======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.2.3540/19217 is trying to acquire lock:
ffff88806bcca9e0 (&ovl_i_mutex_dir_key[depth]){++++}-{4:4}, at: inode_lock_shared include/linux/fs.h:885 [inline]
ffff88806bcca9e0 (&ovl_i_mutex_dir_key[depth]){++++}-{4:4}, at: lookup_slow fs/namei.c:1824 [inline]
ffff88806bcca9e0 (&ovl_i_mutex_dir_key[depth]){++++}-{4:4}, at: walk_component+0x345/0x5b0 fs/namei.c:2129

but task is already holding lock:
ffffffff90657088 (rpcb_create_local_mutex){+.+.}-{4:4}, at: rpcb_create_local+0x100/0x270 net/sunrpc/rpcb_clnt.c:353

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #5 (rpcb_create_local_mutex){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:598 [inline]
       __mutex_lock+0x193/0x1060 kernel/locking/mutex.c:760
       rpcb_create_local+0x100/0x270 net/sunrpc/rpcb_clnt.c:353
       svc_rpcb_setup net/sunrpc/svc.c:425 [inline]
       svc_bind+0x1e8/0x260 net/sunrpc/svc.c:463
       nfsd_create_serv+0x2d2/0x480 fs/nfsd/nfssvc.c:642
       nfsd_nl_listener_set_doit+0xdd/0x1b10 fs/nfsd/nfsctl.c:1921
       genl_family_rcv_msg_doit+0x206/0x2f0 net/netlink/genetlink.c:1115
       genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
       genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
       netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552
       genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
       netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
       netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
       sock_sendmsg_nosec net/socket.c:714 [inline]
       __sock_sendmsg net/socket.c:729 [inline]
       ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614
       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
       __sys_sendmsg+0x16d/0x220 net/socket.c:2700
       do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
       __do_fast_syscall_32+0x7c/0x300 arch/x86/entry/syscall_32.c:306
       do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
       entry_SYSENTER_compat_after_hwframe+0x84/0x8e

-> #4 (nfsd_mutex){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:598 [inline]
       __mutex_lock+0x193/0x1060 kernel/locking/mutex.c:760
       nfsd_nl_listener_set_doit+0xd5/0x1b10 fs/nfsd/nfsctl.c:1919
       genl_family_rcv_msg_doit+0x206/0x2f0 net/netlink/genetlink.c:1115
       genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
       genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
       netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552
       genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
       netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
       netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
       sock_sendmsg_nosec net/socket.c:714 [inline]
       __sock_sendmsg net/socket.c:729 [inline]
       ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614
       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
       __sys_sendmsg+0x16d/0x220 net/socket.c:2700
       do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
       __do_fast_syscall_32+0x7c/0x300 arch/x86/entry/syscall_32.c:306
       do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
       entry_SYSENTER_compat_after_hwframe+0x84/0x8e

-> #3 (cb_lock){++++}-{4:4}:
       down_read+0x9b/0x480 kernel/locking/rwsem.c:1537
       genl_rcv+0x19/0x40 net/netlink/genetlink.c:1218
       netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
       netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
       sock_sendmsg_nosec net/socket.c:714 [inline]
       __sock_sendmsg net/socket.c:729 [inline]
       sock_sendmsg+0x3cc/0x470 net/socket.c:752
       splice_to_socket+0xaf6/0x1110 fs/splice.c:886
       do_splice_from fs/splice.c:938 [inline]
       do_splice+0x1475/0x1fc0 fs/splice.c:1351
       __do_splice+0x32a/0x360 fs/splice.c:1433
       __do_sys_splice fs/splice.c:1636 [inline]
       __se_sys_splice fs/splice.c:1618 [inline]
       __ia32_sys_splice+0x189/0x250 fs/splice.c:1618
       do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
       __do_fast_syscall_32+0x7c/0x300 arch/x86/entry/syscall_32.c:306
       do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
       entry_SYSENTER_compat_after_hwframe+0x84/0x8e

-> #2 (&pipe->mutex){+.+.}-{4:4}:
       __mutex_lock_common kernel/locking/mutex.c:598 [inline]
       __mutex_lock+0x193/0x1060 kernel/locking/mutex.c:760
       pipe_lock fs/pipe.c:91 [inline]
       pipe_lock+0x64/0x80 fs/pipe.c:88
       iter_file_splice_write+0x1ea/0x12e0 fs/splice.c:683
       backing_file_splice_write+0x27f/0x890 fs/backing-file.c:315
       ovl_splice_write+0x38d/0x6c0 fs/overlayfs/file.c:440
       do_splice_from fs/splice.c:938 [inline]
       do_splice+0x1475/0x1fc0 fs/splice.c:1351
       __do_splice+0x32a/0x360 fs/splice.c:1433
       __do_sys_splice fs/splice.c:1636 [inline]
       __se_sys_splice fs/splice.c:1618 [inline]
       __ia32_sys_splice+0x189/0x250 fs/splice.c:1618
       do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
       __do_fast_syscall_32+0x7c/0x300 arch/x86/entry/syscall_32.c:306
       do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
       entry_SYSENTER_compat_after_hwframe+0x84/0x8e

-> #1 (sb_writers#5){.+.+}-{0:0}:
       percpu_down_read_internal include/linux/percpu-rwsem.h:53 [inline]
       percpu_down_read_freezable include/linux/percpu-rwsem.h:83 [inline]
       __sb_start_write include/linux/fs.h:1799 [inline]
       sb_start_write include/linux/fs.h:1935 [inline]
       mnt_want_write+0x6f/0x450 fs/namespace.c:557
       ovl_create_object+0x12c/0x300 fs/overlayfs/dir.c:651
       lookup_open.isra.0+0x11d0/0x1580 fs/namei.c:3708
       open_last_lookups fs/namei.c:3807 [inline]
       path_openat+0x893/0x2cb0 fs/namei.c:4043
       do_filp_open+0x20b/0x470 fs/namei.c:4073
       do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
       do_sys_open fs/open.c:1450 [inline]
       __do_compat_sys_open fs/open.c:1503 [inline]
       __se_compat_sys_open fs/open.c:1501 [inline]
       __ia32_compat_sys_open+0x146/0x1e0 fs/open.c:1501
       do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
       __do_fast_syscall_32+0x7c/0x300 arch/x86/entry/syscall_32.c:306
       do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
       entry_SYSENTER_compat_after_hwframe+0x84/0x8e

-> #0 (&ovl_i_mutex_dir_key[depth]){++++}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain kernel/locking/lockdep.c:3908 [inline]
       __lock_acquire+0x12a6/0x1ce0 kernel/locking/lockdep.c:5237
       lock_acquire kernel/locking/lockdep.c:5868 [inline]
       lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
       down_read+0x9b/0x480 kernel/locking/rwsem.c:1537
       inode_lock_shared include/linux/fs.h:885 [inline]
       lookup_slow fs/namei.c:1824 [inline]
       walk_component+0x345/0x5b0 fs/namei.c:2129
       link_path_walk+0x627/0xe20 fs/namei.c:2497
       path_lookupat+0x15a/0x6d0 fs/namei.c:2653
       filename_lookup+0x224/0x5f0 fs/namei.c:2683
       kern_path+0x35/0x50 fs/namei.c:2816
       unix_find_bsd net/unix/af_unix.c:1236 [inline]
       unix_find_other+0x3d5/0xb50 net/unix/af_unix.c:1298
       unix_stream_connect+0x4cb/0x1a20 net/unix/af_unix.c:1699
       kernel_connect+0x104/0x180 net/socket.c:3656
       xs_local_finish_connecting net/sunrpc/xprtsock.c:2008 [inline]
       xs_local_setup_socket net/sunrpc/xprtsock.c:2041 [inline]
       xs_local_connect net/sunrpc/xprtsock.c:2095 [inline]
       xs_local_connect+0x5f5/0xd60 net/sunrpc/xprtsock.c:2074
       xprt_connect+0x7e4/0x9c0 net/sunrpc/xprt.c:948
       call_connect net/sunrpc/clnt.c:2160 [inline]
       call_connect+0x1d9/0x300 net/sunrpc/clnt.c:2137
       __rpc_execute+0x382/0x1220 net/sunrpc/sched.c:947
       rpc_execute+0x2e8/0x420 net/sunrpc/sched.c:1023
       rpc_run_task+0x4a4/0x660 net/sunrpc/clnt.c:1242
       rpc_call_null_helper+0x136/0x180 net/sunrpc/clnt.c:2878
       rpc_ping net/sunrpc/clnt.c:2895 [inline]
       rpc_ping+0xb4/0x150 net/sunrpc/clnt.c:2887
       rpc_create_xprt+0x387/0x440 net/sunrpc/clnt.c:476
       rpc_create+0x469/0x7f0 net/sunrpc/clnt.c:607
       rpcb_create_af_local+0x11b/0x310 net/sunrpc/rpcb_clnt.c:258
       rpcb_create_local_unix net/sunrpc/rpcb_clnt.c:291 [inline]
       rpcb_create_local+0x211/0x270 net/sunrpc/rpcb_clnt.c:358
       svc_rpcb_setup net/sunrpc/svc.c:425 [inline]
       svc_bind+0x1e8/0x260 net/sunrpc/svc.c:463
       nfsd_create_serv+0x2d2/0x480 fs/nfsd/nfssvc.c:642
       nfsd_nl_listener_set_doit+0xdd/0x1b10 fs/nfsd/nfsctl.c:1921
       genl_family_rcv_msg_doit+0x206/0x2f0 net/netlink/genetlink.c:1115
       genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
       genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
       netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552
       genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
       netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
       netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
       netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
       sock_sendmsg_nosec net/socket.c:714 [inline]
       __sock_sendmsg net/socket.c:729 [inline]
       ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614
       ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
       __sys_sendmsg+0x16d/0x220 net/socket.c:2700
       do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
       __do_fast_syscall_32+0x7c/0x300 arch/x86/entry/syscall_32.c:306
       do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
       entry_SYSENTER_compat_after_hwframe+0x84/0x8e

other info that might help us debug this:

Chain exists of:
  &ovl_i_mutex_dir_key[depth] --> nfsd_mutex --> rpcb_create_local_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rpcb_create_local_mutex);
                               lock(nfsd_mutex);
                               lock(rpcb_create_local_mutex);
  rlock(&ovl_i_mutex_dir_key[depth]);

 *** DEADLOCK ***

3 locks held by syz.2.3540/19217:
 #0: ffffffff9042c210 (cb_lock){++++}-{4:4}, at: genl_rcv+0x19/0x40 net/netlink/genetlink.c:1218
 #1: ffffffff8e9da048 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_nl_listener_set_doit+0xd5/0x1b10 fs/nfsd/nfsctl.c:1919
 #2: ffffffff90657088 (rpcb_create_local_mutex){+.+.}-{4:4}, at: rpcb_create_local+0x100/0x270 net/sunrpc/rpcb_clnt.c:353

stack backtrace:
CPU: 2 UID: 0 PID: 19217 Comm: syz.2.3540 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_circular_bug+0x275/0x350 kernel/locking/lockdep.c:2043
 check_noncircular+0x14c/0x170 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain kernel/locking/lockdep.c:3908 [inline]
 __lock_acquire+0x12a6/0x1ce0 kernel/locking/lockdep.c:5237
 lock_acquire kernel/locking/lockdep.c:5868 [inline]
 lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5825
 down_read+0x9b/0x480 kernel/locking/rwsem.c:1537
 inode_lock_shared include/linux/fs.h:885 [inline]
 lookup_slow fs/namei.c:1824 [inline]
 walk_component+0x345/0x5b0 fs/namei.c:2129
 link_path_walk+0x627/0xe20 fs/namei.c:2497
 path_lookupat+0x15a/0x6d0 fs/namei.c:2653
 filename_lookup+0x224/0x5f0 fs/namei.c:2683
 kern_path+0x35/0x50 fs/namei.c:2816
 unix_find_bsd net/unix/af_unix.c:1236 [inline]
 unix_find_other+0x3d5/0xb50 net/unix/af_unix.c:1298
 unix_stream_connect+0x4cb/0x1a20 net/unix/af_unix.c:1699
 kernel_connect+0x104/0x180 net/socket.c:3656
 xs_local_finish_connecting net/sunrpc/xprtsock.c:2008 [inline]
 xs_local_setup_socket net/sunrpc/xprtsock.c:2041 [inline]
 xs_local_connect net/sunrpc/xprtsock.c:2095 [inline]
 xs_local_connect+0x5f5/0xd60 net/sunrpc/xprtsock.c:2074
 xprt_connect+0x7e4/0x9c0 net/sunrpc/xprt.c:948
 call_connect net/sunrpc/clnt.c:2160 [inline]
 call_connect+0x1d9/0x300 net/sunrpc/clnt.c:2137
 __rpc_execute+0x382/0x1220 net/sunrpc/sched.c:947
 rpc_execute+0x2e8/0x420 net/sunrpc/sched.c:1023
 rpc_run_task+0x4a4/0x660 net/sunrpc/clnt.c:1242
 rpc_call_null_helper+0x136/0x180 net/sunrpc/clnt.c:2878
 rpc_ping net/sunrpc/clnt.c:2895 [inline]
 rpc_ping+0xb4/0x150 net/sunrpc/clnt.c:2887
 rpc_create_xprt+0x387/0x440 net/sunrpc/clnt.c:476
 rpc_create+0x469/0x7f0 net/sunrpc/clnt.c:607
 rpcb_create_af_local+0x11b/0x310 net/sunrpc/rpcb_clnt.c:258
 rpcb_create_local_unix net/sunrpc/rpcb_clnt.c:291 [inline]
 rpcb_create_local+0x211/0x270 net/sunrpc/rpcb_clnt.c:358
 svc_rpcb_setup net/sunrpc/svc.c:425 [inline]
 svc_bind+0x1e8/0x260 net/sunrpc/svc.c:463
 nfsd_create_serv+0x2d2/0x480 fs/nfsd/nfssvc.c:642
 nfsd_nl_listener_set_doit+0xdd/0x1b10 fs/nfsd/nfsctl.c:1921
 genl_family_rcv_msg_doit+0x206/0x2f0 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614
 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
 __sys_sendmsg+0x16d/0x220 net/socket.c:2700
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0x7c/0x300 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7f78579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f546655c EFLAGS: 00000296 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 0000000080000040
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	10 06                	adc    %al,(%rsi)
   2:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
   6:	10 07                	adc    %al,(%rdi)
   8:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
   c:	10 08                	adc    %cl,(%rax)
   e:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1e:	00 51 52             	add    %dl,0x52(%rcx)
  21:	55                   	push   %rbp
  22:	89 e5                	mov    %esp,%ebp
  24:	0f 34                	sysenter
  26:	cd 80                	int    $0x80
* 28:	5d                   	pop    %rbp <-- trapping instruction
  29:	5a                   	pop    %rdx
  2a:	59                   	pop    %rcx
  2b:	c3                   	ret
  2c:	90                   	nop
  2d:	90                   	nop
  2e:	90                   	nop
  2f:	90                   	nop
  30:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  37:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi