WARNING in ovl_real_fdget_meta

syzbot

Jul 24, 2019, 3:18:08 PM
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, mik...@szeredi.hu, syzkall...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: c6dd78fc Merge branch 'x86-urgent-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1346d53fa00000
kernel config: https://syzkaller.appspot.com/x/.config?x=3c8985c08e1f9727
dashboard link: https://syzkaller.appspot.com/bug?extid=032bc63605089a199d30
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15855334600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17fcc4c8600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+032bc6...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 8471 at fs/overlayfs/file.c:55 ovl_change_flags
fs/overlayfs/file.c:55 [inline]
WARNING: CPU: 1 PID: 8471 at fs/overlayfs/file.c:55
ovl_real_fdget_meta.cold+0x11/0x1e fs/overlayfs/file.c:106
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8471 Comm: syz-executor111 Not tainted 5.2.0+ #71
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x16f/0x1f0 lib/dump_stack.c:113
panic+0x2dc/0x755 kernel/panic.c:219
__warn.cold+0x20/0x4c kernel/panic.c:576
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:179 [inline]
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
RIP: 0010:ovl_change_flags fs/overlayfs/file.c:55 [inline]
RIP: 0010:ovl_real_fdget_meta.cold+0x11/0x1e fs/overlayfs/file.c:106
Code: e9 b3 fd ff ff e8 0c 68 4f ff e9 fb fd ff ff e8 02 68 4f ff e9 15 fe
ff ff e8 b8 a6 15 ff 48 c7 c7 a0 45 b3 87 e8 c0 db ff fe <0f> 0b 41 bc fb
ff ff ff e9 68 c6 ff ff e8 9a a6 15 ff 48 c7 c7 a0
RSP: 0018:ffff8880a1bffdc0 EFLAGS: 00010286
RAX: 0000000000000024 RBX: 0000000004048000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815b9de2 RDI: ffffed101437ffaa
RBP: ffff8880a1bffdf0 R08: 0000000000000024 R09: ffffed1015d26079
R10: ffffed1015d26078 R11: ffff8880ae9303c7 R12: 000000000000a000
R13: ffff88809bc592c0 R14: ffff88809bc59338 R15: ffff8880898e0460
ovl_real_fdget fs/overlayfs/file.c:113 [inline]
ovl_llseek+0x105/0x3b0 fs/overlayfs/file.c:163
vfs_llseek fs/read_write.c:300 [inline]
ksys_lseek+0x116/0x1b0 fs/read_write.c:313
__do_sys_lseek fs/read_write.c:324 [inline]
__se_sys_lseek fs/read_write.c:322 [inline]
__x64_sys_lseek+0x73/0xb0 fs/read_write.c:322
do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441ce9
Code: e8 1c b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcff68e398 EFLAGS: 00000246 ORIG_RAX: 0000000000000008
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441ce9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000402af0 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Jul 25, 2019, 12:24:00 AM
to amir...@gmail.com, bfi...@fieldses.org, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, mik...@szeredi.hu, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
syzbot has bisected this bug to:

commit 387e3746d01c34457d6a73688acd90428725070b
Author: Amir Goldstein <amir...@gmail.com>
Date: Fri Jun 7 14:24:38 2019 +0000

locks: eliminate false positive conflicts for write lease

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15a79594600000
start commit: c6dd78fc Merge branch 'x86-urgent-for-linus' of git://git...
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=17a79594600000
console output: https://syzkaller.appspot.com/x/log.txt?x=13a79594600000
Reported-by: syzbot+032bc6...@syzkaller.appspotmail.com
Fixes: 387e3746d01c ("locks: eliminate false positive conflicts for write
lease")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Amir Goldstein

Jul 26, 2019, 4:12:06 AM
to syzbot, J. Bruce Fields, Jeff Layton, linux-fsdevel, linux-kernel, overlayfs, Miklos Szeredi, syzkaller-bugs, Al Viro
The repro:
#{"repeat":true,"procs":1,"sandbox":"none","fault_call":-1,"cgroups":true,"close_fds":true,"tmpdir":true}
mkdir(&(0x7f0000000100)='./file0\x00', 0x0)
mkdirat$cgroup_root(0xffffffffffffff9c,
&(0x7f0000000000)='./cgroup.net/syz1\x00', 0x1ff)
mount$fuse(0x20000000, &(0x7f0000000140)='./file0\x00', 0x0, 0x1004, 0x0)
mount$overlay(0x400000, &(0x7f0000000100)='./file0\x00',
&(0x7f00000001c0)='overlay\x00', 0x0,
&(0x7f0000000040)=ANY=[@ANYBLOB=',lowerdir=.:file0'])
r0 = open(&(0x7f0000000500)='./file0\x00', 0x0, 0x0)
r1 = openat$cgroup_procs(r0, &(0x7f00000004c0)='cgroup.procs\x00', 0x48, 0x0)
dup3(r1, r0, 0x0)
fcntl$setlease(r0, 0x400, 0x1)
lseek(r0, 0x4, 0x0)

I thought we would stop this family of overlapping layers fuzzers with:
146d62e5a586 ("ovl: detect overlapping layers")

But syzbot got the upper hand, because we do not check for overlapping layers
that cross fs boundary. Not sure if we should (?).

./ is a tmpfs dir and ./file0/ is some kind of fuse mount (?)
then after one cycle, ./file0/ itself is an overlapping overlay mount
(lowerdir=./:./file0/)
and after another cycle, ./file0/ is a nested overlapping overlayfs mount.
Fine. Whatever.

What I don't understand is if dup3 succeeds r0 should not be an overlayfs fd
and even if dup3 fails r0 should be an overlayfs directory fd (./file0/), so how
the hell did we get to ovl_llseek => ... ovl_change_flags() with this repro??

There is not a single regular file in this test.

Thanks,
Amir.
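
An added illustration (not from the thread or the kernel source) of what "overlapping layers" means for the repro's `lowerdir=.:file0`: a userspace analogue that compares directory identities while walking up the ancestors, with a `cross_fs` switch showing what a walk that stops at a filesystem boundary cannot see. `dir_is_within`, `lowerdir_overlaps` and `MAX_LAYERS` are hypothetical names, and treating a change of `st_dev` as the filesystem boundary is an assumption of this example.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_LAYERS 16 /* arbitrary cap for this example */

/* 1 if directory `inner` is `outer` or lies below it, 0 if not, -1 on error.
 * Identity is (st_dev, st_ino), so symlinks and bind mounts do not hide it.
 * With cross_fs == 0 the upward walk gives up at the first ancestor that is
 * on a different filesystem than `inner`. */
static int dir_is_within(const char *inner, const char *outer, int cross_fs)
{
    struct stat target, cur, prev;
    char path[PATH_MAX];

    if (stat(outer, &target) != 0 || stat(inner, &cur) != 0 ||
        !S_ISDIR(target.st_mode) || !S_ISDIR(cur.st_mode))
        return -1;
    if (snprintf(path, sizeof(path), "%s", inner) >= (int)sizeof(path))
        return -1;
    dev_t start_dev = cur.st_dev;

    for (;;) {
        if (!cross_fs && cur.st_dev != start_dev)
            return 0; /* left the starting filesystem */
        if (cur.st_dev == target.st_dev && cur.st_ino == target.st_ino)
            return 1;
        size_t len = strlen(path);
        if (len + 4 > sizeof(path))
            return -1;
        memcpy(path + len, "/..", 4); /* step to the parent directory */
        prev = cur;
        if (stat(path, &cur) != 0)
            return -1;
        if (cur.st_dev == prev.st_dev && cur.st_ino == prev.st_ino)
            return 0; /* ".." of "/" is "/": reached the root */
    }
}

/* Checks every ordered pair of a colon-separated lowerdir value.
 * Assumes no escaped ':' in the paths. 1 = overlap, 0 = none, -1 = error. */
int lowerdir_overlaps(const char *lowerdir, int cross_fs)
{
    char buf[2 * PATH_MAX];
    char *layers[MAX_LAYERS];
    size_t n = 0;

    if (snprintf(buf, sizeof(buf), "%s", lowerdir) >= (int)sizeof(buf))
        return -1;
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        if (n == MAX_LAYERS)
            return -1;
        layers[n++] = tok;
    }
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            int r = i == j ? 0 : dir_is_within(layers[i], layers[j], cross_fs);
            if (r != 0)
                return r;
        }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc == 2)
        printf("same-fs walk: %d, cross-fs walk: %d\n",
               lowerdir_overlaps(argv[1], 0), lowerdir_overlaps(argv[1], 1));
    return argc == 2 ? 0 : 2;
}
```

When one layer is a mount point below the other, as `./file0` is in the repro, the two modes can disagree: the same-filesystem walk stops at the mount boundary before it reaches the parent directory.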

Amir Goldstein

Jul 26, 2019, 6:07:01 AM
to syzbot, J. Bruce Fields, Jeff Layton, linux-fsdevel, linux-kernel, overlayfs, Miklos Szeredi, syzkaller-bugs, Al Viro
No, we shouldn't care about that.
overlayfs doesn't follow cross-fs in underlying layers.

>
> ./ is a tmpfs dir and ./file0/ is some kind of fuse mount (?)
> then after one cycle, ./file0/ itself is an overlapping overlay mount
> (lowerdir=./:./file0/)
> and after another cycle, ./file0/ is a nested overlapping overlayfs mount.
> Fine. Whatever.

But damage can still be created if a lower overlayfs layer
overlaps with another nested overlay lower underlying layer.
It actually shouldn't be too hard to add a guard also on the
nested overlay lower underlying layer inode.

>
> What I don't understand is if dup3 succeeds r0 should not be an overlayfs fd
> and even if dup3 fails r0 should be an overlayfs directory fd (./file0/), so how
> the hell did we get to ovl_llseek => ... ovl_change_flags() with this repro??
>
> There is not a single regular file in this test.
>

I was wrong here of course.
./file0/cgroup.procs is a regular overlayfs file (I was confused by the name)
which is later also exposed at ./file0/file0/cgroup.procs in the nested
overlay mount.

Still not sure about the rest of the way to ovl_change_flags() failure,
but I think I'll try to block this new syzbot overlap attack.

Thanks,
Amir.

Amir Goldstein

Jul 26, 2019, 12:31:46 PM
to syzbot, J. Bruce Fields, Jeff Layton, linux-fsdevel, linux-kernel, overlayfs, Miklos Szeredi, syzkaller-bugs, Al Viro
Here's a draft

#syz test: https://github.com/amir73il/linux.git ovl-check-nested-overlap

Thanks,
Amir.

syzbot

Jul 26, 2019, 10:41:01 PM
to amir...@gmail.com, bfi...@fieldses.org, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, mik...@szeredi.hu, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot tried to test the proposed patch but build/boot failed:

vmalloc)
[ 6.623186][ T1] TCP established hash table entries: 65536 (order: 7,
524288 bytes, vmalloc)
[ 6.629001][ T1] TCP bind hash table entries: 65536 (order: 10,
4194304 bytes, vmalloc)
[ 6.633571][ T1] TCP: Hash tables configured (established 65536 bind
65536)
[ 6.635510][ T1] UDP hash table entries: 4096 (order: 7, 655360
bytes, vmalloc)
[ 6.637367][ T1] UDP-Lite hash table entries: 4096 (order: 7, 655360
bytes, vmalloc)
[ 6.639861][ T1] NET: Registered protocol family 1
[ 6.642372][ T1] RPC: Registered named UNIX socket transport module.
[ 6.643458][ T1] RPC: Registered udp transport module.
[ 6.644319][ T1] RPC: Registered tcp transport module.
[ 6.645199][ T1] RPC: Registered tcp NFSv4.1 backchannel transport
module.
[ 6.647753][ T1] NET: Registered protocol family 44
[ 6.648732][ T1] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 6.649837][ T1] PCI: CLS 0 bytes, default 64
[ 6.654238][ T1] PCI-DMA: Using software bounce buffering for IO
(SWIOTLB)
[ 6.655433][ T1] software IO TLB: mapped [mem 0xaa800000-0xae800000]
(64MB)
[ 6.660080][ T1] RAPL PMU: API unit is 2^-32 Joules, 0 fixed
counters, 10737418240 ms ovfl timer
[ 6.663698][ T1] kvm: already loaded the other module
[ 6.664750][ T1] clocksource: tsc: mask: 0xffffffffffffffff
max_cycles: 0x212735223b2, max_idle_ns: 440795277976 ns
[ 6.666833][ T1] clocksource: Switched to clocksource tsc
[ 6.667884][ T1] mce: Machine check injector initialized
[ 6.672842][ T1] check: Scanning for low memory corruption every 60
seconds
[ 6.784695][ T1] Initialise system trusted keyrings
[ 6.786453][ T1] workingset: timestamp_bits=40 max_order=21
bucket_order=0
[ 6.788062][ T1] zbud: loaded
[ 6.793680][ T1] DLM installed
[ 6.795747][ T1] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 6.799822][ T1] FS-Cache: Netfs 'nfs' registered for caching
[ 6.802062][ T1] NFS: Registering the id_resolver key type
[ 6.803162][ T1] Key type id_resolver registered
[ 6.804299][ T1] Key type id_legacy registered
[ 6.805300][ T1] nfs4filelayout_init: NFSv4 File Layout Driver
Registering...
[ 6.806905][ T1] Installing knfsd (copyright (C) 1996
ok...@monad.swb.de).
[ 6.811461][ T1] ntfs: driver 2.1.32 [Flags: R/W].
[ 6.813297][ T1] fuse: init (API version 7.31)
[ 6.816259][ T1] JFS: nTxBlock = 8192, nTxLock = 65536
[ 6.826202][ T1] SGI XFS with ACLs, security attributes, realtime, no
debug enabled
[ 6.832172][ T1] 9p: Installing v9fs 9p2000 file system support
[ 6.833515][ T1] FS-Cache: Netfs '9p' registered for caching
[ 6.838070][ T1] gfs2: GFS2 installed
[ 6.841163][ T1] FS-Cache: Netfs 'ceph' registered for caching
[ 6.842969][ T1] ceph: loaded (mds proto 32)
[ 6.850819][ T1] NET: Registered protocol family 38
[ 6.852584][ T1] async_tx: api initialized (async)
[ 6.853585][ T1] Key type asymmetric registered
[ 6.854272][ T1] Asymmetric key parser 'x509' registered
[ 6.855126][ T1] Asymmetric key parser 'pkcs8' registered
[ 6.855903][ T1] Key type pkcs7_test registered
[ 6.856598][ T1] Asymmetric key parser 'tpm_parser' registered
[ 6.857618][ T1] Block layer SCSI generic (bsg) driver version 0.4
loaded (major 246)
[ 6.859381][ T1] io scheduler mq-deadline registered
[ 6.860444][ T1] io scheduler kyber registered
[ 6.861501][ T1] io scheduler bfq registered
[ 6.866618][ T1] input: Power Button as
/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 6.869055][ T1] ACPI: Power Button [PWRF]
[ 6.870629][ T1] input: Sleep Button as
/devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
[ 6.872202][ T1] ACPI: Sleep Button [SLPF]
[ 6.877520][ T1] ioatdma: Intel(R) QuickData Technology Driver 5.00
[ 6.889497][ T1] PCI Interrupt Link [LNKC] enabled at IRQ 11
[ 6.890599][ T1] virtio-pci 0000:00:03.0: virtio_pci: leaving for
legacy driver
[ 6.903444][ T1] PCI Interrupt Link [LNKD] enabled at IRQ 10
[ 6.904470][ T1] virtio-pci 0000:00:04.0: virtio_pci: leaving for
legacy driver
[ 7.222239][ T1] HDLC line discipline maxframe=4096
[ 7.223063][ T1] N_HDLC line discipline registered.
[ 7.223876][ T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing
enabled
[ 7.247483][ T1] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud =
115200) is a 16550A
[ 7.273815][ T1] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud =
115200) is a 16550A
[ 7.299513][ T1] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud =
115200) is a 16550A
[ 7.325004][ T1] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud =
115200) is a 16550A
[ 7.335983][ T1] Non-volatile memory driver v1.3
[ 7.337472][ T1] Linux agpgart interface v0.103
[ 7.346738][ T1] [drm] Initialized vgem 1.0.0 20120112 for vgem on
minor 0
[ 7.349029][ T1] [drm] Supports vblank timestamp caching Rev 2
(21.10.2013).
[ 7.350502][ T1] [drm] Driver supports precise vblank timestamp query.
[ 7.354001][ T1] [drm] Initialized vkms 1.0.0 20180514 for vkms on
minor 1
[ 7.355696][ T1] usbcore: registered new interface driver udl
[ 7.404586][ T1] brd: module loaded
[ 7.438411][ T1] loop: module loaded
[ 7.503377][ T1] zram: Added device: zram0
[ 7.509773][ T1] null: module loaded
[ 7.515580][ T1] nfcsim 0.2 initialized
[ 7.518129][ T1] Loading iSCSI transport class v2.0-870.
[ 7.540589][ T1] scsi host0: Virtio SCSI HBA
[ 7.575807][ T1] st: Version 20160209, fixed bufsize 32768, s/g segs
256
[ 7.578700][ T329] kasan: CONFIG_KASAN_INLINE enabled
[ 7.580010][ T329] kasan: GPF could be caused by NULL-ptr deref or user
memory access
[ 7.580030][ T329] general protection fault: 0000 [#1] SMP KASAN
[ 7.582310][ T1] kobject: 'sd' (000000007348a90e): kobject_uevent_env
[ 7.583865][ T329] CPU: 1 PID: 329 Comm: kworker/u4:5 Not tainted
5.3.0-rc1+ #1
[ 7.586388][ T1] kobject: 'sd' (000000007348a90e): fill_kobj_path:
path = '/bus/scsi/drivers/sd'
[ 7.588218][ T329] Hardware name: Google Google Compute Engine/Google
Compute Engine, BIOS Google 01/01/2011
[ 7.588218][ T329] Workqueue: events_unbound async_run_entry_fn
[ 7.588218][ T329] RIP: 0010:dma_direct_max_mapping_size+0x7c/0x1a7
[ 7.588218][ T329] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 23 01
00 00 49 8b 9c 24 38 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1
ea 03 <80> 3c 02 00 0f 85 0a 01 00 00 49 8d bc 24 48 03 00 00 48 8b 1b 48
[ 7.588218][ T329] RSP: 0000:ffff8880a8e9f768 EFLAGS: 00010246
[ 7.591132][ T1] kobject: 'sr' (000000004b6a2965):
kobject_add_internal: parent: 'drivers', set: 'drivers'
[ 7.588218][ T329] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
ffffffff816007b1
[ 7.595790][ T1] kobject: 'sr' (000000004b6a2965): kobject_uevent_env
[ 7.588218][ T329] RDX: 0000000000000000 RSI: ffffffff816007d0 RDI:
ffff8882195030b8
[ 7.602756][ T1] kobject: 'sr' (000000004b6a2965): fill_kobj_path:
path = '/bus/scsi/drivers/sr'
[ 7.588218][ T329] RBP: ffff8880a8e9f780 R08: ffff8880a8e8c000 R09:
ffffed10146244ec
[ 7.607121][ T1] kobject: 'scsi_generic' (000000007500b938):
kobject_add_internal: parent: 'class', set: 'class'
[ 7.588218][ T329] R10: ffffed10146244eb R11: ffff8880a312275f R12:
ffff888219502d80
[ 7.588218][ T329] R13: ffff888219502d80 R14: ffff88821930e4f0 R15:
0000000000000200
[ 7.588218][ T329] FS: 0000000000000000(0000)
GS:ffff8880ae900000(0000) knlGS:0000000000000000
[ 7.588218][ T329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7.588218][ T329] CR2: 0000000000000000 CR3: 0000000008c6d000 CR4:
00000000001406e0
[ 7.610920][ T1] kobject: 'scsi_generic' (000000007500b938):
kobject_uevent_env
[ 7.588218][ T329] Call Trace:
[ 7.615395][ T1] kobject: 'scsi_generic' (000000007500b938):
fill_kobj_path: path = '/class/scsi_generic'
[ 7.588218][ T329] dma_max_mapping_size+0xba/0x100
[ 7.621502][ T1] kobject: 'nvme-wq' (0000000069c1aed7):
kobject_add_internal: parent: 'workqueue', set: 'devices'
[ 7.620612][ T329] __scsi_init_queue+0x1cb/0x580
[ 7.624658][ T1] kobject: 'nvme-wq' (0000000069c1aed7):
kobject_uevent_env
[ 7.620612][ T329] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 7.628596][ T1] kobject: 'nvme-wq' (0000000069c1aed7):
kobject_uevent_env: uevent_suppress caused the event to drop!
[ 7.620612][ T329] scsi_mq_alloc_queue+0xd2/0x180
[ 7.632674][ T1] kobject: 'nvme-wq' (0000000069c1aed7):
kobject_uevent_env
[ 7.620612][ T329] scsi_alloc_sdev+0x837/0xc60
[ 7.635988][ T1] kobject: 'nvme-wq' (0000000069c1aed7):
fill_kobj_path: path = '/devices/virtual/workqueue/nvme-wq'
[ 7.620612][ T329] scsi_probe_and_add_lun+0x2440/0x39f0
[ 7.640733][ T1] kobject: 'nvme-reset-wq' (00000000e89bea04):
kobject_add_internal: parent: 'workqueue', set: 'devices'
[ 7.620612][ T329] ? __kasan_check_read+0x11/0x20
[ 7.643507][ T1] kobject: 'nvme-reset-wq' (00000000e89bea04):
kobject_uevent_env
[ 7.620612][ T329] ? mark_lock+0xc0/0x11e0
[ 7.647798][ T1] kobject: 'nvme-reset-wq' (00000000e89bea04):
kobject_uevent_env: uevent_suppress caused the event to drop!
[ 7.620612][ T329] ? scsi_alloc_sdev+0xc60/0xc60
[ 7.620612][ T329] ? mark_held_locks+0xa4/0xf0
[ 7.620612][ T329] ? _raw_spin_unlock_irqrestore+0x67/0xd0
[ 7.620612][ T329] ? __pm_runtime_resume+0x11b/0x180
[ 7.620612][ T329] ? _raw_spin_unlock_irqrestore+0x67/0xd0
[ 7.651058][ T1] kobject: 'nvme-reset-wq' (00000000e89bea04):
kobject_uevent_env
[ 7.620612][ T329] ? lockdep_hardirqs_on+0x418/0x5d0
[ 7.654901][ T1] kobject: 'nvme-reset-wq' (00000000e89bea04):
fill_kobj_path: path = '/devices/virtual/workqueue/nvme-reset-wq'
[ 7.620612][ T329] ? trace_hardirqs_on+0x67/0x220
[ 7.659728][ T1] kobject: 'nvme-delete-wq' (000000005f49ee41):
kobject_add_internal: parent: 'workqueue', set: 'devices'
[ 7.620612][ T329] ? __kasan_check_read+0x11/0x20
[ 7.662725][ T1] kobject: 'nvme-delete-wq' (000000005f49ee41):
kobject_uevent_env
[ 7.620612][ T329] ? __pm_runtime_resume+0x11b/0x180
[ 7.666955][ T1] kobject: 'nvme-delete-wq' (000000005f49ee41):
kobject_uevent_env: uevent_suppress caused the event to drop!
[ 7.620612][ T329] __scsi_scan_target+0x29a/0xfa0
[ 7.620612][ T329] ? __pm_runtime_resume+0x11b/0x180
[ 7.620612][ T329] ? __kasan_check_read+0x11/0x20
[ 7.620612][ T329] ? mark_lock+0xc0/0x11e0
[ 7.620612][ T329] ? scsi_probe_and_add_lun+0x39f0/0x39f0
[ 7.669473][ T1] kobject: 'nvme-delete-wq' (000000005f49ee41):
kobject_uevent_env
[ 7.620612][ T329] ? mark_held_locks+0xa4/0xf0
[ 7.672293][ T1] kobject: 'nvme-delete-wq' (000000005f49ee41):
fill_kobj_path: path = '/devices/virtual/workqueue/nvme-delete-wq'
[ 7.620612][ T329] ? _raw_spin_unlock_irqrestore+0x67/0xd0
[ 7.676309][ T1] kobject: 'nvme' (00000000c0971fdf):
kobject_add_internal: parent: 'class', set: 'class'
[ 7.620612][ T329] ? __pm_runtime_resume+0x11b/0x180
[ 7.680625][ T1] kobject: 'nvme' (00000000c0971fdf):
kobject_uevent_env
[ 7.620612][ T329] ? _raw_spin_unlock_irqrestore+0x67/0xd0
[ 7.684795][ T1] kobject: 'nvme' (00000000c0971fdf): fill_kobj_path:
path = '/class/nvme'
[ 7.620612][ T329] ? lockdep_hardirqs_on+0x418/0x5d0
[ 7.688010][ T1] kobject: 'nvme-subsystem' (00000000670d508f):
kobject_add_internal: parent: 'class', set: 'class'
[ 7.620612][ T329] ? trace_hardirqs_on+0x67/0x220
[ 7.620612][ T329] scsi_scan_channel.part.0+0x11a/0x190
[ 7.620612][ T329] scsi_scan_host_selected+0x313/0x450
[ 7.620612][ T329] ? scsi_scan_host+0x450/0x450
[ 7.620612][ T329] do_scsi_scan_host+0x1ef/0x260
[ 7.620612][ T329] ? scsi_scan_host+0x450/0x450
[ 7.692543][ T1] kobject: 'nvme-subsystem' (00000000670d508f):
kobject_uevent_env
[ 7.620612][ T329] do_scan_async+0x41/0x500
[ 7.695135][ T1] kobject: 'nvme-subsystem' (00000000670d508f):
fill_kobj_path: path = '/class/nvme-subsystem'
[ 7.620612][ T329] ? scsi_scan_host+0x450/0x450
[ 7.698176][ T1] kobject: 'nvme' (000000005d460dc8):
kobject_add_internal: parent: 'drivers', set: 'drivers'
[ 7.620612][ T329] async_run_entry_fn+0x124/0x570
[ 7.620612][ T329] process_one_work+0x9af/0x16d0
[ 7.620612][ T329] ? pwq_dec_nr_in_flight+0x320/0x320
[ 7.620612][ T329] ? lock_acquire+0x190/0x400
[ 7.701606][ T1] kobject: 'drivers' (00000000924ddeb2):
kobject_add_internal: parent: 'nvme', set: '<NULL>'
[ 7.620612][ T329] worker_thread+0x98/0xe40
[ 7.705786][ T1] kobject: 'nvme' (000000005d460dc8):
kobject_uevent_env
[ 7.620612][ T329] kthread+0x361/0x430
[ 7.709956][ T1] kobject: 'nvme' (000000005d460dc8): fill_kobj_path:
path = '/bus/pci/drivers/nvme'
[ 7.620612][ T329] ? process_one_work+0x16d0/0x16d0
[ 7.713199][ T1] kobject: 'ahci' (0000000029da3508):
kobject_add_internal: parent: 'drivers', set: 'drivers'
[ 7.620612][ T329] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 7.717072][ T1] kobject: 'drivers' (00000000357f3c8d):
kobject_add_internal: parent: 'ahci', set: '<NULL>'
[ 7.620612][ T329] ret_from_fork+0x24/0x30
[ 7.620612][ T329] Modules linked in:
[ 7.718371][ T329] ---[ end trace bbfdfa526202cca4 ]---
[ 7.721471][ T1] kobject: 'ahci' (0000000029da3508):
kobject_uevent_env
[ 7.722768][ T329] RIP: 0010:dma_direct_max_mapping_size+0x7c/0x1a7
[ 7.724195][ T1] kobject: 'ahci' (0000000029da3508): fill_kobj_path:
path = '/bus/pci/drivers/ahci'
[ 7.725517][ T329] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 23 01
00 00 49 8b 9c 24 38 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1
ea 03 <80> 3c 02 00 0f 85 0a 01 00 00 49 8d bc 24 48 03 00 00 48 8b 1b 48
[ 7.727823][ T1] kobject: 'ata_piix' (000000002393ac60):
kobject_add_internal: parent: 'drivers', set: 'drivers'
[ 7.729067][ T329] RSP: 0000:ffff8880a8e9f768 EFLAGS: 00010246
[ 7.730452][ T1] kobject: 'drivers' (00000000071486d0):
kobject_add_internal: parent: 'ata_piix', set: '<NULL>'
[ 7.732312][ T329] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
ffffffff816007b1
[ 7.733561][ T1] kobject: 'ata_piix' (000000002393ac60):
kobject_uevent_env
[ 7.736086][ T329] RDX: 0000000000000000 RSI: ffffffff816007d0 RDI:
ffff8882195030b8
[ 7.737341][ T1] kobject: 'ata_piix' (000000002393ac60):
fill_kobj_path: path = '/bus/pci/drivers/ata_piix'
[ 7.739867][ T329] RBP: ffff8880a8e9f780 R08: ffff8880a8e8c000 R09:
ffffed10146244ec
[ 7.741306][ T1] kobject: 'pata_amd' (0000000066b08d7f):
kobject_add_internal: parent: 'drivers', set: 'drivers'
[ 7.742561][ T329] R10: ffffed10146244eb R11: ffff8880a312275f R12:
ffff888219502d80
[ 7.743976][ T1] kobject: 'drivers' (00000000b292806e):
kobject_add_internal: parent: 'pata_amd', set: '<NULL>'
[ 7.745038][ T329] R13: ffff888219502d80 R14: ffff88821930e4f0 R15:
0000000000000200
[ 7.747615][ T1] kobject: 'pata_amd' (0000000066b08d7f):
kobject_uevent_env
[ 7.748706][ T329] FS: 0000000000000000(0000)
GS:ffff8880ae900000(0000) knlGS:0000000000000000
[ 7.750475][ T1] kobject: 'pata_amd' (0000000066b08d7f):
fill_kobj_path: path = '/bus/pci/drivers/pata_amd'
[ 7.751516][ T329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7.753904][ T1] kobject: 'pata_oldpiix' (00000000cf9a5442):
kobject_add_internal: parent: 'drivers', set: 'drivers'
[ 7.755108][ T329] CR2: 0000000000000000 CR3: 0000000008c6d000 CR4:
00000000001406e0
[ 7.757783][ T1] kobject: 'drivers' (00000000ec356fca):
kobject_add_internal: parent: 'pata_oldpiix', set: '<NULL>'
[ 7.759296][ T329] Kernel panic - not syncing: Fatal exception
[ 7.761994][ T1] kobject: 'pata_oldpiix' (00000000cf9a5442):
kobject_uevent_env
[ 7.765044][ T329] Kernel Offset: disabled
[ 7.769264][ T329] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16eae0e8600000


Tested on:

commit: a4a6f143 ovl: detect overlapping layers with nested lower ..
git tree: https://github.com/amir73il/linux.git
ovl-check-nested-overlap
kernel config: https://syzkaller.appspot.com/x/.config?x=da585491c5226246

syzbot

Dec 30, 2022, 7:10:27 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.