device bridge_slave_0 entered promiscuous mode
======================================================
WARNING: possible circular locking dependency detected
4.14.210-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/22184 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff81a2cbcf>] lock_trace fs/proc/base.c:407 [inline]
 (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff81a2cbcf>] proc_pid_stack+0x13f/0x2f0 fs/proc/base.c:457

but task is already holding lock:
 (&p->lock){+.+.}, at: [<ffffffff8190e9ea>] seq_read+0xba/0x1120 fs/seq_file.c:165

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&p->lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       seq_read+0xba/0x1120 fs/seq_file.c:165
       kernfs_fop_read+0xd7/0x500 fs/kernfs/file.c:252
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
       vfs_readv+0xc8/0x120 fs/read_write.c:981
       kernel_readv fs/splice.c:361 [inline]
       default_file_splice_read+0x418/0x910 fs/splice.c:416
       do_splice_to+0xfb/0x140 fs/splice.c:880
       splice_direct_to_actor+0x207/0x730 fs/splice.c:952
       do_splice_direct+0x164/0x210 fs/splice.c:1061
       do_sendfile+0x47f/0xb30 fs/read_write.c:1441
       SYSC_sendfile64 fs/read_write.c:1502 [inline]
       SyS_sendfile64+0xff/0x110 fs/read_write.c:1488
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #2 (sb_writers#3){.+.+}:
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
       sb_start_write include/linux/fs.h:1549 [inline]
       mnt_want_write+0x3a/0xb0 fs/namespace.c:386
       ovl_do_remove+0x67/0xb90 fs/overlayfs/dir.c:759
       vfs_rmdir.part.0+0x144/0x390 fs/namei.c:3908
       vfs_rmdir fs/namei.c:3893 [inline]
       do_rmdir+0x334/0x3c0 fs/namei.c:3968
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&ovl_i_mutex_dir_key[depth]){++++}:
       down_read+0x36/0x80 kernel/locking/rwsem.c:24
       inode_lock_shared include/linux/fs.h:729 [inline]
       do_last fs/namei.c:3333 [inline]
       path_openat+0x149b/0x2970 fs/namei.c:3569
       do_filp_open+0x179/0x3c0 fs/namei.c:3603
       do_open_execat+0xd3/0x450 fs/exec.c:849
       do_execveat_common+0x711/0x1f30 fs/exec.c:1755
       do_execve fs/exec.c:1860 [inline]
       SYSC_execve fs/exec.c:1941 [inline]
       SyS_execve+0x3b/0x50 fs/exec.c:1936
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&sig->cred_guard_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       lock_trace fs/proc/base.c:407 [inline]
       proc_pid_stack+0x13f/0x2f0 fs/proc/base.c:457
       proc_single_show+0xe7/0x150 fs/proc/base.c:761
       seq_read+0x4cf/0x1120 fs/seq_file.c:237
       do_loop_readv_writev fs/read_write.c:695 [inline]
       do_loop_readv_writev fs/read_write.c:682 [inline]
       do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
       vfs_readv+0xc8/0x120 fs/read_write.c:981
       do_preadv fs/read_write.c:1065 [inline]
       SYSC_preadv fs/read_write.c:1115 [inline]
       SyS_preadv+0x15a/0x200 fs/read_write.c:1110
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  &sig->cred_guard_mutex --> sb_writers#3 --> &p->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&p->lock);
                               lock(sb_writers#3);
                               lock(&p->lock);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.4/22184:
 #0:  (&p->lock){+.+.}, at: [<ffffffff8190e9ea>] seq_read+0xba/0x1120 fs/seq_file.c:165

stack backtrace:
CPU: 1 PID: 22184 Comm: syz-executor.4 Not tainted 4.14.210-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 lock_trace fs/proc/base.c:407 [inline]
 proc_pid_stack+0x13f/0x2f0 fs/proc/base.c:457
 proc_single_show+0xe7/0x150 fs/proc/base.c:761
 seq_read+0x4cf/0x1120 fs/seq_file.c:237
 do_loop_readv_writev fs/read_write.c:695 [inline]
 do_loop_readv_writev fs/read_write.c:682 [inline]
 do_iter_read+0x3eb/0x5b0 fs/read_write.c:919
 vfs_readv+0xc8/0x120 fs/read_write.c:981
 do_preadv fs/read_write.c:1065 [inline]
 SYSC_preadv fs/read_write.c:1115 [inline]
 SyS_preadv+0x15a/0x200 fs/read_write.c:1110
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45de79
RSP: 002b:00007f5147d25c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 000000000045de79
RDX: 0000000000000152 RSI: 00000000200017c0 RDI: 0000000000000003
RBP: 000000000118bf70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffdc167e0cf R14: 00007f5147d269c0 R15: 000000000118bf2c
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
device bridge4 entered promiscuous mode
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
bridge4: port 1(bridge_slave_0) entered blocking state
bridge4: port 1(bridge_slave_0) entered disabled state
device bridge_slave_0 entered promiscuous mode
bridge4: port 1(bridge_slave_0) entered blocking state
bridge4: port 1(bridge_slave_0) entered forwarding state
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
device bridge0 entered promiscuous mode
capability: warning: `syz-executor.0' uses 32-bit capabilities (legacy support in use)
device bridge0 left promiscuous mode
hub 9-0:1.0: USB hub found
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
hub 9-0:1.0: 8 ports detected
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
IPv6: ADDRCONF(NETDEV_UP): vlan2: link is not ready
bond1: vlan2 is up - this may be due to an out of date ifenslave
nla_parse: 14 callbacks suppressed