====================================================== WARNING: possible circular locking dependency detected 4.14.307-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.2/9822 is trying to acquire lock: (sb_writers#3){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline] (sb_writers#3){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 but task is already holding lock: (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] inode_lock include/linux/fs.h:719 [inline] (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] do_last fs/namei.c:3331 [inline] (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] path_openat+0xde2/0x2970 fs/namei.c:3571 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&ovl_i_mutex_dir_key[depth]#2){++++}: down_write_killable+0x37/0xb0 kernel/locking/rwsem.c:68 iterate_dir+0x387/0x5e0 fs/readdir.c:43 ovl_dir_read fs/overlayfs/readdir.c:306 [inline] ovl_dir_read_merged+0x2c5/0x430 fs/overlayfs/readdir.c:365 ovl_check_empty_dir+0x6e/0x200 fs/overlayfs/readdir.c:870 ovl_check_empty_and_clear+0x72/0xe0 fs/overlayfs/dir.c:306 ovl_rename+0x57d/0xe50 fs/overlayfs/dir.c:959 vfs_rename+0x560/0x1820 fs/namei.c:4498 SYSC_renameat2 fs/namei.c:4646 [inline] SyS_renameat2+0x95b/0xad0 fs/namei.c:4535 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 -> #0 (sb_writers#3){.+.+}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] __sb_start_write+0x64/0x260 fs/super.c:1342 sb_start_write include/linux/fs.h:1551 [inline] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 ovl_create_object+0x75/0x1d0 fs/overlayfs/dir.c:538 lookup_open+0x77a/0x1750 fs/namei.c:3241 do_last fs/namei.c:3334 [inline] path_openat+0xe08/0x2970 fs/namei.c:3571 do_filp_open+0x179/0x3c0 fs/namei.c:3605 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&ovl_i_mutex_dir_key[depth]#2); lock(sb_writers#3); lock(&ovl_i_mutex_dir_key[depth]#2); lock(sb_writers#3); *** DEADLOCK *** 2 locks held by syz-executor.2/9822: #0: (sb_writers#13){.+.+}, at: [] sb_start_write include/linux/fs.h:1551 [inline] #0: (sb_writers#13){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 #1: (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] inode_lock include/linux/fs.h:719 [inline] #1: (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] do_last fs/namei.c:3331 [inline] #1: (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] path_openat+0xde2/0x2970 fs/namei.c:3571 stack backtrace: CPU: 1 PID: 9822 Comm: syz-executor.2 Not tainted 4.14.307-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] __sb_start_write+0x64/0x260 fs/super.c:1342 sb_start_write include/linux/fs.h:1551 [inline] mnt_want_write+0x3a/0xb0 fs/namespace.c:386 ovl_create_object+0x75/0x1d0 fs/overlayfs/dir.c:538 lookup_open+0x77a/0x1750 fs/namei.c:3241 do_last fs/namei.c:3334 [inline] path_openat+0xe08/0x2970 fs/namei.c:3571 do_filp_open+0x179/0x3c0 fs/namei.c:3605 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 RIP: 0033:0x7f57f1a3e0f9 RSP: 002b:00007f57eff6e168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00007f57f1b5e120 RCX: 00007f57f1a3e0f9 RDX: 0000000000000000 RSI: 0000000000181042 RDI: 0000000020000000 RBP: 00007f57f1a99ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffcd6dfcd5f R14: 00007f57eff6e300 R15: 0000000000022000 IPVS: ftp: loaded support on port[0] = 21 xt_l2tp: missing protocol rule (udp|l2tpip) xt_l2tp: missing protocol rule (udp|l2tpip) xt_l2tp: missing protocol rule (udp|l2tpip) xt_l2tp: missing protocol rule (udp|l2tpip) L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. kvm: emulating exchange as write syz-executor.5 uses obsolete (PF_INET,SOCK_PACKET) usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.2' sets config #1 mmap: syz-executor.0 (10373) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt. BTRFS: device fsid 24c7a497-3402-47dd-bef8-82358f5f30e0 devid 1 transid 8 /dev/loop1 BTRFS info (device loop1): enabling inode map caching BTRFS info (device loop1): trying to use backup root at mount time BTRFS info (device loop1): use zlib compression BTRFS info (device loop1): enabling ssd optimizations BTRFS info (device loop1): using spread ssd allocation scheme BTRFS info (device loop1): using free space tree BTRFS info (device loop1): has skinny extents audit: type=1800 audit(1677343173.727:16): pid=10366 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="loop1" ino=263 res=0 audit: type=1800 audit(1677343173.727:17): pid=10366 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="loop1" ino=263 res=0 BTRFS info (device loop3): enabling inode map caching BTRFS info (device loop3): trying to use backup root at mount time BTRFS info (device loop3): use zlib compression BTRFS info (device loop3): enabling ssd optimizations BTRFS info (device loop3): using spread ssd allocation scheme BTRFS info (device loop3): using free space tree BTRFS info (device loop3): has skinny extents audit: type=1800 audit(1677343174.507:18): pid=10476 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="loop3" ino=263 res=0 audit: type=1800 audit(1677343174.537:19): pid=10476 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="loop3" ino=263 res=0 audit: type=1800 audit(1677343174.597:20): pid=10495 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="loop3" ino=263 res=0 audit: type=1800 audit(1677343174.597:21): pid=10495 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="loop3" ino=263 res=0 audit: type=1800 audit(1677343174.647:22): pid=10516 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop3" ino=263 res=0 audit: type=1800 audit(1677343174.647:23): pid=10516 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop3" ino=263 res=0 audit: type=1800 audit(1677343174.677:24): pid=10484 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="loop3" ino=263 res=0 audit: type=1800 audit(1677343174.687:25): pid=10484 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="loop3" ino=263 res=0 BTRFS info (device loop1): enabling inode map caching BTRFS info (device loop1): trying to use backup root at mount time BTRFS info (device loop1): use zlib compression BTRFS info (device loop1): enabling ssd optimizations BTRFS info (device loop1): using spread ssd allocation scheme BTRFS info (device loop1): using free space tree BTRFS info (device loop1): has skinny extents