====================================================== WARNING: possible circular locking dependency detected overlayfs: fs on 'file0' does not support file handles, falling back to index=off. 4.14.307-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.1/9649 is trying to acquire lock: (sb_writers#6){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline] (sb_writers#6){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 but task is already holding lock: (&ovl_i_mutex_dir_key[depth]){++++}, at: [] inode_lock include/linux/fs.h:719 [inline] (&ovl_i_mutex_dir_key[depth]){++++}, at: [] do_last fs/namei.c:3331 [inline] (&ovl_i_mutex_dir_key[depth]){++++}, at: [] path_openat+0xde2/0x2970 fs/namei.c:3571 overlayfs: fs on './file0' does not support file handles, falling back to index=off. which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&ovl_i_mutex_dir_key[depth]){++++}: down_write_killable+0x37/0xb0 kernel/locking/rwsem.c:68 overlayfs: fs on 'file0' does not support file handles, falling back to index=off. iterate_dir+0x387/0x5e0 fs/readdir.c:43 ovl_dir_read fs/overlayfs/readdir.c:306 [inline] ovl_dir_read_merged+0x2c5/0x430 fs/overlayfs/readdir.c:365 ovl_check_empty_dir+0x6e/0x200 fs/overlayfs/readdir.c:870 ovl_check_empty_and_clear+0x72/0xe0 fs/overlayfs/dir.c:306 ovl_rename+0x57d/0xe50 fs/overlayfs/dir.c:959 vfs_rename+0x560/0x1820 fs/namei.c:4498 SYSC_renameat2 fs/namei.c:4646 [inline] SyS_renameat2+0x95b/0xad0 fs/namei.c:4535 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 -> #0 (sb_writers#6){.+.+}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 overlayfs: fs on './file0' does not support file handles, falling back to index=off. percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] __sb_start_write+0x64/0x260 fs/super.c:1342 sb_start_write include/linux/fs.h:1551 [inline] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 ovl_create_object+0x75/0x1d0 fs/overlayfs/dir.c:538 lookup_open+0x77a/0x1750 fs/namei.c:3241 do_last fs/namei.c:3334 [inline] path_openat+0xe08/0x2970 fs/namei.c:3571 do_filp_open+0x179/0x3c0 fs/namei.c:3605 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&ovl_i_mutex_dir_key[depth]); lock(sb_writers#6); lock(&ovl_i_mutex_dir_key[depth]); lock(sb_writers#6); overlayfs: fs on 'file0' does not support file handles, falling back to index=off. *** DEADLOCK *** 2 locks held by syz-executor.1/9649: #0: (sb_writers#13){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline] #0: (sb_writers#13){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 #1: (&ovl_i_mutex_dir_key[depth]){++++}, at: [] inode_lock include/linux/fs.h:719 [inline] #1: (&ovl_i_mutex_dir_key[depth]){++++}, at: [] do_last fs/namei.c:3331 [inline] #1: (&ovl_i_mutex_dir_key[depth]){++++}, at: [] path_openat+0xde2/0x2970 fs/namei.c:3571 overlayfs: fs on './file0' does not support file handles, falling back to index=off. stack backtrace: CPU: 1 PID: 9649 Comm: syz-executor.1 Not tainted 4.14.307-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] __sb_start_write+0x64/0x260 fs/super.c:1342 sb_start_write include/linux/fs.h:1551 [inline] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 ovl_create_object+0x75/0x1d0 fs/overlayfs/dir.c:538 lookup_open+0x77a/0x1750 fs/namei.c:3241 do_last fs/namei.c:3334 [inline] path_openat+0xe08/0x2970 fs/namei.c:3571 do_filp_open+0x179/0x3c0 fs/namei.c:3605 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 RIP: 0033:0x7fa7600ef0f9 RSP: 002b:00007fa75e661168 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007fa76020ef80 RCX: 00007fa7600ef0f9 RDX: 000000000000275a RSI: 0000000020000240 RDI: ffffffffffffff9c RBP: 00007fa76014aae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff07fd54bf R14: 00007fa75e661300 R15: 0000000000022000 ntfs: (device loop4): read_ntfs_boot_sector(): Primary boot sector is invalid. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. overlayfs: fs on './file0' does not support file handles, falling back to index=off. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. overlayfs: fs on './file0' does not support file handles, falling back to index=off. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. overlayfs: fs on './file0' does not support file handles, falling back to index=off. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. overlayfs: fs on './file0' does not support file handles, falling back to index=off. L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. overlayfs: fs on './file0' does not support file handles, falling back to index=off. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. overlayfs: fs on './file0' does not support file handles, falling back to index=off. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. overlayfs: fs on './file0' does not support file handles, falling back to index=off. device hsr_slave_0 left promiscuous mode netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'. TCP: request_sock_TCP: Possible SYN flooding on port 2. Sending cookies. Check SNMP counters. device bond1 entered promiscuous mode 8021q: adding VLAN 0 to HW filter on device batadv1 device batadv1 entered promiscuous mode bond1: Enslaving batadv1 as an active interface with an up link bond1 (unregistering): Releasing backup interface batadv1 device batadv1 left promiscuous mode bond1 (unregistering): Released all slaves device hsr_slave_1 left promiscuous mode netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'. device bond1 entered promiscuous mode netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. 8021q: adding VLAN 0 to HW filter on device batadv2 device batadv2 entered promiscuous mode bond1: Enslaving batadv2 as an active interface with an up link HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. bond1 (unregistering): Releasing backup interface batadv2 device batadv2 left promiscuous mode bond1 (unregistering): Released all slaves TCP: request_sock_TCP: Possible SYN flooding on port 2. Sending cookies. Check SNMP counters. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'. device bond1 entered promiscuous mode netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'. device bond1 entered promiscuous mode 8021q: adding VLAN 0 to HW filter on device batadv1 device batadv1 entered promiscuous mode bond1: Enslaving batadv1 as an active interface with an up link 8021q: adding VLAN 0 to HW filter on device batadv3 device batadv3 entered promiscuous mode bond1: Enslaving batadv3 as an active interface with an up link HTB: quantum of class FFFF0000 is big. Consider r2q change. bond1 (unregistering): Releasing backup interface batadv1 device batadv1 left promiscuous mode bond1 (unregistering): Released all slaves HTB: quantum of class FFFF0000 is big. Consider r2q change. bond1 (unregistering): Releasing backup interface batadv3 device batadv3 left promiscuous mode bond1 (unregistering): Released all slaves HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change. HTB: quantum of class FFFF0000 is big. Consider r2q change.