[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 30.012248] kauditd_printk_skb: 7 callbacks suppressed [ 30.012260] audit: type=1800 audit(1543335569.105:29): pid=5897 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 30.039505] audit: type=1800 audit(1543335569.105:30): pid=5897 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.201' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 55.052583] overlayfs: filesystem on './file0' not supported as upperdir [ 55.062397] [ 55.064028] ====================================================== [ 55.070321] WARNING: possible circular locking dependency detected [ 55.076631] 4.20.0-rc4+ #131 Not tainted [ 55.080667] ------------------------------------------------------ [ 55.086961] syz-executor434/6054 is trying to acquire lock: [ 55.092655] 00000000595178f7 (&ovl_i_mutex_key[depth]){+.+.}, at: ovl_write_iter+0x151/0xd10 [ 55.101240] [ 55.101240] but task is already holding lock: [ 55.107196] 000000009c3db120 (&pipe->mutex/1){+.+.}, at: pipe_lock+0x6e/0x80 [ 55.114374] [ 55.114374] which lock already depends on the new lock. [ 55.114374] [ 55.122668] [ 55.122668] the existing dependency chain (in reverse order) is: [ 55.130284] [ 55.130284] -> #2 (&pipe->mutex/1){+.+.}: [ 55.135924] __mutex_lock+0x166/0x16f0 [ 55.140330] mutex_lock_nested+0x16/0x20 [ 55.144893] pipe_lock+0x6e/0x80 [ 55.148762] iter_file_splice_write+0x27d/0x1050 [ 55.154023] do_splice+0x64a/0x1430 [ 55.158149] __x64_sys_splice+0x2c1/0x330 [ 55.162799] do_syscall_64+0x1b9/0x820 [ 55.167186] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.172871] [ 55.172871] -> #1 (sb_writers#3){.+.+}: [ 55.178317] __sb_start_write+0x214/0x370 [ 55.182966] mnt_want_write+0x3f/0xc0 [ 55.187282] ovl_want_write+0x76/0xa0 [ 55.191584] ovl_setattr+0x10b/0xaf0 [ 55.195798] notify_change+0xbde/0x1110 [ 55.200278] do_truncate+0x1bd/0x2d0 [ 55.204511] path_openat+0x375f/0x5150 [ 55.208899] do_filp_open+0x255/0x380 [ 55.213202] do_sys_open+0x568/0x700 [ 55.217416] __x64_sys_openat+0x9d/0x100 [ 55.221986] do_syscall_64+0x1b9/0x820 [ 55.226374] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.232060] [ 55.232060] -> #0 (&ovl_i_mutex_key[depth]){+.+.}: [ 55.238457] lock_acquire+0x1ed/0x520 [ 55.242761] down_write+0x8a/0x130 [ 55.246808] ovl_write_iter+0x151/0xd10 [ 55.251309] __vfs_write+0x6b8/0x9f0 [ 55.255528] __kernel_write+0x10c/0x370 [ 55.260005] write_pipe_buf+0x180/0x240 [ 55.264488] __splice_from_pipe+0x38b/0x7c0 [ 55.269309] splice_from_pipe+0x1ec/0x340 [ 55.274058] default_file_splice_write+0x3c/0x90 [ 55.279314] do_splice+0x64a/0x1430 [ 55.283439] __x64_sys_splice+0x2c1/0x330 [ 55.288089] do_syscall_64+0x1b9/0x820 [ 55.292480] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.298180] [ 55.298180] other info that might help us debug this: [ 55.298180] [ 55.306302] Chain exists of: [ 55.306302] &ovl_i_mutex_key[depth] --> sb_writers#3 --> &pipe->mutex/1 [ 55.306302] [ 55.317590] Possible unsafe locking scenario: [ 55.317590] [ 55.323626] CPU0 CPU1 [ 55.328271] ---- ---- [ 55.332916] lock(&pipe->mutex/1); [ 55.336521] lock(sb_writers#3); [ 55.342471] lock(&pipe->mutex/1); [ 55.348607] lock(&ovl_i_mutex_key[depth]); [ 55.352996] [ 55.352996] *** DEADLOCK *** [ 55.352996] [ 55.359040] 2 locks held by syz-executor434/6054: [ 55.363859] #0: 00000000a6c3f649 (sb_writers#8){.+.+}, at: do_splice+0xd2e/0x1430 [ 55.371561] #1: 000000009c3db120 (&pipe->mutex/1){+.+.}, at: pipe_lock+0x6e/0x80 [ 55.379176] [ 55.379176] stack backtrace: [ 55.383673] CPU: 0 PID: 6054 Comm: syz-executor434 Not tainted 4.20.0-rc4+ #131 [ 55.391098] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 55.400443] Call Trace: [ 55.403018] dump_stack+0x244/0x39d [ 55.406635] ? dump_stack_print_info.cold.1+0x20/0x20 [ 55.411846] ? vprintk_func+0x85/0x181 [ 55.415719] print_circular_bug.isra.35.cold.54+0x1bd/0x27d [ 55.421411] ? save_trace+0xe0/0x290 [ 55.425107] __lock_acquire+0x3399/0x4c20 [ 55.429239] ? mark_held_locks+0x130/0x130 [ 55.433457] ? __lock_acquire+0x62f/0x4c20 [ 55.437676] ? mark_held_locks+0x130/0x130 [ 55.441894] ? perf_trace_sched_process_exec+0x860/0x860 [ 55.447341] ? do_raw_spin_unlock+0xa7/0x330 [ 55.451731] ? zap_class+0x640/0x640 [ 55.455438] ? __might_sleep+0x95/0x190 [ 55.459398] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 55.464919] ? futex_wait_queue_me+0x55d/0x840 [ 55.469500] ? find_held_lock+0x36/0x1c0 [ 55.473541] ? mutex_spin_on_owner+0x2e3/0x540 [ 55.478106] ? __lock_is_held+0xb5/0x140 [ 55.482153] lock_acquire+0x1ed/0x520 [ 55.485938] ? ovl_write_iter+0x151/0xd10 [ 55.490067] ? lock_release+0xa00/0xa00 [ 55.494024] ? perf_trace_sched_process_exec+0x860/0x860 [ 55.499461] ? kasan_check_write+0x14/0x20 [ 55.503680] down_write+0x8a/0x130 [ 55.507205] ? ovl_write_iter+0x151/0xd10 [ 55.511337] ? down_read+0x120/0x120 [ 55.515044] ? rcu_softirq_qs+0x20/0x20 [ 55.519006] ? futex_wake+0x304/0x760 [ 55.522804] ovl_write_iter+0x151/0xd10 [ 55.526794] ? __mutex_lock+0x85e/0x16f0 [ 55.530856] ? pipe_lock+0x6e/0x80 [ 55.534376] ? ovl_compat_ioctl+0x70/0x70 [ 55.538507] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 55.544027] ? iov_iter_init+0xe5/0x210 [ 55.547992] __vfs_write+0x6b8/0x9f0 [ 55.551703] ? zap_class+0x640/0x640 [ 55.555399] ? kernel_read+0x120/0x120 [ 55.559274] ? __lock_is_held+0xb5/0x140 [ 55.563319] ? find_held_lock+0x36/0x1c0 [ 55.567367] __kernel_write+0x10c/0x370 [ 55.571322] write_pipe_buf+0x180/0x240 [ 55.575272] ? do_splice_direct+0x420/0x420 [ 55.579577] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 55.585093] ? splice_from_pipe_next.part.11+0x296/0x340 [ 55.590529] __splice_from_pipe+0x38b/0x7c0 [ 55.594828] ? do_splice_direct+0x420/0x420 [ 55.599136] splice_from_pipe+0x1ec/0x340 [ 55.603267] ? do_splice_direct+0x420/0x420 [ 55.607565] ? splice_shrink_spd+0xd0/0xd0 [ 55.611802] ? rcu_read_lock_sched_held+0x14f/0x180 [ 55.616801] default_file_splice_write+0x3c/0x90 [ 55.621540] ? generic_splice_sendpage+0x50/0x50 [ 55.626274] do_splice+0x64a/0x1430 [ 55.629883] ? kmem_cache_free+0x24f/0x290 [ 55.634097] ? opipe_prep.part.14+0x3b0/0x3b0 [ 55.638571] __x64_sys_splice+0x2c1/0x330 [ 55.642706] do_syscall_64+0x1b9/0x820 [ 55.646578] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 55.651923] ? syscall_return_slowpath+0x5e0/0x5e0 [ 55.656836] ? trace_hardirqs_on_caller+0x310/0x310 [ 55.661837] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 55.666836] ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250 [ 55.673500] ? __switch_to_asm+0x40/0x70 [ 55.677539] ? __switch_to_asm+0x34/0x70 [ 55.681583] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 55.686407] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.691576] RIP: 0033:0x445809 [ 55.694749] Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 55.713652] RSP: 002b:00007f82236fad98 EFLAGS: 00000212 ORIG_RAX: 0000000000000113 [ 55.721345] RAX: ffffffffffffffda RBX: 00000000006dac68 RCX: 0000000000445809 [ 55.728593] RDX: 000000000000000a RSI: 0000000000000000 RDI: 0000000000000007 [ 55.735844] RBP: 00000000006dac60 R08: 000100000000000a R09: 0000000000000007 [ 55.743095] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dac6c [ 55.750345] R13: 0030656c69662f2e R14: 652e79726f6d656d R15: 00000000006dad4c