======================================================
[ INFO: possible circular locking dependency detected ]
4.9.95-g142d4b5 #7 Not tainted
-------------------------------------------------------
syz-executor4/23978 is trying to acquire lock:
(&ndev->lock){++--..}, at: [<ffffffff835e39c5>] __ipv6_dev_mc_dec+0x45/0x320 net/ipv6/mcast.c:928
but task is already holding lock:
(&tbl->lock){++-...}, at: [<ffffffff830a6d7e>] neigh_ifdown+0x3e/0x250 net/core/neighbour.c:255
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
_raw_write_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:319
__neigh_create+0x7a9/0x1b20 net/core/neighbour.c:492
neigh_create include/net/neighbour.h:313 [inline]
ip6_neigh_lookup+0x777/0xa60 net/ipv6/route.c:217
dst_neigh_lookup include/net/dst.h:475 [inline]
fib6_age+0x23d/0x370 net/ipv6/ip6_fib.c:1793
fib6_clean_node+0x1f0/0x4c0 net/ipv6/ip6_fib.c:1654
fib6_walk_continue+0x3e5/0x640 net/ipv6/ip6_fib.c:1583
fib6_walk+0xd9/0x150 net/ipv6/ip6_fib.c:1628
fib6_clean_tree+0xd3/0x110 net/ipv6/ip6_fib.c:1702
__fib6_clean_all+0xf9/0x220 net/ipv6/ip6_fib.c:1718
fib6_clean_all net/ipv6/ip6_fib.c:1729 [inline]
fib6_run_gc+0x117/0x2c0 net/ipv6/ip6_fib.c:1826
fib6_gc_timer_cb+0x1c/0x20 net/ipv6/ip6_fib.c:1841
call_timer_fn+0x163/0x6e0 kernel/time/timer.c:1319
expire_timers kernel/time/timer.c:1359 [inline]
__run_timers kernel/time/timer.c:1658 [inline]
run_timer_softirq+0x1047/0x1590 kernel/time/timer.c:1684
__do_softirq+0x20b/0x937 kernel/softirq.c:284
invoke_softirq kernel/softirq.c:364 [inline]
irq_exit+0x147/0x190 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:659 [inline]
smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:960
apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:648
__debug_check_no_obj_freed lib/debugobjects.c:733 [inline]
debug_check_no_obj_freed+0x2ec/0x930 lib/debugobjects.c:749
free_pages_prepare mm/page_alloc.c:1061 [inline]
__free_pages_ok+0x1dd/0x1610 mm/page_alloc.c:1263
free_compound_page+0x5e/0x70 mm/page_alloc.c:594
free_transhuge_page+0x99/0xc0 mm/huge_memory.c:2228
__put_compound_page+0x80/0xc0 mm/swap.c:94
release_pages+0x2f4/0x970 mm/swap.c:763
free_pages_and_swap_cache+0x117/0x160 mm/swap_state.c:273
tlb_flush_mmu_free+0xb4/0x150 mm/memory.c:259
zap_pte_range mm/memory.c:1216 [inline]
zap_pmd_range mm/memory.c:1258 [inline]
zap_pud_range mm/memory.c:1279 [inline]
unmap_page_range+0x104d/0x1730 mm/memory.c:1300
unmap_single_vma+0x101/0x260 mm/memory.c:1345
unmap_vmas+0x102/0x1d0 mm/memory.c:1375
exit_mmap+0x214/0x3f0 mm/mmap.c:2988
__mmput kernel/fork.c:878 [inline]
mmput+0xf3/0x2d0 kernel/fork.c:900
exit_mm kernel/exit.c:518 [inline]
do_exit+0x906/0x27c0 kernel/exit.c:824
do_group_exit+0x111/0x340 kernel/exit.c:941
get_signal+0x4cf/0x1450 kernel/signal.c:2317
do_signal+0x87/0x19f0 arch/x86/kernel/signal.c:807
binder_alloc: 23939: binder_alloc_buf, no vma
binder: 23939:23997 transaction failed 29189/-3, size 0-0 line 3133
exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:157
prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
_raw_write_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:319
__ip6_ins_rt+0x4e/0x80 net/ipv6/route.c:928
ip6_route_add+0x1b8/0x1e0 net/ipv6/route.c:2118
addrconf_prefix_route.isra.59+0x1d4/0x2b0 net/ipv6/addrconf.c:2265
fixup_permanent_addr net/ipv6/addrconf.c:3309 [inline]
addrconf_permanent_addr net/ipv6/addrconf.c:3332 [inline]
addrconf_notify+0x19bb/0x2160 net/ipv6/addrconf.c:3401
notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
call_netdevice_notifiers net/core/dev.c:1663 [inline]
__dev_notify_flags+0xf6/0x270 net/core/dev.c:6513
dev_change_flags+0xf3/0x140 net/core/dev.c:6546
do_setlink+0x99b/0x30d0 net/core/rtnetlink.c:2023
rtnl_newlink+0xde8/0x1550 net/core/rtnetlink.c:2557
rtnetlink_rcv_msg+0x49c/0x650 net/core/rtnetlink.c:4059
netlink_rcv_skb+0x145/0x370 net/netlink/af_netlink.c:2356
rtnetlink_rcv+0x2a/0x40 net/core/rtnetlink.c:4065
netlink_unicast_kernel net/netlink/af_netlink.c:1278 [inline]
netlink_unicast+0x4d8/0x6f0 net/netlink/af_netlink.c:1304
netlink_sendmsg+0x78b/0xc10 net/netlink/af_netlink.c:1850
sock_sendmsg_nosec net/socket.c:635 [inline]
sock_sendmsg+0xcc/0x110 net/socket.c:645
___sys_sendmsg+0x6fc/0x840 net/socket.c:1969
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23939:23998 ioctl 40046207 0 returned -16
binder_alloc: 23939: binder_alloc_buf, no vma
binder: 23939:23999 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
__sys_sendmsg+0xd9/0x190 net/socket.c:2003
SYSC_sendmsg net/socket.c:2014 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2010
do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
check_prev_add kernel/locking/lockdep.c:1828 [inline]
check_prevs_add kernel/locking/lockdep.c:1938 [inline]
validate_chain kernel/locking/lockdep.c:2265 [inline]
__lock_acquire+0x3019/0x4070 kernel/locking/lockdep.c:3345
lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
__raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
_raw_write_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:319
__ipv6_dev_mc_dec+0x45/0x320 net/ipv6/mcast.c:928
ipv6_dev_mc_dec+0x70/0xe0 net/ipv6/mcast.c:961
pndisc_destructor+0x132/0x200 net/ipv6/ndisc.c:390
pneigh_ifdown net/core/neighbour.c:659 [inline]
neigh_ifdown+0x1a0/0x250 net/core/neighbour.c:257
ndisc_netdev_event+0x2ca/0x390 net/ipv6/ndisc.c:1744
notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
call_netdevice_notifiers net/core/dev.c:1663 [inline]
__dev_notify_flags+0x19d/0x270 net/core/dev.c:6515
dev_change_flags+0xf3/0x140 net/core/dev.c:6546
dev_ifsioc+0x59c/0x870 net/core/dev_ioctl.c:255
dev_ioctl+0x1df/0xdb0 net/core/dev_ioctl.c:533
sock_do_ioctl+0x99/0xb0 net/socket.c:899
sock_ioctl+0x346/0x3e0 net/socket.c:978
vfs_ioctl fs/ioctl.c:43 [inline]
file_ioctl fs/ioctl.c:493 [inline]
do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
SYSC_ioctl fs/ioctl.c:694 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
other info that might help us debug this:
Chain exists of:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&tbl->lock);
                               lock(&tb->tb6_lock);
                               lock(&tbl->lock);
  lock(&ndev->lock);
*** DEADLOCK ***
2 locks held by syz-executor4/23978:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff830b06a7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
#1: (&tbl->lock){++-...}, at: [<ffffffff830a6d7e>] neigh_ifdown+0x3e/0x250 net/core/neighbour.c:255
stack backtrace:
CPU: 1 PID: 23978 Comm: syz-executor4 Not tainted 4.9.95-g142d4b5 #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801d49a74a8 ffffffff81eb0f89 ffffffff853e7330 ffffffff853ad160
ffffffff853c8310 ffff8801d7c15110 ffff8801d7c14800 ffff8801d49a74f0
ffffffff814242cd 0000000000000002 00000000d7c14800 0000000000000002
Call Trace:
[<ffffffff81eb0f89>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81eb0f89>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff814242cd>] print_circular_bug.cold.51+0x1bd/0x27d kernel/locking/lockdep.c:1202
[<ffffffff81237369>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
[<ffffffff81237369>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
[<ffffffff81237369>] validate_chain kernel/locking/lockdep.c:2265 [inline]
[<ffffffff81237369>] __lock_acquire+0x3019/0x4070 kernel/locking/lockdep.c:3345
[<ffffffff81238e30>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
[<ffffffff839f2b4a>] __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
[<ffffffff839f2b4a>] _raw_write_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:319
[<ffffffff835e39c5>] __ipv6_dev_mc_dec+0x45/0x320 net/ipv6/mcast.c:928
[<ffffffff835e67f0>] ipv6_dev_mc_dec+0x70/0xe0 net/ipv6/mcast.c:961
[<ffffffff835b0d72>] pndisc_destructor+0x132/0x200 net/ipv6/ndisc.c:390
[<ffffffff830a6ee0>] pneigh_ifdown net/core/neighbour.c:659 [inline]
[<ffffffff830a6ee0>] neigh_ifdown+0x1a0/0x250 net/core/neighbour.c:257
[<ffffffff835b416a>] ndisc_netdev_event+0x2ca/0x390 net/ipv6/ndisc.c:1744
[<ffffffff8119f544>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
[<ffffffff8119f6cd>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
[<ffffffff8119f6cd>] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
[<ffffffff83063eb5>] call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
[<ffffffff8308802d>] call_netdevice_notifiers net/core/dev.c:1663 [inline]
[<ffffffff8308802d>] __dev_notify_flags+0x19d/0x270 net/core/dev.c:6515
[<ffffffff830891a3>] dev_change_flags+0xf3/0x140 net/core/dev.c:6546
[<ffffffff830d4dcc>] dev_ifsioc+0x59c/0x870 net/core/dev_ioctl.c:255
[<ffffffff830d542f>] dev_ioctl+0x1df/0xdb0 net/core/dev_ioctl.c:533
[<ffffffff8300c119>] sock_do_ioctl+0x99/0xb0 net/socket.c:899
[<ffffffff8300cba6>] sock_ioctl+0x346/0x3e0 net/socket.c:978
[<ffffffff815b04dc>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff815b04dc>] file_ioctl fs/ioctl.c:493 [inline]
[<ffffffff815b04dc>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
[<ffffffff815b155f>] SYSC_ioctl fs/ioctl.c:694 [inline]
[<ffffffff815b155f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
[<ffffffff839f3313>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
device syz_tun entered promiscuous mode
device syz_tun left promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24013:24060 ioctl 40046207 0 returned -16
binder_alloc: 24014: binder_alloc_buf, no vma
binder: 24014:24059 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 24014: binder_alloc_buf, no vma
binder: 24013:24060 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24080:24119 ioctl 40046207 0 returned -16
binder_alloc: 24077: binder_alloc_buf, no vma
binder: 24077:24118 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 24077: binder_alloc_buf, no vma
binder: 24080:24119 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24142:24190 ioctl 40046207 0 returned -16
binder_alloc: 24140: binder_alloc_buf, no vma
binder: 24140:24189 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 24140: binder_alloc_buf, no vma
binder: 24142:24190 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24211:24250 ioctl 40046207 0 returned -16
binder_alloc: 24208: binder_alloc_buf, no vma
binder: 24211:24250 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24262:24313 ioctl 40046207 0 returned -16
binder_alloc: 24267: binder_alloc_buf, no vma
binder: 24262:24313 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24335:24358 ioctl 40046207 0 returned -16
binder_alloc: 24331: binder_alloc_buf, no vma
binder: 24331:24356 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24375:24415 ioctl 40046207 0 returned -16
binder_alloc: 24370: binder_alloc_buf, no vma
binder: 24375:24415 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24436:24491 ioctl 40046207 0 returned -16
binder_alloc: 24435: binder_alloc_buf, no vma
binder: 24436:24491 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189