overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on '.' does not support file handles, falling back to index=off.
overlayfs: filesystem on './bus' not supported as upperdir
overlayfs: 'file0' not a directory
======================================================
WARNING: possible circular locking dependency detected
4.14.228-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/28781 is trying to acquire lock:
 (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] inode_lock_shared include/linux/fs.h:729 [inline]
 (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] do_last fs/namei.c:3333 [inline]
 (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] path_openat+0x149b/0x2970 fs/namei.c:3569

but task is already holding lock:
 (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds fs/exec.c:1404 [inline]
 (&sig->cred_guard_mutex){+.+.}, at: [] do_execveat_common+0x319/0x1f30 fs/exec.c:1748

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 (&sig->cred_guard_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       lock_trace fs/proc/base.c:407 [inline]
       proc_pid_syscall+0xa7/0x2a0 fs/proc/base.c:639
       proc_single_show+0xe7/0x150 fs/proc/base.c:761
       seq_read+0x4cf/0x1120 fs/seq_file.c:237
       __vfs_read+0xe4/0x620 fs/read_write.c:411
       vfs_read+0x139/0x340 fs/read_write.c:447
       SYSC_read fs/read_write.c:574 [inline]
       SyS_read+0xf2/0x210 fs/read_write.c:567
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #3 (&p->lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       seq_read+0xba/0x1120 fs/seq_file.c:165
       proc_reg_read+0xee/0x1a0 fs/proc/inode.c:217
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
       vfs_readv+0xc8/0x120 fs/read_write.c:981
       kernel_readv fs/splice.c:361 [inline]
       default_file_splice_read+0x418/0x910 fs/splice.c:416
       do_splice_to+0xfb/0x140 fs/splice.c:880
       splice_direct_to_actor+0x207/0x730 fs/splice.c:952
       do_splice_direct+0x164/0x210 fs/splice.c:1061
       do_sendfile+0x47f/0xb30 fs/read_write.c:1441
       SYSC_sendfile64 fs/read_write.c:1502 [inline]
       SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #2 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
       sb_start_write include/linux/fs.h:1549 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
       ovl_do_remove+0x67/0xb90 fs/overlayfs/dir.c:759
       vfs_rmdir.part.0+0x144/0x390 fs/namei.c:3908
       vfs_rmdir fs/namei.c:3893 [inline]
       do_rmdir+0x334/0x3c0 fs/namei.c:3968
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&ovl_i_mutex_dir_key[depth]){++++}:
       down_read+0x36/0x80 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:729 [inline]
       lookup_slow+0x129/0x400 fs/namei.c:1674
       lookup_one_len_unlocked+0x3a0/0x410 fs/namei.c:2595
       ovl_lookup_single+0x33/0x6d0 fs/overlayfs/namei.c:208
       ovl_lookup_layer+0x2ef/0x3d0 fs/overlayfs/namei.c:265
       ovl_lookup+0x5d9/0x1120 fs/overlayfs/namei.c:670
       lookup_slow+0x20a/0x400 fs/namei.c:1696
       walk_component+0x6a1/0xbc0 fs/namei.c:1825
       link_path_walk+0x823/0x10a0 fs/namei.c:2154
       path_lookupat+0xcb/0x780 fs/namei.c:2342
       filename_lookup+0x18a/0x510 fs/namei.c:2377
       user_path_at include/linux/namei.h:57 [inline]
       do_sys_truncate.part.0+0x78/0xf0 fs/open.c:141
       do_sys_truncate fs/open.c:137 [inline]
       SYSC_truncate fs/open.c:155 [inline]
       SyS_truncate+0x23/0x40 fs/open.c:153
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&ovl_i_mutex_dir_key[depth]#2){++++}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       down_read+0x36/0x80 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:729 [inline]
       do_last fs/namei.c:3333 [inline]
       path_openat+0x149b/0x2970 fs/namei.c:3569
       do_filp_open+0x179/0x3c0 fs/namei.c:3603
       do_open_execat+0xd3/0x450 fs/exec.c:849
       do_execveat_common+0x711/0x1f30 fs/exec.c:1755
       do_execve fs/exec.c:1860 [inline]
       SYSC_execve fs/exec.c:1941 [inline]
       SyS_execve+0x3b/0x50 fs/exec.c:1936
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &ovl_i_mutex_dir_key[depth]#2 --> &p->lock --> &sig->cred_guard_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sig->cred_guard_mutex);
                               lock(&p->lock);
                               lock(&sig->cred_guard_mutex);
  lock(&ovl_i_mutex_dir_key[depth]#2);

 *** DEADLOCK ***

1 lock held by syz-executor.1/28781:
 #0: (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds fs/exec.c:1404 [inline]
 #0: (&sig->cred_guard_mutex){+.+.}, at: [] do_execveat_common+0x319/0x1f30 fs/exec.c:1748

stack backtrace:
CPU: 0 PID: 28781 Comm: syz-executor.1 Not tainted 4.14.228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 down_read+0x36/0x80 kernel/locking/rwsem.c:24
 inode_lock_shared include/linux/fs.h:729 [inline]
 do_last fs/namei.c:3333 [inline]
 path_openat+0x149b/0x2970 fs/namei.c:3569
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
 do_open_execat+0xd3/0x450 fs/exec.c:849
 do_execveat_common+0x711/0x1f30 fs/exec.c:1755
 do_execve fs/exec.c:1860 [inline]
 SYSC_execve fs/exec.c:1941 [inline]
 SyS_execve+0x3b/0x50 fs/exec.c:1936
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x466459
RSP: 002b:00007f5076f1e188 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 000000000056c158 RCX: 0000000000466459
RDX: 00000000200008c0 RSI: 0000000020000600 RDI: 00000000200004c0
RBP: 00000000004bf9fb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c158
R13: 00007fff7df5e65f R14: 00007f5076f1e300 R15: 0000000000022000
net_ratelimit: 10 callbacks suppressed
ip_tables: iptables: counters copy to user failed while replacing table
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
ieee80211 M: Selected rate control algorithm 'minstrel_ht'
kauditd_printk_skb: 7 callbacks suppressed
audit: type=1804 audit(1617388471.943:142): pid=28789 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir098327429/syzkaller.vGoXOS/2187/file0/bus" dev="loop5" ino=122 res=1
ieee80211 M: hwaddr 02:00:00:00:02:00 registered
EXT4-fs warning (device loop3): ext4_enable_quotas:5758: Failed to enable quota tracking (type=-1, err=-22). Please run e2fsck to fix.
IPVS: ftp: loaded support on port[0] = 21
EXT4-fs (loop3): mount failed
audit: type=1804 audit(1617388472.033:143): pid=28789 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.5" name="/root/syzkaller-testdir098327429/syzkaller.vGoXOS/2187/file0/bus" dev="loop5" ino=122 res=1
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
audit: type=1804 audit(1617388472.043:144): pid=28817 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir098327429/syzkaller.vGoXOS/2187/file0/bus" dev="loop5" ino=122 res=1
ieee80211 phy3: hwaddr 02:00:00:00:03:00 registered
ieee80211 phy4: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy4: hwaddr 02:00:00:00:04:00 registered
sp0: Synchronizing with TNC
sp0: Synchronizing with TNC
ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
EXT4-fs (loop3): mounting ext2 file system using the ext4 subsystem
EXT4-fs warning (device loop3): ext4_update_dynamic_rev:793: updating to rev 1 because of new feature flag, running e2fsck is recommended
ieee80211 phy5: hwaddr 02:00:00:00:05:00 registered
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.3'.
IPv6: NLM_F_CREATE should be specified when creating new route
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy6: hwaddr 02:00:00:00:06:00 registered
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.3'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
Process accounting resumed
Process accounting resumed
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
ieee80211 phy7: Selected rate control algorithm 'minstrel_ht'
MTD: Attempt to mount non-MTD device "/dev/loop0"
romfs: Mounting image 'rom 5f663c08' through the block layer
audit: type=1800 audit(1617388475.863:145): pid=29099 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.0" name="file0" dev="loop0" ino=128 res=0
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.3'.
ieee80211 phy7: hwaddr 02:00:00:00:07:00 registered
ext4_test_bit(bit=16, block=4) = 0
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
team0: Cannot enslave team device to itself
bridge0: port 1(team0) entered blocking state
bridge0: port 1(team0) entered disabled state
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
bridge0: port 1(team0) entered blocking state
bridge0: port 1(team0) entered forwarding state
overlayfs: unrecognized mount option "01777777777777777777777" or missing value
ieee80211 phy8: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy8: hwaddr 02:00:00:00:08:00 registered
overlayfs: unrecognized mount option "01777777777777777777777" or missing value
overlayfs: filesystem on './bus' not supported as upperdir
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
ieee80211 phy9: Selected rate control algorithm 'minstrel_ht'
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
ieee80211 phy9: hwaddr 02:00:00:00:09:00 registered
ieee80211 phy10: Selected rate control algorithm 'minstrel_ht'
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
overlayfs: missing 'lowerdir'
ieee80211 phy10: hwaddr 02:00:00:00:0a:00 registered
ext4_test_bit(bit=16, block=4) = 0
ieee80211 phy11: Selected rate control algorithm 'minstrel_ht'
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
overlayfs: 'file0' not a directory
ieee80211 phy11: hwaddr 02:00:00:00:0b:00 registered
overlayfs: missing 'lowerdir'
ieee80211 phy12: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy12: hwaddr 02:00:00:00:0c:00 registered
ieee80211 phy13: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy13: hwaddr 02:00:00:00:0d:00 registered
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.3'.
ieee80211 phy14: Selected rate control algorithm 'minstrel_ht'
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
device syz_tun entered promiscuous mode
ieee80211 phy14: hwaddr 02:00:00:00:0e:00 registered
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
ieee80211 phy15: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy15: hwaddr 02:00:00:00:0f:00 registered
device syz_tun left promiscuous mode
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.3'.
device syz_tun entered promiscuous mode
device syz_tun left promiscuous mode
ieee80211 phy16: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy16: hwaddr 02:00:00:00:10:00 registered
bpf: check failed: parse error
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
bpf: check failed: parse error
ieee80211 phy17: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy17: hwaddr 02:00:00:00:11:00 registered
ieee80211 phy18: Selected rate control algorithm 'minstrel_ht'
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
ieee80211 phy18: hwaddr 02:00:00:00:12:00 registered
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
ieee80211 phy19: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy19: hwaddr 02:00:00:00:13:00 registered
ieee80211 phy20: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy20: hwaddr 02:00:00:00:14:00 registered
netlink: 1010 bytes leftover after parsing attributes in process `syz-executor.3'.
ieee80211 phy21: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy21: hwaddr 02:00:00:00:15:00 registered
netlink: 1010 bytes leftover after parsing attributes in process `syz-executor.3'.
ieee80211 phy22: Selected rate control algorithm 'minstrel_ht'
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
ieee80211 phy22: hwaddr 02:00:00:00:16:00 registered
ieee80211 phy23: Selected rate control algorithm 'minstrel_ht'
REISERFS warning (device loop3): sh-2021 reiserfs_fill_super: can not find reiserfs on loop3
ieee80211 phy23: hwaddr 02:00:00:00:17:00 registered
ieee80211 phy24: Selected rate control algorithm 'minstrel_ht'
REISERFS warning (device loop3): sh-2021 reiserfs_fill_super: can not find reiserfs on loop3
ieee80211 phy24: hwaddr 02:00:00:00:18:00 registered
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
ieee80211 phy25: Selected rate control algorithm 'minstrel_ht'
EXT4-fs error (device loop4): ext4_orphan_get:1266: comm syz-executor.4: bad orphan inode 17
ieee80211 phy25: hwaddr 02:00:00:00:19:00 registered
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs (loop4): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
ieee80211 phy26: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy26: hwaddr 02:00:00:00:1a:00 registered
ieee80211 phy27: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy27: hwaddr 02:00:00:00:1b:00 registered
ieee80211 phy28: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy28: hwaddr 02:00:00:00:1c:00 registered
ieee80211 phy29: Selected rate control algorithm 'minstrel_ht'
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
ieee80211 phy29: hwaddr 02:00:00:00:1d:00 registered
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs error (device loop4): ext4_orphan_get:1266: comm syz-executor.4: bad orphan inode 17
ieee80211 phy30: Selected rate control algorithm 'minstrel_ht'
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
ieee80211 phy30: hwaddr 02:00:00:00:1e:00 registered
ext4_test_bit(bit=16, block=4) = 0
EXT4-fs (loop4): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
ieee80211 phy31: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy31: hwaddr 02:00:00:00:1f:00 registered
ieee80211 phy32: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy32: hwaddr 02:00:00:00:20:00 registered
ieee80211 phy33: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy33: hwaddr 02:00:00:00:21:00 registered
ieee80211 phy34: Selected rate control algorithm 'minstrel_ht'
EXT4-fs error (device loop5): ext4_orphan_get:1266: comm syz-executor.5: bad orphan inode 17
ext4_test_bit(bit=16, block=4) = 0
ieee80211 phy34: hwaddr 02:00:00:00:22:00 registered
EXT4-fs (loop5): mounted filesystem without journal. Opts: auto_da_alloc,grpquota,nodiscard,nouid32,,errors=continue
ieee80211 phy35: Selected rate control algorithm 'minstrel_ht'