======================================================
WARNING: possible circular locking dependency detected
4.14.232-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/31377 is trying to acquire lock:
 (&oi->lock){+.+.}, at: [<ffffffff8230d3f0>] ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318

but task is already holding lock:
 (sb_writers#3){.+.+}, at: [<ffffffff818dc80a>] sb_start_write include/linux/fs.h:1549 [inline]
 (sb_writers#3){.+.+}, at: [<ffffffff818dc80a>] mnt_want_write+0x3a/0xb0 fs/namespace.c:386

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
       sb_start_write include/linux/fs.h:1549 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
       ovl_do_remove+0x67/0xb90 fs/overlayfs/dir.c:759
       vfs_rmdir.part.0+0x144/0x390 fs/namei.c:3908
       vfs_rmdir fs/namei.c:3893 [inline]
       do_rmdir+0x334/0x3c0 fs/namei.c:3968
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&ovl_i_mutex_dir_key[depth]#2){++++}:
       down_read+0x36/0x80 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:729 [inline]
       lookup_slow+0x129/0x400 fs/namei.c:1674
       lookup_one_len_unlocked+0x3a0/0x410 fs/namei.c:2595
       ovl_lower_positive+0x184/0x350 fs/overlayfs/namei.c:783
       ovl_do_remove+0x12a/0xb90 fs/overlayfs/dir.c:772
       vfs_unlink+0x230/0x470 fs/namei.c:4027
       do_unlinkat+0x30c/0x5c0 fs/namei.c:4092
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&oi->lock){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318
       ovl_copy_up_one+0x21f/0x910 fs/overlayfs/copy_up.c:631
       ovl_copy_up_flags+0xd5/0x120 fs/overlayfs/copy_up.c:686
       ovl_nlink_start+0x383/0x460 fs/overlayfs/util.c:518
       ovl_do_remove+0xd4/0xb90 fs/overlayfs/dir.c:767
       vfs_unlink+0x230/0x470 fs/namei.c:4027
       do_unlinkat+0x30c/0x5c0 fs/namei.c:4092
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &oi->lock --> &ovl_i_mutex_dir_key[depth]#2 --> sb_writers#3

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sb_writers#3);
                               lock(&ovl_i_mutex_dir_key[depth]#2);
                               lock(sb_writers#3);
  lock(&oi->lock);

 *** DEADLOCK ***

4 locks held by syz-executor.5/31377:
 #0:  (sb_writers#13){.+.+}, at: [<ffffffff818dc80a>] sb_start_write include/linux/fs.h:1549 [inline]
 #0:  (sb_writers#13){.+.+}, at: [<ffffffff818dc80a>] mnt_want_write+0x3a/0xb0 fs/namespace.c:386
 #1:  (&ovl_i_mutex_dir_key[depth]#2/1){+.+.}, at: [<ffffffff818a4c51>] inode_lock_nested include/linux/fs.h:754 [inline]
 #1:  (&ovl_i_mutex_dir_key[depth]#2/1){+.+.}, at: [<ffffffff818a4c51>] do_unlinkat+0x201/0x5c0 fs/namei.c:4078
 #2:  (&ovl_i_mutex_key[depth]#2){+.+.}, at: [<ffffffff81896440>] inode_lock include/linux/fs.h:719 [inline]
 #2:  (&ovl_i_mutex_key[depth]#2){+.+.}, at: [<ffffffff81896440>] vfs_unlink+0xc0/0x470 fs/namei.c:4018
 #3:  (sb_writers#3){.+.+}, at: [<ffffffff818dc80a>] sb_start_write include/linux/fs.h:1549 [inline]
 #3:  (sb_writers#3){.+.+}, at: [<ffffffff818dc80a>] mnt_want_write+0x3a/0xb0 fs/namespace.c:386

stack backtrace:
CPU: 0 PID: 31377 Comm: syz-executor.5 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 ovl_copy_up_start+0x40/0xe0 fs/overlayfs/util.c:318
 ovl_copy_up_one+0x21f/0x910 fs/overlayfs/copy_up.c:631
 ovl_copy_up_flags+0xd5/0x120 fs/overlayfs/copy_up.c:686
 ovl_nlink_start+0x383/0x460 fs/overlayfs/util.c:518
 ovl_do_remove+0xd4/0xb90 fs/overlayfs/dir.c:767
 vfs_unlink+0x230/0x470 fs/namei.c:4027
 do_unlinkat+0x30c/0x5c0 fs/namei.c:4092
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x4665f9
RSP: 002b:00007f292c750188 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffd5ed9eaff R14: 00007f292c750300 R15: 0000000000022000
audit: type=1804 audit(1619863068.968:99): pid=31405 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir537659893/syzkaller.qvEHQh/11/bus" dev="sda1" ino=15507 res=1
overlayfs: unrecognized mount option "nfs_export=on" or missing value
overlayfs: upperdir is in-use by another mount, mount with '-o index=off' to override exclusive upperdir protection.
BTRFS error (device loop4): bad tree block start 0 5308416
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS info (device loop4): has skinny extents
audit: type=1804 audit(1619863070.478:100): pid=31489 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir537659893/syzkaller.qvEHQh/12/bus" dev="sda1" ino=14467 res=1
BTRFS warning (device loop4): loop4 checksum verify failed on 5308416 wanted 77626DAF found B32957FE level 0
overlayfs: upperdir is in-use by another mount, mount with '-o index=off' to override exclusive upperdir protection.
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS warning (device loop4): loop4 checksum verify failed on 5308416 wanted 77626DAF found B32957FE level 0
audit: type=1800 audit(1619863071.118:101): pid=31561 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14004 res=0
audit: type=1804 audit(1619863071.128:102): pid=31561 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir308496743/syzkaller.RLFd8V/421/bus" dev="sda1" ino=14004 res=1
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS error (device loop4): open_ctree failed
overlayfs: unrecognized mount option "nfs_export=on" or missing value
IPVS: ftp: loaded support on port[0] = 21
BTRFS info (device loop0): disabling disk space caching
BTRFS info (device loop0): force zlib compression
audit: type=1804 audit(1619863071.778:103): pid=31561 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir308496743/syzkaller.RLFd8V/421/bus" dev="sda1" ino=14004 res=1
BTRFS info (device loop0): turning on flush-on-commit
audit: type=1804 audit(1619863071.778:104): pid=31550 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.3" name="/root/syzkaller-testdir308496743/syzkaller.RLFd8V/421/bus" dev="sda1" ino=14004 res=1
BTRFS info (device loop0): has skinny extents
overlayfs: unrecognized mount option "nfs_export=on" or missing value
IPVS: ftp: loaded support on port[0] = 21
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS error (device loop0): bad tree block start 0 5296128
BTRFS error (device loop0): open_ctree failed
BTRFS info (device loop0): disabling disk space caching
BTRFS info (device loop0): force zlib compression
BTRFS info (device loop0): turning on flush-on-commit
BTRFS info (device loop0): has skinny extents
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS error (device loop0): bad tree block start 0 5296128
BTRFS error (device loop0): open_ctree failed
BTRFS info (device loop0): disabling disk space caching
BTRFS info (device loop0): force zlib compression
BTRFS info (device loop0): turning on flush-on-commit
BTRFS info (device loop0): has skinny extents
BTRFS error (device loop0): bad tree block start 0 5296128
BTRFS error (device loop0): open_ctree failed
BTRFS info (device loop0): disabling disk space caching
BTRFS info (device loop0): force zlib compression
BTRFS info (device loop0): turning on flush-on-commit
BTRFS info (device loop0): has skinny extents
BTRFS error (device loop0): open_ctree failed
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
overlayfs: unrecognized mount option "nfs_export=on" or missing value
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS warning (device loop4): loop4 checksum verify failed on 5308416 wanted 77626DAF found B32957FE level 0
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS warning (device loop4): loop4 checksum verify failed on 5308416 wanted 77626DAF found B32957FE level 0
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS error (device loop4): open_ctree failed
overlayfs: unrecognized mount option "nfs_export=on" or missing value
BTRFS info (device loop0): disabling disk space caching
BTRFS info (device loop0): force zlib compression
BTRFS info (device loop0): turning on flush-on-commit
BTRFS info (device loop0): has skinny extents
overlayfs: failed to resolve './file1': -2
overlayfs: failed to resolve './file1': -2
BTRFS error (device loop0): bad tree block start 0 5296128
overlayfs: failed to resolve './file1': -2
BTRFS error (device loop0): open_ctree failed
BTRFS info (device loop0): disabling disk space caching
BTRFS info (device loop0): force zlib compression
BTRFS info (device loop0): turning on flush-on-commit
BTRFS info (device loop0): has skinny extents
overlayfs: failed to resolve './file0': -2
BTRFS error (device loop0): bad tree block start 0 5296128
BTRFS error (device loop0): open_ctree failed
BTRFS info (device loop0): disabling disk space caching
BTRFS info (device loop0): force zlib compression
BTRFS info (device loop0): turning on flush-on-commit
BTRFS info (device loop0): has skinny extents
overlayfs: failed to resolve './file0': -2
BTRFS error (device loop0): bad tree block start 0 5296128
BTRFS error (device loop0): open_ctree failed
BTRFS info (device loop0): disabling disk space caching
BTRFS info (device loop0): force zlib compression
BTRFS info (device loop0): turning on flush-on-commit
BTRFS info (device loop0): has skinny extents
BTRFS error (device loop0): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
overlayfs: failed to resolve './file0': -2
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS warning (device loop4): loop4 checksum verify failed on 5308416 wanted 77626DAF found B32957FE level 0
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS warning (device loop4): loop4 checksum verify failed on 5308416 wanted 77626DAF found B32957FE level 0
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop3): disabling disk space caching
BTRFS info (device loop3): force zlib compression
BTRFS info (device loop3): turning on flush-on-commit
BTRFS info (device loop3): has skinny extents
BTRFS error (device loop3): bad tree block start 0 5296128
BTRFS error (device loop3): open_ctree failed
BTRFS info (device loop3): disabling disk space caching
BTRFS info (device loop3): force zlib compression
BTRFS info (device loop3): turning on flush-on-commit
BTRFS info (device loop3): has skinny extents
BTRFS error (device loop3): bad tree block start 0 5296128
BTRFS error (device loop3): open_ctree failed
BTRFS info (device loop3): disabling disk space caching
BTRFS info (device loop3): force zlib compression
BTRFS info (device loop3): turning on flush-on-commit
BTRFS info (device loop3): has skinny extents
BTRFS error (device loop3): open_ctree failed
BTRFS info (device loop3): disabling disk space caching
BTRFS info (device loop3): force zlib compression
BTRFS info (device loop3): turning on flush-on-commit
BTRFS info (device loop3): has skinny extents
BTRFS error (device loop3): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
overlayfs: failed to resolve './file0': -2
overlayfs: failed to resolve './file0': -2
overlayfs: failed to resolve './file0': -2
BTRFS warning (device loop4): loop4 checksum verify failed on 5308416 wanted 77626DAF found B32957FE level 0
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
overlayfs: failed to resolve './file1': -2
BTRFS warning (device loop4): loop4 checksum verify failed on 5308416 wanted 77626DAF found B32957FE level 0
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS warning (device loop4): loop4 checksum verify failed on 5308416 wanted 77626DAF found B32957FE level 0
BTRFS error (device loop4): open_ctree failed
BTRFS info (device loop4): disabling disk space caching
BTRFS info (device loop4): force zlib compression
BTRFS info (device loop4): turning on flush-on-commit
BTRFS info (device loop4): has skinny extents
BTRFS error (device loop4): open_ctree failed
overlayfs: failed to resolve './file1': -2
BTRFS info (device loop3): disabling disk space caching
BTRFS info (device loop3): force zlib compression
BTRFS info (device loop3): turning on flush-on-commit