======================================================
WARNING: possible circular locking dependency detected
4.20.0-rc1-next-20181109+ #110 Not tainted
------------------------------------------------------
kworker/0:1/25702 is trying to acquire lock:
000000008c73a0b9 (&sb->s_type->i_mutex_key#10){++++}, at: inode_lock include/linux/fs.h:764 [inline]
000000008c73a0b9 (&sb->s_type->i_mutex_key#10){++++}, at: __generic_file_fsync+0xb5/0x200 fs/libfs.c:999

but task is already holding lock:
000000007fed2d3a ((work_completion)(&dio->complete_work)){+.+.}, at: process_one_work+0xb9a/0x1c40 kernel/workqueue.c:2128

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 ((work_completion)(&dio->complete_work)){+.+.}:
       process_one_work+0xc0a/0x1c40 kernel/workqueue.c:2129
       worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
       kthread+0x35a/0x440 kernel/kthread.c:246
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

-> #1 ((wq_completion)"dio/%s"sb->s_id){+.+.}:
       flush_workqueue+0x30a/0x1e10 kernel/workqueue.c:2655
       drain_workqueue+0x2a9/0x640 kernel/workqueue.c:2820
       destroy_workqueue+0xc6/0x9c0 kernel/workqueue.c:4155
       __alloc_workqueue_key+0xe56/0x10a0 kernel/workqueue.c:4138
       sb_init_dio_done_wq+0x37/0x90 fs/direct-io.c:623
       dio_set_defer_completion fs/direct-io.c:646 [inline]
       get_more_blocks fs/direct-io.c:723 [inline]
       do_direct_IO+0x503a/0xc110 fs/direct-io.c:1001
       do_blockdev_direct_IO+0x131e/0xa340 fs/direct-io.c:1333
       __blockdev_direct_IO+0x9d/0xc6 fs/direct-io.c:1419
       ext4_direct_IO_write fs/ext4/inode.c:3774 [inline]
       ext4_direct_IO+0xbdc/0x2220 fs/ext4/inode.c:3901
       generic_file_direct_write+0x275/0x4b0 mm/filemap.c:3043
       __generic_file_write_iter+0x2ff/0x630 mm/filemap.c:3222
       ext4_file_write_iter+0x390/0x1420 fs/ext4/file.c:266
       call_write_iter include/linux/fs.h:1867 [inline]
       aio_write+0x3b1/0x610 fs/aio.c:1562
       io_submit_one+0xaa1/0xf80 fs/aio.c:1836
       __do_sys_io_submit fs/aio.c:1917 [inline]
       __se_sys_io_submit fs/aio.c:1888 [inline]
       __x64_sys_io_submit+0x1ab/0x580 fs/aio.c:1888
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&sb->s_type->i_mutex_key#10){++++}:
       lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
       down_write+0x8a/0x130 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:764 [inline]
       __generic_file_fsync+0xb5/0x200 fs/libfs.c:999
       ext4_sync_file+0xa45/0x1500 fs/ext4/fsync.c:120
       vfs_fsync_range+0x140/0x220 fs/sync.c:197
       generic_write_sync include/linux/fs.h:2799 [inline]
       dio_complete+0x75c/0x9e0 fs/direct-io.c:329
       dio_aio_complete_work+0x20/0x30 fs/direct-io.c:341
       process_one_work+0xc8b/0x1c40 kernel/workqueue.c:2153
       worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
       kthread+0x35a/0x440 kernel/kthread.c:246
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#10 --> (wq_completion)"dio/%s"sb->s_id --> (work_completion)(&dio->complete_work)

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock((work_completion)(&dio->complete_work));
                               lock((wq_completion)"dio/%s"sb->s_id);
                               lock((work_completion)(&dio->complete_work));
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

2 locks held by kworker/0:1/25702:
 #0: 000000001a2ac81d ((wq_completion)"dio/%s"sb->s_id){+.+.}, at: __write_once_size include/linux/compiler.h:209 [inline]
 #0: 000000001a2ac81d ((wq_completion)"dio/%s"sb->s_id){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 000000001a2ac81d ((wq_completion)"dio/%s"sb->s_id){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline]
 #0: 000000001a2ac81d ((wq_completion)"dio/%s"sb->s_id){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline]
 #0: 000000001a2ac81d ((wq_completion)"dio/%s"sb->s_id){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: 000000001a2ac81d ((wq_completion)"dio/%s"sb->s_id){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 000000001a2ac81d ((wq_completion)"dio/%s"sb->s_id){+.+.}, at: process_one_work+0xb43/0x1c40 kernel/workqueue.c:2124
 #1: 000000007fed2d3a ((work_completion)(&dio->complete_work)){+.+.}, at: process_one_work+0xb9a/0x1c40 kernel/workqueue.c:2128

stack backtrace:
CPU: 0 PID: 25702 Comm: kworker/0:1 Not tainted 4.20.0-rc1-next-20181109+ #110
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: dio/sda1 dio_aio_complete_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_circular_bug.isra.35.cold.56+0x1bd/0x27d kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2347 [inline]
 __lock_acquire+0x3399/0x4c20 kernel/locking/lockdep.c:3341
 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
 down_write+0x8a/0x130 kernel/locking/rwsem.c:70
 inode_lock include/linux/fs.h:764 [inline]
 __generic_file_fsync+0xb5/0x200 fs/libfs.c:999
 ext4_sync_file+0xa45/0x1500 fs/ext4/fsync.c:120
 vfs_fsync_range+0x140/0x220 fs/sync.c:197
 generic_write_sync include/linux/fs.h:2799 [inline]
 dio_complete+0x75c/0x9e0 fs/direct-io.c:329
 dio_aio_complete_work+0x20/0x30 fs/direct-io.c:341
 process_one_work+0xc8b/0x1c40 kernel/workqueue.c:2153
 worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
 kthread+0x35a/0x440 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
audit: type=1804 audit(2000000395.148:1003): pid=28822 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor1" name="bus" dev="sda1" ino=17192 res=1
audit: type=1804 audit(2000000395.198:1004): pid=28842 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor1" name="bus" dev="sda1" ino=17192 res=1
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
audit: type=1804 audit(2000000395.348:1005): pid=28842 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor1" name="bus" dev="sda1" ino=17192 res=1
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
audit: type=1804 audit(2000000395.368:1006): pid=28844 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor1" name="bus" dev="sda1" ino=17192 res=1
audit: type=1804 audit(2000000395.398:1007): pid=28822 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor1" name="bus" dev="sda1" ino=17192 res=1
audit: type=1804 audit(2000000395.408:1008): pid=28822 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor1" name="bus" dev="sda1" ino=17192 res=1
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
audit: type=1804 audit(2000000395.558:1009): pid=28860 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor1" name="bus" dev="sda1" ino=17183 res=1
audit: type=1804 audit(2000000395.598:1010): pid=28861 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor1" name="bus" dev="sda1" ino=17183 res=1
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
audit: type=1804 audit(2000000395.998:1011): pid=28869 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor1" name="bus" dev="sda1" ino=17191 res=1
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
audit: type=1804 audit(2000000396.078:1012): pid=28879 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor1" name="bus" dev="sda1" ino=17191 res=1
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
overlayfs: unrecognized mount option "Workdir=./buS" or missing value
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
netlink: 12 bytes leftover after parsing attributes in process `syz-executor1'.
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
netlink: 12 bytes leftover after parsing attributes in process `syz-executor1'.
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
netlink: 12 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor1'.
syz-executor3 invoked oom-killer: gfp_mask=0x7080c0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), nodemask=(null), order=0, oom_score_adj=0
syz-executor3 cpuset=syz3 mems_allowed=0
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
CPU: 0 PID: 6056 Comm: syz-executor3 Not tainted 4.20.0-rc1-next-20181109+ #110
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 dump_header+0x27b/0xf72 mm/oom_kill.c:441
 oom_kill_process.cold.27+0x10/0x903 mm/oom_kill.c:953
 out_of_memory+0xa7f/0x1430 mm/oom_kill.c:1120
 mem_cgroup_out_of_memory+0x15e/0x210 mm/memcontrol.c:1386
 mem_cgroup_oom mm/memcontrol.c:1703 [inline]
 try_charge+0xdcd/0x1720 mm/memcontrol.c:2260
 memcg_kmem_charge_memcg+0x7c/0x120 mm/memcontrol.c:2568
 memcg_kmem_charge+0x149/0x350 mm/memcontrol.c:2601
 __alloc_pages_nodemask+0x89c/0xdd0 mm/page_alloc.c:4395
 alloc_pages_current+0x173/0x350 mm/mempolicy.c:2080
 alloc_pages include/linux/gfp.h:509 [inline]
 pmd_alloc_one arch/x86/include/asm/pgalloc.h:102 [inline]
 __pmd_alloc+0x3e/0x450 mm/memory.c:4007
 pmd_alloc include/linux/mm.h:1847 [inline]
 copy_pmd_range mm/memory.c:886 [inline]
 copy_pud_range mm/memory.c:940 [inline]
 copy_p4d_range mm/memory.c:962 [inline]
 copy_page_range+0x1f6c/0x2ee0 mm/memory.c:1024
 dup_mmap kernel/fork.c:585 [inline]
 dup_mm kernel/fork.c:1318 [inline]
 copy_mm kernel/fork.c:1373 [inline]
 copy_process+0x45ea/0x8790 kernel/fork.c:1917
 _do_fork+0x1cb/0x11c0 kernel/fork.c:2216
 __do_sys_clone kernel/fork.c:2323 [inline]
 __se_sys_clone kernel/fork.c:2317 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2317
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455b1a
Code: f7 d8 64 89 04 25 d4 02 00 00 64 4c 8b 0c 25 10 00 00 00 31 d2 4d 8d 91 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 f5 00 00 00 85 c0 41 89 c5 0f 85 fc 00 00
RSP: 002b:00007ffd675f00c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007ffd675f00c0 RCX: 0000000000455b1a
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007ffd675f0100 R08: 0000000000000001 R09: 0000000002298940
R10: 0000000002298c10 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000003
Task in /syz3 killed as a result of limit of /syz3
memory: usage 307176kB, limit 307200kB, failcnt 846
memory+swap: usage 0kB, limit 9007199254740988kB, failcnt 0
kmem: usage 0kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz3: cache:3020KB rss:269140KB rss_huge:256000KB shmem:996KB mapped_file:0KB dirty:0KB writeback:0KB swap:0KB inactive_anon:1032KB active_anon:269308KB inactive_file:0KB active_file:0KB unevictable:1784KB
Memory cgroup out of memory: Kill process 15416 (syz-executor3) score 123 or sacrifice child
Killed process 15417 (syz-executor3) total-vm:70336kB, anon-rss:2212kB, file-rss:32768kB, shmem-rss:0kB
oom_reaper: reaped process 15417 (syz-executor3), now anon-rss:0kB, file-rss:32768kB, shmem-rss:0kB
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'kvm' (0000000013bfa73f): kobject_uevent_env
kobject: 'kvm' (0000000013bfa73f): fill_kobj_path: path = '/devices/virtual/misc/kvm'
kobject: 'kvm' (0000000013bfa73f): kobject_uevent_env
kobject: 'kvm' (0000000013bfa73f): fill_kobj_path: path = '/devices/virtual/misc/kvm'
kobject: 'loop5' (000000001b99ee92): kobject_uevent_env
kobject: 'loop5' (000000001b99ee92): fill_kobj_path: path = '/devices/virtual/block/loop5'