audit: type=1804 audit(1558163064.704:55): pid=16867 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir491535868/syzkaller.3ntjNi/509/file0" dev="sda1" ino=16823 res=1

======================================================
WARNING: possible circular locking dependency detected
4.19.44 #16 Not tainted
------------------------------------------------------
syz-executor.4/16876 is trying to acquire lock:
000000009e432073 (&acct->lock#2){+.+.}, at: acct_pin_kill+0x27/0x100 kernel/acct.c:173

but task is already holding lock:
000000000f176db1 (sb_writers#4){.+.+}, at: sb_start_write include/linux/fs.h:1578 [inline]
000000000f176db1 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0 fs/namespace.c:360

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (sb_writers#4){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x20b/0x360 fs/super.c:1387
       sb_start_write include/linux/fs.h:1578 [inline]
       mnt_want_write+0x3f/0xc0 fs/namespace.c:360
       ovl_want_write+0x76/0xa0 fs/overlayfs/util.c:24
       ovl_link+0x7c/0x2d5 fs/overlayfs/dir.c:674
       vfs_link+0x79f/0xb60 fs/namei.c:4240
       do_linkat+0x550/0x770 fs/namei.c:4308
       __do_sys_link fs/namei.c:4337 [inline]
       __se_sys_link fs/namei.c:4335 [inline]
       __x64_sys_link+0x61/0x80 fs/namei.c:4335
       do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&ovl_i_mutex_key[depth]){+.+.}:
       down_write+0x38/0x90 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:747 [inline]
       ovl_write_iter+0x148/0xc20 fs/overlayfs/file.c:231
       call_write_iter include/linux/fs.h:1820 [inline]
       new_sync_write fs/read_write.c:474 [inline]
       __vfs_write+0x587/0x810 fs/read_write.c:487
       __kernel_write+0x110/0x390 fs/read_write.c:506
       do_acct_process+0xd37/0x1150 kernel/acct.c:520
       slow_acct_process kernel/acct.c:579 [inline]
       acct_process+0x568/0x61e kernel/acct.c:605
       do_exit+0x17be/0x2fa0 kernel/exit.c:866
       do_group_exit+0x135/0x370 kernel/exit.c:979
       __do_sys_exit_group kernel/exit.c:990 [inline]
       __se_sys_exit_group kernel/exit.c:988 [inline]
       __x64_sys_exit_group+0x44/0x50 kernel/exit.c:988
       do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&acct->lock#2){+.+.}:
       lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       acct_pin_kill+0x27/0x100 kernel/acct.c:173
       pin_kill+0x18a/0x860 fs/fs_pin.c:50
       acct_on+0x574/0x790 kernel/acct.c:254
       __do_sys_acct kernel/acct.c:286 [inline]
       __se_sys_acct kernel/acct.c:273 [inline]
       __x64_sys_acct+0xae/0x200 kernel/acct.c:273
       do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  &acct->lock#2 --> &ovl_i_mutex_key[depth] --> sb_writers#4

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sb_writers#4);
                               lock(&ovl_i_mutex_key[depth]);
                               lock(sb_writers#4);
  lock(&acct->lock#2);

 *** DEADLOCK ***

2 locks held by syz-executor.4/16876:
 #0: 00000000febcbdc7 (acct_on_mutex){+.+.}, at: __do_sys_acct kernel/acct.c:285 [inline]
 #0: 00000000febcbdc7 (acct_on_mutex){+.+.}, at: __se_sys_acct kernel/acct.c:273 [inline]
 #0: 00000000febcbdc7 (acct_on_mutex){+.+.}, at: __x64_sys_acct+0xa6/0x200 kernel/acct.c:273
 #1: 000000000f176db1 (sb_writers#4){.+.+}, at: sb_start_write include/linux/fs.h:1578 [inline]
 #1: 000000000f176db1 (sb_writers#4){.+.+}, at: mnt_want_write+0x3f/0xc0 fs/namespace.c:360

stack backtrace:
CPU: 1 PID: 16876 Comm: syz-executor.4 Not tainted 4.19.44 #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1861 [inline]
 check_prevs_add kernel/locking/lockdep.c:1974 [inline]
 validate_chain kernel/locking/lockdep.c:2415 [inline]
 __lock_acquire+0x2e6d/0x48f0 kernel/locking/lockdep.c:3411
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
 __mutex_lock_common kernel/locking/mutex.c:925 [inline]
 __mutex_lock+0xf7/0x1300 kernel/locking/mutex.c:1072
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
 acct_pin_kill+0x27/0x100 kernel/acct.c:173
 pin_kill+0x18a/0x860 fs/fs_pin.c:50
 acct_on+0x574/0x790 kernel/acct.c:254
 __do_sys_acct kernel/acct.c:286 [inline]
 __se_sys_acct kernel/acct.c:273 [inline]
 __x64_sys_acct+0xae/0x200 kernel/acct.c:273
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458da9
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe4d29d7c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a3
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000458da9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000100
RBP: 000000000073c040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe4d29d86d4
R13: 00000000004beccc R14: 00000000004cfc70 R15: 00000000ffffffff
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed