audit: type=1804 audit(1560971952.247:206): pid=25648 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="open_writers" comm="syz-executor.0" name="/root/syzkaller-testdir670356471/syzkaller.cYqrd0/899/bus" dev="sda1" ino=17413 res=1

======================================================
WARNING: possible circular locking dependency detected
4.14.128 #22 Not tainted
------------------------------------------------------
kworker/0:2/3145 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#9){++++}, at: [] inode_lock include/linux/fs.h:718 [inline]
 (&sb->s_type->i_mutex_key#9){++++}, at: [] __generic_file_fsync+0xab/0x1a0 fs/libfs.c:981

but task is already holding lock:
 ((&dio->complete_work)){+.+.}, at: [] process_one_work+0x7ab/0x1600 kernel/workqueue.c:2089
audit: type=1804 audit(1560971952.287:207): pid=25648 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="ToMToU" comm="syz-executor.0" name="/root/syzkaller-testdir670356471/syzkaller.cYqrd0/899/bus" dev="sda1" ino=17413 res=1

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 ((&dio->complete_work)){+.+.}:
       lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3991
       process_one_work+0x803/0x1600 kernel/workqueue.c:2090
       worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
       kthread+0x319/0x430 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

-> #1 ("dio/%s"sb->s_id){+.+.}:
       lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3991
       flush_workqueue+0x109/0x1400 kernel/workqueue.c:2616
       drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2781
       destroy_workqueue+0x21/0x620 kernel/workqueue.c:4088
       __alloc_workqueue_key+0xb94/0xec0 kernel/workqueue.c:4071
       sb_init_dio_done_wq+0x39/0x80 fs/direct-io.c:624
       dio_set_defer_completion fs/direct-io.c:647 [inline]
       get_more_blocks fs/direct-io.c:725 [inline]
       do_direct_IO fs/direct-io.c:1003 [inline]
       do_blockdev_direct_IO+0x2229/0x7fd0 fs/direct-io.c:1336
       __blockdev_direct_IO+0xa1/0xca fs/direct-io.c:1422
       ext4_direct_IO_write fs/ext4/inode.c:3697 [inline]
       ext4_direct_IO+0x70d/0x1890 fs/ext4/inode.c:3827
       generic_file_direct_write+0x1e7/0x430 mm/filemap.c:2927
       __generic_file_write_iter+0x2bc/0x5b0 mm/filemap.c:3106
       ext4_file_write_iter+0x89f/0xe90 fs/ext4/file.c:264
       call_write_iter include/linux/fs.h:1777 [inline]
       aio_write+0x2c7/0x4f0 fs/aio.c:1553
       io_submit_one fs/aio.c:1641 [inline]
       do_io_submit+0x996/0x13f0 fs/aio.c:1709
       SYSC_io_submit fs/aio.c:1734 [inline]
       SyS_io_submit+0x28/0x30 fs/aio.c:1731
       do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&sb->s_type->i_mutex_key#9){++++}:
       check_prev_add kernel/locking/lockdep.c:1901 [inline]
       check_prevs_add kernel/locking/lockdep.c:2018 [inline]
       validate_chain kernel/locking/lockdep.c:2460 [inline]
       __lock_acquire+0x2c89/0x45e0 kernel/locking/lockdep.c:3487
       lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3991
       down_write+0x38/0x90 kernel/locking/rwsem.c:54
       inode_lock include/linux/fs.h:718 [inline]
       __generic_file_fsync+0xab/0x1a0 fs/libfs.c:981
       ext4_sync_file+0x755/0x12d0 fs/ext4/fsync.c:120
       vfs_fsync_range+0x10e/0x260 fs/sync.c:196
       generic_write_sync include/linux/fs.h:2675 [inline]
       dio_complete+0x397/0x860 fs/direct-io.c:330
       dio_aio_complete_work+0x20/0x30 fs/direct-io.c:342
       process_one_work+0x863/0x1600 kernel/workqueue.c:2114
       worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
       kthread+0x319/0x430 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#9 --> "dio/%s"sb->s_id --> (&dio->complete_work)

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock((&dio->complete_work));
                               lock("dio/%s"sb->s_id);
                               lock((&dio->complete_work));
  lock(&sb->s_type->i_mutex_key#9);

 *** DEADLOCK ***

2 locks held by kworker/0:2/3145:
 #0:  ("dio/%s"sb->s_id){+.+.}, at: [] work_static include/linux/workqueue.h:199 [inline]
 #0:  ("dio/%s"sb->s_id){+.+.}, at: [] set_work_data kernel/workqueue.c:619 [inline]
 #0:  ("dio/%s"sb->s_id){+.+.}, at: [] set_work_pool_and_clear_pending kernel/workqueue.c:646 [inline]
 #0:  ("dio/%s"sb->s_id){+.+.}, at: [] process_one_work+0x76e/0x1600 kernel/workqueue.c:2085
 #1:  ((&dio->complete_work)){+.+.}, at: [] process_one_work+0x7ab/0x1600 kernel/workqueue.c:2089

stack backtrace:
CPU: 0 PID: 3145 Comm: kworker/0:2 Not tainted 4.14.128 #22
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: dio/sda1 dio_aio_complete_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c lib/dump_stack.c:53
 print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2c89/0x45e0 kernel/locking/lockdep.c:3487
 lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3991
 down_write+0x38/0x90 kernel/locking/rwsem.c:54
 inode_lock include/linux/fs.h:718 [inline]
 __generic_file_fsync+0xab/0x1a0 fs/libfs.c:981
 ext4_sync_file+0x755/0x12d0 fs/ext4/fsync.c:120
 vfs_fsync_range+0x10e/0x260 fs/sync.c:196
 generic_write_sync include/linux/fs.h:2675 [inline]
 dio_complete+0x397/0x860 fs/direct-io.c:330
 dio_aio_complete_work+0x20/0x30 fs/direct-io.c:342
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404