======================================================
WARNING: possible circular locking dependency detected
4.19.167-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/31100 is trying to acquire lock:
00000000f28f30f0 (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline]
00000000f28f30f0 (sb_writers#3){.+.+}, at: mnt_want_write+0x3a/0xb0 fs/namespace.c:360

but task is already holding lock:
0000000088640685 (&ovl_i_mutex_dir_key[depth]){++++}, at: inode_lock include/linux/fs.h:748 [inline]
0000000088640685 (&ovl_i_mutex_dir_key[depth]){++++}, at: chmod_common+0x14b/0x3f0 fs/open.c:554

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&ovl_i_mutex_dir_key[depth]){++++}:
       inode_lock_shared include/linux/fs.h:758 [inline]
       do_last fs/namei.c:3326 [inline]
       path_openat+0x17ec/0x2df0 fs/namei.c:3537
       do_filp_open+0x18c/0x3f0 fs/namei.c:3567
       do_open_execat+0x11d/0x5b0 fs/exec.c:853
       __do_execve_file+0x1a8b/0x2360 fs/exec.c:1770
       do_execveat_common fs/exec.c:1879 [inline]
       do_execve+0x35/0x50 fs/exec.c:1896
       __do_sys_execve fs/exec.c:1977 [inline]
       __se_sys_execve fs/exec.c:1972 [inline]
       __x64_sys_execve+0x7c/0xa0 fs/exec.c:1972
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&sig->cred_guard_mutex){+.+.}:
       lock_trace fs/proc/base.c:402 [inline]
       proc_pid_stack+0x160/0x350 fs/proc/base.c:452
       proc_single_show+0xeb/0x170 fs/proc/base.c:755
       seq_read+0x4be/0x1160 fs/seq_file.c:229
       do_loop_readv_writev fs/read_write.c:701 [inline]
       do_loop_readv_writev fs/read_write.c:688 [inline]
       do_iter_read+0x471/0x630 fs/read_write.c:925
       vfs_readv+0xe5/0x150 fs/read_write.c:987
       do_preadv fs/read_write.c:1071 [inline]
       __do_sys_preadv fs/read_write.c:1121 [inline]
       __se_sys_preadv fs/read_write.c:1116 [inline]
       __x64_sys_preadv+0x22b/0x310 fs/read_write.c:1116
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&p->lock){+.+.}:
       seq_read+0x6b/0x1160 fs/seq_file.c:161
       proc_reg_read+0x1bd/0x2d0 fs/proc/inode.c:231
       do_loop_readv_writev fs/read_write.c:701 [inline]
       do_loop_readv_writev fs/read_write.c:688 [inline]
       do_iter_read+0x471/0x630 fs/read_write.c:925
       vfs_readv+0xe5/0x150 fs/read_write.c:987
       kernel_readv fs/splice.c:362 [inline]
       default_file_splice_read+0x457/0xa00 fs/splice.c:417
       do_splice_to+0x10e/0x160 fs/splice.c:881
       splice_direct_to_actor+0x2b9/0x8d0 fs/splice.c:959
       do_splice_direct+0x1a7/0x270 fs/splice.c:1068
       do_sendfile+0x550/0xc30 fs/read_write.c:1447
       __do_sys_sendfile64 fs/read_write.c:1508 [inline]
       __se_sys_sendfile64+0x147/0x160 fs/read_write.c:1494
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x6e/0x2a0 fs/super.c:1366
       sb_start_write include/linux/fs.h:1579 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:360
       ovl_setattr+0xdd/0x920 fs/overlayfs/inode.c:30
       notify_change+0x70b/0xfc0 fs/attr.c:334
       chmod_common+0x1d9/0x3f0 fs/open.c:560
       do_fchmodat+0xb5/0x140 fs/open.c:598
       __do_sys_chmod fs/open.c:616 [inline]
       __se_sys_chmod fs/open.c:614 [inline]
       __x64_sys_chmod+0x58/0x80 fs/open.c:614
       do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  sb_writers#3 --> &sig->cred_guard_mutex --> &ovl_i_mutex_dir_key[depth]

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&ovl_i_mutex_dir_key[depth]);
                               lock(&sig->cred_guard_mutex);
                               lock(&ovl_i_mutex_dir_key[depth]);
  lock(sb_writers#3);

 *** DEADLOCK ***

2 locks held by syz-executor.2/31100:
 #0: 000000009d0bd79c (sb_writers#22){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline]
 #0: 000000009d0bd79c (sb_writers#22){.+.+}, at: mnt_want_write+0x3a/0xb0 fs/namespace.c:360
 #1: 0000000088640685 (&ovl_i_mutex_dir_key[depth]){++++}, at: inode_lock include/linux/fs.h:748 [inline]
 #1: 0000000088640685 (&ovl_i_mutex_dir_key[depth]){++++}, at: chmod_common+0x14b/0x3f0 fs/open.c:554

stack backtrace:
CPU: 0 PID: 31100 Comm: syz-executor.2 Not tainted 4.19.167-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1865 [inline]
 check_prevs_add kernel/locking/lockdep.c:1978 [inline]
 validate_chain kernel/locking/lockdep.c:2419 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3415
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3907
 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
 percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
 __sb_start_write+0x6e/0x2a0 fs/super.c:1366
 sb_start_write include/linux/fs.h:1579 [inline]
 mnt_want_write+0x3a/0xb0 fs/namespace.c:360
 ovl_setattr+0xdd/0x920 fs/overlayfs/inode.c:30
 notify_change+0x70b/0xfc0 fs/attr.c:334
 chmod_common+0x1d9/0x3f0 fs/open.c:560
 do_fchmodat+0xb5/0x140 fs/open.c:598
 __do_sys_chmod fs/open.c:616 [inline]
 __se_sys_chmod fs/open.c:614 [inline]
 __x64_sys_chmod+0x58/0x80 fs/open.c:614
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45e219
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa1abb2cc68 EFLAGS: 00000246 ORIG_RAX: 000000000000005a
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 000000000045e219
RDX: 0000000000000000 RSI: 0000000000000132 RDI: 0000000020000180
RBP: 000000000119bfb8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c
R13: 00007ffeeae4976f R14: 00007fa1abb2d9c0 R15: 000000000119bf8c
audit: type=1800 audit(1610805127.759:80): pid=31084 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=16476 res=0
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: missing 'lowerdir'
overlayfs: unrecognized mount option "uppertir=./file1" or missing value
overlayfs: unrecognized mount option "uppertir=./file1" or missing value
overlayfs: missing 'lowerdir'
overlayfs: missing 'lowerdir'
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: failed to resolve './file0': -2
overlayfs: missing 'lowerdir'
audit: type=1800 audit(1610805128.369:81): pid=31112 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="cpuset.memory_pressure" dev="sda1" ino=16383 res=0
audit: type=1800 audit(1610805128.559:82): pid=31150 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=16318 res=0
overlayfs: failed to resolve './file0': -2
overlayfs: missing 'lowerdir'
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: failed to resolve './file0': -2
overlayfs: missing 'lowerdir'
overlayfs: missing 'lowerdir'
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
audit: type=1800 audit(1610805129.149:83): pid=31170 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=16429 res=0
Bluetooth: hci3: command 0x0406 tx timeout
audit: type=1800 audit(1610805129.179:84): pid=31177 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="cpuset.memory_pressure" dev="sda1" ino=16363 res=0
overlayfs: missing 'lowerdir'
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: missing 'lowerdir'
overlayfs: missing 'workdir'
overlayfs: missing 'workdir'
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: missing 'lowerdir'
overlayfs: missing 'workdir'
audit: type=1800 audit(1610805130.149:85): pid=31259 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="cpuset.memory_pressure" dev="sda1" ino=16352 res=0
audit: type=1800 audit(1610805130.449:86): pid=31271 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=15756 res=0
overlayfs: failed to resolve './file': -2
overlayfs: missing 'lowerdir'
overlayfs: unrecognized mount option "upÿÿÿÿir=./fil 1" or missing value
overlayfs: unrecognized mount option "upÿÿÿÿir=./fil 1" or missing value
overlayfs: missing 'lowerdir'
overlayfs: failed to resolve './file': -2
overlayfs: unrecognized mount option "017777777777777777777770000000000000000000300000000000000000003" or missing value
overlayfs: missing 'lowerdir'
overlayfs: unrecognized mount option "017777777777777777777770000000000000000000300000000000000000003" or missing value
overlayfs: failed to resolve './file': -2
overlayfs: missing 'lowerdir'
audit: type=1800 audit(1610805131.000:87): pid=31286 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="cpuset.memory_pressure" dev="sda1" ino=16240 res=0
audit: type=1800 audit(1610805131.050:88): pid=31281 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=16415 res=0
overlayfs: missing 'lowerdir'
overlayfs: unrecognized mount option "nfs_ex" or missing value
overlayfs: unrecognized mount option "workdiÁ=./file0" or missing value
overlayfs: unrecognized mount option "workdiÁ=./file0" or missing value
overlayfs: missing 'lowerdir'
overlayfs: unrecognized mount option "nfs_ex" or missing value
overlayfs: missing 'lowerdir'
overlayfs: unrecognized mount option "nfs_ex" or missing value
overlayfs: missing 'lowerdir'
overlayfs: unrecognized mount option "nfs_export" or missing value
audit: type=1800 audit(1610805131.700:89): pid=31334 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=16597 res=0
audit: type=1800 audit(1610805131.750:90): pid=31344 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="cpuset.memory_pressure" dev="sda1" ino=16051 res=0
overlayfs: missing 'workdir'
overlayfs: unrecognized mount option "nfs_export" or missing value
overlayfs: missing 'workdir'
overlayfs: unrecognized mount option "nfs_export" or missing value
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: missing 'workdir'
overlayfs: unrecognized mount option "nfs_export=o" or missing value
overlayfs: failed to resolve './file': -2
overlayfs: unrecognized mount option "nfs_export=o" or missing value
audit: type=1800 audit(1610805132.560:91): pid=31414 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=16881 res=0
audit: type=1800 audit(1610805132.590:92): pid=31429 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="cpuset.memory_pressure" dev="sda1" ino=16597 res=0
overlayfs: unrecognized mount option "nfs_export=o" or missing value
overlayfs: failed to resolve './file': -2
overlayfs: failed to resolve './file1': -2
overlayfs: failed to resolve './file': -2
overlayfs: unrecognized mount option "nfs_ex" or missing value
overlayfs: unrecognized mount option "nfs_ex" or missing value
audit: type=1800 audit(1610805133.170:93): pid=31456 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=16542 res=0
overlayfs: upperdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
audit: type=1800 audit(1610805133.330:94): pid=31488 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="cpuset.memory_pressure" dev="sda1" ino=16555 res=0
overlayfs: unrecognized mount option "nfs_ex" or missing value
overlayfs: failed to resolve './file0': -2
overlayfs: failed to resolve './file0': -2
overlayfs: unrecognized mount option "nfs_export" or missing value
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: unrecognized mount option "nfs_export" or missing value
overlayfs: upperdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
audit: type=1800 audit(1610805134.230:95): pid=31502 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=16220 res=0
overlayfs: unrecognized mount option "nfs_export" or missing value
overlayfs: unrecognized mount option "lowerdiÀ=./bus" or missing value
overlayfs: unrecognized mount option "lowerdiÀ=./bus" or missing value
overlayfs: missing 'workdir'
overlayfs: unrecognized mount option "nfs_export=o" or missing value
overlayfs: unrecognized mount option "nfs_export=o" or missing value
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: unrecognized mount option "nfs_export=o" or missing value
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
kauditd_printk_skb: 2 callbacks suppressed
audit: type=1800 audit(1610805135.730:98): pid=31643 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="cpuset.memory_pressure" dev="sda1" ino=16220 res=0
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
netlink: 'syz-executor.4': attribute type 46 has an invalid length.
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
audit: type=1800 audit(1610805136.090:99): pid=31667 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="cpuset.memory_pressure" dev="sda1" ino=15892 res=0
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
audit: type=1800 audit(1610805136.590:100): pid=31700 uid=0 auid=0 ses=4 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="cpuset.memory_pressure" dev="sda1" ino=16034 res=0
overlayfs: workdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.