hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
======================================================
WARNING: possible circular locking dependency detected
4.14.232-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/22339 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff81a03109>] do_io_accounting fs/proc/base.c:2725 [inline]
 (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff81a03109>] proc_tgid_io_accounting+0x1b9/0x7a0 fs/proc/base.c:2774

but task is already holding lock:
 (&p->lock){+.+.}, at: [<ffffffff818e979a>] seq_read+0xba/0x1120 fs/seq_file.c:165

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&p->lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       seq_read+0xba/0x1120 fs/seq_file.c:165
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
       vfs_readv+0xc8/0x120 fs/read_write.c:981
       kernel_readv fs/splice.c:361 [inline]
       default_file_splice_read+0x418/0x910 fs/splice.c:416
       do_splice_to+0xfb/0x140 fs/splice.c:880
       splice_direct_to_actor+0x207/0x730 fs/splice.c:952
       do_splice_direct+0x164/0x210 fs/splice.c:1061
       do_sendfile+0x47f/0xb30 fs/read_write.c:1441
       SYSC_sendfile64 fs/read_write.c:1502 [inline]
       SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #2 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
hub 9-0:1.0: USB hub found
       sb_start_write include/linux/fs.h:1549 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
hub 9-0:1.0: 8 ports detected
       ovl_do_remove+0x67/0xb90 fs/overlayfs/dir.c:759
       vfs_rmdir.part.0+0x144/0x390 fs/namei.c:3908
       vfs_rmdir fs/namei.c:3893 [inline]
       do_rmdir+0x334/0x3c0 fs/namei.c:3968
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&ovl_i_mutex_dir_key[depth]){++++}:
       down_read+0x36/0x80 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:729 [inline]
       do_last fs/namei.c:3333 [inline]
       path_openat+0x149b/0x2970 fs/namei.c:3569
       do_filp_open+0x179/0x3c0 fs/namei.c:3603
       do_open_execat+0xd3/0x450 fs/exec.c:849
       do_execveat_common+0x711/0x1f30 fs/exec.c:1755
       do_execve fs/exec.c:1860 [inline]
       SYSC_execve fs/exec.c:1941 [inline]
       SyS_execve+0x3b/0x50 fs/exec.c:1936
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&sig->cred_guard_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       do_io_accounting fs/proc/base.c:2725 [inline]
       proc_tgid_io_accounting+0x1b9/0x7a0 fs/proc/base.c:2774
       proc_single_show+0xe7/0x150 fs/proc/base.c:761
       seq_read+0x4cf/0x1120 fs/seq_file.c:237
       __vfs_read+0xe4/0x620 fs/read_write.c:411
       vfs_read+0x139/0x340 fs/read_write.c:447
       SYSC_read fs/read_write.c:574 [inline]
       SyS_read+0xf2/0x210 fs/read_write.c:567
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &sig->cred_guard_mutex --> sb_writers#3 --> &p->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&p->lock);
                               lock(sb_writers#3);
                               lock(&p->lock);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

2 locks held by syz-executor.4/22339:
 #0:  (&f->f_pos_lock){+.+.}, at: [<ffffffff818d39ab>] __fdget_pos+0x1fb/0x2b0 fs/file.c:769
 #1:  (&p->lock){+.+.}, at: [<ffffffff818e979a>] seq_read+0xba/0x1120 fs/seq_file.c:165

stack backtrace:
CPU: 0 PID: 22339 Comm: syz-executor.4 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 do_io_accounting fs/proc/base.c:2725 [inline]
 proc_tgid_io_accounting+0x1b9/0x7a0 fs/proc/base.c:2774
 proc_single_show+0xe7/0x150 fs/proc/base.c:761
 seq_read+0x4cf/0x1120 fs/seq_file.c:237
 __vfs_read+0xe4/0x620 fs/read_write.c:411
 vfs_read+0x139/0x340 fs/read_write.c:447
 SYSC_read fs/read_write.c:574 [inline]
 SyS_read+0xf2/0x210 fs/read_write.c:567
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x4665f9
RSP: 002b:00007f51e7822188 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
RDX: 0000000000002020 RSI: 0000000020000000 RDI: 0000000000000005
RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007fff1a6a813f R14: 00007f51e7822300 R15: 0000000000022000
capability: warning: `syz-executor.4' uses 32-bit capabilities (legacy support in use)
audit: type=1804 audit(1619884520.716:153): pid=22403 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir403113708/syzkaller.mqK2PD/121/bus" dev="sda1" ino=14926 res=1
audit: type=1804 audit(1619884521.726:154): pid=22454 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir403113708/syzkaller.mqK2PD/122/bus" dev="sda1" ino=14926 res=1
device bridge2 entered promiscuous mode
ip_tables: iptables: counters copy to user failed while replacing table
device bridge3 entered promiscuous mode
ip_tables: iptables: counters copy to user failed while replacing table
netlink: 156 bytes leftover after parsing attributes in process `syz-executor.3'.
device bridge4 entered promiscuous mode
device bridge5 entered promiscuous mode
device bridge6 entered promiscuous mode
xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables
ip6_tables: ip6tables: counters copy to user failed while replacing table
device bridge7 entered promiscuous mode
device bridge8 entered promiscuous mode
audit: type=1804 audit(1619884525.756:155): pid=22604 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.3" name="/root/syzkaller-testdir403113708/syzkaller.mqK2PD/130/file0/bus" dev="ramfs" ino=60760 res=1
device bridge9 entered promiscuous mode
device bridge10 entered promiscuous mode
device bridge11 entered promiscuous mode
device bridge12 entered promiscuous mode
device bridge13 entered promiscuous mode
device bridge1 entered promiscuous mode
tmpfs: No value for mount option 'ê¡úF9â£A¤ò»ôœ'
tmpfs: No value for mount option 'ê¡úF9â£A¤ò»ôœ'
device bridge14 entered promiscuous mode
tmpfs: No value for mount option '‚¸\l(‘¢^Ã«en:Ëª¦-Møà—Í'z²¬B”$ðúÇ…ÿ¿«6m3ã|ÒØ!ùWëÓÛëU‡µÇú·[…)8½¤Ý¼œ{¦Ý‘ ºŸ²©‘Íëâ×ÉÉKš3O'
device bridge15 entered promiscuous mode