bisecting fixing commit since dda0e2920330128e0dbdeb11c8f25031aa40b11c
building syzkaller on a8c6a3f8da30ccf825c6001c81a8adff21829c30
testing commit dda0e2920330128e0dbdeb11c8f25031aa40b11c with gcc (GCC) 8.1.0
kernel signature: 4862e9e4ecbecae274b4362ef1e7cc8d62d75e4b40e6613fa49b6af97a714818
run #0: crashed: possible deadlock in seq_read
run #1: crashed: possible deadlock in seq_read
run #2: crashed: possible deadlock in seq_read
run #3: crashed: possible deadlock in seq_read
run #4: crashed: possible deadlock in seq_read
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing current HEAD 033c4ea49a4ba7a2b13aabf3ec755557924a9cda
testing commit 033c4ea49a4ba7a2b13aabf3ec755557924a9cda with gcc (GCC) 8.1.0
kernel signature: 58b21f532d699567b3c90ba3c0269dfd375303152b149d748012ccf566ad53c7
run #0: crashed: possible deadlock in seq_read
run #1: crashed: possible deadlock in seq_read
run #2: crashed: possible deadlock in seq_read
run #3: OK
run #4: OK
run #5: OK
run #6: crashed: possible deadlock in seq_read
run #7: OK
run #8: OK
run #9: OK
revisions tested: 2, total time: 40m0.921045418s (build: 19m26.70869887s, test: 19m20.689935618s)
the crash still happens on HEAD
commit msg: Linux 4.19.122
crash: possible deadlock in seq_read

overlayfs: lowerdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.
audit: type=1800 audit(1589238593.872:11): pid=23895 uid=0 auid=0 ses=8 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.0" name="file0" dev="sda1" ino=15841 res=0
audit: type=1804 audit(1589238593.882:12): pid=23895 uid=0 auid=0 ses=8 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir581353352/syzkaller.OOQ7ah/405/file0/file0" dev="sda1" ino=15841 res=1
overlayfs: filesystem on './file0' not supported as upperdir
======================================================
WARNING: possible circular locking dependency detected
4.19.122-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/23895 is trying to acquire lock:
00000000381e3dbb (&p->lock){+.+.}, at: seq_read+0x66/0x1000 fs/seq_file.c:161

but task is already holding lock:
0000000080979e87 (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2776 [inline]
0000000080979e87 (sb_writers#3){.+.+}, at: do_sendfile+0x81e/0xd00 fs/read_write.c:1446

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x17d/0x2a0 fs/super.c:1387
       sb_start_write include/linux/fs.h:1579 [inline]
       mnt_want_write+0x3c/0xa0 fs/namespace.c:360
       ovl_want_write+0x71/0x90 fs/overlayfs/util.c:24
       ovl_do_remove+0x18c/0xc00 fs/overlayfs/dir.c:843
       ovl_rmdir+0x11/0x20 fs/overlayfs/dir.c:893
       vfs_rmdir+0x149/0x3e0 fs/namei.c:3882
       do_rmdir+0x2af/0x350 fs/namei.c:3943
       __do_sys_rmdir fs/namei.c:3961 [inline]
       __se_sys_rmdir fs/namei.c:3959 [inline]
       __x64_sys_rmdir+0x31/0x40 fs/namei.c:3959
       do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&ovl_i_mutex_dir_key[depth]){++++}:
       down_read+0x3b/0xb0 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:758 [inline]
       lookup_slow+0x43/0x70 fs/namei.c:1688
       walk_component+0x694/0x2320 fs/namei.c:1811
       lookup_last fs/namei.c:2274 [inline]
       path_lookupat.isra.43+0x180/0x850 fs/namei.c:2319
       filename_lookup.part.57+0x160/0x360 fs/namei.c:2349
       filename_lookup fs/namei.c:2342 [inline]
       kern_path+0x2e/0x40 fs/namei.c:2435
       create_local_trace_uprobe+0x77/0x410 kernel/trace/trace_uprobe.c:1356
       perf_uprobe_init+0xe2/0x180 kernel/trace/trace_event_perf.c:317
       perf_uprobe_event_init+0xb2/0x130 kernel/events/core.c:8582
       perf_try_init_event+0xf9/0x290 kernel/events/core.c:9855
       perf_init_event kernel/events/core.c:9886 [inline]
       perf_event_alloc+0x13af/0x2990 kernel/events/core.c:10160
       __do_sys_perf_event_open+0x24a/0x20d0 kernel/events/core.c:10631
       __se_sys_perf_event_open kernel/events/core.c:10520 [inline]
       __x64_sys_perf_event_open+0xb9/0x140 kernel/events/core.c:10520
       do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&sig->cred_guard_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0xf5/0x1210 kernel/locking/mutex.c:1072
       mutex_lock_killable_nested+0x16/0x20 kernel/locking/mutex.c:1102
       do_io_accounting+0x1ee/0xa60 fs/proc/base.c:2738
       proc_tgid_io_accounting+0x14/0x20 fs/proc/base.c:2787
       proc_single_show+0xf3/0x170 fs/proc/base.c:755
       seq_read+0x3e2/0x1000 fs/seq_file.c:229
       do_loop_readv_writev fs/read_write.c:701 [inline]
       do_iter_read+0x362/0x560 fs/read_write.c:925
       vfs_readv+0xc9/0x130 fs/read_write.c:987
       kernel_readv fs/splice.c:362 [inline]
       default_file_splice_read+0x411/0x900 fs/splice.c:417
       do_splice_to+0xe3/0x120 fs/splice.c:881
       splice_direct_to_actor+0x296/0x870 fs/splice.c:959
       do_splice_direct+0x14c/0x270 fs/splice.c:1068
       do_sendfile+0x481/0xd00 fs/read_write.c:1447
       __do_sys_sendfile64 fs/read_write.c:1508 [inline]
       __se_sys_sendfile64 fs/read_write.c:1494 [inline]
       __x64_sys_sendfile64+0x198/0x1e0 fs/read_write.c:1494
       do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&p->lock){+.+.}:
       lock_acquire+0x173/0x3d0 kernel/locking/lockdep.c:3907
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0xf5/0x1210 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       seq_read+0x66/0x1000 fs/seq_file.c:161
       proc_reg_read+0x1ab/0x240 fs/proc/inode.c:231
       do_loop_readv_writev fs/read_write.c:701 [inline]
       do_iter_read+0x362/0x560 fs/read_write.c:925
       vfs_readv+0xc9/0x130 fs/read_write.c:987
       kernel_readv fs/splice.c:362 [inline]
       default_file_splice_read+0x411/0x900 fs/splice.c:417
       do_splice_to+0xe3/0x120 fs/splice.c:881
       splice_direct_to_actor+0x296/0x870 fs/splice.c:959
       do_splice_direct+0x14c/0x270 fs/splice.c:1068
       do_sendfile+0x481/0xd00 fs/read_write.c:1447
       __do_sys_sendfile64 fs/read_write.c:1508 [inline]
       __se_sys_sendfile64 fs/read_write.c:1494 [inline]
       __x64_sys_sendfile64+0x198/0x1e0 fs/read_write.c:1494
       do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

Chain exists of:
  &p->lock --> &ovl_i_mutex_dir_key[depth] --> sb_writers#3

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sb_writers#3);
                               lock(&ovl_i_mutex_dir_key[depth]);
                               lock(sb_writers#3);
  lock(&p->lock);

 *** DEADLOCK ***

1 lock held by syz-executor.0/23895:
 #0: 0000000080979e87 (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2776 [inline]
 #0: 0000000080979e87 (sb_writers#3){.+.+}, at: do_sendfile+0x81e/0xd00 fs/read_write.c:1446

stack backtrace:
CPU: 1 PID: 23895 Comm: syz-executor.0 Not tainted 4.19.122-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x177 lib/dump_stack.c:118
overlayfs: filesystem on './file0' not supported as upperdir
 print_circular_bug.isra.34.cold.55+0x1bd/0x27d kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1865 [inline]
 check_prevs_add kernel/locking/lockdep.c:1978 [inline]
 validate_chain kernel/locking/lockdep.c:2419 [inline]
 __lock_acquire+0x30df/0x4980 kernel/locking/lockdep.c:3415
 lock_acquire+0x173/0x3d0 kernel/locking/lockdep.c:3907
 __mutex_lock_common kernel/locking/mutex.c:925 [inline]
 __mutex_lock+0xf5/0x1210 kernel/locking/mutex.c:1072
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
 seq_read+0x66/0x1000 fs/seq_file.c:161
 proc_reg_read+0x1ab/0x240 fs/proc/inode.c:231
 do_loop_readv_writev fs/read_write.c:701 [inline]
 do_iter_read+0x362/0x560 fs/read_write.c:925
 vfs_readv+0xc9/0x130 fs/read_write.c:987
 kernel_readv fs/splice.c:362 [inline]
 default_file_splice_read+0x411/0x900 fs/splice.c:417
 do_splice_to+0xe3/0x120 fs/splice.c:881
 splice_direct_to_actor+0x296/0x870 fs/splice.c:959
 do_splice_direct+0x14c/0x270 fs/splice.c:1068
 do_sendfile+0x481/0xd00 fs/read_write.c:1447
 __do_sys_sendfile64 fs/read_write.c:1508 [inline]
 __se_sys_sendfile64 fs/read_write.c:1494 [inline]
 __x64_sys_sendfile64+0x198/0x1e0 fs/read_write.c:1494
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c889
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3bd31aec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f3bd31af6d4 RCX: 000000000045c889
RDX: 0000000000000000 RSI: 000000000000000a RDI: 0000000000000008
RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 000000007fffffa7 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008d4 R14: 00000000004cb7c6 R15: 000000000076bfac
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: './file0' not a directory
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: 'file0' not a directory
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: overlapping lowerdir path
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: overlapping lowerdir path
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: overlapping lowerdir path
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: filesystem on './file0' not supported as upperdir
overlayfs: overlapping lowerdir path