====================================================== WARNING: possible circular locking dependency detected 4.15.0-rc3+ #218 Not tainted ------------------------------------------------------ syz-executor5/17480 is trying to acquire lock: (&sb->s_type->i_mutex_key#10){++++}, at: [<000000005f246023>] inode_lock include/linux/fs.h:713 [inline] (&sb->s_type->i_mutex_key#10){++++}, at: [<000000005f246023>] generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289 but task is already holding lock: (&pipe->mutex/1){+.+.}, at: [<0000000085e274af>] pipe_lock_nested fs/pipe.c:67 [inline] (&pipe->mutex/1){+.+.}, at: [<0000000085e274af>] pipe_lock+0x56/0x70 fs/pipe.c:75 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #6 (&pipe->mutex/1){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 pipe_lock_nested fs/pipe.c:67 [inline] pipe_lock+0x56/0x70 fs/pipe.c:75 iter_file_splice_write+0x264/0xf30 fs/splice.c:699 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1147 [inline] SYSC_splice fs/splice.c:1402 [inline] SyS_splice+0x7d5/0x1630 fs/splice.c:1382 entry_SYSCALL_64_fastpath+0x1f/0x96 -> #5 (sb_writers){.+.+}: try_to_wake_up+0xbc/0x1600 kernel/sched/core.c:1988 wake_up_process+0x10/0x20 kernel/sched/core.c:2151 wake_up_worker kernel/workqueue.c:839 [inline] insert_work+0x3ed/0x5d0 kernel/workqueue.c:1312 __queue_work+0x57e/0x1220 kernel/workqueue.c:1462 queue_work_on+0x16a/0x1c0 kernel/workqueue.c:1487 -> #4 ((completion)&req.done){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 complete_acquire include/linux/completion.h:40 [inline] __wait_for_common kernel/sched/completion.c:109 [inline] wait_for_common kernel/sched/completion.c:123 [inline] wait_for_completion+0xcb/0x7b0 kernel/sched/completion.c:144 devtmpfs_create_node+0x32b/0x4a0 drivers/base/devtmpfs.c:115 device_add+0x120f/0x1640 drivers/base/core.c:1824 device_create_groups_vargs+0x1f3/0x250 drivers/base/core.c:2430 device_create_vargs drivers/base/core.c:2470 [inline] device_create+0xda/0x110 drivers/base/core.c:2506 msr_device_create+0x26/0x40 arch/x86/kernel/msr.c:188 cpuhp_invoke_callback+0x2ea/0x1d20 kernel/cpu.c:182 cpuhp_thread_fun+0x48e/0x7e0 kernel/cpu.c:571 smpboot_thread_fn+0x450/0x7c0 kernel/smpboot.c:164 kthread+0x37a/0x440 kernel/kthread.c:238 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441 -> #3 (cpuhp_state-up){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 cpuhp_lock_acquire kernel/cpu.c:85 [inline] cpuhp_invoke_ap_callback kernel/cpu.c:605 [inline] cpuhp_issue_call+0x1e5/0x520 kernel/cpu.c:1495 __cpuhp_setup_state_cpuslocked+0x282/0x600 kernel/cpu.c:1642 __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1671 cpuhp_setup_state include/linux/cpuhotplug.h:201 [inline] page_writeback_init+0x4d/0x71 mm/page-writeback.c:2081 pagecache_init+0x48/0x4f mm/filemap.c:977 start_kernel+0x6bc/0x74f init/main.c:695 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 -> #2 (cpuhp_state_mutex){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 __cpuhp_setup_state_cpuslocked+0x5b/0x600 kernel/cpu.c:1617 __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1671 cpuhp_setup_state_nocalls include/linux/cpuhotplug.h:229 [inline] kvm_guest_init+0x1f3/0x20f arch/x86/kernel/kvm.c:528 setup_arch+0x17e8/0x1a02 arch/x86/kernel/setup.c:1266 start_kernel+0xa5/0x74f init/main.c:530 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 -> #1 (cpu_hotplug_lock.rw_sem){++++}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] lru_add_drain_all+0xe/0x20 mm/swap.c:729 shmem_wait_for_pins mm/shmem.c:2672 [inline] shmem_add_seals+0x3df/0x1060 mm/shmem.c:2780 shmem_fcntl+0xfe/0x130 mm/shmem.c:2815 do_fcntl+0x73e/0x1160 fs/fcntl.c:421 SYSC_fcntl fs/fcntl.c:463 [inline] SyS_fcntl+0xdc/0x120 fs/fcntl.c:448 entry_SYSCALL_64_fastpath+0x1f/0x96 -> #0 (&sb->s_type->i_mutex_key#10){++++}: check_prevs_add kernel/locking/lockdep.c:2031 [inline] validate_chain kernel/locking/lockdep.c:2473 [inline] __lock_acquire+0x3498/0x47f0 kernel/locking/lockdep.c:3500 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 down_write+0x87/0x120 kernel/locking/rwsem.c:70 inode_lock include/linux/fs.h:713 [inline] generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289 call_write_iter include/linux/fs.h:1772 [inline] do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:653 do_iter_write+0x15a/0x540 fs/read_write.c:932 vfs_iter_write+0x77/0xb0 fs/read_write.c:945 iter_file_splice_write+0x7db/0xf30 fs/splice.c:749 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1147 [inline] SYSC_splice fs/splice.c:1402 [inline] SyS_splice+0x7d5/0x1630 fs/splice.c:1382 entry_SYSCALL_64_fastpath+0x1f/0x96 other info that might help us debug this: Chain exists of: &sb->s_type->i_mutex_key#10 --> sb_writers --> &pipe->mutex/1 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&pipe->mutex/1); lock(sb_writers); lock(&pipe->mutex/1); lock(&sb->s_type->i_mutex_key#10); *** DEADLOCK *** 2 locks held by syz-executor5/17480: #0: (sb_writers#6){.+.+}, at: [<0000000008ff5283>] file_start_write include/linux/fs.h:2715 [inline] #0: (sb_writers#6){.+.+}, at: [<0000000008ff5283>] do_splice fs/splice.c:1146 [inline] #0: (sb_writers#6){.+.+}, at: [<0000000008ff5283>] SYSC_splice fs/splice.c:1402 [inline] #0: (sb_writers#6){.+.+}, at: [<0000000008ff5283>] SyS_splice+0x1117/0x1630 fs/splice.c:1382 #1: (&pipe->mutex/1){+.+.}, at: [<0000000085e274af>] pipe_lock_nested fs/pipe.c:67 [inline] #1: (&pipe->mutex/1){+.+.}, at: [<0000000085e274af>] pipe_lock+0x56/0x70 fs/pipe.c:75 stack backtrace: CPU: 0 PID: 17480 Comm: syz-executor5 Not tainted 4.15.0-rc3+ #218 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_circular_bug+0x42d/0x610 kernel/locking/lockdep.c:1271 check_prev_add+0x666/0x15f0 kernel/locking/lockdep.c:1914 check_prevs_add kernel/locking/lockdep.c:2031 [inline] validate_chain kernel/locking/lockdep.c:2473 [inline] __lock_acquire+0x3498/0x47f0 kernel/locking/lockdep.c:3500 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 down_write+0x87/0x120 kernel/locking/rwsem.c:70 inode_lock include/linux/fs.h:713 [inline] generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289 call_write_iter include/linux/fs.h:1772 [inline] do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:653 do_iter_write+0x15a/0x540 fs/read_write.c:932 vfs_iter_write+0x77/0xb0 fs/read_write.c:945 iter_file_splice_write+0x7db/0xf30 fs/splice.c:749 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1147 [inline] SYSC_splice fs/splice.c:1402 [inline] SyS_splice+0x7d5/0x1630 fs/splice.c:1382 entry_SYSCALL_64_fastpath+0x1f/0x96 RIP: 0033:0x452a39 RSP: 002b:00007f51da7f7c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 00000000007580d8 RCX: 0000000000452a39 RDX: 0000000000000013 RSI: 0000000000000000 RDI: 0000000000000016 RBP: 0000000000000589 R08: 00040400000007ff R09: 0000000000000002 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6578 R13: 00000000ffffffff R14: 00007f51da7f86d4 R15: 0000000000000009 device gre0 entered promiscuous mode encrypted_key: insufficient parameters specified encrypted_key: insufficient parameters specified device gre0 entered promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 'syz-executor0': attribute type 2 has an invalid length. device lo entered promiscuous mode netlink: 'syz-executor0': attribute type 2 has an invalid length. kauditd_printk_skb: 715 callbacks suppressed audit: type=1326 audit(1513101449.733:3038): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101449.740:3039): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101449.768:3040): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=288 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101449.769:3041): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101449.769:3042): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101449.770:3043): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=54 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101449.771:3044): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101449.771:3045): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101449.775:3046): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=173 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101449.775:3047): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17947 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 binder: 17982:17987 ioctl 40046205 1 returned -22 encrypted_key: master key parameter 'duX(c5m{M`{]g_ÝH9m' is invalid binder: 17982:17987 transaction failed 29189/-22, size 64-48 line 2775 encrypted_key: master key parameter 'duX(c5m{M`{]g_ÝH9m' is invalid binder: 17982:18001 ioctl 40046205 1 returned -22 binder: 17982:17987 transaction failed 29189/-22, size 64-48 line 2775 QAT: Invalid ioctl Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable QAT: Invalid ioctl Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable device lo entered promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode RDS: rds_bind could not find a transport for 224.0.0.2, load rds_tcp or rds_rdma? sg_write: data in/out 327644/118 bytes for SCSI command 0xec-- guessing data in; program syz-executor6 not setting count and/or reply_len properly sg_write: data in/out 327644/118 bytes for SCSI command 0xec-- guessing data in; program syz-executor6 not setting count and/or reply_len properly device lo entered promiscuous mode nla_parse: 2 callbacks suppressed netlink: 18 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 18 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 'syz-executor1': attribute type 5 has an invalid length. netlink: 11 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 'syz-executor1': attribute type 5 has an invalid length. device gre0 entered promiscuous mode sctp: [Deprecated]: syz-executor6 (pid 18601) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead sctp: [Deprecated]: syz-executor6 (pid 18623) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead Started in network mode Own node address <224.1700.2439>, network identity 4711 device gre0 entered promiscuous mode netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'. binder: BINDER_SET_CONTEXT_MGR already set binder: 18824:18838 ioctl 40046207 0 returned -16 netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'. dccp_close: ABORT with 38 bytes unread netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'. device gre0 entered promiscuous mode netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'. device gre0 entered promiscuous mode netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. device syz6 entered promiscuous mode netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. IPv6: Can't replace route, no match found IPv6: Can't replace route, no match found device lo entered promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode kauditd_printk_skb: 327 callbacks suppressed audit: type=1326 audit(1513101455.623:3375): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101455.632:3376): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=85 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101455.632:3377): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101455.632:3378): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101455.665:3379): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=16 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101455.666:3380): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101455.666:3381): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101455.668:3382): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=55 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101455.668:3383): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 audit: type=1326 audit(1513101455.669:3384): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19268 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=19514 comm=syz-executor6 binder_alloc: 19445: binder_alloc_buf, no vma binder: 19445:19447 transaction failed 29189/-3, size 0-0 line 2890 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=19518 comm=syz-executor6 binder: BINDER_SET_CONTEXT_MGR already set binder: 19445:19523 ioctl 40046207 0 returned -16 binder: 19445:19447 Release 1 refcount change on invalid ref 0 ret -22 binder_alloc: 19445: binder_alloc_buf, no vma binder: 19445:19447 transaction failed 29189/-3, size 0-0 line 2890 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189