overlayfs: failed to clone lowerpath
============================================
WARNING: possible recursive locking detected
4.19.211-syzkaller #0 Not tainted
--------------------------------------------
overlayfs: failed to clone upperpath
syz-executor.0/23712 is trying to acquire lock:
000000000b80ca9b (_xmit_ETHER#2){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
000000000b80ca9b (_xmit_ETHER#2){+.-.}, at: __netif_tx_lock include/linux/netdevice.h:3842 [inline]
000000000b80ca9b (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x254/0xf70 net/sched/sch_generic.c:330

but task is already holding lock:
000000001ebfa3fc (_xmit_ETHER#2){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
000000001ebfa3fc (_xmit_ETHER#2){+.-.}, at: __netif_tx_lock include/linux/netdevice.h:3842 [inline]
000000001ebfa3fc (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x254/0xf70 net/sched/sch_generic.c:330

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(_xmit_ETHER#2);
  lock(_xmit_ETHER#2);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

14 locks held by syz-executor.0/23712:
 #0: 00000000a2277ad6 (rcu_read_lock){....}, at: l3mdev_l3_out include/net/l3mdev.h:172 [inline]
 #0: 00000000a2277ad6 (rcu_read_lock){....}, at: l3mdev_ip6_out include/net/l3mdev.h:193 [inline]
 #0: 00000000a2277ad6 (rcu_read_lock){....}, at: rawv6_send_hdrinc net/ipv6/raw.c:682 [inline]
 #0: 00000000a2277ad6 (rcu_read_lock){....}, at: rawv6_sendmsg+0x1e3d/0x36a0 net/ipv6/raw.c:947
 #1: 00000000df9381ee (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
 #1: 00000000df9381ee (rcu_read_lock_bh){....}, at: ip6_finish_output2+0x1f2/0x2290 net/ipv6/ip6_output.c:106
 #2: 00000000df9381ee (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x1e2/0x2e00 net/core/dev.c:3773
 #3: 00000000583170fb (&(&sch->seqlock)->rlock){+...}, at: spin_trylock include/linux/spinlock.h:339 [inline]
 #3: 00000000583170fb (&(&sch->seqlock)->rlock){+...}, at: qdisc_run_begin include/net/sch_generic.h:130 [inline]
 #3: 00000000583170fb (&(&sch->seqlock)->rlock){+...}, at: qdisc_run include/net/pkt_sched.h:119 [inline]
 #3: 00000000583170fb (&(&sch->seqlock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3451 [inline]
 #3: 00000000583170fb (&(&sch->seqlock)->rlock){+...}, at: __dev_queue_xmit+0x278b/0x2e00 net/core/dev.c:3807
 #4: 0000000025a35cdb (dev->qdisc_running_key ?: &qdisc_running_key){+...}, at: neigh_resolve_output+0x55a/0x910 net/core/neighbour.c:1374
 #5: 000000001ebfa3fc (_xmit_ETHER#2){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
 #5: 000000001ebfa3fc (_xmit_ETHER#2){+.-.}, at: __netif_tx_lock include/linux/netdevice.h:3842 [inline]
 #5: 000000001ebfa3fc (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x254/0xf70 net/sched/sch_generic.c:330
 #6: 00000000938db9d4 (k-slock-AF_INET6){+.-.}, at: spin_trylock include/linux/spinlock.h:339 [inline]
 #6: 00000000938db9d4 (k-slock-AF_INET6){+.-.}, at: icmpv6_xmit_lock net/ipv6/icmp.c:119 [inline]
 #6: 00000000938db9d4 (k-slock-AF_INET6){+.-.}, at: icmp6_send+0x1086/0x22c0 net/ipv6/icmp.c:532
 #7: 00000000a2277ad6 (rcu_read_lock){....}, at: icmp6_send+0x170b/0x22c0 net/ipv6/icmp.c:565
 #8: 00000000df9381ee (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
 #8: 00000000df9381ee (rcu_read_lock_bh){....}, at: ip6_finish_output2+0x1f2/0x2290 net/ipv6/ip6_output.c:106
 #9: 00000000a2277ad6 (rcu_read_lock){....}, at: ip6_nd_hdr net/ipv6/ndisc.c:449 [inline]
 #9: 00000000a2277ad6 (rcu_read_lock){....}, at: ndisc_send_skb+0x857/0x1720 net/ipv6/ndisc.c:485
 #10: 00000000df9381ee (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
 #10: 00000000df9381ee (rcu_read_lock_bh){....}, at: ip6_finish_output2+0x1f2/0x2290 net/ipv6/ip6_output.c:106
 #11: 00000000df9381ee (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x1e2/0x2e00 net/core/dev.c:3773
 #12: 00000000bdbeee8e (&(&sch->seqlock)->rlock){+...}, at: spin_trylock include/linux/spinlock.h:339 [inline]
 #12: 00000000bdbeee8e (&(&sch->seqlock)->rlock){+...}, at: qdisc_run_begin include/net/sch_generic.h:130 [inline]
 #12: 00000000bdbeee8e (&(&sch->seqlock)->rlock){+...}, at: qdisc_run include/net/pkt_sched.h:119 [inline]
 #12: 00000000bdbeee8e (&(&sch->seqlock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3451 [inline]
 #12: 00000000bdbeee8e (&(&sch->seqlock)->rlock){+...}, at: __dev_queue_xmit+0x278b/0x2e00 net/core/dev.c:3807
 #13: 000000007ae86ed5 (dev->qdisc_running_key ?: &qdisc_running_key){+...}, at: neigh_resolve_output+0x55a/0x910 net/core/neighbour.c:1374

stack backtrace:
CPU: 1 PID: 23712 Comm: syz-executor.0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_deadlock_bug kernel/locking/lockdep.c:1764 [inline]
 check_deadlock kernel/locking/lockdep.c:1808 [inline]
 validate_chain kernel/locking/lockdep.c:2404 [inline]
 __lock_acquire.cold+0x121/0x57e kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 __netif_tx_lock include/linux/netdevice.h:3842 [inline]
 sch_direct_xmit+0x254/0xf70 net/sched/sch_generic.c:330
 qdisc_restart net/sched/sch_generic.c:395 [inline]
 __qdisc_run+0x4d0/0x1640 net/sched/sch_generic.c:403
 qdisc_run include/net/pkt_sched.h:120 [inline]
 __dev_xmit_skb net/core/dev.c:3451 [inline]
 __dev_queue_xmit+0x2102/0x2e00 net/core/dev.c:3807
 neigh_resolve_output+0x55a/0x910 net/core/neighbour.c:1374
 neigh_output include/net/neighbour.h:501 [inline]
 ip6_finish_output2+0x113d/0x2290 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x89b/0x10f0 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x205/0x770 net/ipv6/ip6_output.c:209
 dst_output include/net/dst.h:455 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ndisc_send_skb+0xa24/0x1720 net/ipv6/ndisc.c:491
 ndisc_send_ns+0x51d/0x840 net/ipv6/ndisc.c:633
 ndisc_solicit+0x2cd/0x500 net/ipv6/ndisc.c:725
 neigh_probe+0xcc/0x110 net/core/neighbour.c:916
 __neigh_event_send+0x387/0xf70 net/core/neighbour.c:1074
 neigh_event_send include/net/neighbour.h:436 [inline]
 neigh_resolve_output+0x6d8/0x910 net/core/neighbour.c:1358
 neigh_output include/net/neighbour.h:501 [inline]
 ip6_finish_output2+0x113d/0x2290 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x89b/0x10f0 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x205/0x770 net/ipv6/ip6_output.c:209
 dst_output include/net/dst.h:455 [inline]
 ip6_local_out+0xaf/0x170 net/ipv6/output_core.c:160
 ip6_send_skb+0xb3/0x300 net/ipv6/ip6_output.c:1741
 ip6_push_pending_frames+0xbd/0xe0 net/ipv6/ip6_output.c:1761
 icmpv6_push_pending_frames+0x294/0x470 net/ipv6/icmp.c:288
 icmp6_send+0x1c0f/0x22c0 net/ipv6/icmp.c:584
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x2d/0x4f0 net/ipv6/route.c:2297
 dst_link_failure include/net/dst.h:438 [inline]
 ip_tunnel_xmit+0x19d2/0x3850 net/ipv4/ip_tunnel.c:796
 erspan_xmit+0xd6e/0x27e0 net/ipv4/ip_gre.c:759
 __netdev_start_xmit include/linux/netdevice.h:4349 [inline]
 netdev_start_xmit include/linux/netdevice.h:4363 [inline]
 xmit_one net/core/dev.c:3256 [inline]
 dev_hard_start_xmit+0x1a8/0x920 net/core/dev.c:3272
 sch_direct_xmit+0x2d6/0xf70 net/sched/sch_generic.c:332
 qdisc_restart net/sched/sch_generic.c:395 [inline]
 __qdisc_run+0x4d0/0x1640 net/sched/sch_generic.c:403
 qdisc_run include/net/pkt_sched.h:120 [inline]
 __dev_xmit_skb net/core/dev.c:3451 [inline]
 __dev_queue_xmit+0x2102/0x2e00 net/core/dev.c:3807
 neigh_resolve_output+0x55a/0x910 net/core/neighbour.c:1374
 neigh_output include/net/neighbour.h:501 [inline]
 ip6_finish_output2+0x113d/0x2290 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x89b/0x10f0 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x205/0x770 net/ipv6/ip6_output.c:209
 dst_output include/net/dst.h:455 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 rawv6_send_hdrinc net/ipv6/raw.c:692 [inline]
 rawv6_sendmsg+0x202c/0x36a0 net/ipv6/raw.c:947
 inet_sendmsg+0x132/0x5a0 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 sock_write_iter+0x287/0x3c0 net/socket.c:966
 call_write_iter include/linux/fs.h:1821 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x51b/0x770 fs/read_write.c:487
 vfs_write+0x1f3/0x540 fs/read_write.c:549
 ksys_write+0x12b/0x2a0 fs/read_write.c:599
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f27b26cf5a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f27b1043168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f27b27f0f80 RCX: 00007f27b26cf5a9
RDX: 0000000000000050 RSI: 0000000020000100 RDI: 0000000000000004
RBP: 00007f27b272a560 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd2ea66e7f R14: 00007f27b1043300 R15: 0000000000022000
syz-executor.0 (23712) used greatest stack depth: 20824 bytes left
IPv6: ADDRCONF(NETDEV_UP): bridge7: link is not ready
device bridge7 entered promiscuous mode
team0: Port device bridge7 added
netlink: 'syz-executor.0': attribute type 14 has an invalid length.
netlink: 'syz-executor.0': attribute type 14 has an invalid length.
IPv6: ADDRCONF(NETDEV_UP): bridge8: link is not ready
device bridge8 entered promiscuous mode
team0: Port device bridge8 added
netlink: 'syz-executor.0': attribute type 14 has an invalid length.
netlink: 'syz-executor.0': attribute type 14 has an invalid length.
IPv6: ADDRCONF(NETDEV_UP): bridge9: link is not ready
device bridge9 entered promiscuous mode
team0: Port device bridge9 added
IPv6: ADDRCONF(NETDEV_UP): bridge13: link is not ready
device bridge13 entered promiscuous mode
team0: Port device bridge13 added
IPv6: ADDRCONF(NETDEV_UP): bridge10: link is not ready
device bridge10 entered promiscuous mode
team0: Port device bridge10 added
IPv6: ADDRCONF(NETDEV_UP): bridge14: link is not ready
device bridge14 entered promiscuous mode
team0: Port device bridge14 added
IPv6: ADDRCONF(NETDEV_UP): bridge15: link is not ready
new mount options do not match the existing superblock, will be ignored
device bridge15 entered promiscuous mode
team0: Port device bridge15 added
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 120 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 120 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 120 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 120 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 120 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 120 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 'syz-executor.4': attribute type 7 has an invalid length.
netlink: 'syz-executor.2': attribute type 7 has an invalid length.
netlink: 'syz-executor.4': attribute type 7 has an invalid length.
netlink: 'syz-executor.2': attribute type 7 has an invalid length.
netlink: 'syz-executor.4': attribute type 7 has an invalid length.
netlink: 'syz-executor.2': attribute type 7 has an invalid length.