audit: type=1804 audit(1677721084.728:5): pid=10193 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3987902863/syzkaller.2BUprj/18/file0/bus" dev="loop5" ino=3 res=1

======================================================
WARNING: possible circular locking dependency detected
4.14.307-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/10176 is trying to acquire lock:
 (&ovl_i_mutex_dir_key[depth]){++++}, at: [] iterate_dir+0x387/0x5e0 fs/readdir.c:43

but task is already holding lock:
 (sb_writers#3){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline]
 (sb_writers#3){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
       sb_start_write include/linux/fs.h:1551 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
       ovl_xattr_set+0x4d/0x290 fs/overlayfs/inode.c:214
       ovl_posix_acl_xattr_set+0x2b7/0x830 fs/overlayfs/super.c:762
       __vfs_setxattr+0xdc/0x130 fs/xattr.c:150
       __vfs_setxattr_noperm+0xfd/0x3d0 fs/xattr.c:181
       __vfs_setxattr_locked+0x14d/0x250 fs/xattr.c:239
       vfs_setxattr+0xcf/0x230 fs/xattr.c:256
       setxattr+0x1a9/0x300 fs/xattr.c:523
       path_setxattr+0x118/0x130 fs/xattr.c:542
       SYSC_setxattr fs/xattr.c:557 [inline]
       SyS_setxattr+0x36/0x50 fs/xattr.c:553
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (&ovl_i_mutex_dir_key[depth]){++++}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       down_write_killable+0x37/0xb0 kernel/locking/rwsem.c:68
       iterate_dir+0x387/0x5e0 fs/readdir.c:43
       ovl_dir_read fs/overlayfs/readdir.c:306 [inline]
       ovl_dir_read_merged+0x2c5/0x430 fs/overlayfs/readdir.c:365
       ovl_check_empty_dir+0x6e/0x200 fs/overlayfs/readdir.c:870
       ovl_check_empty_and_clear+0x72/0xe0 fs/overlayfs/dir.c:306
       ovl_rename+0x57d/0xe50 fs/overlayfs/dir.c:959
       vfs_rename+0x560/0x1820 fs/namei.c:4498
       SYSC_renameat2 fs/namei.c:4646 [inline]
       SyS_renameat2+0x95b/0xad0 fs/namei.c:4535
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sb_writers#3);
                               lock(&ovl_i_mutex_dir_key[depth]);
                               lock(sb_writers#3);
  lock(&ovl_i_mutex_dir_key[depth]);

 *** DEADLOCK ***

6 locks held by syz-executor.0/10176:
 #0:  (sb_writers#14){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline]
 #0:  (sb_writers#14){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386
 #1:  (&type->s_vfs_rename_key#2){+.+.}, at: [] lock_rename+0x54/0x280 fs/namei.c:2889
 #2:  (&ovl_i_mutex_dir_key[depth]#2/1){+.+.}, at: [] inode_lock_nested include/linux/fs.h:754 [inline]
 #2:  (&ovl_i_mutex_dir_key[depth]#2/1){+.+.}, at: [] lock_rename+0x132/0x280 fs/namei.c:2900
 #3:  (&ovl_i_mutex_dir_key[depth]#2/2){+.+.}, at: [] inode_lock_nested include/linux/fs.h:754 [inline]
 #3:  (&ovl_i_mutex_dir_key[depth]#2/2){+.+.}, at: [] lock_rename+0x166/0x280 fs/namei.c:2901
 #4:  (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] inode_lock include/linux/fs.h:719 [inline]
 #4:  (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] vfs_rename+0xbd8/0x1820 fs/namei.c:4472
 #5:  (sb_writers#3){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline]
 #5:  (sb_writers#3){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386

stack backtrace:
CPU: 1 PID: 10176 Comm: syz-executor.0 Not tainted 4.14.307-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 down_write_killable+0x37/0xb0 kernel/locking/rwsem.c:68
 iterate_dir+0x387/0x5e0 fs/readdir.c:43
 ovl_dir_read fs/overlayfs/readdir.c:306 [inline]
 ovl_dir_read_merged+0x2c5/0x430 fs/overlayfs/readdir.c:365
 ovl_check_empty_dir+0x6e/0x200 fs/overlayfs/readdir.c:870
 ovl_check_empty_and_clear+0x72/0xe0 fs/overlayfs/dir.c:306
 ovl_rename+0x57d/0xe50 fs/overlayfs/dir.c:959
 vfs_rename+0x560/0x1820 fs/namei.c:4498
 SYSC_renameat2 fs/namei.c:4646 [inline]
 SyS_renameat2+0x95b/0xad0 fs/namei.c:4535
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7fec366800f9
RSP: 002b:00007fec34bf2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 00007fec3679ff80 RCX: 00007fec366800f9
RDX: 0000000000000000 RSI: 0000000020000440 RDI: 0000000020000100
RBP: 00007fec366dbae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff64591a2f R14: 00007fec34bf2300 R15: 0000000000022000
attempt to access beyond end of device
loop5: rw=1, want=2064, limit=2048
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
audit: type=1804 audit(1677721085.498:6): pid=10226 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3987902863/syzkaller.2BUprj/19/file0/bus" dev="loop5" ino=4 res=1
REISERFS (device loop3): checking transaction log (loop3)
attempt to access beyond end of device
loop5: rw=2049, want=2052, limit=2048
audit: type=1804 audit(1677721085.568:7): pid=10232 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3987902863/syzkaller.2BUprj/19/file0/bus" dev="loop5" ino=4 res=1
REISERFS (device loop3): Using r5 hash to sort names
reiserfs: enabling write barrier flush mode
attempt to access beyond end of device
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
loop5: rw=1, want=2064, limit=2048
audit: type=1804 audit(1677721085.798:8): pid=10246 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.0" name="/root/syzkaller-testdir478819799/syzkaller.PYVf8e/28/file0/bus" dev="loop0" ino=5 res=1
audit: type=1804 audit(1677721085.848:9): pid=10254 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3987902863/syzkaller.2BUprj/20/file0/bus" dev="loop5" ino=6 res=1
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
attempt to access beyond end of device
loop2: rw=2049, want=2052, limit=2048
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop3): checking transaction log (loop3)
REISERFS (device loop3): Using r5 hash to sort names
attempt to access beyond end of device
loop5: rw=1, want=2064, limit=2048
audit: type=1804 audit(1677721085.868:10): pid=10280 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.0" name="/root/syzkaller-testdir478819799/syzkaller.PYVf8e/28/file0/bus" dev="loop0" ino=5 res=1
audit: type=1804 audit(1677721085.898:11): pid=10263 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir2883585358/syzkaller.G8SSJv/23/file0/bus" dev="loop2" ino=7 res=1
attempt to access beyond end of device
audit: type=1804 audit(1677721085.908:12): pid=10295 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3987902863/syzkaller.2BUprj/20/file0/bus" dev="loop5" ino=6 res=1
reiserfs: enabling write barrier flush mode
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
loop0: rw=1, want=2064, limit=2048
audit: type=1804 audit(1677721086.188:13): pid=10311 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir2883585358/syzkaller.G8SSJv/23/file0/bus" dev="loop2" ino=7 res=1
attempt to access beyond end of device
loop5: rw=2049, want=2052, limit=2048
attempt to access beyond end of device
loop5: rw=1, want=2064, limit=2048
REISERFS (device loop3): found reiserfs format "3.5" with non-standard journal
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
attempt to access beyond end of device
loop0: rw=1, want=2064, limit=2048
REISERFS (device loop3): checking transaction log (loop3)
attempt to access beyond end of device
REISERFS (device loop3): Using r5 hash to sort names
loop2: rw=1, want=2064, limit=2048
reiserfs: enabling write barrier flush mode
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
attempt to access beyond end of device
attempt to access beyond end of device
loop2: rw=1, want=2064, limit=2048
loop0: rw=1, want=2064, limit=2048
Zero length message leads to an empty skb
netlink: 2168 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 2168 bytes leftover after parsing attributes in process `syz-executor.2'.
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
netlink: 2168 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 2168 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 2168 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 2168 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 2168 bytes leftover after parsing attributes in process `syz-executor.4'.
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
REISERFS (device loop5): found reiserfs format "3.6" with non-standard journal
hub 9-0:1.0: USB hub found
IPv6: Can't replace route, no match found
hub 9-0:1.0: 8 ports detected
REISERFS (device loop5): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop5): journal params: device loop5, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
IPv6: Can't replace route, no match found
REISERFS (device loop5): checking transaction log (loop5)
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
REISERFS (device loop5): Using r5 hash to sort names
REISERFS (device loop5): Created .reiserfs_priv - reserved for xattr storage.
kauditd_printk_skb: 10 callbacks suppressed
audit: type=1800 audit(1677721092.869:24): pid=11238 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="loop5" ino=5 res=0
audit: type=1804 audit(1677721092.889:25): pid=11238 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3987902863/syzkaller.2BUprj/38/file1/file0" dev="loop5" ino=5 res=1
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
REISERFS (device loop5): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop5): using ordered data mode
reiserfs: using flush barriers
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
REISERFS (device loop5): journal params: device loop5, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop5): checking transaction log (loop5)
REISERFS (device loop5): Using r5 hash to sort names
REISERFS (device loop5): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1800 audit(1677721093.369:26): pid=11313 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="loop5" ino=5 res=0
audit: type=1804 audit(1677721093.369:27): pid=11313 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3987902863/syzkaller.2BUprj/39/file1/file0" dev="loop5" ino=5 res=1
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
REISERFS (device loop1): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop2): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop3): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop1): using ordered data mode
REISERFS (device loop2): using ordered data mode
REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop3): using ordered data mode
reiserfs: using flush barriers
reiserfs: using flush barriers
REISERFS (device loop0): using ordered data mode
REISERFS (device loop1): journal params: device loop1, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop2): journal params: device loop2, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
reiserfs: using flush barriers
reiserfs: using flush barriers
REISERFS (device loop3): journal params: device loop3, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop1): checking transaction log (loop1)
REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop2): checking transaction log (loop2)
EXT4-fs (loop4): feature flags set on rev 0 fs, running e2fsck is recommended
REISERFS (device loop5): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop5): using ordered data mode
REISERFS (device loop3): checking transaction log (loop3)
EXT4-fs (loop4): orphan cleanup on readonly fs
reiserfs: using flush barriers
Quota error (device loop4): v2_read_file_info: Can't read info structure
REISERFS (device loop5): journal params: device loop5, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
EXT4-fs error (device loop4): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 69 vs 41 free clusters
REISERFS (device loop2): Using r5 hash to sort names
REISERFS (device loop5): checking transaction log (loop5)
REISERFS (device loop1): Using r5 hash to sort names
REISERFS (device loop2): Created .reiserfs_priv - reserved for xattr storage.
EXT4-fs error (device loop4): ext4_free_inode:286: comm syz-executor.4: reserved or nonexistent inode 3
REISERFS (device loop3): Using r5 hash to sort names
REISERFS (device loop1): Created .reiserfs_priv - reserved for xattr storage.
EXT4-fs warning (device loop4): ext4_enable_quotas:5780: Failed to enable quota tracking (type=-1, err=-5). Please run e2fsck to fix.
REISERFS (device loop0): Using r5 hash to sort names
REISERFS (device loop3): Created .reiserfs_priv - reserved for xattr storage.
REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage.
audit: type=1800 audit(1677721094.029:28): pid=11359 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="loop2" ino=5 res=0
EXT4-fs (loop4): Cannot turn on quotas: error -5
REISERFS (device loop5): Using r5 hash to sort names
REISERFS (device loop5): Created .reiserfs_priv - reserved for xattr storage.
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
audit: type=1804 audit(1677721094.039:29): pid=11359 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir2883585358/syzkaller.G8SSJv/43/file1/file0" dev="loop2" ino=5 res=1
audit: type=1800 audit(1677721094.079:30): pid=11358 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="loop1" ino=5 res=0
syz-executor.1 (11358) used greatest stack depth: 24232 bytes left
audit: type=1804 audit(1677721094.089:31): pid=11358 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.1" name="/root/syzkaller-testdir3896945376/syzkaller.3DOp7r/52/file1/file0" dev="loop1" ino=5 res=1
syz-executor.0 (11364) used greatest stack depth: 24208 bytes left
audit: type=1800 audit(1677721094.159:32): pid=11377 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="loop5" ino=5 res=0
REISERFS (device loop1): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop1): using ordered data mode
REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal
reiserfs: using flush barriers
REISERFS (device loop0): using ordered data mode
REISERFS (device loop5): found reiserfs format "3.6" with non-standard journal