======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/17014 is trying to acquire lock:
00000000cdd284d4 (&ovl_i_mutex_key[depth]){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
00000000cdd284d4 (&ovl_i_mutex_key[depth]){+.+.}, at: ovl_write_iter+0x148/0xb40 fs/overlayfs/file.c:270

but task is already holding lock:
000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_lock_nested fs/pipe.c:77 [inline]
000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_lock fs/pipe.c:85 [inline]
000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_wait+0x1bd/0x1e0 fs/pipe.c:133

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&pipe->mutex/1){+.+.}:
       pipe_lock_nested fs/pipe.c:77 [inline]
       pipe_lock+0x63/0x80 fs/pipe.c:85
       iter_file_splice_write+0x183/0xbb0 fs/splice.c:700
       do_splice_from fs/splice.c:852 [inline]
       do_splice fs/splice.c:1154 [inline]
       __do_sys_splice fs/splice.c:1428 [inline]
       __se_sys_splice+0xfe7/0x16d0 fs/splice.c:1408
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (sb_writers#3){.+.+}:
       sb_start_write include/linux/fs.h:1579 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:360
       ovl_setattr+0xdd/0x920 fs/overlayfs/inode.c:30
       notify_change+0x70b/0xfc0 fs/attr.c:334
       do_truncate+0x134/0x1f0 fs/open.c:63
       handle_truncate fs/namei.c:3009 [inline]
       do_last fs/namei.c:3427 [inline]
       path_openat+0x2308/0x2df0 fs/namei.c:3537
       do_filp_open+0x18c/0x3f0 fs/namei.c:3567
       do_sys_open+0x3b3/0x520 fs/open.c:1085
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&ovl_i_mutex_key[depth]){+.+.}:
       down_write+0x34/0x90 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:748 [inline]
       ovl_write_iter+0x148/0xb40 fs/overlayfs/file.c:270
       call_write_iter include/linux/fs.h:1821 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x51b/0x770 fs/read_write.c:487
       __kernel_write+0x109/0x370 fs/read_write.c:506
       write_pipe_buf+0x153/0x1f0 fs/splice.c:798
       splice_from_pipe_feed fs/splice.c:503 [inline]
       __splice_from_pipe+0x389/0x800 fs/splice.c:627
       splice_from_pipe fs/splice.c:662 [inline]
       default_file_splice_write+0xd8/0x180 fs/splice.c:810
       do_splice_from fs/splice.c:852 [inline]
       do_splice fs/splice.c:1154 [inline]
       __do_sys_splice fs/splice.c:1428 [inline]
       __se_sys_splice+0xfe7/0x16d0 fs/splice.c:1408
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  &ovl_i_mutex_key[depth] --> sb_writers#3 --> &pipe->mutex/1

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&pipe->mutex/1);
                               lock(sb_writers#3);
                               lock(&pipe->mutex/1);
  lock(&ovl_i_mutex_key[depth]);

 *** DEADLOCK ***

2 locks held by syz-executor.5/17014:
 #0: 00000000fd2378bc (sb_writers#27){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline]
 #0: 00000000fd2378bc (sb_writers#27){.+.+}, at: do_splice fs/splice.c:1153 [inline]
 #0: 00000000fd2378bc (sb_writers#27){.+.+}, at: __do_sys_splice fs/splice.c:1428 [inline]
 #0: 00000000fd2378bc (sb_writers#27){.+.+}, at: __se_sys_splice+0x11de/0x16d0 fs/splice.c:1408
 #1: 000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_lock_nested fs/pipe.c:77 [inline]
 #1: 000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_lock fs/pipe.c:85 [inline]
 #1: 000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_wait+0x1bd/0x1e0 fs/pipe.c:133

stack backtrace:
CPU: 1 PID: 17014 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 down_write+0x34/0x90 kernel/locking/rwsem.c:70
 inode_lock include/linux/fs.h:748 [inline]
 ovl_write_iter+0x148/0xb40 fs/overlayfs/file.c:270
 call_write_iter include/linux/fs.h:1821 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x51b/0x770 fs/read_write.c:487
 __kernel_write+0x109/0x370 fs/read_write.c:506
 write_pipe_buf+0x153/0x1f0 fs/splice.c:798
 splice_from_pipe_feed fs/splice.c:503 [inline]
 __splice_from_pipe+0x389/0x800 fs/splice.c:627
 splice_from_pipe fs/splice.c:662 [inline]
 default_file_splice_write+0xd8/0x180 fs/splice.c:810
 do_splice_from fs/splice.c:852 [inline]
 do_splice fs/splice.c:1154 [inline]
 __do_sys_splice fs/splice.c:1428 [inline]
 __se_sys_splice+0xfe7/0x16d0 fs/splice.c:1408
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f1244cf00f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1243262168 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f1244e0ff80 RCX: 00007f1244cf00f9
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f1244d4bae9 R08: 000000000000fdef R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd4dd460df R14: 00007f1243262300 R15: 0000000000022000
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.0'.
BTRFS info (device loop4): enabling inode map caching
BTRFS warning (device loop4): excessive commit interval 622039222
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device bridge10 entered promiscuous mode
BTRFS info (device loop4): force zlib compression, level 3
device bridge11 entered promiscuous mode
device bridge12 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
BTRFS info (device loop4): using free space tree
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bridge10 left promiscuous mode
device bridge11 left promiscuous mode
device bridge12 left promiscuous mode
BTRFS info (device loop4): has skinny extents
overlayfs: failed to resolve './file1': -2
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'.
Bluetooth: hci2: command 0x0406 tx timeout
Bluetooth: hci3: command 0x0406 tx timeout
Bluetooth: hci4: command 0x0406 tx timeout
Bluetooth: hci5: command 0x0406 tx timeout
Bluetooth: hci0: command 0x0406 tx timeout
Bluetooth: hci1: command 0x0406 tx timeout
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.0'.
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device bridge10 entered promiscuous mode
device bridge11 entered promiscuous mode
device bridge12 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bridge10 left promiscuous mode
device bridge11 left promiscuous mode
device bridge12 left promiscuous mode
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device bridge10 entered promiscuous mode
device bridge11 entered promiscuous mode
device bridge12 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bridge10 left promiscuous mode
device bridge11 left promiscuous mode
device bridge12 left promiscuous mode
IPVS: ftp: loaded support on port[0] = 21
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device bridge10 entered promiscuous mode
device bridge11 entered promiscuous mode
device bridge12 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bridge10 left promiscuous mode
device bridge11 left promiscuous mode
device bridge12 left promiscuous mode
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
device vxlan0 entered promiscuous mode
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop3): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
IPVS: ftp: loaded support on port[0] = 21
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
IPVS: ftp: loaded support on port[0] = 21
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop3): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
nla_parse: 47 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.