====================================================== WARNING: possible circular locking dependency detected 4.15.0-rc1+ #197 Not tainted ------------------------------------------------------ syz-executor3/21456 is trying to acquire lock: (&sb->s_type->i_mutex_key#10){++++}, at: [] inode_lock include/linux/fs.h:713 [inline] (&sb->s_type->i_mutex_key#10){++++}, at: [] generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289 but task is already holding lock: (&pipe->mutex/1){+.+.}, at: [] pipe_lock_nested fs/pipe.c:67 [inline] (&pipe->mutex/1){+.+.}, at: [] pipe_lock fs/pipe.c:75 [inline] (&pipe->mutex/1){+.+.}, at: [] pipe_wait+0x1e6/0x280 fs/pipe.c:123 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #6 (&pipe->mutex/1){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 pipe_lock_nested fs/pipe.c:67 [inline] pipe_lock+0x56/0x70 fs/pipe.c:75 iter_file_splice_write+0x264/0xf30 fs/splice.c:699 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1147 [inline] SYSC_splice fs/splice.c:1402 [inline] SyS_splice+0x7d5/0x1630 fs/splice.c:1382 entry_SYSCALL_64_fastpath+0x1f/0x96 -> #5 (sb_writers){.+.+}: inode_lock_nested include/linux/fs.h:748 [inline] filename_create+0x192/0x520 fs/namei.c:3634 -> #4 ((completion)&req.done){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 complete_acquire include/linux/completion.h:40 [inline] __wait_for_common kernel/sched/completion.c:109 [inline] wait_for_common kernel/sched/completion.c:123 [inline] wait_for_completion+0xcb/0x7b0 kernel/sched/completion.c:144 devtmpfs_create_node+0x32b/0x4a0 drivers/base/devtmpfs.c:115 device_add+0x120f/0x1640 drivers/base/core.c:1824 device_create_groups_vargs+0x1f3/0x250 drivers/base/core.c:2430 device_create_vargs drivers/base/core.c:2470 [inline] device_create+0xda/0x110 drivers/base/core.c:2506 msr_device_create+0x26/0x40 arch/x86/kernel/msr.c:188 cpuhp_invoke_callback+0x2ea/0x1d20 kernel/cpu.c:182 cpuhp_thread_fun+0x48e/0x7e0 kernel/cpu.c:571 smpboot_thread_fn+0x450/0x7c0 kernel/smpboot.c:164 kthread+0x37a/0x440 kernel/kthread.c:238 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441 -> #3 (cpuhp_state-up){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 cpuhp_lock_acquire kernel/cpu.c:85 [inline] cpuhp_invoke_ap_callback kernel/cpu.c:605 [inline] cpuhp_issue_call+0x1e5/0x520 kernel/cpu.c:1495 __cpuhp_setup_state_cpuslocked+0x282/0x600 kernel/cpu.c:1642 __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1671 cpuhp_setup_state include/linux/cpuhotplug.h:201 [inline] page_writeback_init+0x4d/0x71 mm/page-writeback.c:2084 pagecache_init+0x48/0x4f mm/filemap.c:977 start_kernel+0x6bc/0x74f init/main.c:690 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 -> #2 (cpuhp_state_mutex){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 __cpuhp_setup_state_cpuslocked+0x5b/0x600 kernel/cpu.c:1617 __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1671 cpuhp_setup_state_nocalls include/linux/cpuhotplug.h:229 [inline] kvm_guest_init+0x1f3/0x20f arch/x86/kernel/kvm.c:528 setup_arch+0x17e8/0x1a02 arch/x86/kernel/setup.c:1266 start_kernel+0xa5/0x74f init/main.c:530 x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378 x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237 -> #1 (cpu_hotplug_lock.rw_sem){++++}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline] percpu_down_read include/linux/percpu-rwsem.h:59 [inline] cpus_read_lock+0x42/0x90 kernel/cpu.c:293 get_online_cpus include/linux/cpu.h:117 [inline] lru_add_drain_all+0xe/0x20 mm/swap.c:729 shmem_wait_for_pins mm/shmem.c:2672 [inline] shmem_add_seals+0x3df/0x1060 mm/shmem.c:2780 shmem_fcntl+0xfe/0x130 mm/shmem.c:2815 do_fcntl+0x73e/0x1160 fs/fcntl.c:421 SYSC_fcntl fs/fcntl.c:463 [inline] SyS_fcntl+0xdc/0x120 fs/fcntl.c:448 entry_SYSCALL_64_fastpath+0x1f/0x96 -> #0 (&sb->s_type->i_mutex_key#10){++++}: check_prevs_add kernel/locking/lockdep.c:2031 [inline] validate_chain kernel/locking/lockdep.c:2473 [inline] __lock_acquire+0x3498/0x47f0 kernel/locking/lockdep.c:3500 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 down_write+0x87/0x120 kernel/locking/rwsem.c:70 inode_lock include/linux/fs.h:713 [inline] generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289 call_write_iter include/linux/fs.h:1772 [inline] do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:653 do_iter_write+0x15a/0x540 fs/read_write.c:932 vfs_iter_write+0x77/0xb0 fs/read_write.c:945 iter_file_splice_write+0x7db/0xf30 fs/splice.c:749 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1147 [inline] SYSC_splice fs/splice.c:1402 [inline] SyS_splice+0x7d5/0x1630 fs/splice.c:1382 entry_SYSCALL_64_fastpath+0x1f/0x96 other info that might help us debug this: Chain exists of: &sb->s_type->i_mutex_key#10 --> sb_writers --> &pipe->mutex/1 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&pipe->mutex/1); lock(sb_writers); lock(&pipe->mutex/1); lock(&sb->s_type->i_mutex_key#10); *** DEADLOCK *** 2 locks held by syz-executor3/21456: #0: (sb_writers#5){.+.+}, at: [] file_start_write include/linux/fs.h:2715 [inline] #0: (sb_writers#5){.+.+}, at: [] do_splice fs/splice.c:1146 [inline] #0: (sb_writers#5){.+.+}, at: [] SYSC_splice fs/splice.c:1402 [inline] #0: (sb_writers#5){.+.+}, at: [] SyS_splice+0x1117/0x1630 fs/splice.c:1382 #1: (&pipe->mutex/1){+.+.}, at: [] pipe_lock_nested fs/pipe.c:67 [inline] #1: (&pipe->mutex/1){+.+.}, at: [] pipe_lock fs/pipe.c:75 [inline] #1: (&pipe->mutex/1){+.+.}, at: [] pipe_wait+0x1e6/0x280 fs/pipe.c:123 stack backtrace: CPU: 0 PID: 21456 Comm: syz-executor3 Not tainted 4.15.0-rc1+ #197 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_circular_bug+0x42d/0x610 kernel/locking/lockdep.c:1271 check_prev_add+0x666/0x15f0 kernel/locking/lockdep.c:1914 check_prevs_add kernel/locking/lockdep.c:2031 [inline] validate_chain kernel/locking/lockdep.c:2473 [inline] __lock_acquire+0x3498/0x47f0 kernel/locking/lockdep.c:3500 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004 down_write+0x87/0x120 kernel/locking/rwsem.c:70 inode_lock include/linux/fs.h:713 [inline] generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289 call_write_iter include/linux/fs.h:1772 [inline] do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:653 do_iter_write+0x15a/0x540 fs/read_write.c:932 vfs_iter_write+0x77/0xb0 fs/read_write.c:945 iter_file_splice_write+0x7db/0xf30 fs/splice.c:749 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1147 [inline] SYSC_splice fs/splice.c:1402 [inline] SyS_splice+0x7d5/0x1630 fs/splice.c:1382 entry_SYSCALL_64_fastpath+0x1f/0x96 RIP: 0033:0x4529d9 RSP: 002b:00007f246c53bc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 00000000004529d9 RDX: 0000000000000015 RSI: 0000000000000000 RDI: 0000000000000016 RBP: 00000000000003e0 R08: 0000000000000006 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2da0 R13: 00000000ffffffff R14: 00007f246c53c6d4 R15: 0000000000000000 device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode netlink: 17 bytes leftover after parsing attributes in process `syz-executor6'. device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode netlink: 17 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 17 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 17 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'. IPv6: NLM_F_REPLACE set, but no existing node found! netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=21917 comm=syz-executor7 IPv6: NLM_F_REPLACE set, but no existing node found! SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=21977 comm=syz-executor7 IPv6: NLM_F_REPLACE set, but no existing node found! IPv6: NLM_F_REPLACE set, but no existing node found! do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=22012 comm=syz-executor3 IPv6: NLM_F_REPLACE set, but no existing node found! do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=22034 comm=syz-executor7 do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app print_req_error: 232 callbacks suppressed print_req_error: I/O error, dev loop4, sector 0 buffer_io_error: 232 callbacks suppressed Buffer I/O error on dev loop4, logical block 0, lost async page write print_req_error: I/O error, dev loop4, sector 0 Buffer I/O error on dev loop4, logical block 0, lost async page write print_req_error: I/O error, dev loop4, sector 0 Buffer I/O error on dev loop4, logical block 0, lost async page write ALSA: seq fatal error: cannot create timer (-19) sctp: [Deprecated]: syz-executor2 (pid 22370) Use of int in maxseg socket option. Use struct sctp_assoc_value instead sctp: [Deprecated]: syz-executor2 (pid 22388) Use of int in maxseg socket option. Use struct sctp_assoc_value instead device gre0 entered promiscuous mode sctp: [Deprecated]: syz-executor2 (pid 22408) Use of int in maxseg socket option. Use struct sctp_assoc_value instead device gre0 left promiscuous mode sctp: [Deprecated]: syz-executor2 (pid 22416) Use of int in maxseg socket option. Use struct sctp_assoc_value instead device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 left promiscuous mode device gre0 left promiscuous mode device gre0 left promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode sctp: [Deprecated]: syz-executor3 (pid 22481) Use of int in maxseg socket option. Use struct sctp_assoc_value instead sctp: [Deprecated]: syz-executor3 (pid 22492) Use of int in maxseg socket option. Use struct sctp_assoc_value instead sctp: [Deprecated]: syz-executor4 (pid 22502) Use of int in maxseg socket option. Use struct sctp_assoc_value instead sctp: [Deprecated]: syz-executor4 (pid 22531) Use of int in maxseg socket option. Use struct sctp_assoc_value instead SELinux: unrecognized netlink message: protocol=0 nlmsg_type=27654 sclass=netlink_route_socket pig=22509 comm=syz-executor1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=27654 sclass=netlink_route_socket pig=22509 comm=syz-executor1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=27654 sclass=netlink_route_socket pig=22587 comm=syz-executor1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=27654 sclass=netlink_route_socket pig=22587 comm=syz-executor1 QAT: Invalid ioctl QAT: Invalid ioctl device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode 9pnet_virtio: no channels available for device ./file0 9pnet_virtio: no channels available for device ./file0 nla_parse: 31 callbacks suppressed netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'. device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode Bearer <> rejected, not supported in standalone mode netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. Bearer <> rejected, not supported in standalone mode netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. Bearer <> rejected, not supported in standalone mode Bearer <> rejected, not supported in standalone mode netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. QAT: Invalid ioctl QAT: Invalid ioctl device gre0 entered promiscuous mode