device bridge_slave_0 entered promiscuous mode
======================================================
WARNING: possible circular locking dependency detected
4.14.210-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/22184 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.}, at: [] lock_trace fs/proc/base.c:407 [inline]
 (&sig->cred_guard_mutex){+.+.}, at: [] proc_pid_stack+0x13f/0x2f0 fs/proc/base.c:457

but task is already holding lock:
 (&p->lock){+.+.}, at: [] seq_read+0xba/0x1120 fs/seq_file.c:165

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (&p->lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       seq_read+0xba/0x1120 fs/seq_file.c:165
       kernfs_fop_read+0xd7/0x500 fs/kernfs/file.c:252
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
       vfs_readv+0xc8/0x120 fs/read_write.c:981
       kernel_readv fs/splice.c:361 [inline]
       default_file_splice_read+0x418/0x910 fs/splice.c:416
       do_splice_to+0xfb/0x140 fs/splice.c:880
       splice_direct_to_actor+0x207/0x730 fs/splice.c:952
       do_splice_direct+0x164/0x210 fs/splice.c:1061
       do_sendfile+0x47f/0xb30 fs/read_write.c:1441
       SYSC_sendfile64 fs/read_write.c:1502 [inline]
       SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #2 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
       sb_start_write include/linux/fs.h:1549 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
       ovl_do_remove+0x67/0xb90 fs/overlayfs/dir.c:759
       vfs_rmdir.part.0+0x144/0x390 fs/namei.c:3908
       vfs_rmdir fs/namei.c:3893 [inline]
       do_rmdir+0x334/0x3c0 fs/namei.c:3968
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&ovl_i_mutex_dir_key[depth]){++++}:
       down_read+0x36/0x80 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:729 [inline]
       do_last fs/namei.c:3333 [inline]
       path_openat+0x149b/0x2970 fs/namei.c:3569
       do_filp_open+0x179/0x3c0 fs/namei.c:3603
       do_open_execat+0xd3/0x450 fs/exec.c:849
       do_execveat_common+0x711/0x1f30 fs/exec.c:1755
       do_execve fs/exec.c:1860 [inline]
       SYSC_execve fs/exec.c:1941 [inline]
       SyS_execve+0x3b/0x50 fs/exec.c:1936
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&sig->cred_guard_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       lock_trace fs/proc/base.c:407 [inline]
       proc_pid_stack+0x13f/0x2f0 fs/proc/base.c:457
       proc_single_show+0xe7/0x150 fs/proc/base.c:761
       seq_read+0x4cf/0x1120 fs/seq_file.c:237
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
       vfs_readv+0xc8/0x120 fs/read_write.c:981
       do_preadv fs/read_write.c:1065 [inline]
       SYSC_preadv fs/read_write.c:1115 [inline]
       SyS_preadv+0x15a/0x200 fs/read_write.c:1110
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &sig->cred_guard_mutex --> sb_writers#3 --> &p->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&p->lock);
                               lock(sb_writers#3);
                               lock(&p->lock);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.4/22184:
 #0:  (&p->lock){+.+.}, at: [] seq_read+0xba/0x1120 fs/seq_file.c:165

stack backtrace:
CPU: 1 PID: 22184 Comm: syz-executor.4 Not tainted 4.14.210-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 lock_trace fs/proc/base.c:407 [inline]
 proc_pid_stack+0x13f/0x2f0 fs/proc/base.c:457
 proc_single_show+0xe7/0x150 fs/proc/base.c:761
 seq_read+0x4cf/0x1120 fs/seq_file.c:237
 do_loop_readv_writev fs/read_write.c:695 [inline]
 do_loop_readv_writev fs/read_write.c:682 [inline]
 do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
 vfs_readv+0xc8/0x120 fs/read_write.c:981
 do_preadv fs/read_write.c:1065 [inline]
 SYSC_preadv fs/read_write.c:1115 [inline]
 SyS_preadv+0x15a/0x200 fs/read_write.c:1110
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45de79
RSP: 002b:00007f5147d25c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000000045de79
RDX: 0000000000000152 RSI: 00000000200017c0 RDI: 0000000000000003
RBP: 000000000118bf70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffdc167e0cf R14: 00007f5147d269c0 R15: 000000000118bf2c
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
device bridge4 entered promiscuous mode
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
bridge4: port 1(bridge_slave_0) entered blocking state
bridge4: port 1(bridge_slave_0) entered disabled state
device bridge_slave_0 entered promiscuous mode
bridge4: port 1(bridge_slave_0) entered blocking state
bridge4: port 1(bridge_slave_0) entered forwarding state
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
device bridge0 entered promiscuous mode
capability: warning: `syz-executor.0' uses 32-bit capabilities (legacy support in use)
device bridge0 left promiscuous mode
hub 9-0:1.0: USB hub found
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
hub 9-0:1.0: 8 ports detected
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.