EXT4-fs error (device loop5): __ext4_fill_super:5505: inode #2: comm syz.5.80: iget: bogus i_mode (35755)
EXT4-fs (loop5): get root inode failed
EXT4-fs (loop5): mount failed
======================================================
WARNING: possible circular locking dependency detected
6.13.0-rc6-g2144da25584e #1 Not tainted
------------------------------------------------------
syz.6.75/4548 is trying to acquire lock:
ff110001359d14a0 (&oi->ip_alloc_sem){++++}-{4:4}, at: ocfs2_page_mkwrite+0x29c/0xca0 -new/fs/ocfs2/mmap.c:142

but task is already holding lock:
ff1100015e45c4f0 (sb_pagefaults#3){.+.+}-{0:0}, at: do_page_mkwrite+0x17d/0x380 -new/mm/memory.c:3176

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (sb_pagefaults#3){.+.+}-{0:0}:
       percpu_down_read -new/include/linux/percpu-rwsem.h:51 [inline]
       __sb_start_write -new/include/linux/fs.h:1725 [inline]
       sb_start_pagefault -new/include/linux/fs.h:1890 [inline]
       ocfs2_page_mkwrite+0x17b/0xca0 -new/fs/ocfs2/mmap.c:122
       do_page_mkwrite+0x17d/0x380 -new/mm/memory.c:3176
       wp_page_shared -new/mm/memory.c:3577 [inline]
       do_wp_page+0x1041/0x2f40 -new/mm/memory.c:3727
       handle_pte_fault -new/mm/memory.c:5817 [inline]
       __handle_mm_fault+0xdb1/0x3020 -new/mm/memory.c:5944
       handle_mm_fault+0x2b8/0x6b0 -new/mm/memory.c:6112
       faultin_page -new/mm/gup.c:1196 [inline]
       __get_user_pages+0x599/0x3650 -new/mm/gup.c:1494
       __get_user_pages_locked -new/mm/gup.c:1760 [inline]
       faultin_page_range+0x248/0x950 -new/mm/gup.c:1984
       madvise_populate -new/mm/madvise.c:951 [inline]
       do_madvise+0x14dc/0x3f20 -new/mm/madvise.c:1681
       __do_sys_madvise -new/mm/madvise.c:1700 [inline]
       __se_sys_madvise -new/mm/madvise.c:1698 [inline]
       __x64_sys_madvise+0xa9/0x110 -new/mm/madvise.c:1698
       do_syscall_x64 -new/arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 -new/arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (&mm->mmap_lock){++++}-{4:4}:
       __might_fault -new/mm/memory.c:6751 [inline]
       __might_fault+0x110/0x190 -new/mm/memory.c:6744
       _inline_copy_to_user -new/include/linux/uaccess.h:192 [inline]
       _copy_to_user+0x2d/0xd0 -new/lib/usercopy.c:26
       copy_to_user -new/include/linux/uaccess.h:225 [inline]
       fiemap_fill_next_extent+0x22c/0x390 -new/fs/ioctl.c:145
       ocfs2_fiemap+0x5fe/0xe10 -new/fs/ocfs2/extent_map.c:796
       ioctl_fiemap -new/fs/ioctl.c:220 [inline]
       do_vfs_ioctl+0x3a3/0x1840 -new/fs/ioctl.c:840
       __do_sys_ioctl -new/fs/ioctl.c:904 [inline]
       __se_sys_ioctl -new/fs/ioctl.c:892 [inline]
       __x64_sys_ioctl+0x11f/0x210 -new/fs/ioctl.c:892
       do_syscall_x64 -new/arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 -new/arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (&oi->ip_alloc_sem){++++}-{4:4}:
       check_prev_add -new/kernel/locking/lockdep.c:3161 [inline]
       check_prevs_add -new/kernel/locking/lockdep.c:3280 [inline]
       validate_chain -new/kernel/locking/lockdep.c:3904 [inline]
       __lock_acquire+0x24a1/0x3b90 -new/kernel/locking/lockdep.c:5226
       lock_acquire -new/kernel/locking/lockdep.c:5849 [inline]
       lock_acquire+0x19b/0x520 -new/kernel/locking/lockdep.c:5814
       down_write+0x92/0x1f0 -new/kernel/locking/rwsem.c:1577
       ocfs2_page_mkwrite+0x29c/0xca0 -new/fs/ocfs2/mmap.c:142
       do_page_mkwrite+0x17d/0x380 -new/mm/memory.c:3176
       wp_page_shared -new/mm/memory.c:3577 [inline]
       do_wp_page+0x1041/0x2f40 -new/mm/memory.c:3727
       handle_pte_fault -new/mm/memory.c:5817 [inline]
       __handle_mm_fault+0xdb1/0x3020 -new/mm/memory.c:5944
       handle_mm_fault+0x2b8/0x6b0 -new/mm/memory.c:6112
       faultin_page -new/mm/gup.c:1196 [inline]
       __get_user_pages+0x599/0x3650 -new/mm/gup.c:1494
       __get_user_pages_locked -new/mm/gup.c:1760 [inline]
       faultin_page_range+0x248/0x950 -new/mm/gup.c:1984
       madvise_populate -new/mm/madvise.c:951 [inline]
       do_madvise+0x14dc/0x3f20 -new/mm/madvise.c:1681
       __do_sys_madvise -new/mm/madvise.c:1700 [inline]
       __se_sys_madvise -new/mm/madvise.c:1698 [inline]
       __x64_sys_madvise+0xa9/0x110 -new/mm/madvise.c:1698
       do_syscall_x64 -new/arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xc1/0x1d0 -new/arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  &oi->ip_alloc_sem --> &mm->mmap_lock --> sb_pagefaults#3

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  rlock(sb_pagefaults#3);
                               lock(&mm->mmap_lock);
                               lock(sb_pagefaults#3);
  lock(&oi->ip_alloc_sem);

 *** DEADLOCK ***

2 locks held by syz.6.75/4548:
 #0: ff11000128b927e0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock -new/include/linux/mmap_lock.h:144 [inline]
 #0: ff11000128b927e0 (&mm->mmap_lock){++++}-{4:4}, at: do_madvise+0x2a5/0x3f20 -new/mm/madvise.c:1671
 #1: ff1100015e45c4f0 (sb_pagefaults#3){.+.+}-{0:0}, at: do_page_mkwrite+0x17d/0x380 -new/mm/memory.c:3176

stack backtrace:
CPU: 1 UID: 0 PID: 4548 Comm: syz.6.75 Not tainted 6.13.0-rc6-g2144da25584e #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack -new/lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xca/0x120 -new/lib/dump_stack.c:120
 print_circular_bug+0x53f/0x820 -new/kernel/locking/lockdep.c:2074
 check_noncircular+0x2f9/0x3e0 -new/kernel/locking/lockdep.c:2206
 check_prev_add -new/kernel/locking/lockdep.c:3161 [inline]
 check_prevs_add -new/kernel/locking/lockdep.c:3280 [inline]
 validate_chain -new/kernel/locking/lockdep.c:3904 [inline]
 __lock_acquire+0x24a1/0x3b90 -new/kernel/locking/lockdep.c:5226
 lock_acquire -new/kernel/locking/lockdep.c:5849 [inline]
 lock_acquire+0x19b/0x520 -new/kernel/locking/lockdep.c:5814
 down_write+0x92/0x1f0 -new/kernel/locking/rwsem.c:1577
 ocfs2_page_mkwrite+0x29c/0xca0 -new/fs/ocfs2/mmap.c:142
 do_page_mkwrite+0x17d/0x380 -new/mm/memory.c:3176
 wp_page_shared -new/mm/memory.c:3577 [inline]
 do_wp_page+0x1041/0x2f40 -new/mm/memory.c:3727
 handle_pte_fault -new/mm/memory.c:5817 [inline]
 __handle_mm_fault+0xdb1/0x3020 -new/mm/memory.c:5944
 handle_mm_fault+0x2b8/0x6b0 -new/mm/memory.c:6112
 faultin_page -new/mm/gup.c:1196 [inline]
 __get_user_pages+0x599/0x3650 -new/mm/gup.c:1494
 __get_user_pages_locked -new/mm/gup.c:1760 [inline]
 faultin_page_range+0x248/0x950 -new/mm/gup.c:1984
 madvise_populate -new/mm/madvise.c:951 [inline]
 do_madvise+0x14dc/0x3f20 -new/mm/madvise.c:1681
 __do_sys_madvise -new/mm/madvise.c:1700 [inline]
 __se_sys_madvise -new/mm/madvise.c:1698 [inline]
 __x64_sys_madvise+0xa9/0x110 -new/mm/madvise.c:1698
 do_syscall_x64 -new/arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 -new/arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc830b4539d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc82f798b78 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007fc830cfdf80 RCX: 00007fc830b4539d
RDX: 0000000000000017 RSI: 0000000000003000 RDI: 0000000020003000
RBP: 00007fc830bba584 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc830cfdf80 R15: 00007fc82f798d40
fuse: Bad value for 'rootmode'
loop5: detected capacity change from 0 to 32768
btrfs: Deprecated parameter 'usebackuproot'
BTRFS warning: 'usebackuproot' is deprecated, use 'rescue=usebackuproot' instead
BTRFS: device fsid db05bf05-c4f4-4d41-ba1f-eb57295b561b devid 1 transid 8 /dev/loop5 (7:5) scanned by syz.5.80 (4624)
BTRFS info (device loop5): first mount of filesystem db05bf05-c4f4-4d41-ba1f-eb57295b561b
BTRFS info (device loop5): using xxhash64 (xxhash64-generic) checksum algorithm
BTRFS info (device loop5): using free-space-tree
ocfs2: Unmounting device (7,6) on (node local)
BTRFS info (device loop5): rebuilding free space tree
BTRFS info (device loop5): last unmount of filesystem db05bf05-c4f4-4d41-ba1f-eb57295b561b
loop1: detected capacity change from 0 to 131072
loop3: detected capacity change from 0 to 131072
gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz"
gfs2: fsid=syz:syz: Now mounting FS (format 1801)...
XFS (loop3): Mounting V5 Filesystem 22c32dcc-57bc-4919-aeb7-102e166434d7
gfs2: fsid=syz:syz.0: journal 0 mapped with 3 extents in 0ms
gfs2: fsid=syz:syz.0: jid=0, already locked for use
gfs2: fsid=syz:syz.0: jid=0: Looking at journal...
gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 8ms
gfs2: fsid=syz:syz.0: jid=0: Done
gfs2: fsid=syz:syz.0: jid=1: Trying to acquire journal glock...
gfs2: fsid=syz:syz.0: jid=1: Looking at journal...
gfs2: fsid=syz:syz.0: journal 1 mapped with 1 extents in 0ms
gfs2: fsid=syz:syz.0: jid=1: Journal head lookup took 107ms
gfs2: fsid=syz:syz.0: jid=1: Done
gfs2: fsid=syz:syz.0: first mount done, others may mount
XFS (loop3): Ending clean mount
XFS (loop3): Unmounting Filesystem 22c32dcc-57bc-4919-aeb7-102e166434d7