tmpfs: Bad value '00000000000000060928' for mount option 'uid'
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
======================================================
WARNING: possible circular locking dependency detected
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
4.14.217-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/30493 is trying to acquire lock:
 (&oi->lock){+.+.}, at: [<ffffffff822f90e0>] ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318

but task is already holding lock:
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
 (sb_writers#3){.+.+}, at: [<ffffffff818d947a>] sb_start_write include/linux/fs.h:1549 [inline]
 (sb_writers#3){.+.+}, at: [<ffffffff818d947a>] mnt_want_write+0x3a/0xb0 fs/namespace.c:386

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
       sb_start_write include/linux/fs.h:1549 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
       ovl_create_object+0x75/0x1d0 fs/overlayfs/dir.c:538
       lookup_open+0x77a/0x1750 fs/namei.c:3241
       do_last fs/namei.c:3334 [inline]
       path_openat+0xe08/0x2970 fs/namei.c:3569
       do_filp_open+0x179/0x3c0 fs/namei.c:3603
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&ovl_i_mutex_dir_key[depth]){++++}:
       down_read+0x36/0x80 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:729 [inline]
       lookup_slow+0x129/0x400 fs/namei.c:1674
       lookup_one_len_unlocked+0x3a0/0x410 fs/namei.c:2595
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
       ovl_lower_positive+0x184/0x350 fs/overlayfs/namei.c:783
       ovl_rename+0x47c/0xf10 fs/overlayfs/dir.c:968
       vfs_rename+0x560/0x1820 fs/namei.c:4496
       SYSC_renameat2 fs/namei.c:4644 [inline]
       SyS_renameat2+0x95b/0xad0 fs/namei.c:4533
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&oi->lock){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318
       ovl_copy_up_one+0x21f/0x910 fs/overlayfs/copy_up.c:630
       ovl_copy_up_flags+0xd5/0x120 fs/overlayfs/copy_up.c:685
       ovl_rename+0x164/0xf10 fs/overlayfs/dir.c:939
       vfs_rename+0x560/0x1820 fs/namei.c:4496
       SYSC_renameat2 fs/namei.c:4644 [inline]
       SyS_renameat2+0x95b/0xad0 fs/namei.c:4533
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &oi->lock --> &ovl_i_mutex_dir_key[depth] --> sb_writers#3

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sb_writers#3);
                               lock(&ovl_i_mutex_dir_key[depth]);
                               lock(sb_writers#3);
  lock(&oi->lock);

 *** DEADLOCK ***

7 locks held by syz-executor.1/30493:
 #0:  (sb_writers#17){.+.+}, at: [<ffffffff818d947a>] sb_start_write include/linux/fs.h:1549 [inline]
 #0:  (sb_writers#17){.+.+}, at: [<ffffffff818d947a>] mnt_want_write+0x3a/0xb0 fs/namespace.c:386
 #1:  (&type->s_vfs_rename_key#3){+.+.}, at: [<ffffffff8188ae74>] lock_rename+0x54/0x280 fs/namei.c:2889
 #2:  (&ovl_i_mutex_dir_key[depth]#2/1){+.+.}, at: [<ffffffff8188af52>] inode_lock_nested include/linux/fs.h:754 [inline]
 #2:  (&ovl_i_mutex_dir_key[depth]#2/1){+.+.}, at: [<ffffffff8188af52>] lock_rename+0x132/0x280 fs/namei.c:2900
 #3:  (&ovl_i_mutex_dir_key[depth]#2/2){+.+.}, at: [<ffffffff8188af86>] inode_lock_nested include/linux/fs.h:754 [inline]
 #3:  (&ovl_i_mutex_dir_key[depth]#2/2){+.+.}, at: [<ffffffff8188af86>] lock_rename+0x166/0x280 fs/namei.c:2901
 #4:  (&ovl_i_mutex_key[depth]){+.+.}, at: [<ffffffff818c444a>] inode_lock include/linux/fs.h:719 [inline]
 #4:  (&ovl_i_mutex_key[depth]){+.+.}, at: [<ffffffff818c444a>] lock_two_nondirectories+0xca/0xf0 fs/inode.c:990
 #5:  (&ovl_i_mutex_key[depth]/4){+.+.}, at: [<ffffffff818c4432>] inode_lock_nested include/linux/fs.h:754 [inline]
 #5:  (&ovl_i_mutex_key[depth]/4){+.+.}, at: [<ffffffff818c4432>] lock_two_nondirectories+0xb2/0xf0 fs/inode.c:992
 #6:  (sb_writers#3){.+.+}, at: [<ffffffff818d947a>] sb_start_write include/linux/fs.h:1549 [inline]
 #6:  (sb_writers#3){.+.+}, at: [<ffffffff818d947a>] mnt_want_write+0x3a/0xb0 fs/namespace.c:386

stack backtrace:
CPU: 0 PID: 30493 Comm: syz-executor.1 Not tainted 4.14.217-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318
 ovl_copy_up_one+0x21f/0x910 fs/overlayfs/copy_up.c:630
 ovl_copy_up_flags+0xd5/0x120 fs/overlayfs/copy_up.c:685
 ovl_rename+0x164/0xf10 fs/overlayfs/dir.c:939
 vfs_rename+0x560/0x1820 fs/namei.c:4496
 SYSC_renameat2 fs/namei.c:4644 [inline]
 SyS_renameat2+0x95b/0xad0 fs/namei.c:4533
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45e219
RSP: 002b:00007f7c4e23bc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 000000000045e219
RDX: 0000000000000000 RSI: 0000000020000440 RDI: 0000000020000100
RBP: 000000000119bfb8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c
R13: 00007fff9a47649f R14: 00007f7c4e23c9c0 R15: 000000000119bf8c
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
tmpfs: Bad value '00000000000000060928' for mount option 'uid'
bridge0: port 3(team0) entered blocking state
bridge0: port 3(team0) entered disabled state
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'.
device team0 left promiscuous mode
device team_slave_0 left promiscuous mode
device team_slave_1 left promiscuous mode
bridge0: port 3(team0) entered disabled state
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'.
bridge0: port 3(team0) entered blocking state
bridge0: port 3(team0) entered disabled state
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'.
device team0 left promiscuous mode
device team_slave_0 left promiscuous mode
device team_slave_1 left promiscuous mode
bridge0: port 3(team0) entered disabled state
bridge0: port 3(team0) entered blocking state
bridge0: port 3(team0) entered disabled state
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'.
device team0 left promiscuous mode
device team_slave_0 left promiscuous mode
device team_slave_1 left promiscuous mode
bridge0: port 3(team0) entered disabled state
bridge0: port 3(team0) entered blocking state
bridge0: port 3(team0) entered disabled state
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'.
device team0 left promiscuous mode
device team_slave_0 left promiscuous mode
device team_slave_1 left promiscuous mode
bridge0: port 3(team0) entered disabled state
bridge0: port 3(team0) entered blocking state
bridge0: port 3(team0) entered disabled state
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'.
ptrace attach of "/root/syz-executor.0"[31259] was attempted by "/root/syz-executor.0"[31263]
ntfs: volume version 3.1.
ntfs: volume version 3.1.
ldm_parse_privhead(): Cannot find PRIVHEAD structure. LDM database is corrupt. Aborting.
ldm_validate_privheads(): Cannot find PRIVHEAD 1.
 loop2: p1 p2 < p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 p16 p17 p18 p19 p20 p21 p22 p23 p24 p25 p26 p27 p28 p29 p30 p31 p32 p33 p34 p35 p36 p37 p38 p39 p40 p41 p42 p43 p44 p45 p46 p47 p48 p49 p50 p51 p52 p53 p54 p55 p56 p57 p58 p59 p60 p61 p62 p63 p64 p65 p66 p67 p68 p69 p70 p71 p72 p73 p74 p75 p76 p77 p78 p79 p80 p81 p82 p83 p84 p85 p86 p87 p88 p89 p90 p91 p92 p93 p94 p95 p96 p97 p98 p99 p100 p101 p102 p103 p104 p105 p106 p107 p108 p109 p110 p111 p112 p113 p114 p115 p116 p117 p118 p119 p120 p121 p122 p123 p124 p125 p126 p127 p128 p129 p130 p131 p132 p133 p134 p135 p136 p137 p138 p139 p140 p141 p142 p143 p144 p145 p146 p147 p148 p149 p150 p151 p152 p153 p154 p155 p156 p157 p158 p159 p160 p161 p162 p163 p164 p165 p166 p167 p168 p169 p170 p171 p172 p173 p174 p175 p176 p177 p178 p179 p180 p181 p182 p183 p184 p185 p186 p187 p188 p189 p190 p191 p192 p193 p194 p195 p196 p197 p198 p199 p200 p201 p202 p203 p204 p205 p206 p207 p208 p209 p210 p211 p212 p213 p214 p215 p216 p217 p218 p21