====================================================== WARNING: possible circular locking dependency detected 4.19.211-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.5/15728 is trying to acquire lock: 00000000d148239b (&sig->cred_guard_mutex){+.+.}, at: lock_trace fs/proc/base.c:402 [inline] 00000000d148239b (&sig->cred_guard_mutex){+.+.}, at: proc_pid_stack+0x160/0x350 fs/proc/base.c:452 but task is already holding lock: 00000000b68c500c (&p->lock){+.+.}, at: seq_read+0x6b/0x11c0 fs/seq_file.c:164 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (&p->lock){+.+.}: seq_read+0x6b/0x11c0 fs/seq_file.c:164 proc_reg_read+0x1bd/0x2d0 fs/proc/inode.c:231 do_loop_readv_writev fs/read_write.c:701 [inline] do_loop_readv_writev fs/read_write.c:688 [inline] do_iter_read+0x471/0x630 fs/read_write.c:925 vfs_readv+0xe5/0x150 fs/read_write.c:987 kernel_readv fs/splice.c:362 [inline] default_file_splice_read+0x457/0xa00 fs/splice.c:417 do_splice_to+0x10e/0x160 fs/splice.c:881 splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959 do_splice_direct+0x1a7/0x270 fs/splice.c:1068 do_sendfile+0x550/0xc30 fs/read_write.c:1447 capability: warning: `syz-executor.0' uses deprecated v2 capabilities in a way that may be insecure __do_sys_sendfile64 fs/read_write.c:1508 [inline] __se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #2 (sb_writers#3){.+.+}: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. sb_start_write include/linux/fs.h:1579 [inline] mnt_want_write+0x3a/0xb0 fs/namespace.c:360 ovl_xattr_set+0x53/0x600 fs/overlayfs/inode.c:338 ovl_posix_acl_xattr_set+0x347/0x9a0 fs/overlayfs/super.c:917 __vfs_setxattr+0x10e/0x170 fs/xattr.c:149 __vfs_setxattr_noperm+0x11a/0x420 fs/xattr.c:180 __vfs_setxattr_locked+0x176/0x250 fs/xattr.c:238 vfs_setxattr+0xe5/0x270 fs/xattr.c:255 setxattr+0x23d/0x330 fs/xattr.c:520 path_setxattr+0x170/0x190 fs/xattr.c:539 __do_sys_lsetxattr fs/xattr.c:561 [inline] __se_sys_lsetxattr fs/xattr.c:557 [inline] __x64_sys_lsetxattr+0xbd/0x150 fs/xattr.c:557 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #1 (&ovl_i_mutex_dir_key[depth]){++++}: inode_lock_shared include/linux/fs.h:758 [inline] do_last fs/namei.c:3326 [inline] path_openat+0x17ec/0x2df0 fs/namei.c:3537 do_filp_open+0x18c/0x3f0 fs/namei.c:3567 do_open_execat+0x11d/0x5b0 fs/exec.c:853 __do_execve_file+0x1a8b/0x2360 fs/exec.c:1770 do_execveat_common fs/exec.c:1879 [inline] do_execve+0x35/0x50 fs/exec.c:1896 __do_sys_execve fs/exec.c:1977 [inline] __se_sys_execve fs/exec.c:1972 [inline] __x64_sys_execve+0x7c/0xa0 fs/exec.c:1972 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #0 (&sig->cred_guard_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:937 [inline] __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078 lock_trace fs/proc/base.c:402 [inline] proc_pid_stack+0x160/0x350 fs/proc/base.c:452 proc_single_show+0xeb/0x170 fs/proc/base.c:755 seq_read+0x4e0/0x11c0 fs/seq_file.c:232 do_loop_readv_writev fs/read_write.c:701 [inline] do_loop_readv_writev fs/read_write.c:688 [inline] do_iter_read+0x471/0x630 fs/read_write.c:925 vfs_readv+0xe5/0x150 fs/read_write.c:987 do_preadv fs/read_write.c:1071 [inline] __do_sys_preadv fs/read_write.c:1121 [inline] __se_sys_preadv fs/read_write.c:1116 [inline] __x64_sys_preadv+0x22b/0x310 fs/read_write.c:1116 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe other info that might help us debug this: Chain exists of: &sig->cred_guard_mutex --> sb_writers#3 --> &p->lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&p->lock); lock(sb_writers#3); lock(&p->lock); lock(&sig->cred_guard_mutex); *** DEADLOCK *** 1 lock held by syz-executor.5/15728: #0: 00000000b68c500c (&p->lock){+.+.}, at: seq_read+0x6b/0x11c0 fs/seq_file.c:164 stack backtrace: CPU: 0 PID: 15728 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222 check_prev_add kernel/locking/lockdep.c:1866 [inline] check_prevs_add kernel/locking/lockdep.c:1979 [inline] validate_chain kernel/locking/lockdep.c:2420 [inline] __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908 __mutex_lock_common kernel/locking/mutex.c:937 [inline] __mutex_lock+0xd7/0x1190 kernel/locking/mutex.c:1078 lock_trace fs/proc/base.c:402 [inline] proc_pid_stack+0x160/0x350 fs/proc/base.c:452 proc_single_show+0xeb/0x170 fs/proc/base.c:755 seq_read+0x4e0/0x11c0 fs/seq_file.c:232 do_loop_readv_writev fs/read_write.c:701 [inline] do_loop_readv_writev fs/read_write.c:688 [inline] do_iter_read+0x471/0x630 fs/read_write.c:925 vfs_readv+0xe5/0x150 fs/read_write.c:987 do_preadv fs/read_write.c:1071 [inline] __do_sys_preadv fs/read_write.c:1121 [inline] __se_sys_preadv fs/read_write.c:1116 [inline] __x64_sys_preadv+0x22b/0x310 fs/read_write.c:1116 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f2f679a4409 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f2f66319168 EFLAGS: 00000246 ORIG_RAX: 0000000000000127 RAX: ffffffffffffffda RBX: 00007f2f67ab6f80 RCX: 00007f2f679a4409 RDX: 0000000000000218 RSI: 00000000200017c0 RDI: 0000000000000004 RBP: 00007f2f679ff367 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff1f21fcff R14: 00007f2f66319300 R15: 0000000000022000 sit: non-ECT from 0.0.0.0 with TOS=0x2 EXT4-fs (loop4): unsupported descriptor size 16384 batman_adv: batadv0: Interface deactivated: batadv_slave_1 batman_adv: batadv0: Removing interface: batadv_slave_1 device bridge_slave_1 left promiscuous mode bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_0 left promiscuous mode bridge0: port 1(bridge_slave_0) entered disabled state device veth1_macvtap left promiscuous mode device veth0_macvtap left promiscuous mode device veth1_vlan left promiscuous mode device veth0_vlan left promiscuous mode device hsr_slave_1 left promiscuous mode device hsr_slave_0 left promiscuous mode team0 (unregistering): Port device team_slave_1 removed team0 (unregistering): Port device team_slave_0 removed bond0 (unregistering): Releasing backup interface bond_slave_1 bond0 (unregistering): Releasing backup interface bond_slave_0 bond0 (unregistering): Released all slaves IPVS: ftp: loaded support on port[0] = 21 chnl_net:caif_netlink_parms(): no params data found bridge0: port 1(bridge_slave_0) entered blocking state bridge0: port 1(bridge_slave_0) entered disabled state device bridge_slave_0 entered promiscuous mode bridge0: port 2(bridge_slave_1) entered blocking state bridge0: port 2(bridge_slave_1) entered disabled state device bridge_slave_1 entered promiscuous mode bond0: Enslaving bond_slave_0 as an active interface with an up link bond0: Enslaving bond_slave_1 as an active interface with an up link IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready team0: Port device team_slave_0 added IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready team0: Port device team_slave_1 added batman_adv: batadv0: Adding interface: batadv_slave_0 batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active batman_adv: batadv0: Adding interface: batadv_slave_1 batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready device hsr_slave_0 entered promiscuous mode device hsr_slave_1 entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready bridge0: port 2(bridge_slave_1) entered blocking state bridge0: port 2(bridge_slave_1) entered forwarding state bridge0: port 1(bridge_slave_0) entered blocking state bridge0: port 1(bridge_slave_0) entered forwarding state 8021q: adding VLAN 0 to HW filter on device bond0 IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready bridge0: port 1(bridge_slave_0) entered disabled state bridge0: port 2(bridge_slave_1) entered disabled state IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready 8021q: adding VLAN 0 to HW filter on device team0 IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready bridge0: port 1(bridge_slave_0) entered blocking state bridge0: port 1(bridge_slave_0) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready bridge0: port 2(bridge_slave_1) entered blocking state bridge0: port 2(bridge_slave_1) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready 8021q: adding VLAN 0 to HW filter on device batadv0 IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready Bluetooth: hci6: command 0x0409 tx timeout IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready device veth0_vlan entered promiscuous mode device veth1_vlan entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready device veth0_macvtap entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready device veth1_macvtap entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready batman_adv: batadv0: Interface activated: batadv_slave_0 IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready batman_adv: batadv0: Interface activated: batadv_slave_1 IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready ieee80211 phy53: Selected rate control algorithm 'minstrel_ht' IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 ieee80211 phy54: Selected rate control algorithm 'minstrel_ht' IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready EXT4-fs (loop4): unsupported descriptor size 16384 EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue nla_parse: 1 callbacks suppressed netlink: 136 bytes leftover after parsing attributes in process `syz-executor.3'. device bond_slave_0 entered promiscuous mode device bond_slave_1 entered promiscuous mode device macsec1 entered promiscuous mode device bond0 entered promiscuous mode EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue netlink: 136 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 136 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 136 bytes leftover after parsing attributes in process `syz-executor.2'. EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue netlink: 136 bytes leftover after parsing attributes in process `syz-executor.3'. Bluetooth: hci6: command 0x041b tx timeout EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue netlink: 136 bytes leftover after parsing attributes in process `syz-executor.2'. EXT4-fs error (device sda1): mb_free_blocks:1452: group 5, inode 14918: block 164896:freeing already freed block (bit 1056); block bitmap corrupt. EXT4-fs error (device sda1): ext4_mb_generate_buddy:744: group 5, block bitmap and bg descriptor inconsistent: 17356 vs 17357 free clusters EXT4-fs (sda1): pa 00000000ade3d1f6: logic 0, phys. 164896, len 32 EXT4-fs error (device sda1): ext4_mb_release_inode_pa:3864: group 5, free 16, pa_free 15 EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue netlink: 'syz-executor.3': attribute type 10 has an invalid length. EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue 8021q: adding VLAN 0 to HW filter on device team0 bond0: Enslaving team0 as an active interface with an up link netlink: 'syz-executor.3': attribute type 10 has an invalid length. bond0: Releasing backup interface team0