======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.3'.
------------------------------------------------------
syz-executor.1/10169 is trying to acquire lock:
00000000db4bf2a6 (&sig->cred_guard_mutex){+.+.}, at: lock_trace fs/proc/base.c:402 [inline]
00000000db4bf2a6 (&sig->cred_guard_mutex){+.+.}, at: proc_pid_personality+0x4a/0x170 fs/proc/base.c:2938

but task is already holding lock:
0000000065b3eb64 (&p->lock){+.+.}, at: seq_read+0x6b/0x11c0 fs/seq_file.c:164

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&p->lock){+.+.}:
       seq_read+0x6b/0x11c0 fs/seq_file.c:164
       proc_reg_read+0x1bd/0x2d0 fs/proc/inode.c:231
       do_loop_readv_writev fs/read_write.c:701 [inline]
       do_loop_readv_writev fs/read_write.c:688 [inline]
       do_iter_read+0x471/0x630 fs/read_write.c:925
       vfs_readv+0xe5/0x150 fs/read_write.c:987
       kernel_readv fs/splice.c:362 [inline]
       default_file_splice_read+0x457/0xa00 fs/splice.c:417
       do_splice_to+0x10e/0x160 fs/splice.c:881
       splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959
       do_splice_direct+0x1a7/0x270 fs/splice.c:1068
       do_sendfile+0x550/0xc30 fs/read_write.c:1447
       __do_sys_sendfile64 fs/read_write.c:1508 [inline]
       __se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (sb_writers#3){.+.+}:
       sb_start_write include/linux/fs.h:1579 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:360
       ovl_setattr+0xdd/0x920 fs/overlayfs/inode.c:30
       notify_change+0x70b/0xfc0 fs/attr.c:334
       chown_common+0x4a9/0x550 fs/open.c:651
       do_fchownat+0x126/0x1e0 fs/open.c:681
       __do_sys_lchown fs/open.c:706 [inline]
       __se_sys_lchown fs/open.c:704 [inline]
       __x64_sys_lchown+0x7a/0xc0 fs/open.c:704
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&ovl_i_mutex_dir_key[depth]){++++}:
       inode_lock_shared include/linux/fs.h:758 [inline]
       do_last fs/namei.c:3326 [inline]
       path_openat+0x17ec/0x2df0 fs/namei.c:3537
       do_filp_open+0x18c/0x3f0 fs/namei.c:3567
       do_open_execat+0x11d/0x5b0 fs/exec.c:853
       __do_execve_file+0x1a8b/0x2360 fs/exec.c:1770
       do_execveat_common fs/exec.c:1879 [inline]
       do_execve+0x35/0x50 fs/exec.c:1896
       __do_sys_execve fs/exec.c:1977 [inline]
       __se_sys_execve fs/exec.c:1972 [inline]
       __x64_sys_execve+0x7c/0xa0 fs/exec.c:1972
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&sig->cred_guard_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:937 [inline]
       __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
       lock_trace fs/proc/base.c:402 [inline]
       proc_pid_personality+0x4a/0x170 fs/proc/base.c:2938
       proc_single_show+0xeb/0x170 fs/proc/base.c:755
       seq_read+0x4e0/0x11c0 fs/seq_file.c:232
       do_loop_readv_writev fs/read_write.c:701 [inline]
       do_loop_readv_writev fs/read_write.c:688 [inline]
       do_iter_read+0x471/0x630 fs/read_write.c:925
       vfs_readv+0xe5/0x150 fs/read_write.c:987
       kernel_readv fs/splice.c:362 [inline]
       default_file_splice_read+0x457/0xa00 fs/splice.c:417
       do_splice_to+0x10e/0x160 fs/splice.c:881
       splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959
       do_splice_direct+0x1a7/0x270 fs/splice.c:1068
       do_sendfile+0x550/0xc30 fs/read_write.c:1447
       __do_sys_sendfile64 fs/read_write.c:1508 [inline]
       __se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
Chain exists of:
  &sig->cred_guard_mutex --> sb_writers#3 --> &p->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&p->lock);
                               lock(sb_writers#3);
                               lock(&p->lock);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

2 locks held by syz-executor.1/10169:
 #0: 00000000501e929b (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline]
 #0: 00000000501e929b (sb_writers#3){.+.+}, at: do_sendfile+0x97d/0xc30 fs/read_write.c:1446
 #1: 0000000065b3eb64 (&p->lock){+.+.}, at: seq_read+0x6b/0x11c0 fs/seq_file.c:164

stack backtrace:
CPU: 1 PID: 10169 Comm: syz-executor.1 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 __mutex_lock_common kernel/locking/mutex.c:937 [inline]
 __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078
 lock_trace fs/proc/base.c:402 [inline]
 proc_pid_personality+0x4a/0x170 fs/proc/base.c:2938
 proc_single_show+0xeb/0x170 fs/proc/base.c:755
 seq_read+0x4e0/0x11c0 fs/seq_file.c:232
 do_loop_readv_writev fs/read_write.c:701 [inline]
 do_loop_readv_writev fs/read_write.c:688 [inline]
 do_iter_read+0x471/0x630 fs/read_write.c:925
 vfs_readv+0xe5/0x150 fs/read_write.c:987
 kernel_readv fs/splice.c:362 [inline]
 default_file_splice_read+0x457/0xa00 fs/splice.c:417
 do_splice_to+0x10e/0x160 fs/splice.c:881
 splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959
 do_splice_direct+0x1a7/0x270 fs/splice.c:1068
 do_sendfile+0x550/0xc30 fs/read_write.c:1447
 __do_sys_sendfile64 fs/read_write.c:1508 [inline]
 __se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f01be585049
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01bcefa168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f01be697f60 RCX: 00007f01be585049
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
RBP: 00007f01be5df08d R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000f6c4 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd684df35f R14: 00007f01bcefa300 R15: 0000000000022000
F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0)
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.3'.
F2FS-fs (loop5): Can't find valid F2FS filesystem in 2th superblock
F2FS-fs (loop5): invalid crc value
F2FS-fs (loop5): Failed to initialize F2FS segment manager
F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop5): Can't find valid F2FS filesystem in 2th superblock
F2FS-fs (loop5): invalid crc value
F2FS-fs (loop5): Failed to initialize F2FS segment manager
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.3'.
F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop5): Can't find valid F2FS filesystem in 2th superblock
overlayfs: './file0' not a directory
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
IPVS: ftp: loaded support on port[0] = 21
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
IPVS: ftp: loaded support on port[0] = 21
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
(unnamed net_device) (uninitialized): ARP monitoring cannot be used with MII monitoring
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
IPVS: ftp: loaded support on port[0] = 21
(unnamed net_device) (uninitialized): ARP monitoring cannot be used with MII monitoring
device macvtap1 entered promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 'syz-executor.4': attribute type 4 has an invalid length.
device macvtap1 entered promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
audit: type=1800 audit(1647393099.129:573): pid=12065 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=21758610 res=0
(unnamed net_device) (uninitialized): ARP monitoring cannot be used with MII monitoring
audit: type=1800 audit(1647393099.139:574): pid=12065 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=21791379 res=0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
audit: type=1800 audit(1647393099.199:575): pid=12085 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=21824148 res=0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
audit: type=1800 audit(1647393099.219:576): pid=12085 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=21856917 res=0
device macvtap1 entered promiscuous mode
audit: type=1800 audit(1647393099.299:577): pid=12102 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=21889686 res=0
audit: type=1800 audit(1647393099.339:578): pid=12102 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=21922455 res=0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
device macvtap1 entered promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
overlayfs: failed to resolve './file0äâ«Ô'·­C…Æ>c': -2
device macvtap1 entered promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'.
overlayfs: failed to resolve './file0äâ«Ô'·­C…Æ>c': -2
device macvtap1 entered promiscuous mode
device macvtap2 entered promiscuous mode
device macvtap3 entered promiscuous mode
tmpfs: No value for mount option './file1'
device macvtap4 entered promiscuous mode
overlayfs: failed to resolve './file0äâ«Ô'·­C…Æ>c': -2
device macvtap5 entered promiscuous mode
IPVS: ftp: loaded support on port[0] = 21
tmpfs: No value for mount option './file1'
overlayfs: failed to resolve './file0äâ«Ô'·­C…Æ>c': -2
device macvtap6 entered promiscuous mode
IPVS: ftp: loaded support on port[0] = 21
device macvtap7 entered promiscuous mode
base_sock_release(000000000383c0cb) sk=00000000c0ecf05e
IPVS: ftp: loaded support on port[0] = 21
device macvtap8 entered promiscuous mode
base_sock_release(0000000006293fda) sk=00000000d49e7e41
base_sock_release(000000002b9b645d) sk=00000000ba07b46e
base_sock_release(00000000eee176ae) sk=000000003eff6d6a
base_sock_release(00000000b1adf7cf) sk=000000004ce10cd4
base_sock_release(00000000c7816ef5) sk=000000004a6f57a0
base_sock_release(00000000beb6771f) sk=000000000f23602b
base_sock_release(00000000f1f4d36f) sk=000000006892a8df
base_sock_release(00000000617ff3e4) sk=00000000adf21f2f
base_sock_release(000000005b92e822) sk=00000000824c57a8
base_sock_release(00000000fd991f59) sk=0000000064570cdb
base_sock_release(00000000bdb929c3) sk=00000000af59e483
base_sock_release(000000007ac89e18) sk=000000007ab8d2aa
base_sock_release(00000000367110b6) sk=00000000641de0b2
base_sock_release(000000000be4f6af) sk=000000005f92d346
base_sock_release(000000004853a299) sk=00000000b3f1cecf
base_sock_release(00000000692b11d3) sk=0000000004c60eb1
base_sock_release(00000000031b563e) sk=0000000084b10903
base_sock_release(00000000b286afe7) sk=00000000b42dacc2
base_sock_release(00000000d9758623) sk=00000000f857de9f
base_sock_release(0000000091eecca6) sk=0000000048513741
base_sock_release(000000003073bb3a) sk=000000007d7becd3
base_sock_release(000000007c86f491) sk=00000000c6b8664c
base_sock_release(00000000db39c877) sk=00000000c678bc3b
base_sock_release(00000000d447d2bc) sk=0000000045bd29b5
base_sock_release(00000000ffd6294f) sk=000000009e3031f5
base_sock_release(0000000006eeea0f) sk=000000009c17e1b4
base_sock_release(00000000c3760889) sk=00000000082a8918
base_sock_release(000000007a092b18) sk=0000000005d8b437
base_sock_release(0000000057d296de) sk=000000009859a6bc
base_sock_release(000000000ffa4909) sk=00000000dd0c0529
base_sock_release(000000008532839a) sk=00000000b50f7124
base_sock_release(00000000a35fa3a7) sk=000000001026ccd0
base_sock_release(0000000000ac24be) sk=0000000015bd9108
base_sock_release(00000000b0c28b72) sk=00000000ee12d1b4
base_sock_release(000000002107bf77) sk=00000000cca9bb04
base_sock_release(000000009bb9273d) sk=000000008977e348
base_sock_release(00000000f44c53f2) sk=00000000f4940893
base_sock_release(0000000026600741) sk=00000000a9af5c8b
base_sock_release(000000002e8479bc) sk=000000009cca4777
base_sock_release(000000005a69c251) sk=00000000c260df85
base_sock_release(000000008a98abad) sk=000000007f35a074
base_sock_release(000000006228ea23) sk=000000008ffab068
base_sock_release(00000000136b3fc4) sk=000000008cd83d6e
base_sock_release(00000000dff08839) sk=000000005a325a99
base_sock_release(000000009c3bdb65) sk=00000000dfbe425a
base_sock_release(00000000f9ec5fed) sk=000000001057ffa4
base_sock_release(000000004501c6e7) sk=00000000fc9ea411
base_sock_release(000000008ef849b3) sk=000000006ee1187b
base_sock_release(000000003ea79504) sk=0000000049bd531f
base_sock_release(000000003dbf04ac) sk=0000000084e05a10
base_sock_release(00000000b1147e11) sk=000000001d0284d8
base_sock_release(00000000a251dc63) sk=000000005dbf80e6
base_sock_release(00000000d48e5402) sk=00000000756303c3
base_sock_release(00000000e6a9ac13) sk=000000009f15017c
base_sock_release(0000000022453505) sk=000000005a90568c
base_sock_release(000000004285b9d6) sk=000000002d52af3e
base_sock_release(0000000084d13ddd) sk=00000000a6e99b89
base_sock_release(00000000e376394b) sk=0000000098e67842
base_sock_release(000000004667031c) sk=00000000d294550a
base_sock_release(00000000bca3db25) sk=00000000ef486088
base_sock_release(0000000014a25a2c) sk=00000000e5f70e2b
base_sock_release(000000002d399683) sk=00000000119cab30
base_sock_release(00000000966efa08) sk=000000006585def8
base_sock_release(000000001ffb5ad7) sk=000000002d2377d9
base_sock_release(000000000f8691e6) sk=000000009902e015
device macvtap9 entered promiscuous mode
IPVS: ftp: loaded support on port[0] = 21
base_sock_release(00000000a45b998d) sk=00000000c9949e56
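The lockdep report above is easier to read once the "existing dependency chain (in reverse order)" is seen as a graph: entry #N is the lock acquired while #N-1 was already held, so the three stacks record cred_guard_mutex -> ovl_i_mutex_dir_key (execve opening a binary on overlayfs), ovl_i_mutex_dir_key -> sb_writers#3 (lchown on overlayfs calling mnt_want_write), and sb_writers#3 -> p->lock (sendfile holding file_start_write on its output file while seq_read runs on the input). The acquisition that fired the warning, proc_pid_personality taking cred_guard_mutex under p->lock, closes the cycle. The block below is an added example, not syzbot's output or kernel code: a user-space model of the cycle check that check_prev_add performs, seeded with exactly those edges. The lock-class names are copied from the report; the enum, the adjacency matrix, the depth-first search and the function names are this example's own.

```c
/* Added example, not part of the syzbot report or the kernel: a small
 * user-space model of lockdep's lock-order check, seeded with the
 * dependency edges that appear in the report above. */
#include <stdio.h>
#include <string.h>

#define NCLASS 4

/* The four lock classes named in the report (enum is this example's own). */
enum lock_class { CRED_GUARD, OVL_I_MUTEX_DIR, SB_WRITERS, P_LOCK };

static const char *const class_name[NCLASS] = {
    [CRED_GUARD]      = "&sig->cred_guard_mutex",
    [OVL_I_MUTEX_DIR] = "&ovl_i_mutex_dir_key[depth]",
    [SB_WRITERS]      = "sb_writers#3",
    [P_LOCK]          = "&p->lock",
};

/* dep[a][b] != 0: lock b has already been seen taken while a was held. */
static int dep[NCLASS][NCLASS];

/* Depth-first search over recorded dependencies. Returns the number of
 * classes on a path from `from` to `target` (stored in path[]), or 0. */
static int reaches(int from, int target, int *visited, int *path, int depth)
{
    path[depth] = from;
    if (from == target)
        return depth + 1;
    visited[from] = 1;
    for (int next = 0; next < NCLASS; next++) {
        if (!dep[from][next] || visited[next])
            continue;
        int len = reaches(next, target, visited, path, depth + 1);
        if (len)
            return len;
    }
    return 0;
}

/* Model of the check run when `acquired` is taken while `held` is held:
 * the new edge held -> acquired closes a cycle iff `acquired` already
 * reaches `held`. Returns 0 and records the edge if it is safe; otherwise
 * returns the cycle length and fills cycle[] with held, acquired, ..., held. */
int check_new_dependency(int held, int acquired, int *cycle)
{
    int visited[NCLASS] = {0};
    int path[NCLASS + 1];
    int len = reaches(acquired, held, visited, path, 0);
    if (!len) {
        dep[held][acquired] = 1;
        return 0;
    }
    cycle[0] = held;
    for (int i = 0; i < len; i++)
        cycle[i + 1] = path[i];
    return len + 1;
}

/* Replay the report: the three edges from the "existing dependency chain",
 * then the acquisition attempted by syz-executor.1/10169. Returns the
 * cycle length reported for that last step (-1 if an earlier edge cycled). */
int replay_report(int *cycle)
{
    int scratch[NCLASS + 2];
    memset(dep, 0, sizeof dep);
    /* #0 -> #1: execve holds cred_guard_mutex; do_last takes the overlay dir inode lock */
    if (check_new_dependency(CRED_GUARD, OVL_I_MUTEX_DIR, scratch)) return -1;
    /* #1 -> #2: lchown holds the inode lock; ovl_setattr calls mnt_want_write */
    if (check_new_dependency(OVL_I_MUTEX_DIR, SB_WRITERS, scratch)) return -1;
    /* #2 -> #3: sendfile holds sb_writers on its output; seq_read takes p->lock */
    if (check_new_dependency(SB_WRITERS, P_LOCK, scratch)) return -1;
    /* the reported step: seq_read -> proc_pid_personality -> lock_trace */
    return check_new_dependency(P_LOCK, CRED_GUARD, cycle);
}

int main(void)
{
    int cycle[NCLASS + 2];
    int len = replay_report(cycle);
    if (len <= 0) {
        puts("no circular dependency");
        return 0;
    }
    puts("possible circular locking dependency:");
    for (int i = 0; i < len; i++)
        printf("  %s%s\n", class_name[cycle[i]], i + 1 < len ? " -->" : "");
    return 0;
}
```

The printed cycle is &p->lock --> &sig->cred_guard_mutex --> &ovl_i_mutex_dir_key[depth] --> sb_writers#3 --> &p->lock, which is the "Chain exists of" line with the #1 overlayfs inode lock that lockdep elided. The register dump identifies the syscall on the reporting CPU independently of the stack: ORIG_RAX 0x28 is sendfile on x86-64, with RDI=5 as the output descriptor whose superblock supplies the held sb_writers#3 and RSI=4 as the input descriptor whose seq_read reached proc_pid_personality.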