======================================================
WARNING: possible circular locking dependency detected
4.14.215-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/10787 is trying to acquire lock:
 (sb_writers#3){.+.+}, at: [<ffffffff8190364a>] sb_start_write include/linux/fs.h:1549 [inline]
 (sb_writers#3){.+.+}, at: [<ffffffff8190364a>] mnt_want_write+0x3a/0xb0 fs/namespace.c:386

but task is already holding lock:
 (&ovl_i_mutex_dir_key[depth]){++++}, at: [<ffffffff818c6192>] inode_lock include/linux/fs.h:719 [inline]
 (&ovl_i_mutex_dir_key[depth]){++++}, at: [<ffffffff818c6192>] do_last fs/namei.c:3331 [inline]
 (&ovl_i_mutex_dir_key[depth]){++++}, at: [<ffffffff818c6192>] path_openat+0xde2/0x2970 fs/namei.c:3569

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&ovl_i_mutex_dir_key[depth]){++++}:
       down_write_killable+0x37/0xb0 kernel/locking/rwsem.c:68
       iterate_dir+0x387/0x5e0 fs/readdir.c:43
       ovl_dir_read fs/overlayfs/readdir.c:306 [inline]
       ovl_dir_read_merged+0x2c5/0x430 fs/overlayfs/readdir.c:365
       ovl_check_empty_dir+0x6e/0x200 fs/overlayfs/readdir.c:870
       ovl_check_empty_and_clear+0x72/0xe0 fs/overlayfs/dir.c:306
       ovl_remove_and_whiteout fs/overlayfs/dir.c:647 [inline]
       ovl_do_remove+0x565/0xb90 fs/overlayfs/dir.c:775
       vfs_rmdir.part.0+0x144/0x390 fs/namei.c:3908
       vfs_rmdir fs/namei.c:3893 [inline]
       do_rmdir+0x334/0x3c0 fs/namei.c:3968
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (sb_writers#3){.+.+}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
       sb_start_write include/linux/fs.h:1549 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
       ovl_create_object+0x75/0x1d0 fs/overlayfs/dir.c:538
       lookup_open+0x77a/0x1750 fs/namei.c:3241
       do_last fs/namei.c:3334 [inline]
       path_openat+0xe08/0x2970 fs/namei.c:3569
       do_filp_open+0x179/0x3c0 fs/namei.c:3603
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ovl_i_mutex_dir_key[depth]);
                               lock(sb_writers#3);
                               lock(&ovl_i_mutex_dir_key[depth]);
  lock(sb_writers#3);

 *** DEADLOCK ***

2 locks held by syz-executor.2/10787:
 #0:  (sb_writers#14){.+.+}, at: [<ffffffff8190364a>] sb_start_write include/linux/fs.h:1549 [inline]
 #0:  (sb_writers#14){.+.+}, at: [<ffffffff8190364a>] mnt_want_write+0x3a/0xb0 fs/namespace.c:386
 #1:  (&ovl_i_mutex_dir_key[depth]){++++}, at: [<ffffffff818c6192>] inode_lock include/linux/fs.h:719 [inline]
 #1:  (&ovl_i_mutex_dir_key[depth]){++++}, at: [<ffffffff818c6192>] do_last fs/namei.c:3331 [inline]
 #1:  (&ovl_i_mutex_dir_key[depth]){++++}, at: [<ffffffff818c6192>] path_openat+0xde2/0x2970 fs/namei.c:3569

stack backtrace:
CPU: 1 PID: 10787 Comm: syz-executor.2 Not tainted 4.14.215-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
 percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
 __sb_start_write+0x64/0x260 fs/super.c:1342
 sb_start_write include/linux/fs.h:1549 [inline]
 mnt_want_write+0x3a/0xb0 fs/namespace.c:386
 ovl_create_object+0x75/0x1d0 fs/overlayfs/dir.c:538
 lookup_open+0x77a/0x1750 fs/namei.c:3241
 do_last fs/namei.c:3334 [inline]
 path_openat+0xe08/0x2970 fs/namei.c:3569
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45e219
RSP: 002b:00007ff0e0c19c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000045e219
RDX: 000000000000275a RSI: 0000000020000080 RDI: 0000000000000004
RBP: 000000000119bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c
R13: 00007ffd4e71021f R14: 00007ff0e0c1a9c0 R15: 000000000119bf8c
overlayfs: upperdir is in-use by another mount, mount with '-o index=off' to override exclusive upperdir protection.
ADFS-fs error (device loop5): adfs_fill_super: unable to read superblock
ADFS-fs error (device loop5): adfs_fill_super: unable to read superblock
ADFS-fs error (device loop5): adfs_fill_super: unable to read superblock
ADFS-fs error (device loop5): adfs_fill_super: unable to read superblock
ADFS-fs error (device loop5): adfs_fill_super: unable to read superblock
input: syz1 as /devices/virtual/input/input7
input: syz1 as /devices/virtual/input/input9
input: syz1 as /devices/virtual/input/input10
input: syz1 as /devices/virtual/input/input11
input: syz1 as /devices/virtual/input/input12
input: syz1 as /devices/virtual/input/input13
input: syz1 as /devices/virtual/input/input14
audit: type=1800 audit(1610883685.426:2): pid=11112 uid=0 auid=0 ses=4 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="file0" dev="sda1" ino=15862 res=0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
audit: type=1800 audit(1610883685.836:3): pid=11133 uid=0 auid=0 ses=4 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="file0" dev="sda1" ino=15862 res=0
audit: type=1800 audit(1610883685.876:4): pid=11137 uid=0 auid=0 ses=4 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=15863 res=0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
audit: type=1800 audit(1610883686.096:5): pid=11158 uid=0 auid=0 ses=4 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="file0" dev="sda1" ino=15862 res=0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
audit: type=1800 audit(1610883686.166:6): pid=11163 uid=0 auid=0 ses=4 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=15863 res=0
audit: type=1800 audit(1610883686.776:7): pid=11180 uid=0 auid=0 ses=4 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="file0" dev="sda1" ino=15862 res=0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
audit: type=1800 audit(1610883686.806:8): pid=11181 uid=0 auid=0 ses=4 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=15863 res=0
EXT4-fs (loop1): ext4_check_descriptors: Checksum for group 0 failed (60935!=0)
EXT4-fs (loop1): orphan cleanup on readonly fs
EXT4-fs error (device loop1): ext4_free_inode:286: comm syz-executor.1: reserved or nonexistent inode 3
EXT4-fs warning (device loop1): ext4_enable_quotas:5755: Failed to enable quota tracking (type=-1, err=-13). Please run e2fsck to fix.
EXT4-fs (loop1): Cannot turn on quotas: error -13
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
hid-generic 0000:0000:0000.0001: item fetching failed at offset 0/1
UHID_CREATE from different security context by process 128 (syz-executor.3), this is not allowed.
hid-generic: probe of 0000:0000:0000.0001 failed with error -22
hid-generic 0000:0000:0000.0002: item fetching failed at offset 0/1
hid-generic: probe of 0000:0000:0000.0002 failed with error -22
hid-generic 0000:0000:0000.0003: item fetching failed at offset 0/1
hid-generic 0000:0000:0000.0004: item fetching failed at offset 0/1
hid-generic: probe of 0000:0000:0000.0003 failed with error -22
hid-generic: probe of 0000:0000:0000.0004 failed with error -22
hid-generic 0000:0000:0000.0005: item fetching failed at offset 0/1
hid-generic 0000:0000:0000.0006: item fetching failed at offset 0/1
hid-generic: probe of 0000:0000:0000.0005 failed with error -22
hid-generic: probe of 0000:0000:0000.0006 failed with error -22
hid-generic 0000:0000:0000.0007: item fetching failed at offset 0/1
hid-generic: probe of 0000:0000:0000.0007 failed with error -22
hid-generic 0000:0000:0000.0008: item fetching failed at offset 0/1
hid-generic: probe of 0000:0000:0000.0008 failed with error -22
audit: type=1804 audit(1610883688.026:9): pid=11319 uid=0 auid=0 ses=4 op="invalid_pcr" cause="ToMToU" comm="syz-executor.3" name="/root/syzkaller-testdir350348420/syzkaller.e7tflB/46/file0" dev="sda1" ino=15872 res=1