overlayfs: missing 'lowerdir'
EXT4-fs error (device loop2): ext4_orphan_get:1265: comm syz-executor.2: bad orphan inode 1
======================================================
WARNING: possible circular locking dependency detected
4.14.259-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/9767 is trying to acquire lock:
 ("dio/%s"sb->s_id){+.+.}, at: [] flush_workqueue+0xcb/0x1310 kernel/workqueue.c:2622

but task is already holding lock:
 (&sb->s_type->i_mutex_key#21){+.+.}, at: [] inode_lock include/linux/fs.h:719 [inline]
 (&sb->s_type->i_mutex_key#21){+.+.}, at: [] generic_file_write_iter+0x99/0x650 mm/filemap.c:3205

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&sb->s_type->i_mutex_key#21){+.+.}:
       down_write+0x34/0x90 kernel/locking/rwsem.c:54
       inode_lock include/linux/fs.h:719 [inline]
       __generic_file_fsync+0x9e/0x190 fs/libfs.c:989
       fat_file_fsync+0x73/0x1f0 fs/fat/file.c:165
       vfs_fsync_range+0x103/0x260 fs/sync.c:196
       generic_write_sync include/linux/fs.h:2684 [inline]
       dio_complete+0x561/0x8d0 fs/direct-io.c:330
       process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

-> #1 ((&dio->complete_work)){+.+.}:
       process_one_work+0x736/0x14a0 kernel/workqueue.c:2093
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

-> #0 ("dio/%s"sb->s_id){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625
       drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2790
       destroy_workqueue+0x71/0x710 kernel/workqueue.c:4116
       __alloc_workqueue_key+0xd50/0x1080 kernel/workqueue.c:4093
       sb_init_dio_done_wq+0x34/0x80 fs/direct-io.c:624
       do_blockdev_direct_IO fs/direct-io.c:1287 [inline]
       __blockdev_direct_IO+0x3df1/0xdcb0 fs/direct-io.c:1423
       blockdev_direct_IO include/linux/fs.h:2994 [inline]
       fat_direct_IO+0x19b/0x320 fs/fat/inode.c:275
       generic_file_direct_write+0x1df/0x420 mm/filemap.c:2958
       __generic_file_write_iter+0x2a2/0x590 mm/filemap.c:3137
       generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
       call_write_iter include/linux/fs.h:1780 [inline]
       aio_write+0x2ed/0x560 fs/aio.c:1553
       io_submit_one fs/aio.c:1641 [inline]
       do_io_submit+0x847/0x1570 fs/aio.c:1709
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  "dio/%s"sb->s_id --> (&dio->complete_work) --> &sb->s_type->i_mutex_key#21

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key#21);
                               lock((&dio->complete_work));
                               lock(&sb->s_type->i_mutex_key#21);
  lock("dio/%s"sb->s_id);

 *** DEADLOCK ***

2 locks held by syz-executor.3/9767:
 #0: (sb_writers#13){.+.+}, at: [] file_start_write include/linux/fs.h:2714 [inline]
 #0: (sb_writers#13){.+.+}, at: [] aio_write+0x408/0x560 fs/aio.c:1552
 #1: (&sb->s_type->i_mutex_key#21){+.+.}, at: [] inode_lock include/linux/fs.h:719 [inline]
 #1: (&sb->s_type->i_mutex_key#21){+.+.}, at: [] generic_file_write_iter+0x99/0x650 mm/filemap.c:3205

stack backtrace:
CPU: 0 PID: 9767 Comm: syz-executor.3 Not tainted 4.14.259-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 flush_workqueue+0xfa/0x1310 kernel/workqueue.c:2625
 drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2790
 destroy_workqueue+0x71/0x710 kernel/workqueue.c:4116
 __alloc_workqueue_key+0xd50/0x1080 kernel/workqueue.c:4093
 sb_init_dio_done_wq+0x34/0x80 fs/direct-io.c:624
 do_blockdev_direct_IO fs/direct-io.c:1287 [inline]
 __blockdev_direct_IO+0x3df1/0xdcb0 fs/direct-io.c:1423
 blockdev_direct_IO include/linux/fs.h:2994 [inline]
 fat_direct_IO+0x19b/0x320 fs/fat/inode.c:275
 generic_file_direct_write+0x1df/0x420 mm/filemap.c:2958
 __generic_file_write_iter+0x2a2/0x590 mm/filemap.c:3137
 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
 call_write_iter include/linux/fs.h:1780 [inline]
 aio_write+0x2ed/0x560 fs/aio.c:1553
 io_submit_one fs/aio.c:1641 [inline]
 do_io_submit+0x847/0x1570 fs/aio.c:1709
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fe6e459de99
RSP: 002b:00007fe6e2f13168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 00007fe6e46b0f60 RCX: 00007fe6e459de99
RDX: 0000000020000540 RSI: 0000000000001801 RDI: 00007fe6e468c000
RBP: 00007fe6e45f7ff1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff7bfb565f R14: 00007fe6e2f13300 R15: 0000000000022000
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
gfs2: gfs2 mount does not exist
EXT4-fs (loop2): VFS: Can't find ext4 filesystem
gfs2: gfs2 mount does not exist
EXT4-fs error (device loop2): ext4_orphan_get:1265: comm syz-executor.2: bad orphan inode 1
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
gfs2: gfs2 mount does not exist
netlink: 32 bytes leftover after parsing attributes in process `syz-executor.4'.
x_tables: ip6_tables: TCPOPTSTRIP target: only valid in mangle table, not filter
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
chnl_net:chnl_net_open(): err: Unable to register and open device, Err:-19
caif:caif_disconnect_client(): nothing to disconnect
audit: type=1804 audit(1640442217.357:10): pid=9999 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir395793595/syzkaller.UlQcrb/7/bus" dev="sda1" ino=13932 res=1
chnl_net:chnl_flowctrl_cb(): NET flowctrl func called flow: CLOSE/DEINIT
chnl_net:chnl_net_open(): state disconnected
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor.4'.
audit: type=1800 audit(1640442217.537:11): pid=10024 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=13934 res=0
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
chnl_net:chnl_net_open(): err: Unable to register and open device, Err:-19
caif:caif_disconnect_client(): nothing to disconnect
chnl_net:chnl_flowctrl_cb(): NET flowctrl func called flow: CLOSE/DEINIT
chnl_net:chnl_net_open(): state disconnected
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
kauditd_printk_skb: 2 callbacks suppressed
audit: type=1800 audit(1640442219.107:14): pid=10106 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13956 res=0
audit: type=1800 audit(1640442219.137:15): pid=10105 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=13934 res=0
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
chnl_net:chnl_net_open(): err: Unable to register and open device, Err:-19
caif:caif_disconnect_client(): nothing to disconnect
chnl_net:chnl_flowctrl_cb(): NET flowctrl func called flow: CLOSE/DEINIT
chnl_net:chnl_net_open(): state disconnected
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
IPVS: ftp: loaded support on port[0] = 21
Zero length message leads to an empty skb
ieee80211 phy2: hwaddr 02:00:00:00:02:00 registered
audit: type=1804 audit(1640442219.407:16): pid=10147 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir395793595/syzkaller.UlQcrb/9/bus" dev="sda1" ino=13926 res=1
ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy3: hwaddr 02:00:00:00:03:00 registered
audit: type=1800 audit(1640442220.027:17): pid=10266 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=13978 res=0
IPVS: ftp: loaded support on port[0] = 21
ieee80211 phy4: Selected rate control algorithm 'minstrel_ht'
audit: type=1800 audit(1640442220.067:18): pid=10272 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13980 res=0
ieee80211 phy4: hwaddr 02:00:00:00:04:00 registered
ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
audit: type=1800 audit(1640442220.277:19): pid=10327 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13977 res=0
ieee80211 phy5: hwaddr 02:00:00:00:05:00 registered
IPVS: ftp: loaded support on port[0] = 21
ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
audit: type=1800 audit(1640442220.447:20): pid=10373 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13967 res=0
ieee80211 phy6: hwaddr 02:00:00:00:06:00 registered
ieee80211 phy7: Selected rate control algorithm 'minstrel_ht'
IPVS: ftp: loaded support on port[0] = 21
ieee80211 phy7: hwaddr 02:00:00:00:07:00 registered
ieee80211 phy8: Selected rate control algorithm 'minstrel_ht'
audit: type=1800 audit(1640442220.917:21): pid=10501 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=13980 res=0
print_req_error: I/O error, dev loop3, sector 36028797018963960
audit: type=1800 audit(1640442220.937:22): pid=10501 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=13980 res=0
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
ieee80211 phy8: hwaddr 02:00:00:00:08:00 registered
ieee80211 phy9: Selected rate control algorithm 'minstrel_ht'
print_req_error: I/O error, dev loop3, sector 36028797018963960
ieee80211 phy9: hwaddr 02:00:00:00:09:00 registered
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
SQUASHFS error: lzo decompression failed, data probably corrupt
NILFS (loop3): couldn't find nilfs on the device
SQUASHFS error: squashfs_read_data failed to read block 0x60
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
audit: type=1800 audit(1640442221.167:23): pid=10555 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=13976 res=0
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
print_req_error: I/O error, dev loop0, sector 36028797018963960
NILFS (loop0): unable to read secondary superblock (blocksize = 1024)
print_req_error: I/O error, dev loop3, sector 36028797018963960
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop0): couldn't find nilfs on the device
NILFS (loop3): couldn't find nilfs on the device
ieee80211 phy10: Selected rate control algorithm 'minstrel_ht'
print_req_error: I/O error, dev loop3, sector 36028797018963960
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
ieee80211 phy10: hwaddr 02:00:00:00:0a:00 registered
EXT4-fs: Warning: mounting with data=journal disables delayed allocation and O_DIRECT support!
print_req_error: I/O error, dev loop3, sector 36028797018963960
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
EXT4-fs (loop1): unsupported descriptor size 22848
print_req_error: I/O error, dev loop3, sector 36028797018963960
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
SQUASHFS error: lzo decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x60
print_req_error: I/O error, dev loop3, sector 36028797018963960
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
SQUASHFS error: Unable to read fragment cache entry [60]
NILFS (loop3): couldn't find nilfs on the device
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
print_req_error: I/O error, dev loop3, sector 36028797018963960
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
print_req_error: I/O error, dev loop3, sector 36028797018963960
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
ieee80211 phy11: Selected rate control algorithm 'minstrel_ht'
IPVS: ftp: loaded support on port[0] = 21
NILFS (loop3): unable to read secondary superblock (blocksize = 1024)
NILFS (loop3): couldn't find nilfs on the device
SQUASHFS error: lzo decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x60
SQUASHFS error: Unable to read fragment cache entry [60]
ieee80211 phy11: hwaddr 02:00:00:00:0b:00 registered
SQUASHFS error: Unable to read page, block 60, size 1f
SQUASHFS error: Unable to read fragment cache entry [60]
SQUASHFS error: Unable to read page, block 60, size 1f
IPVS: ftp: loaded support on port[0] = 21
ieee80211 phy12: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy12: hwaddr 02:00:00:00:0c:00 registered
ieee80211 phy13: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy13: hwaddr 02:00:00:00:0d:00 registered
ieee80211 phy14: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy14: hwaddr 02:00:00:00:0e:00 registered
ieee80211 phy15: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy15: hwaddr 02:00:00:00:0f:00 registered
hfs: can't find a HFS filesystem on dev loop5
ieee80211 phy16: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy16: hwaddr 02:00:00:00:10:00 registered
ieee80211 phy17: Selected rate control algorithm 'minstrel_ht'
hid-generic 0000:0000:0000.0001: item fetching failed at offset 0/1
hid-generic: probe of 0000:0000:0000.0001 failed with error -22
ieee80211 phy17: hwaddr 02:00:00:00:11:00 registered
IPVS: set_ctl: invalid protocol: 0 172.20.20.187:0
xt_l2tp: invalid flags combination: 0
PM: Marking nosave pages: [mem 0x00000000-0x00000fff]
PM: Marking nosave pages: [mem 0x0009f000-0x000fffff]
PM: Marking nosave pages: [mem 0xbfffd000-0xffffffff]
PM: Basic memory bitmaps created
PM: Basic memory bitmaps freed
ieee80211 phy18: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy18: hwaddr 02:00:00:00:12:00 registered
ieee80211 phy19: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy19: hwaddr 02:00:00:00:13:00 registered
ieee80211 phy20: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy20: hwaddr 02:00:00:00:14:00 registered
ieee80211 phy21: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy21: hwaddr 02:00:00:00:15:00 registered
ieee80211 phy22: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy22: hwaddr 02:00:00:00:16:00 registered
ieee80211 phy23: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy23: hwaddr 02:00:00:00:17:00 registered
ieee80211 phy24: Selected rate control algorithm 'minstrel_ht'
IPVS: set_ctl: invalid protocol: 0 127.0.0.1:0
x_tables: ip_tables: rpfilter match: used from hooks PREROUTING/FORWARD, but only valid from PREROUTING
ieee80211 phy24: hwaddr 02:00:00:00:18:00 registered
ieee80211 phy25: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy25: hwaddr 02:00:00:00:19:00 registered
ieee80211 phy26: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy26: hwaddr 02:00:00:00:1a:00 registered