.c:222 [inline]
start_this_handle+0x7dc/0x2290 fs/jbd2/transaction.c:403
jbd2__journal_start+0x2c0/0x5b0 fs/jbd2/transaction.c:501
__ext4_journal_start_sb+0x203/0x620 fs/ext4/ext4_jbd2.c:114
__ext4_journal_start fs/ext4/ext4_jbd2.h:242 [inline]
ext4_do_writepages+0xf97/0x46e0 fs/ext4/inode.c:2907
ext4_writepages+0x241/0x3b0 fs/ext4/inode.c:3019
do_writepages+0x32e/0x550 mm/page-writeback.c:2554
__writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1749
writeback_sb_inodes+0x944/0x1970 fs/fs-writeback.c:2040
__writeback_inodes_wb+0x111/0x240 fs/fs-writeback.c:2117
wb_writeback+0x46a/0xb70 fs/fs-writeback.c:2228
wb_check_old_data_flush fs/fs-writeback.c:2332 [inline]
wb_do_writeback fs/fs-writeback.c:2385 [inline]
wb_workfn+0xb52/0xf60 fs/fs-writeback.c:2413
process_one_work kernel/workqueue.c:3275 [inline]
process_scheduled_works+0xb02/0x1830 kernel/workqueue.c:3358
worker_thread+0xa50/0xfc0 kernel/workqueue.c:3439
kthread+0x388/0x470 kernel/kthread.c:467
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
next prev parent reply other threads:[~2026-02-22 20:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-30 11:48 [syzbot] [ext4?] possible deadlock in wait_transaction_locked (3) syzbot
2026-02-22 20:59 ` syzbot [this message]
2026-02-23 4:21 ` Hillf Danton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=699b6e35.a70a0220.2c38d7.0182.GAE@google.com \
--to=syzbot+5d19358d7eb30ffb0cc5@syzkaller.appspotmail.com \
--cc=jack@suse.com \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox