hub 9-0:1.0: USB hub found hub 9-0:1.0: 8 ports detected ====================================================== WARNING: possible circular locking dependency detected 4.14.232-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.4/22339 is trying to acquire lock: (&sig->cred_guard_mutex){+.+.}, at: [] do_io_accounting fs/proc/base.c:2725 [inline] (&sig->cred_guard_mutex){+.+.}, at: [] proc_tgid_io_accounting+0x1b9/0x7a0 fs/proc/base.c:2774 but task is already holding lock: (&p->lock){+.+.}, at: [] seq_read+0xba/0x1120 fs/seq_file.c:165 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (&p->lock){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 seq_read+0xba/0x1120 fs/seq_file.c:165 do_loop_readv_writev fs/read_write.c:695 [inline] do_loop_readv_writev fs/read_write.c:682 [inline] do_iter_read+0x3eb/0x5b0 fs/read_write.c:919 vfs_readv+0xc8/0x120 fs/read_write.c:981 kernel_readv fs/splice.c:361 [inline] default_file_splice_read+0x418/0x910 fs/splice.c:416 do_splice_to+0xfb/0x140 fs/splice.c:880 splice_direct_to_actor+0x207/0x730 fs/splice.c:952 do_splice_direct+0x164/0x210 fs/splice.c:1061 do_sendfile+0x47f/0xb30 fs/read_write.c:1441 SYSC_sendfile64 fs/read_write.c:1502 [inline] SyS_sendfile64+0xff/0x110 fs/read_write.c:1488 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb -> #2 (sb_writers#3){.+.+}: percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] __sb_start_write+0x64/0x260 fs/super.c:1342 hub 9-0:1.0: USB hub found sb_start_write include/linux/fs.h:1549 [inline] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 hub 9-0:1.0: 8 ports detected ovl_do_remove+0x67/0xb90 fs/overlayfs/dir.c:759 vfs_rmdir.part.0+0x144/0x390 fs/namei.c:3908 vfs_rmdir fs/namei.c:3893 [inline] do_rmdir+0x334/0x3c0 fs/namei.c:3968 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb -> #1 (&ovl_i_mutex_dir_key[depth]){++++}: down_read+0x36/0x80 kernel/locking/rwsem.c:24 inode_lock_shared include/linux/fs.h:729 [inline] do_last fs/namei.c:3333 [inline] path_openat+0x149b/0x2970 fs/namei.c:3569 do_filp_open+0x179/0x3c0 fs/namei.c:3603 do_open_execat+0xd3/0x450 fs/exec.c:849 do_execveat_common+0x711/0x1f30 fs/exec.c:1755 do_execve fs/exec.c:1860 [inline] SYSC_execve fs/exec.c:1941 [inline] SyS_execve+0x3b/0x50 fs/exec.c:1936 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb -> #0 (&sig->cred_guard_mutex){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 do_io_accounting fs/proc/base.c:2725 [inline] proc_tgid_io_accounting+0x1b9/0x7a0 fs/proc/base.c:2774 proc_single_show+0xe7/0x150 fs/proc/base.c:761 seq_read+0x4cf/0x1120 fs/seq_file.c:237 __vfs_read+0xe4/0x620 fs/read_write.c:411 vfs_read+0x139/0x340 fs/read_write.c:447 SYSC_read fs/read_write.c:574 [inline] SyS_read+0xf2/0x210 fs/read_write.c:567 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb other info that might help us debug this: Chain exists of: &sig->cred_guard_mutex --> sb_writers#3 --> &p->lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&p->lock); lock(sb_writers#3); lock(&p->lock); lock(&sig->cred_guard_mutex); *** DEADLOCK *** 2 locks held by syz-executor.4/22339: #0: (&f->f_pos_lock){+.+.}, at: [] __fdget_pos+0x1fb/0x2b0 fs/file.c:769 #1: (&p->lock){+.+.}, at: [] seq_read+0xba/0x1120 fs/seq_file.c:165 stack backtrace: CPU: 0 PID: 22339 Comm: syz-executor.4 Not tainted 4.14.232-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 do_io_accounting fs/proc/base.c:2725 [inline] proc_tgid_io_accounting+0x1b9/0x7a0 fs/proc/base.c:2774 proc_single_show+0xe7/0x150 fs/proc/base.c:761 seq_read+0x4cf/0x1120 fs/seq_file.c:237 __vfs_read+0xe4/0x620 fs/read_write.c:411 vfs_read+0x139/0x340 fs/read_write.c:447 SYSC_read fs/read_write.c:574 [inline] SyS_read+0xf2/0x210 fs/read_write.c:567 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x4665f9 RSP: 002b:00007f51e7822188 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9 RDX: 0000000000002020 RSI: 0000000020000000 RDI: 0000000000000005 RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60 R13: 00007fff1a6a813f R14: 00007f51e7822300 R15: 0000000000022000 capability: warning: `syz-executor.4' uses 32-bit capabilities (legacy support in use) audit: type=1804 audit(1619884520.716:153): pid=22403 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir403113708/syzkaller.mqK2PD/121/bus" dev="sda1" ino=14926 res=1 audit: type=1804 audit(1619884521.726:154): pid=22454 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir403113708/syzkaller.mqK2PD/122/bus" dev="sda1" ino=14926 res=1 device bridge2 entered promiscuous mode ip_tables: iptables: counters copy to user failed while replacing table device bridge3 entered promiscuous mode ip_tables: iptables: counters copy to user failed while replacing table netlink: 156 bytes leftover after parsing attributes in process `syz-executor.3'. device bridge4 entered promiscuous mode device bridge5 entered promiscuous mode device bridge6 entered promiscuous mode xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables ip6_tables: ip6tables: counters copy to user failed while replacing table device bridge7 entered promiscuous mode device bridge8 entered promiscuous mode audit: type=1804 audit(1619884525.756:155): pid=22604 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.3" name="/root/syzkaller-testdir403113708/syzkaller.mqK2PD/130/file0/bus" dev="ramfs" ino=60760 res=1 device bridge9 entered promiscuous mode device bridge10 entered promiscuous mode device bridge11 entered promiscuous mode device bridge12 entered promiscuous mode device bridge13 entered promiscuous mode device bridge1 entered promiscuous mode tmpfs: No value for mount option 'F9A' tmpfs: No value for mount option 'F9A' device bridge14 entered promiscuous mode tmpfs: No value for mount option '\l(^ëen:˪-M'zB$Dž6m3|!WU[)8ݼ{ݑK3O' device bridge15 entered promiscuous mode