======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.1.174/5952 is trying to acquire lock:
ffff0000f5a6dbe0 (&oi->ip_alloc_sem){+.+.}-{3:3}, at: ocfs2_try_remove_refcount_tree+0xb4/0x2e4 fs/ocfs2/refcounttree.c:932

but task is already holding lock:
ffff0000f5a6dc78 (&oi->ip_xattr_sem){++++}-{3:3}, at: ocfs2_try_remove_refcount_tree+0xa8/0x2e4 fs/ocfs2/refcounttree.c:931

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (&oi->ip_xattr_sem){++++}-{3:3}:
       down_read+0x64/0x300 kernel/locking/rwsem.c:1520
       ocfs2_init_acl+0x264/0x61c fs/ocfs2/acl.c:365
       ocfs2_mknod+0x12b0/0x218c fs/ocfs2/namei.c:410
       ocfs2_mkdir+0x19c/0x51c fs/ocfs2/namei.c:657
       vfs_mkdir+0x314/0x4d8 fs/namei.c:4114
       do_mkdirat+0x1b8/0x3ec fs/namei.c:4139
       __do_sys_mkdirat fs/namei.c:4154 [inline]
       __se_sys_mkdirat fs/namei.c:4152 [inline]
       __arm64_sys_mkdirat+0x90/0xa8 fs/namei.c:4152
       __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
       invoke_syscall+0x98/0x290 arch/arm64/kernel/syscall.c:52
       el0_svc_common+0x13c/0x258 arch/arm64/kernel/syscall.c:140
       do_el0_svc+0x5c/0x134 arch/arm64/kernel/syscall.c:204
       el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
       el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

-> #2 (&journal->j_trans_barrier){.+.+}-{3:3}:
       down_read+0x64/0x300 kernel/locking/rwsem.c:1520
       ocfs2_start_trans+0x38c/0x6f4 fs/ocfs2/journal.c:374
       ocfs2_shutdown_local_alloc+0x1a0/0x858 fs/ocfs2/localalloc.c:416
       ocfs2_dismount_volume+0x1f4/0x95c fs/ocfs2/super.c:1882
       ocfs2_put_super+0x108/0x390 fs/ocfs2/super.c:1609
       generic_shutdown_super+0x138/0x32c fs/super.c:501
       kill_block_super+0x78/0xe0 fs/super.c:1470
       deactivate_locked_super+0xb4/0x128 fs/super.c:332
       deactivate_super+0xe4/0x104 fs/super.c:363
       cleanup_mnt+0x3a8/0x430 fs/namespace.c:1191
       __cleanup_mnt+0x20/0x30 fs/namespace.c:1198
       task_work_run+0x1f4/0x280 kernel/task_work.c:203
       resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
       do_notify_resume+0x20f8/0x2c84 arch/arm64/kernel/signal.c:1151
       prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
       exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
       el0_svc+0x98/0x128 arch/arm64/kernel/entry-common.c:638
       el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
       el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

-> #1 (sb_internal#4){.+.+}-{0:0}:
       percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
       __sb_start_write include/linux/fs.h:1891 [inline]
       sb_start_intwrite include/linux/fs.h:2013 [inline]
       ocfs2_start_trans+0x20c/0x6f4 fs/ocfs2/journal.c:372
       ocfs2_orphan_for_truncate fs/ocfs2/file.c:392 [inline]
       ocfs2_truncate_file+0x5ec/0x14dc fs/ocfs2/file.c:496
       ocfs2_setattr+0x12a0/0x1950 fs/ocfs2/file.c:1212
       notify_change+0xb5c/0xe20 fs/attr.c:499
       do_truncate+0x188/0x20c fs/open.c:65
       do_coredump+0x1994/0x1c90 fs/coredump.c:801
       get_signal+0xdfc/0x133c kernel/signal.c:2858
       do_signal arch/arm64/kernel/signal.c:1095 [inline]
       do_notify_resume+0x2a8/0x2c84 arch/arm64/kernel/signal.c:1148
       prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
       exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
       el0_da+0xb4/0x144 arch/arm64/kernel/entry-common.c:516
       el0t_64_sync_handler+0x90/0xf0 arch/arm64/kernel/entry-common.c:658
       el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

-> #0 (&oi->ip_alloc_sem){+.+.}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3090 [inline]
       check_prevs_add kernel/locking/lockdep.c:3209 [inline]
       validate_chain kernel/locking/lockdep.c:3825 [inline]
       __lock_acquire+0x27c8/0x6610 kernel/locking/lockdep.c:5049
       lock_acquire+0x20c/0x638 kernel/locking/lockdep.c:5662
       down_write+0x5c/0x88 kernel/locking/rwsem.c:1573
       ocfs2_try_remove_refcount_tree+0xb4/0x2e4 fs/ocfs2/refcounttree.c:932
       ocfs2_truncate_file+0xce0/0x14dc fs/ocfs2/file.c:517
       ocfs2_setattr+0x12a0/0x1950 fs/ocfs2/file.c:1212
       notify_change+0xb5c/0xe20 fs/attr.c:499
       do_truncate+0x188/0x20c fs/open.c:65
       do_coredump+0x1994/0x1c90 fs/coredump.c:801
       get_signal+0xdfc/0x133c kernel/signal.c:2858
       do_signal arch/arm64/kernel/signal.c:1095 [inline]
       do_notify_resume+0x2a8/0x2c84 arch/arm64/kernel/signal.c:1148
       prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
       exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
       el0_da+0xb4/0x144 arch/arm64/kernel/entry-common.c:516
       el0t_64_sync_handler+0x90/0xf0 arch/arm64/kernel/entry-common.c:658
       el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

other info that might help us debug this:

Chain exists of:
  &oi->ip_alloc_sem --> &journal->j_trans_barrier --> &oi->ip_xattr_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&oi->ip_xattr_sem);
                               lock(&journal->j_trans_barrier);
                               lock(&oi->ip_xattr_sem);
  lock(&oi->ip_alloc_sem);

 *** DEADLOCK ***

2 locks held by syz.1.174/5952:
 #0: ffff0000f5a6df48 (&sb->s_type->i_mutex_key#28){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:758 [inline]
 #0: ffff0000f5a6df48 (&sb->s_type->i_mutex_key#28){+.+.}-{3:3}, at: do_truncate+0x174/0x20c fs/open.c:63
 #1: ffff0000f5a6dc78 (&oi->ip_xattr_sem){++++}-{3:3}, at: ocfs2_try_remove_refcount_tree+0xa8/0x2e4 fs/ocfs2/refcounttree.c:931

stack backtrace:
CPU: 1 PID: 5952 Comm: syz.1.174 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 print_circular_bug+0x148/0x1b0 kernel/locking/lockdep.c:2048
 check_noncircular+0x264/0x2f8 kernel/locking/lockdep.c:2170
 check_prev_add kernel/locking/lockdep.c:3090 [inline]
 check_prevs_add kernel/locking/lockdep.c:3209 [inline]
 validate_chain kernel/locking/lockdep.c:3825 [inline]
 __lock_acquire+0x27c8/0x6610 kernel/locking/lockdep.c:5049
 lock_acquire+0x20c/0x638 kernel/locking/lockdep.c:5662
 down_write+0x5c/0x88 kernel/locking/rwsem.c:1573
 ocfs2_try_remove_refcount_tree+0xb4/0x2e4 fs/ocfs2/refcounttree.c:932
 ocfs2_truncate_file+0xce0/0x14dc fs/ocfs2/file.c:517
 ocfs2_setattr+0x12a0/0x1950 fs/ocfs2/file.c:1212
 notify_change+0xb5c/0xe20 fs/attr.c:499
 do_truncate+0x188/0x20c fs/open.c:65
 do_coredump+0x1994/0x1c90 fs/coredump.c:801
 get_signal+0xdfc/0x133c kernel/signal.c:2858
 do_signal arch/arm64/kernel/signal.c:1095 [inline]
 do_notify_resume+0x2a8/0x2c84 arch/arm64/kernel/signal.c:1148
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_da+0xb4/0x144 arch/arm64/kernel/entry-common.c:516
 el0t_64_sync_handler+0x90/0xf0 arch/arm64/kernel/entry-common.c:658
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
ocfs2: Unmounting device (7,1) on (node local)
VFS: Busy inodes after unmount of loop1 (ocfs2)
------------[ cut here ]------------
kernel BUG at fs/super.c:505!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 5952 Comm: syz.1.174 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : generic_shutdown_super+0x328/0x32c fs/super.c:503
lr : generic_shutdown_super+0x328/0x32c fs/super.c:503
sp : ffff800021817790
x29: ffff800021817790 x28: ffff0000d8a6ef00 x27: ffff0000d8a6ef00
x26: dfff800000000000 x25: 0000000000000002 x24: 1fffe0001b56fcfb
x23: ffff0000dab7e7d8 x22: dfff800000000000 x21: ffff8000120758a0
x20: ffff8000159d9bc0 x19: ffff0000dab7e000 x18: 1fffe00033e7ff7e
x17: ffff80001532d000 x16: ffff800008043b30 x15: 0000000000000000
x14: 0000000000000001 x13: 1ffff00004302e48 x12: 0000000000000000
x11: ff00800008315148 x10: 0000000000000000 x9 : 5a79b7a2f5ecb700
x8 : 5a79b7a2f5ecb700 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800021817258 x4 : ffff800015414e60 x3 : ffff80000831d018
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000002f
Call trace:
 generic_shutdown_super+0x328/0x32c fs/super.c:503
 kill_block_super+0x78/0xe0 fs/super.c:1470
 deactivate_locked_super+0xb4/0x128 fs/super.c:332
 deactivate_super+0xe4/0x104 fs/super.c:363
 cleanup_mnt+0x3a8/0x430 fs/namespace.c:1191
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1198
 task_work_run+0x1f4/0x280 kernel/task_work.c:203
 exit_task_work include/linux/task_work.h:39 [inline]
 do_exit+0x54c/0x19ac kernel/exit.c:881
 do_group_exit+0x198/0x238 kernel/exit.c:1024
 get_signal+0x11f4/0x133c kernel/signal.c:2872
 do_signal arch/arm64/kernel/signal.c:1095 [inline]
 do_notify_resume+0x2a8/0x2c84 arch/arm64/kernel/signal.c:1148
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_da+0xb4/0x144 arch/arm64/kernel/entry-common.c:516
 el0t_64_sync_handler+0x90/0xf0 arch/arm64/kernel/entry-common.c:658
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: b0049cc0 91358000 911aa261 97d98752 (d4210000)
---[ end trace 0000000000000000 ]---