device bridge1 entered promiscuous mode
overlayfs: missing 'lowerdir'
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/10136 is trying to acquire lock:
000000005b586282 ((wq_completion)"dio/%s"sb->s_id){+.+.}, at: flush_workqueue+0xe8/0x13e0 kernel/workqueue.c:2658

but task is already holding lock:
000000001af3abea (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_trylock include/linux/fs.h:768 [inline]
000000001af3abea (&sb->s_type->i_mutex_key#10){+.+.}, at: ext4_file_write_iter+0x21f/0xf20 fs/ext4/file.c:238

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&sb->s_type->i_mutex_key#10){+.+.}:
       inode_lock include/linux/fs.h:748 [inline]
       __generic_file_fsync+0xb0/0x1f0 fs/libfs.c:989
       ext4_sync_file+0xa35/0x1420 fs/ext4/fsync.c:118
       vfs_fsync_range+0x13a/0x220 fs/sync.c:197
       generic_write_sync include/linux/fs.h:2750 [inline]
       dio_complete+0x763/0xac0 fs/direct-io.c:329
       process_one_work+0x864/0x1570 kernel/workqueue.c:2153
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #1 ((work_completion)(&dio->complete_work)){+.+.}:
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #0 ((wq_completion)"dio/%s"sb->s_id){+.+.}:
       flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661
       drain_workqueue+0x1a5/0x460 kernel/workqueue.c:2826
       destroy_workqueue+0x75/0x790 kernel/workqueue.c:4183
       sb_init_dio_done_wq+0x72/0x90 fs/direct-io.c:634
       do_blockdev_direct_IO fs/direct-io.c:1285 [inline]
       __blockdev_direct_IO+0x5f55/0xef40 fs/direct-io.c:1419
       ext4_direct_IO_write fs/ext4/inode.c:3777 [inline]
       ext4_direct_IO+0xae4/0x1c50 fs/ext4/inode.c:3915
       generic_file_direct_write+0x208/0x4a0 mm/filemap.c:3073
       __generic_file_write_iter+0x2d0/0x610 mm/filemap.c:3252
       ext4_file_write_iter+0x2fe/0xf20 fs/ext4/file.c:272
       call_write_iter include/linux/fs.h:1821 [inline]
       aio_write+0x37f/0x5c0 fs/aio.c:1574
       __io_submit_one fs/aio.c:1858 [inline]
       io_submit_one+0xecd/0x20c0 fs/aio.c:1909
       __do_sys_io_submit fs/aio.c:1953 [inline]
       __se_sys_io_submit+0x11b/0x4a0 fs/aio.c:1924
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  (wq_completion)"dio/%s"sb->s_id --> (work_completion)(&dio->complete_work) --> &sb->s_type->i_mutex_key#10

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key#10);
                               lock((work_completion)(&dio->complete_work));
                               lock(&sb->s_type->i_mutex_key#10);
  lock((wq_completion)"dio/%s"sb->s_id);

 *** DEADLOCK ***

1 lock held by syz-executor.2/10136:
 #0: 000000001af3abea (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_trylock include/linux/fs.h:768 [inline]
 #0: 000000001af3abea (&sb->s_type->i_mutex_key#10){+.+.}, at: ext4_file_write_iter+0x21f/0xf20 fs/ext4/file.c:238

stack backtrace:
CPU: 1 PID: 10136 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661
 drain_workqueue+0x1a5/0x460 kernel/workqueue.c:2826
 destroy_workqueue+0x75/0x790 kernel/workqueue.c:4183
 sb_init_dio_done_wq+0x72/0x90 fs/direct-io.c:634
 do_blockdev_direct_IO fs/direct-io.c:1285 [inline]
 __blockdev_direct_IO+0x5f55/0xef40 fs/direct-io.c:1419
 ext4_direct_IO_write fs/ext4/inode.c:3777 [inline]
 ext4_direct_IO+0xae4/0x1c50 fs/ext4/inode.c:3915
 generic_file_direct_write+0x208/0x4a0 mm/filemap.c:3073
 __generic_file_write_iter+0x2d0/0x610 mm/filemap.c:3252
 ext4_file_write_iter+0x2fe/0xf20 fs/ext4/file.c:272
 call_write_iter include/linux/fs.h:1821 [inline]
 aio_write+0x37f/0x5c0 fs/aio.c:1574
 __io_submit_one fs/aio.c:1858 [inline]
 io_submit_one+0xecd/0x20c0 fs/aio.c:1909
 __do_sys_io_submit fs/aio.c:1953 [inline]
 __se_sys_io_submit+0x11b/0x4a0 fs/aio.c:1924
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f0ff45c8e99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0ff2f1d168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007f0ff46dc030 RCX: 00007f0ff45c8e99
RDX: 0000000020000540 RSI: 0000000000001853 RDI: 00007f0ff46b7000
RBP: 00007f0ff4622ff1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffea065815f R14: 00007f0ff2f1d300 R15: 0000000000022000
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
FAT-fs (loop3): Unrecognized mount option "measure" or missing value
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'.
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
overlayfs: missing 'lowerdir'
device bridge2 entered promiscuous mode
FS-Cache: Duplicate cookie detected
FS-Cache: O-cookie c=00000000c8b06539 [p=000000000cf79f39 fl=212 nc=0 na=0]
FS-Cache: O-cookie d=          (null) n=          (null)
FS-Cache: O-key=[16] '02000000000000000200010073680000'
FS-Cache: N-cookie c=00000000f88b91be [p=000000000cf79f39 fl=2 nc=0 na=1]
FS-Cache: N-cookie d=000000006cda2141 n=00000000c5683f68
FS-Cache: N-key=[16] '02000000000000000200010073680000'
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'.
FAT-fs (loop2): Unrecognized mount option "measure" or missing value
FAT-fs (loop4): Unrecognized mount option "measure" or missing value
gfs2: invalid mount option: lr
gfs2: can't parse mount arguments
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'.
list_del corruption, ffff88803d60f738->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:45!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 10377 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid.cold+0x23/0x4a lib/list_debug.c:45
Code: e8 11 43 f7 ff 0f 0b 48 89 ee 48 c7 c7 40 e4 b3 88 e8 00 43 f7 ff 0f 0b 4c 89 ea 48 89 ee 48 c7 c7 80 e3 b3 88 e8 ec 42 f7 ff <0f> 0b 4c 89 e2 48 89 ee 48 c7 c7 e0 e3 b3 88 e8 d8 42 f7 ff 0f 0b
list_del corruption, ffff8880484c7738->next is LIST_POISON1 (dead000000000100)
RSP: 0018:ffff88803d60f610 EFLAGS: 00010086
------------[ cut here ]------------
RAX: 000000000000004e RBX: ffff88803d60f720 RCX: 0000000000000000
kernel BUG at lib/list_debug.c:45!
RDX: 0000000000035119 RSI: ffffffff814dff01 RDI: ffffed1007ac1eb4
RBP: ffff88803d60f738 R08: 000000000000004e R09: 0000000000000000
R10: 0000000000000005 R11: ffffffff8c66501b R12: dead000000000200
R13: dead000000000100 R14: ffff88803d60f740 R15: 0000000000000007
FS:  00007f0ff2f3e700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff2d2b1eac CR3: 00000000b1642000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 __remove_wait_queue include/linux/wait.h:184 [inline]
 remove_wait_queue+0x2c/0x180 kernel/sched/wait.c:44
 tipc_send_group_bcast+0x317/0xa10 net/tipc/socket.c:1022
 __tipc_sendmsg+0xa2b/0x1320 net/tipc/socket.c:1314
 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1279
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x3b3/0x8e0 net/socket.c:2227
 __sys_sendmmsg+0x195/0x470 net/socket.c:2322
 __do_sys_sendmmsg net/socket.c:2351 [inline]
 __se_sys_sendmmsg net/socket.c:2348 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2348
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f0ff45c8e99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0ff2f3e168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f0ff46dbf60 RCX: 00007f0ff45c8e99
RDX: 0000000000000092 RSI: 00000000200030c0 RDI: 0000000000000003
RBP: 00007f0ff4622ff1 R08: 0000000000000000 R09: 0000000000000000
R10: 9200000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffea065815f R14: 00007f0ff2f3e300 R15: 0000000000022000
Modules linked in:
---[ end trace 6758f07ddcda1d2f ]---
invalid opcode: 0000 [#2] PREEMPT SMP KASAN
RIP: 0010:__list_del_entry_valid.cold+0x23/0x4a lib/list_debug.c:45
CPU: 1 PID: 10389 Comm: syz-executor.2 Tainted: G      D           4.19.211-syzkaller #0
Code: e8 11 43 f7 ff 0f 0b 48 89 ee 48 c7 c7 40 e4 b3 88 e8 00 43 f7 ff 0f 0b 4c 89 ea 48 89 ee 48 c7 c7 80 e3 b3 88 e8 ec 42 f7 ff <0f> 0b 4c 89 e2 48 89 ee 48 c7 c7 e0 e3 b3 88 e8 d8 42 f7 ff 0f 0b
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RSP: 0018:ffff88803d60f610 EFLAGS: 00010086
RIP: 0010:__list_del_entry_valid.cold+0x23/0x4a lib/list_debug.c:45
RAX: 000000000000004e RBX: ffff88803d60f720 RCX: 0000000000000000
Code: e8 11 43 f7 ff 0f 0b 48 89 ee 48 c7 c7 40 e4 b3 88 e8 00 43 f7 ff 0f 0b 4c 89 ea 48 89 ee 48 c7 c7 80 e3 b3 88 e8 ec 42 f7 ff <0f> 0b 4c 89 e2 48 89 ee 48 c7 c7 e0 e3 b3 88 e8 d8 42 f7 ff 0f 0b
RDX: 0000000000035119 RSI: ffffffff814dff01 RDI: ffffed1007ac1eb4
RSP: 0018:ffff8880484c7610 EFLAGS: 00010086
RBP: ffff88803d60f738 R08: 000000000000004e R09: 0000000000000000
RAX: 000000000000004e RBX: ffff8880484c7720 RCX: 0000000000000000
R10: 0000000000000005 R11: ffffffff8c66501b R12: dead000000000200
RDX: 0000000000040000 RSI: ffffffff814dff01 RDI: ffffed1009098eb4
R13: dead000000000100 R14: ffff88803d60f740 R15: 0000000000000007
RBP: ffff8880484c7738 R08: 000000000000004e R09: 0000000000000000
FS:  00007f0ff2f3e700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
R10: 0000000000000005 R11: ffffffff8c66505b R12: dead000000000200
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
R13: dead000000000100 R14: ffff8880484c7740 R15: 0000000000000007
CR2: 00007fff2d2b1eac CR3: 00000000b1642000 CR4: 00000000003406f0
FS:  00007f0ff2f1d700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
CR2: 0000001b30524000 CR3: 00000000b1642000 CR4: 00000000003406e0