From: syzbot <syzbot+d4e3aadc5bd19f7e71ff@syzkaller.appspotmail.com>
To: amir73il@gmail.com, linux-kernel@vger.kernel.org,
linux-unionfs@vger.kernel.org, miklos@szeredi.hu,
syzkaller-bugs@googlegroups.com
Subject: [syzbot] [overlayfs?] possible deadlock in ovl_copy_up_start (5)
Date: Wed, 17 Jun 2026 14:09:34 -0700 [thread overview]
Message-ID: <6a330d0e.6d5abbec.a50f.0020.GAE@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 596d152bc5e3 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=10aba8ae580000
kernel config: https://syzkaller.appspot.com/x/.config?x=eb40ba923a822433
dashboard link: https://syzkaller.appspot.com/bug?extid=d4e3aadc5bd19f7e71ff
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/32d15acc8c01/disk-596d152b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/83b3d8d84761/vmlinux-596d152b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8edfcc3bf911/Image-596d152b.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d4e3aadc5bd19f7e71ff@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Tainted: G L
------------------------------------------------------
syz.3.611/8517 is trying to acquire lock:
ffff0000eee140f8 (&ovl_i_lock_key[depth]){+.+.}-{4:4}, at: ovl_inode_lock_interruptible fs/overlayfs/overlayfs.h:705 [inline]
ffff0000eee140f8 (&ovl_i_lock_key[depth]){+.+.}-{4:4}, at: ovl_copy_up_start+0x58/0x264 fs/overlayfs/util.c:735
but task is already holding lock:
ffff0000eee13d88 (&ovl_i_mutex_key[depth]/4){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1074 [inline]
ffff0000eee13d88 (&ovl_i_mutex_key[depth]/4){+.+.}-{4:4}, at: lock_two_nondirectories+0xe8/0x148 fs/inode.c:1256
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&ovl_i_mutex_key[depth]/4){+.+.}-{4:4}:
__lock_release kernel/locking/lockdep.c:5574 [inline]
lock_release+0x178/0x3b0 kernel/locking/lockdep.c:5889
up_write+0x3c/0x5d8 kernel/locking/rwsem.c:1681
inode_unlock include/linux/fs.h:1039 [inline]
unlock_two_nondirectories+0x60/0x118 fs/inode.c:1269
ext4_move_extents+0x468/0x3580 fs/ext4/move_extent.c:656
__ext4_ioctl fs/ext4/ioctl.c:1657 [inline]
ext4_ioctl+0x2a14/0x4234 fs/ext4/ioctl.c:1922
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
-> #1 (sb_writers#3){.+.+}-{0:0}:
percpu_down_read_internal include/linux/percpu-rwsem.h:53 [inline]
percpu_down_read_freezable include/linux/percpu-rwsem.h:83 [inline]
__sb_start_write include/linux/fs/super.h:19 [inline]
sb_start_write include/linux/fs/super.h:125 [inline]
ovl_start_write+0xf0/0x324 fs/overlayfs/util.c:32
ovl_do_copy_up fs/overlayfs/copy_up.c:977 [inline]
ovl_copy_up_one fs/overlayfs/copy_up.c:1189 [inline]
ovl_copy_up_flags+0x980/0x28a4 fs/overlayfs/copy_up.c:1243
ovl_maybe_copy_up+0x108/0x148 fs/overlayfs/copy_up.c:1272
ovl_open+0x12c/0x2c0 fs/overlayfs/file.c:211
do_dentry_open+0x5c4/0xfc8 fs/open.c:947
vfs_open+0x44/0x2d4 fs/open.c:1079
do_open fs/namei.c:4699 [inline]
path_openat+0x2234/0x2a6c fs/namei.c:4858
do_file_open+0x1c4/0x2e4 fs/namei.c:4887
do_sys_openat2+0x114/0x1e8 fs/open.c:1364
do_sys_open+0xac/0xdc fs/open.c:1370
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__arm64_sys_openat+0x9c/0xb8 fs/open.c:1381
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
-> #0 (&ovl_i_lock_key[depth]){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1780/0x2f44 kernel/locking/lockdep.c:5237
lock_acquire+0x140/0x368 kernel/locking/lockdep.c:5868
__mutex_lock_common kernel/locking/mutex.c:646 [inline]
__mutex_lock+0x160/0xef8 kernel/locking/mutex.c:820
mutex_lock_interruptible_nested+0x24/0x30 kernel/locking/mutex.c:898
ovl_inode_lock_interruptible fs/overlayfs/overlayfs.h:705 [inline]
ovl_copy_up_start+0x58/0x264 fs/overlayfs/util.c:735
ovl_copy_up_one fs/overlayfs/copy_up.c:1182 [inline]
ovl_copy_up_flags+0x768/0x28a4 fs/overlayfs/copy_up.c:1243
ovl_copy_up+0x24/0x34 fs/overlayfs/copy_up.c:1282
ovl_rename_start fs/overlayfs/dir.c:1176 [inline]
ovl_rename+0x2d8/0xfec fs/overlayfs/dir.c:1363
vfs_rename+0xa78/0xd48 fs/namei.c:6064
filename_renameat2+0x66c/0x730 fs/namei.c:6182
__do_sys_renameat2 fs/namei.c:6211 [inline]
__se_sys_renameat2 fs/namei.c:6206 [inline]
__arm64_sys_renameat2+0xe4/0x114 fs/namei.c:6206
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
other info that might help us debug this:
Chain exists of:
&ovl_i_lock_key[depth] --> sb_writers#3 --> &ovl_i_mutex_key[depth]/4
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&ovl_i_mutex_key[depth]/4);
                               lock(sb_writers#3);
                               lock(&ovl_i_mutex_key[depth]/4);
  lock(&ovl_i_lock_key[depth]);
*** DEADLOCK ***
5 locks held by syz.3.611/8517:
#0: ffff00010bddc410 (sb_writers#17){.+.+}-{0:0}, at: mnt_want_write+0x44/0x9c fs/namespace.c:493
#1: ffff00010bddc718 (&type->s_vfs_rename_key#3){+.+.}-{4:4}, at: lock_rename fs/namei.c:3791 [inline]
#1: ffff00010bddc718 (&type->s_vfs_rename_key#3){+.+.}-{4:4}, at: __start_renaming+0xec/0x33c fs/namei.c:3880
#2: ffff0000eee14300 (&ovl_i_mutex_dir_key[depth]/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1074 [inline]
#2: ffff0000eee14300 (&ovl_i_mutex_dir_key[depth]/1){+.+.}-{4:4}, at: lock_two_directories+0x19c/0x214 fs/namei.c:3767
#3: ffff0000eee13810 (&ovl_i_mutex_dir_key[depth]/5){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1074 [inline]
#3: ffff0000eee13810 (&ovl_i_mutex_dir_key[depth]/5){+.+.}-{4:4}, at: lock_two_directories+0x1c4/0x214 fs/namei.c:3768
#4: ffff0000eee13d88 (&ovl_i_mutex_key[depth]/4){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1074 [inline]
#4: ffff0000eee13d88 (&ovl_i_mutex_key[depth]/4){+.+.}-{4:4}, at: lock_two_nondirectories+0xe8/0x148 fs/inode.c:1256
stack backtrace:
CPU: 1 UID: 0 PID: 8517 Comm: syz.3.611 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
dump_stack+0x1c/0x28 lib/dump_stack.c:129
print_circular_bug+0x328/0x330 kernel/locking/lockdep.c:2043
check_noncircular+0x158/0x174 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1780/0x2f44 kernel/locking/lockdep.c:5237
lock_acquire+0x140/0x368 kernel/locking/lockdep.c:5868
__mutex_lock_common kernel/locking/mutex.c:646 [inline]
__mutex_lock+0x160/0xef8 kernel/locking/mutex.c:820
mutex_lock_interruptible_nested+0x24/0x30 kernel/locking/mutex.c:898
ovl_inode_lock_interruptible fs/overlayfs/overlayfs.h:705 [inline]
ovl_copy_up_start+0x58/0x264 fs/overlayfs/util.c:735
ovl_copy_up_one fs/overlayfs/copy_up.c:1182 [inline]
ovl_copy_up_flags+0x768/0x28a4 fs/overlayfs/copy_up.c:1243
ovl_copy_up+0x24/0x34 fs/overlayfs/copy_up.c:1282
ovl_rename_start fs/overlayfs/dir.c:1176 [inline]
ovl_rename+0x2d8/0xfec fs/overlayfs/dir.c:1363
vfs_rename+0xa78/0xd48 fs/namei.c:6064
filename_renameat2+0x66c/0x730 fs/namei.c:6182
__do_sys_renameat2 fs/namei.c:6211 [inline]
__se_sys_renameat2 fs/namei.c:6206 [inline]
__arm64_sys_renameat2+0xe4/0x114 fs/namei.c:6206
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
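Added example, not part of the syzbot report and not kernel code: a small C model of the lock-order graph that lockdep maintains, replayed with the three dependencies printed above (chain entries #1, #2 and #0). lockdep records "A --> B" when B is acquired while A is held and, before adding a new edge, checks whether B already reaches A (check_noncircular); if it does, the new edge closes a cycle and the "possible circular locking dependency" splat is printed. The struct and function names (lock_graph, add_dependency, replay_report) are the example's own; the lock class names are copied from the report. The checker is generic and accepts any sequence of held/acquired pairs, so the same code can be used to sanity-check a lock order from any lockdep chain.

```c
/*
 * Added example (not syzbot's or the kernel's code): a minimal model of the
 * lock-order graph lockdep builds. Type and function names are this
 * example's own, not kernel symbols.
 */
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 16

struct lock_graph {
    const char *name[MAX_CLASSES];
    int nclasses;
    /* edge[a][b] != 0 means: class b was acquired while class a was held */
    unsigned char edge[MAX_CLASSES][MAX_CLASSES];
};

/* Intern a lock class name; returns its index or -1 when the table is full. */
static int class_id(struct lock_graph *g, const char *name)
{
    for (int i = 0; i < g->nclasses; i++)
        if (strcmp(g->name[i], name) == 0)
            return i;
    if (g->nclasses == MAX_CLASSES)
        return -1;
    g->name[g->nclasses] = name;
    return g->nclasses++;
}

/* Depth-first search: does class 'from' reach class 'to' via recorded edges? */
static int reaches(const struct lock_graph *g, int from, int to, unsigned char *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int next = 0; next < g->nclasses; next++)
        if (g->edge[from][next] && !seen[next] && reaches(g, next, to, seen))
            return 1;
    return 0;
}

/*
 * Record that 'acquired' was taken while 'held' was held.
 * Returns 1 if the new edge would complete a cycle (a possible deadlock,
 * the edge is not added), 0 if it was added safely, -1 on table overflow.
 */
int add_dependency(struct lock_graph *g, const char *held, const char *acquired)
{
    int h = class_id(g, held), a = class_id(g, acquired);
    unsigned char seen[MAX_CLASSES] = {0};

    if (h < 0 || a < 0)
        return -1;
    if (reaches(g, a, h, seen))
        return 1;           /* 'acquired' already reaches 'held': cycle */
    g->edge[h][a] = 1;
    return 0;
}

/*
 * Replay the dependency chain from the report. Returns the step number
 * (1..3) at which a cycle was detected, or 0 if the order is acyclic.
 */
int replay_report(void)
{
    struct lock_graph g = { .nclasses = 0 };
    /* Lock class names copied from the lockdep output in the report. */
    const char *ovl_i_lock  = "&ovl_i_lock_key[depth]";
    const char *sb_writers  = "sb_writers#3";
    const char *ovl_i_mutex = "&ovl_i_mutex_key[depth]/4";

    /* #1: ovl_copy_up_start holds ovl_i_lock; ovl_start_write takes sb_writers */
    if (add_dependency(&g, ovl_i_lock, sb_writers))
        return 1;
    /* #2: ext4_move_extents path holds sb_writers; lock_two_nondirectories takes i_mutex */
    if (add_dependency(&g, sb_writers, ovl_i_mutex))
        return 2;
    /* #0: ovl_rename holds i_mutex; ovl_copy_up_start wants ovl_i_lock */
    if (add_dependency(&g, ovl_i_mutex, ovl_i_lock))
        return 3;
    return 0;
}

int main(void)
{
    int step = replay_report();
    if (step)
        printf("cycle closed at step %d: possible deadlock\n", step);
    else
        printf("lock order is acyclic\n");
    return 0;
}
```

The third add_dependency call corresponds to the acquisition in ovl_copy_up_start under the rename's inode lock; it is rejected because sb_writers#3 and the inode lock already form a path back to &ovl_i_lock_key[depth], which is exactly the "Chain exists of:" line in the report.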