DUID 00:04:ef:eb:16:6a:bb:4b:eb:e8:98:52:3b:5c:58:f5:72:fb
forked to background, child pid 3213
[ 34.391269][ T3214] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.403247][ T3214] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
Setting up swapspace version 1, size = 127995904 bytes
syzkaller login: [ 57.128358][ T3543] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 57.210716][ T3547] chnl_net:caif_netlink_parms(): no params data found
[ 57.255864][ T3547] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.263079][ T3547] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.271698][ T3547] device bridge_slave_0 entered promiscuous mode
[ 57.280837][ T3547] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.287951][ T3547] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.296825][ T3547] device bridge_slave_1 entered promiscuous mode
[ 57.320111][ T3547] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 57.331640][ T3547] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 57.356392][ T3547] team0: Port device team_slave_0 added
[ 57.363994][ T3547] team0: Port device team_slave_1 added
[ 57.383709][ T3547] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 57.390789][ T3547] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 57.417211][ T3547] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 57.429485][ T3547] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 57.437216][ T3547] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 57.463642][ T3547] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 57.494662][ T3547] device hsr_slave_0 entered promiscuous mode
[ 57.501783][ T3547] device hsr_slave_1 entered promiscuous mode
[ 57.599543][ T3547] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 57.610850][ T3547] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 57.620028][ T3547] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 57.628782][ T3547] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 57.651518][ T3547] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.658700][ T3547] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.666444][ T3547] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.673554][ T3547] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.726230][ T3547] 8021q: adding VLAN 0 to HW filter on device bond0
[ 57.738987][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.749006][ T3291] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.757933][ T3291] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.766761][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 57.779332][ T3547] 8021q: adding VLAN 0 to HW filter on device team0
[ 57.791736][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 57.800647][ T3291] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.807713][ T3291] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.822090][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 57.830762][ T3291] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.837904][ T3291] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.856996][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 57.865886][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 57.882013][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 57.891075][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 57.903473][ T3547] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 57.915726][ T3547] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 57.924692][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 57.946685][ T3547] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 57.956608][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 57.964645][ T3291] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 57.982012][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 58.002832][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 58.012182][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 58.020110][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 58.030927][ T3547] device veth0_vlan entered promiscuous mode
[ 58.041922][ T3547] device veth1_vlan entered promiscuous mode
[ 58.062460][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 58.072760][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 58.081228][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 58.091521][ T3547] device veth0_macvtap entered promiscuous mode
[ 58.101961][ T3547] device veth1_macvtap entered promiscuous mode
[ 58.118524][ T3547] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 58.126193][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 58.136948][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 58.148771][ T3547] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 58.156407][ T3553] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 58.168325][ T3547] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.178052][ T3547] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.186903][ T3547] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.196687][ T3547] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.458867][ T3556] nci: nci_start_poll: failed to set local general bytes
[ 63.520000][ T3547] nci: __nci_request: wait_for_completion_interruptible_timeout failed 0
[ 63.528745][ T3547]
[ 63.531068][ T3547] ======================================================
[ 63.538074][ T3547] WARNING: possible circular locking dependency detected
[ 63.545075][ T3547] 6.1.35-syzkaller #0 Not tainted
[ 63.550100][ T3547] ------------------------------------------------------
[ 63.557108][ T3547] syz-executor118/3547 is trying to acquire lock:
[ 63.563518][ T3547] ffffffff8d7cd8e8 (nci_mutex){+.+.}-{3:3}, at: virtual_nci_close+0x13/0x40
[ 63.572240][ T3547]
[ 63.572240][ T3547] but task is already holding lock:
[ 63.579589][ T3547] ffff8880233e9350 (&ndev->req_lock){+.+.}-{3:3}, at: nci_close_device+0x106/0x5f0
[ 63.588931][ T3547]
[ 63.588931][ T3547] which lock already depends on the new lock.
[ 63.588931][ T3547]
[ 63.599324][ T3547]
[ 63.599324][ T3547] the existing dependency chain (in reverse order) is:
[ 63.608325][ T3547]
[ 63.608325][ T3547] -> #3 (&ndev->req_lock){+.+.}-{3:3}:
[ 63.615969][ T3547]        lock_acquire+0x1f8/0x5a0
[ 63.620996][ T3547]        __mutex_lock_common+0x1d4/0x2520
[ 63.626737][ T3547]        mutex_lock_nested+0x17/0x20
[ 63.632034][ T3547]        nci_start_poll+0x59f/0xf20
[ 63.637241][ T3547]        nfc_start_poll+0x184/0x2f0
[ 63.642436][ T3547]        nfc_genl_start_poll+0x1e7/0x350
[ 63.648063][ T3547]        genl_rcv_msg+0xc1a/0xf70
[ 63.653078][ T3547]        netlink_rcv_skb+0x1cd/0x410
[ 63.658352][ T3547]        genl_rcv+0x24/0x40
[ 63.662850][ T3547]        netlink_unicast+0x7bf/0x990
[ 63.668136][ T3547]        netlink_sendmsg+0xa26/0xd60
[ 63.673419][ T3547]        ____sys_sendmsg+0x59e/0x8f0
[ 63.678719][ T3547]        __sys_sendmsg+0x2a9/0x390
[ 63.683835][ T3547]        do_syscall_64+0x3d/0xb0
[ 63.688765][ T3547]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.695184][ T3547]
[ 63.695184][ T3547] -> #2 (&genl_data->genl_data_mutex){+.+.}-{3:3}:
[ 63.703858][ T3547]        lock_acquire+0x1f8/0x5a0
[ 63.708870][ T3547]        __mutex_lock_common+0x1d4/0x2520
[ 63.714615][ T3547]        mutex_lock_nested+0x17/0x20
[ 63.719917][ T3547]        nfc_urelease_event_work+0x113/0x2f0
[ 63.725895][ T3547]        process_one_work+0x8aa/0x11f0
[ 63.731376][ T3547]        worker_thread+0xa5f/0x1210
[ 63.736577][ T3547]        kthread+0x26e/0x300
[ 63.741165][ T3547]        ret_from_fork+0x1f/0x30
[ 63.746109][ T3547]
[ 63.746109][ T3547] -> #1 (nfc_devlist_mutex){+.+.}-{3:3}:
[ 63.753931][ T3547]        lock_acquire+0x1f8/0x5a0
[ 63.758954][ T3547]        __mutex_lock_common+0x1d4/0x2520
[ 63.764673][ T3547]        mutex_lock_nested+0x17/0x20
[ 63.769965][ T3547]        nfc_register_device+0x38/0x310
[ 63.775505][ T3547]        nci_register_device+0x7be/0x900
[ 63.781142][ T3547]        virtual_ncidev_open+0x55/0xc0
[ 63.786609][ T3547]        misc_open+0x304/0x380
[ 63.791376][ T3547]        chrdev_open+0x54a/0x630
[ 63.796315][ T3547]        do_dentry_open+0x7f9/0x10f0
[ 63.801607][ T3547]        path_openat+0x2644/0x2e60
[ 63.806720][ T3547]        do_filp_open+0x230/0x480
[ 63.811746][ T3547]        do_sys_openat2+0x13b/0x500
[ 63.816948][ T3547]        __x64_sys_openat+0x243/0x290
[ 63.822579][ T3547]        do_syscall_64+0x3d/0xb0
[ 63.827513][ T3547]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.833924][ T3547]
[ 63.833924][ T3547] -> #0 (nci_mutex){+.+.}-{3:3}:
[ 63.841047][ T3547]        validate_chain+0x1667/0x58e0
[ 63.846420][ T3547]        __lock_acquire+0x125b/0x1f80
[ 63.851794][ T3547]        lock_acquire+0x1f8/0x5a0
[ 63.856810][ T3547]        __mutex_lock_common+0x1d4/0x2520
[ 63.862527][ T3547]        mutex_lock_nested+0x17/0x20
[ 63.867826][ T3547]        virtual_nci_close+0x13/0x40
[ 63.873103][ T3547]        nci_close_device+0x3a8/0x5f0
[ 63.878481][ T3547]        nci_unregister_device+0x3c/0x230
[ 63.884201][ T3547]        virtual_ncidev_close+0x55/0x90
[ 63.889743][ T3547]        __fput+0x3b7/0x890
[ 63.894240][ T3547]        task_work_run+0x246/0x300
[ 63.899352][ T3547]        exit_to_user_mode_loop+0xd9/0x100
[ 63.905154][ T3547]        exit_to_user_mode_prepare+0xb1/0x140
[ 63.911225][ T3547]        syscall_exit_to_user_mode+0x60/0x270
[ 63.917285][ T3547]        do_syscall_64+0x49/0xb0
[ 63.922239][ T3547]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 63.928672][ T3547]
[ 63.928672][ T3547] other info that might help us debug this:
[ 63.928672][ T3547]
[ 63.938887][ T3547] Chain exists of:
[ 63.938887][ T3547]   nci_mutex --> &genl_data->genl_data_mutex --> &ndev->req_lock
[ 63.938887][ T3547]
[ 63.952434][ T3547]  Possible unsafe locking scenario:
[ 63.952434][ T3547]
[ 63.959866][ T3547]        CPU0                    CPU1
[ 63.965218][ T3547]        ----                    ----
[ 63.970575][ T3547]   lock(&ndev->req_lock);
[ 63.974985][ T3547]                                lock(&genl_data->genl_data_mutex);
[ 63.982954][ T3547]                                lock(&ndev->req_lock);
[ 63.989892][ T3547]   lock(nci_mutex);
[ 63.993799][ T3547]
[ 63.993799][ T3547]  *** DEADLOCK ***
[ 63.993799][ T3547]
[ 64.001936][ T3547] 1 lock held by syz-executor118/3547:
[ 64.007400][ T3547]  #0: ffff8880233e9350 (&ndev->req_lock){+.+.}-{3:3}, at: nci_close_device+0x106/0x5f0
[ 64.017148][ T3547]
[ 64.017148][ T3547] stack backtrace:
[ 64.023040][ T3547] CPU: 1 PID: 3547 Comm: syz-executor118 Not tainted 6.1.35-syzkaller #0
[ 64.031457][ T3547] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[ 64.041510][ T3547] Call Trace:
[ 64.044785][ T3547]
[ 64.047706][ T3547]  dump_stack_lvl+0x1e3/0x2cb
[ 64.052381][ T3547]  ? nf_tcp_handle_invalid+0x642/0x642
[ 64.057834][ T3547]  ? print_circular_bug+0x12b/0x1a0
[ 64.063029][ T3547]  check_noncircular+0x2fa/0x3b0
[ 64.067971][ T3547]  ? add_chain_block+0x850/0x850
[ 64.072906][ T3547]  ? lockdep_lock+0x11f/0x2a0
[ 64.077590][ T3547]  ? prb_read_valid+0xf0/0xf0
[ 64.082263][ T3547]  ? _find_first_zero_bit+0xd0/0x100
[ 64.087548][ T3547]  validate_chain+0x1667/0x58e0
[ 64.092395][ T3547]  ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[ 64.098371][ T3547]  ? __lock_acquire+0x125b/0x1f80
[ 64.103393][ T3547]  ? desc_read+0x200/0x3f0
[ 64.107815][ T3547]  ? memcpy+0x3c/0x60
[ 64.111797][ T3547]  ? reacquire_held_locks+0x660/0x660
[ 64.117170][ T3547]  ? desc_read+0x1a2/0x3f0
[ 64.121590][ T3547]  ? _prb_read_valid+0xb46/0xbe0
[ 64.126535][ T3547]  ? mark_lock+0x9a/0x340
[ 64.130863][ T3547]  __lock_acquire+0x125b/0x1f80
[ 64.135722][ T3547]  lock_acquire+0x1f8/0x5a0
[ 64.140221][ T3547]  ? virtual_nci_close+0x13/0x40
[ 64.145162][ T3547]  ? read_lock_is_recursive+0x10/0x10
[ 64.150532][ T3547]  ? __might_sleep+0xb0/0xb0
[ 64.155127][ T3547]  ? find_next_clump8+0x1a0/0x1a0
[ 64.160150][ T3547]  ? console_unlock+0x311/0x6e0
[ 64.164997][ T3547]  ? console_unlock+0x6aa/0x6e0
[ 64.169840][ T3547]  __mutex_lock_common+0x1d4/0x2520
[ 64.175067][ T3547]  ? virtual_nci_close+0x13/0x40
[ 64.180013][ T3547]  ? irq_work_queue+0xc6/0x150
[ 64.184770][ T3547]  ? __wake_up_klogd+0xd5/0x100
[ 64.189608][ T3547]  ? vprintk_emit+0x109/0x1f0
[ 64.194281][ T3547]  ? virtual_nci_close+0x13/0x40
[ 64.199224][ T3547]  ? _printk+0xd1/0x111
[ 64.203395][ T3547]  ? mutex_lock_io_nested+0x60/0x60
[ 64.208598][ T3547]  ? panic+0x75d/0x75d
[ 64.212669][ T3547]  ? _raw_spin_unlock_irq+0x1f/0x40
[ 64.217857][ T3547]  mutex_lock_nested+0x17/0x20
[ 64.222617][ T3547]  virtual_nci_close+0x13/0x40
[ 64.227381][ T3547]  nci_close_device+0x3a8/0x5f0
[ 64.232233][ T3547]  ? nci_unregister_device+0x230/0x230
[ 64.237688][ T3547]  ? mutex_unlock+0x10/0x10
[ 64.242192][ T3547]  nci_unregister_device+0x3c/0x230
[ 64.247396][ T3547]  ? virtual_ncidev_open+0xc0/0xc0
[ 64.252508][ T3547]  virtual_ncidev_close+0x55/0x90
[ 64.257542][ T3547]  ? virtual_ncidev_open+0xc0/0xc0
[ 64.262659][ T3547]  __fput+0x3b7/0x890
[ 64.266648][ T3547]  task_work_run+0x246/0x300
[ 64.271250][ T3547]  ? task_work_cancel+0x2b0/0x2b0
[ 64.276277][ T3547]  ? exit_to_user_mode_loop+0x39/0x100
[ 64.281733][ T3547]  exit_to_user_mode_loop+0xd9/0x100
[ 64.287019][ T3547]  exit_to_user_mode_prepare+0xb1/0x140
[ 64.292577][ T3547]  syscall_exit_to_user_mode+0x60/0x270
[ 64.298130][ T3547]  do_syscall_64+0x49/0xb0
[ 64.302548][ T3547]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 64.308532][ T3547] RIP: 0033:0x7f574c01e28b
[ 64.312938][ T3547] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 03 fd ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 41 fd ff ff 8b 44
[ 64.332537][ T3547] RSP: 002b:00007fff866480a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 64.340953][ T3547] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f574c01e28b
[ 64.348917][ T3547] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 64.356877][ T3547] RBP: 00007f574c0e94cc R08: 0000000000000000 R09: 0000000000000010
[ 64.364850][ T3547] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
[ 64.37280