======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/17014 is trying to acquire lock:
00000000cdd284d4 (&ovl_i_mutex_key[depth]){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
00000000cdd284d4 (&ovl_i_mutex_key[depth]){+.+.}, at: ovl_write_iter+0x148/0xb40 fs/overlayfs/file.c:270

but task is already holding lock:
000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_lock_nested fs/pipe.c:77 [inline]
000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_lock fs/pipe.c:85 [inline]
000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_wait+0x1bd/0x1e0 fs/pipe.c:133

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&pipe->mutex/1){+.+.}:
       pipe_lock_nested fs/pipe.c:77 [inline]
       pipe_lock+0x63/0x80 fs/pipe.c:85
       iter_file_splice_write+0x183/0xbb0 fs/splice.c:700
       do_splice_from fs/splice.c:852 [inline]
       do_splice fs/splice.c:1154 [inline]
       __do_sys_splice fs/splice.c:1428 [inline]
       __se_sys_splice+0xfe7/0x16d0 fs/splice.c:1408
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (sb_writers#3){.+.+}:
       sb_start_write include/linux/fs.h:1579 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:360
       ovl_setattr+0xdd/0x920 fs/overlayfs/inode.c:30
       notify_change+0x70b/0xfc0 fs/attr.c:334
       do_truncate+0x134/0x1f0 fs/open.c:63
       handle_truncate fs/namei.c:3009 [inline]
       do_last fs/namei.c:3427 [inline]
       path_openat+0x2308/0x2df0 fs/namei.c:3537
       do_filp_open+0x18c/0x3f0 fs/namei.c:3567
       do_sys_open+0x3b3/0x520 fs/open.c:1085
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&ovl_i_mutex_key[depth]){+.+.}:
       down_write+0x34/0x90 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:748 [inline]
       ovl_write_iter+0x148/0xb40 fs/overlayfs/file.c:270
       call_write_iter include/linux/fs.h:1821 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x51b/0x770 fs/read_write.c:487
       __kernel_write+0x109/0x370 fs/read_write.c:506
       write_pipe_buf+0x153/0x1f0 fs/splice.c:798
       splice_from_pipe_feed fs/splice.c:503 [inline]
       __splice_from_pipe+0x389/0x800 fs/splice.c:627
       splice_from_pipe fs/splice.c:662 [inline]
       default_file_splice_write+0xd8/0x180 fs/splice.c:810
       do_splice_from fs/splice.c:852 [inline]
       do_splice fs/splice.c:1154 [inline]
       __do_sys_splice fs/splice.c:1428 [inline]
       __se_sys_splice+0xfe7/0x16d0 fs/splice.c:1408
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  &ovl_i_mutex_key[depth] --> sb_writers#3 --> &pipe->mutex/1

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&pipe->mutex/1);
                               lock(sb_writers#3);
                               lock(&pipe->mutex/1);
  lock(&ovl_i_mutex_key[depth]);

 *** DEADLOCK ***

2 locks held by syz-executor.5/17014:
 #0: 00000000fd2378bc (sb_writers#27){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline]
 #0: 00000000fd2378bc (sb_writers#27){.+.+}, at: do_splice fs/splice.c:1153 [inline]
 #0: 00000000fd2378bc (sb_writers#27){.+.+}, at: __do_sys_splice fs/splice.c:1428 [inline]
 #0: 00000000fd2378bc (sb_writers#27){.+.+}, at: __se_sys_splice+0x11de/0x16d0 fs/splice.c:1408
 #1: 000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_lock_nested fs/pipe.c:77 [inline]
 #1: 000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_lock fs/pipe.c:85 [inline]
 #1: 000000001c97839f (&pipe->mutex/1){+.+.}, at: pipe_wait+0x1bd/0x1e0 fs/pipe.c:133

stack backtrace:
CPU: 1 PID: 17014 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 down_write+0x34/0x90 kernel/locking/rwsem.c:70
 inode_lock include/linux/fs.h:748 [inline]
 ovl_write_iter+0x148/0xb40 fs/overlayfs/file.c:270
 call_write_iter include/linux/fs.h:1821 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x51b/0x770 fs/read_write.c:487
 __kernel_write+0x109/0x370 fs/read_write.c:506
 write_pipe_buf+0x153/0x1f0 fs/splice.c:798
 splice_from_pipe_feed fs/splice.c:503 [inline]
 __splice_from_pipe+0x389/0x800 fs/splice.c:627
 splice_from_pipe fs/splice.c:662 [inline]
 default_file_splice_write+0xd8/0x180 fs/splice.c:810
 do_splice_from fs/splice.c:852 [inline]
 do_splice fs/splice.c:1154 [inline]
 __do_sys_splice fs/splice.c:1428 [inline]
 __se_sys_splice+0xfe7/0x16d0 fs/splice.c:1408
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f1244cf00f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1243262168 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f1244e0ff80 RCX: 00007f1244cf00f9
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f1244d4bae9 R08: 000000000000fdef R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd4dd460df R14: 00007f1243262300 R15: 0000000000022000
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.0'.
BTRFS info (device loop4): enabling inode map caching
BTRFS warning (device loop4): excessive commit interval 622039222
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device bridge10 entered promiscuous mode
BTRFS info (device loop4): force zlib compression, level 3
device bridge11 entered promiscuous mode
device bridge12 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
BTRFS info (device loop4): using free space tree
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bridge10 left promiscuous mode
device bridge11 left promiscuous mode
device bridge12 left promiscuous mode
BTRFS info (device loop4): has skinny extents
overlayfs: failed to resolve './file1': -2
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'.
Bluetooth: hci2: command 0x0406 tx timeout
Bluetooth: hci3: command 0x0406 tx timeout
Bluetooth: hci4: command 0x0406 tx timeout
Bluetooth: hci5: command 0x0406 tx timeout
Bluetooth: hci0: command 0x0406 tx timeout
Bluetooth: hci1: command 0x0406 tx timeout
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.0'.
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device bridge10 entered promiscuous mode
device bridge11 entered promiscuous mode
device bridge12 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bridge10 left promiscuous mode
device bridge11 left promiscuous mode
device bridge12 left promiscuous mode
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device bridge10 entered promiscuous mode
device bridge11 entered promiscuous mode
device bridge12 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bridge10 left promiscuous mode
device bridge11 left promiscuous mode
device bridge12 left promiscuous mode
IPVS: ftp: loaded support on port[0] = 21
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device bridge10 entered promiscuous mode
device bridge11 entered promiscuous mode
device bridge12 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond0 left promiscuous mode
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bridge10 left promiscuous mode
device bridge11 left promiscuous mode
device bridge12 left promiscuous mode
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
device vxlan0 entered promiscuous mode
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop3): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
IPVS: ftp: loaded support on port[0] = 21
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
IPVS: ftp: loaded support on port[0] = 21
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop3): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
nla_parse: 47 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.