netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'.
loop0: rw=0, want=2180, limit=2176
overlayfs: maximum fs stacking depth exceeded
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.1' sets config #0
======================================================
WARNING: possible circular locking dependency detected
4.14.256-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.1/9792 is trying to acquire lock:
 (&oi->lock){+.+.}, at: [] ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318

but task is already holding lock:
 (sb_writers#6){.+.+}, at: [] sb_start_write include/linux/fs.h:1549 [inline]
 (sb_writers#6){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (sb_writers#6){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
       sb_start_write include/linux/fs.h:1549 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
       ovl_xattr_set+0x4d/0x290 fs/overlayfs/inode.c:214
       __vfs_setxattr+0xdc/0x130 fs/xattr.c:150
       __vfs_setxattr_noperm+0xfd/0x3d0 fs/xattr.c:181
       __vfs_setxattr_locked+0x14d/0x250 fs/xattr.c:239
       vfs_setxattr+0xcf/0x230 fs/xattr.c:256
       setxattr+0x1a9/0x300 fs/xattr.c:523
       path_setxattr+0x118/0x130 fs/xattr.c:542
       SYSC_lsetxattr fs/xattr.c:564 [inline]
       SyS_lsetxattr+0x33/0x40 fs/xattr.c:560
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&ovl_i_mutex_dir_key[depth]#2){++++}:
       down_read+0x36/0x80 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:729 [inline]
       lookup_slow+0x129/0x400 fs/namei.c:1674
       lookup_one_len_unlocked+0x3a0/0x410 fs/namei.c:2595
       ovl_lower_positive+0x184/0x350 fs/overlayfs/namei.c:783
       ovl_do_remove+0x12a/0xb90 fs/overlayfs/dir.c:772
       vfs_unlink+0x230/0x470 fs/namei.c:4027
       do_unlinkat+0x30c/0x5c0 fs/namei.c:4092
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&oi->lock){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318
       ovl_copy_up_one+0x21f/0x910 fs/overlayfs/copy_up.c:631
       ovl_copy_up_flags+0xd5/0x120 fs/overlayfs/copy_up.c:686
       ovl_create_or_link+0xa2/0x1200 fs/overlayfs/dir.c:476
       ovl_create_object+0x17b/0x1d0 fs/overlayfs/dir.c:550
       lookup_open+0x77a/0x1750 fs/namei.c:3241
       do_last fs/namei.c:3334 [inline]
       path_openat+0xe08/0x2970 fs/namei.c:3569
       do_filp_open+0x179/0x3c0 fs/namei.c:3603
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &oi->lock --> &ovl_i_mutex_dir_key[depth]#2 --> sb_writers#6

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sb_writers#6);
                               lock(&ovl_i_mutex_dir_key[depth]#2);
                               lock(sb_writers#6);
  lock(&oi->lock);

 *** DEADLOCK ***

3 locks held by syz-executor.1/9792:
 #0: (sb_writers#14){.+.+}, at: [] sb_start_write include/linux/fs.h:1549 [inline]
 #0: (sb_writers#14){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386
 #1: (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] inode_lock include/linux/fs.h:719 [inline]
 #1: (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] do_last fs/namei.c:3331 [inline]
 #1: (&ovl_i_mutex_dir_key[depth]#2){++++}, at: [] path_openat+0xde2/0x2970 fs/namei.c:3569
 #2: (sb_writers#6){.+.+}, at: [] sb_start_write include/linux/fs.h:1549 [inline]
 #2: (sb_writers#6){.+.+}, at: [] mnt_want_write+0x3a/0xb0 fs/namespace.c:386

stack backtrace:
CPU: 1 PID: 9792 Comm: syz-executor.1 Not tainted 4.14.256-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
ntfs: (device loop0): ntfs_end_buffer_async_read(): Buffer I/O error, logical block 0x883.
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
attempt to access beyond end of device
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
loop0: rw=0, want=2181, limit=2176
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
attempt to access beyond end of device
 ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318
loop0: rw=0, want=2182, limit=2176
 ovl_copy_up_one+0x21f/0x910 fs/overlayfs/copy_up.c:631
attempt to access beyond end of device
loop0: rw=0, want=2183, limit=2176
 ovl_copy_up_flags+0xd5/0x120 fs/overlayfs/copy_up.c:686
 ovl_create_or_link+0xa2/0x1200 fs/overlayfs/dir.c:476
attempt to access beyond end of device
loop0: rw=0, want=2184, limit=2176
 ovl_create_object+0x17b/0x1d0 fs/overlayfs/dir.c:550
 lookup_open+0x77a/0x1750 fs/namei.c:3241
 do_last fs/namei.c:3334 [inline]
 path_openat+0xe08/0x2970 fs/namei.c:3569
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f02b4bc8ae9
RSP: 002b:00007f02b3b1d188 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007f02b4cdc028 RCX: 00007f02b4bc8ae9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000280
RBP: 00007f02b4c22ff7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd089f463f R14: 00007f02b3b1d300 R15: 0000000000022000
overlayfs: filesystem on './bus' not supported as upperdir
tmpfs: Bad value 'defZo=relative:/ 2' for mount option 'mpol'
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.4'.
tmpfs: Bad value 'defZo=relative:/ 2' for mount option 'mpol'
caif:caif_disconnect_client(): nothing to disconnect
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.4'.
caif:caif_disconnect_client(): nothing to disconnect
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.1' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.5' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.0' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.1' sets config #0
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.0' sets config #0
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
EXT4-fs (loop2): Unrecognized mount option "U[ st?=sdPYV0.m" or missing value
======================================================
WARNING: the mand mount option is being deprecated and
         will be removed in v5.15!
======================================================
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.0' sets config #0
overlayfs: fs on '.' does not support file handles, falling back to index=off.
EXT4-fs (loop2): Unrecognized mount option "U[ st?=sdPYV0.m" or missing value
overlayfs: 'file0' not a directory
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
overlayfs: filesystem on './bus' not supported as upperdir
print_req_error: I/O error, dev loop2, sector 0
Buffer I/O error on dev loop2, logical block 0, async page read
print_req_error: I/O error, dev loop2, sector 4
Buffer I/O error on dev loop2, logical block 2, async page read
print_req_error: I/O error, dev loop2, sector 6
Buffer I/O error on dev loop2, logical block 3, async page read
Dev loop0: unable to read RDB block 1
loop0: unable to read partition table
overlayfs: failed to resolve './file0': -2
loop0: partition table beyond EOD, truncated
loop_reread_partitions: partition scan of loop0 () failed (rc=-5)
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.0' sets config #0
Dev loop0: unable to read RDB block 1
BTRFS: device fsid 9fd069f9-9b51-4f58-b143-43c07f72f4a9 devid 1 transid 7 /dev/loop1
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
loop0: unable to read partition table
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
BTRFS error (device loop1): superblock checksum mismatch
loop0: partition table beyond EOD, truncated
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
Dev loop0: unable to read RDB block 1
loop0: unable to read partition table
loop_reread_partitions: partition scan of loop0 () failed (rc=-5)
BTRFS error (device loop1): open_ctree failed
loop0: partition table beyond EOD, truncated
overlayfs: filesystem on './bus' not supported as upperdir
BTRFS error (device loop1): superblock checksum mismatch
ip_tables: iptables: counters copy to user failed while replacing table
overlayfs: filesystem on './bus' not supported as upperdir
overlayfs: fs on '.' does not support file handles, falling back to index=off.
BTRFS error (device loop1): open_ctree failed
ip_tables: iptables: counters copy to user failed while replacing table
ISO 9660 Extensions: Microsoft Joliet Level 3
overlayfs: 'file0' not a directory
ISOFS: Interleaved files not (yet) supported.
ISOFS: File unit size != 0 for ISO file (17792).
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.0' sets config #1
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.4' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.0' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.4' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.0' sets config #1
VFS: could not find a valid V7 on loop0.
VFS: could not find a valid V7 on loop0.
VFS: Can't find a Minix filesystem V1 | V2 | V3 on device loop1.
VFS: Can't find a Minix filesystem V1 | V2 | V3 on device loop1.
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.1' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.5' sets config #0
BTRFS: device label  devid 1 transid 7 /dev/loop1
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
BTRFS error (device loop1): superblock checksum mismatch
: renamed from caif0
chnl_net:chnl_net_open(): err: Unable to register and open device, Err:-19
caif:caif_disconnect_client(): nothing to disconnect
BTRFS error (device loop1): open_ctree failed
chnl_net:chnl_flowctrl_cb(): NET flowctrl func called flow: CLOSE/DEINIT
chnl_net:chnl_net_open(): state disconnected
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.1' sets config #0
A link change request failed with some changes committed already. Interface  may have been left with an inconsistent configuration, please check.
overlayfs: unrecognized mount option "uppeh{skLrdir=./bus" or missing value
jfs: Unrecognized mount option "subj_type=uid MFZjvFhCUmQ۰&XB"F\I_iٽl( 1(Y=zƾ3^}m蠪?GtyK; l(8k藁p/(xIb//3/[ۘ}U" or missing value
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.1' sets config #0
overlayfs: unrecognized mount option "uppeh{skLrdir=./bus" or missing value
chnl_net:chnl_net_open(): err: Unable to register and open device, Err:-19
caif:caif_disconnect_client(): nothing to disconnect
chnl_net:chnl_flowctrl_cb(): NET flowctrl func called flow: CLOSE/DEINIT
chnl_net:chnl_net_open(): state disconnected
jfs: Unrecognized mount option "subj_type=uid MFZjvFhCUmQ۰&XB"F\I_iٽl( 1(Y=zƾ3^}m蠪?GtyK; l(8k藁p/(xIb//3/[ۘ}U" or missing value
A link change request failed with some changes committed already. Interface  may have been left with an inconsistent configuration, please check.
netlink: 10 bytes leftover after parsing attributes in process `syz-executor.2'.
bridge0: port 1(bridge_slave_0) entered disabled state
sd 0:0:1:0: [sg0] tag#526 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#526 CDB: opcode=0xe5 (vendor)
sd 0:0:1:0: [sg0] tag#526 CDB[00]: e5 f4 32 73 2f 4e 09 6d 26 e2 c7 35 d1 35 12 1c
sd 0:0:1:0: [sg0] tag#526 CDB[10]: 92 1b da 40 b8 58 5b a8 d4 7d 34 f3 90 4c f1 2d
sd 0:0:1:0: [sg0] tag#526 CDB[20]: ba
bridge0: port 2(bridge_slave_1) entered disabled state
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.4' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.2' sets config #0
sd 0:0:1:0: [sg0] tag#526 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#526 CDB: opcode=0xe5 (vendor)
sd 0:0:1:0: [sg0] tag#526 CDB[00]: e5 f4 32 73 2f 4e 09 6d 26 e2 c7 35 d1 35 12 1c
sd 0:0:1:0: [sg0] tag#526 CDB[10]: 92 1b da 40 b8 58 5b a8 d4 7d 34 f3 90 4c f1 2d
sd 0:0:1:0: [sg0] tag#526 CDB[20]: ba
xt_connlimit: cannot load conntrack support for address family 2
BTRFS error (device loop0): superblock checksum mismatch
BTRFS error (device loop0): open_ctree failed
BTRFS error (device loop0): superblock checksum mismatch
BTRFS error (device loop0): open_ctree failed
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.4' sets config #0
ntfs: volume version 3.1.
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.4' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.4' sets config #0
jfs: Unrecognized mount option "" or missing value
jfs: Unrecognized mount option "" or missing value
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.4' sets config #0
usb usb9: usbfs: interface 0 claimed by hub while 'syz-executor.4' sets config #0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
FAT-fs (loop5): Unrecognized mount option "nfs=n5" or missing value
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
ip6_tables: ip6tables: counters copy to user failed while replacing table
ip6_tables: ip6tables: counters copy to user failed while replacing table
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: filesystem on './bus' not supported as upperdir
overlayfs: fs on '.' does not support file handles, falling back to index=off.
overlayfs: 'file0' not a directory
__ntfs_error: 17 callbacks suppressed
ntfs: (device loop4): check_mft_mirror(): Incomplete multi sector transfer detected in mft record 3.
ntfs: (device loop4): load_system_files(): $MFTMirr does not match $MFT. Mounting read-only. Run ntfsfix and/or chkdsk.
ntfs: (device loop4): map_mft_record_page(): Mft record 0x3 is corrupt. Run chkdsk.
ntfs: (device loop4): map_mft_record(): Failed with error code 5.
device bridge_slave_1 left promiscuous mode
ntfs: (device loop4): ntfs_read_locked_inode(): Failed with error code -5. Marking corrupt inode 0x3 as bad. Run chkdsk.
bridge0: port 2(bridge_slave_1) entered disabled state
ntfs: (device loop4): load_system_files(): Failed to load $Volume.
ntfs: (device loop4): ntfs_fill_super(): Failed to load system files.
device bridge_slave_0 left promiscuous mode
audit: type=1804 audit(1638767382.818:8): pid=10605 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir657964424/syzkaller.OA1DTE/28/file1/bus" dev="loop5" ino=5 res=1
ntfs: (device loop4): check_mft_mirror(): Incomplete multi sector transfer detected in mft record 3.
bridge0: port 1(bridge_slave_0) entered disabled state
attempt to access beyond end of device
loop5: rw=2049, want=90, limit=87
Buffer I/O error on dev loop5, logical block 44, lost async page write
attempt to access beyond end of device
ntfs: (device loop4): load_system_files(): $MFTMirr does not match $MFT. Mounting read-only. Run ntfsfix and/or chkdsk.
loop5: rw=2049, want=98, limit=87
attempt to access beyond end of device
loop5: rw=2049, want=100, limit=87
8021q: adding VLAN 0 to HW filter on device batadv1
EXT4-fs (loop5): filesystem too large to mount safely on this system
EXT4-fs (loop5): filesystem too large to mount safely on this system
f2fs_msg: 14 callbacks suppressed
F2FS-fs (loop0): Found nat_bits in checkpoint
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
F2FS-fs (loop0): sanity_check_inode: inode (ino=3) has corrupted i_extra_isize: 24, max: 12
device dummy0 entered promiscuous mode
F2FS-fs (loop0): Failed to read root inode
squashfs: SQUASHFS error: unable to read inode lookup table
team0: Device macvtap1 failed to register rx_handler
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
device dummy0 left promiscuous mode
F2FS-fs (loop0): Found nat_bits in checkpoint
squashfs: SQUASHFS error: unable to read inode lookup table
F2FS-fs (loop0): sanity_check_inode: inode (ino=3) has corrupted i_extra_isize: 24, max: 12
F2FS-fs (loop0): Failed to read root inode
overlayfs: filesystem on './bus' not supported as upperdir
device dummy0 entered promiscuous mode
team0: Device macvtap1 failed to register rx_handler
F2FS-fs (loop0): Found nat_bits in checkpoint
device dummy0 left promiscuous mode
F2FS-fs (loop0): sanity_check_inode: inode (ino=3) has corrupted i_extra_isize: 24, max: 12
F2FS-fs (loop0): Failed to read root inode
F2FS-fs (loop0): Failed to initialize F2FS segment manager
netlink: 96 bytes leftover after parsing attributes in process `syz-executor.1'.
BTRFS: device fsid 9fd069f9-9b51-4f58-b143-43c07f72f4a9 devid 1 transid 7 /dev/loop0
netlink: 96 bytes leftover after parsing attributes in process `syz-executor.1'.
BTRFS error (device loop0): superblock checksum mismatch
BTRFS error (device loop0): open_ctree failed
syz-executor.4 (10742): drop_caches: 2
9pnet: p9_fd_create_unix (10794): problem connecting socket: qY3aK: -111
syz-executor.4 (10736): drop_caches: 2
BTRFS error (device loop0): superblock checksum mismatch
BTRFS error (device loop0): open_ctree failed
netlink: 96 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 96 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
team0: Device ipip0 is of different type
vhci_hcd: invalid port number 255
vhci_hcd: default hub control req: 4014 v0002 i00ff l225
vhci_hcd: invalid port number 255
vhci_hcd: default hub control req: 4014 v0002 i00ff l225
device bridge0 entered promiscuous mode
device bridge1 entered promiscuous mode