[ ok ] Starting enhanced syslogd: rsyslogd.
[ 95.012166][ T27] audit: type=1800 audit(1581110890.611:25): pid=9676 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 95.042460][ T27] audit: type=1800 audit(1581110890.611:26): pid=9676 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 95.087770][ T27] audit: type=1800 audit(1581110890.611:27): pid=9676 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.29' (ECDSA) to the list of known hosts.
2020/02/07 21:28:21 parsed 1 programs
2020/02/07 21:28:23 executed programs: 0
syzkaller login: [ 108.374426][ T9844] IPVS: ftp: loaded support on port[0] = 21
[ 108.428794][ T9844] chnl_net:caif_netlink_parms(): no params data found
[ 108.462656][ T9844] bridge0: port 1(bridge_slave_0) entered blocking state
[ 108.470071][ T9844] bridge0: port 1(bridge_slave_0) entered disabled state
[ 108.478111][ T9844] device bridge_slave_0 entered promiscuous mode
[ 108.486503][ T9844] bridge0: port 2(bridge_slave_1) entered blocking state
[ 108.493857][ T9844] bridge0: port 2(bridge_slave_1) entered disabled state
[ 108.501493][ T9844] device bridge_slave_1 entered promiscuous mode
[ 108.518342][ T9844] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 108.529037][ T9844] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 108.547920][ T9844] team0: Port device team_slave_0 added
[ 108.555147][ T9844] team0: Port device team_slave_1 added
[ 108.569433][ T9844] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 108.576951][ T9844] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 108.602910][ T9844] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 108.615369][ T9844] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 108.622447][ T9844] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 108.648404][ T9844] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 108.705290][ T9844] device hsr_slave_0 entered promiscuous mode
[ 108.772542][ T9844] device hsr_slave_1 entered promiscuous mode
[ 108.909279][ T9844] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 108.965589][ T9844] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 109.025122][ T9844] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 109.064361][ T9844] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 109.115395][ T9844] bridge0: port 2(bridge_slave_1) entered blocking state
[ 109.122573][ T9844] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 109.130301][ T9844] bridge0: port 1(bridge_slave_0) entered blocking state
[ 109.137471][ T9844] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 109.181492][ T9844] 8021q: adding VLAN 0 to HW filter on device bond0
[ 109.197665][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 109.208110][ T2693] bridge0: port 1(bridge_slave_0) entered disabled state
[ 109.216226][ T2693] bridge0: port 2(bridge_slave_1) entered disabled state
[ 109.225281][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 109.239335][ T9844] 8021q: adding VLAN 0 to HW filter on device team0
[ 109.250559][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 109.259970][ T3233] bridge0: port 1(bridge_slave_0) entered blocking state
[ 109.267083][ T3233] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 109.279161][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 109.288362][ T2693] bridge0: port 2(bridge_slave_1) entered blocking state
[ 109.295497][ T2693] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 109.313545][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 109.322114][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 109.335522][ T2708] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 109.350886][ T9844] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 109.363138][ T9844] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 109.375011][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 109.384011][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 109.394115][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 109.409665][ T2708] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 109.417887][ T2708] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 109.430981][ T9844] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 109.449170][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 109.459456][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 109.481075][ T9844] device veth0_vlan entered promiscuous mode
[ 109.488376][ T3146] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 109.497318][ T3146] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 109.506584][ T3146] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 109.515246][ T3146] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 109.528397][ T9844] device veth1_vlan entered promiscuous mode
[ 109.548115][ T2708] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 109.557454][ T2708] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 109.565717][ T2708] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 109.574514][ T2708] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 109.585492][ T9844] device veth0_macvtap entered promiscuous mode
[ 109.596375][ T9844] device veth1_macvtap entered promiscuous mode
[ 109.613533][ T9844] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 109.621050][ T3146] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 109.630253][ T3146] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 109.638546][ T3146] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 109.647487][ T3146] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 109.659647][ T9844] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 109.667652][ T2708] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 109.676944][ T2708] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/02/07 21:28:28 executed programs: 146
2020/02/07 21:28:33 executed programs: 354
[ 122.183985][ T2710] BUG: sleeping function called from invalid context at net/core/sock.c:2935
[ 122.192985][ T2710] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2710, name: kworker/0:6
[ 122.202334][ T2710] 4 locks held by kworker/0:6/2710:
[ 122.207545][ T2710] #0: ffff8880aa426d28 ((wq_completion)events){+.+.}, at: process_one_work+0x8dd/0x17a0
[ 122.217428][ T2710] #1: ffffc900090cfdc0 ((work_completion)(&map->work)){+.+.}, at: process_one_work+0x917/0x17a0
[ 122.228367][ T2710] #2: ffffffff89bac700 (rcu_read_lock){....}, at: sock_hash_free+0x0/0x540
[ 122.237106][ T2710] #3: ffffc9000a1fc860 (&htab->buckets[i].lock){+...}, at: sock_hash_free+0x131/0x540
[ 122.246792][ T2710] Preemption disabled at:
[ 122.246810][ T2710] [] sock_hash_free+0x131/0x540
[ 122.258749][ T2710] CPU: 0 PID: 2710 Comm: kworker/0:6 Not tainted 5.5.0-next-20200207-syzkaller #0
[ 122.268108][ T2710] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 122.278159][ T2710] Workqueue: events bpf_map_free_deferred
[ 122.283858][ T2710] Call Trace:
[ 122.287146][ T2710] dump_stack+0x197/0x210
[ 122.291464][ T2710] ? sock_hash_free+0x131/0x540
[ 122.296306][ T2710] ___might_sleep.cold+0x1fb/0x23e
[ 122.301406][ T2710] __might_sleep+0x95/0x190
[ 122.305901][ T2710] lock_sock_nested+0x39/0x120
[ 122.311182][ T2710] sock_hash_free+0x29f/0x540
[ 122.315855][ T2710] bpf_map_free_deferred+0xb3/0x100
[ 122.321045][ T2710] ? bpf_map_charge_move+0x80/0x80
[ 122.326169][ T2710] ? trace_hardirqs_on+0x67/0x240
[ 122.331197][ T2710] process_one_work+0xa05/0x17a0
[ 122.336120][ T2710] ? mark_held_locks+0xf0/0xf0
[ 122.340889][ T2710] ? pwq_dec_nr_in_flight+0x320/0x320
[ 122.346246][ T2710] ? lock_acquire+0x190/0x410
[ 122.350925][ T2710] worker_thread+0x98/0xe40
[ 122.355447][ T2710] kthread+0x361/0x430
[ 122.359509][ T2710] ? process_one_work+0x17a0/0x17a0
[ 122.364705][ T2710] ? kthread_mod_delayed_work+0x1f0/0x1f0
[ 122.370420][ T2710] ret_from_fork+0x24/0x30
[ 122.374921][ T2710]
[ 122.377251][ T2710] ======================================================
[ 122.384247][ T2710] WARNING: possible circular locking dependency detected
[ 122.391249][ T2710] 5.5.0-next-20200207-syzkaller #0 Tainted: G W
[ 122.398763][ T2710] ------------------------------------------------------
[ 122.405848][ T2710] kworker/0:6/2710 is trying to acquire lock:
[ 122.411896][ T2710] ffff8880a70d4f50 (sk_lock-AF_INET6){+.+.}, at: sock_hash_free+0x29f/0x540
[ 122.420579][ T2710]
[ 122.420579][ T2710] but task is already holding lock:
[ 122.427932][ T2710] ffffc9000a1fc860 (&htab->buckets[i].lock){+...}, at: sock_hash_free+0x131/0x540
[ 122.437121][ T2710]
[ 122.437121][ T2710] which lock already depends on the new lock.
[ 122.437121][ T2710]
[ 122.447516][ T2710]
[ 122.447516][ T2710] the existing dependency chain (in reverse order) is:
[ 122.456509][ T2710]
[ 122.456509][ T2710] -> #1 (&htab->buckets[i].lock){+...}:
[ 122.464300][ T2710] _raw_spin_lock_bh+0x33/0x50
[ 122.469565][ T2710] sock_hash_update_common+0x811/0x1030
[ 122.475609][ T2710] sock_hash_update_elem+0x242/0x2b0
[ 122.481398][ T2710] bpf_map_update_value.isra.0+0x2a6/0x8e0
[ 122.487717][ T2710] __do_sys_bpf+0x3084/0x4130
[ 122.492981][ T2710] __x64_sys_bpf+0x73/0xb0
[ 122.497922][ T2710] do_syscall_64+0xfa/0x790
[ 122.502948][ T2710] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 122.509367][ T2710]
[ 122.509367][ T2710] -> #0 (sk_lock-AF_INET6){+.+.}:
[ 122.516574][ T2710] __lock_acquire+0x2596/0x4a00
[ 122.521965][ T2710] lock_acquire+0x190/0x410
[ 122.526991][ T2710] lock_sock_nested+0xcb/0x120
[ 122.532280][ T2710] sock_hash_free+0x29f/0x540
[ 122.537478][ T2710] bpf_map_free_deferred+0xb3/0x100
[ 122.543184][ T2710] process_one_work+0xa05/0x17a0
[ 122.548631][ T2710] worker_thread+0x98/0xe40
[ 122.553637][ T2710] kthread+0x361/0x430
[ 122.558207][ T2710] ret_from_fork+0x24/0x30
[ 122.563129][ T2710]
[ 122.563129][ T2710] other info that might help us debug this:
[ 122.563129][ T2710]
[ 122.573338][ T2710] Possible unsafe locking scenario:
[ 122.573338][ T2710]
[ 122.580775][ T2710]        CPU0                    CPU1
[ 122.586123][ T2710]        ----                    ----
[ 122.591465][ T2710]   lock(&htab->buckets[i].lock);
[ 122.596476][ T2710]                                lock(sk_lock-AF_INET6);
[ 122.603472][ T2710]                                lock(&htab->buckets[i].lock);
[ 122.610997][ T2710]   lock(sk_lock-AF_INET6);
[ 122.615473][ T2710]
[ 122.615473][ T2710] *** DEADLOCK ***
[ 122.615473][ T2710]
[ 122.623606][ T2710] 4 locks held by kworker/0:6/2710:
[ 122.628786][ T2710] #0: ffff8880aa426d28 ((wq_completion)events){+.+.}, at: process_one_work+0x8dd/0x17a0
[ 122.638575][ T2710] #1: ffffc900090cfdc0 ((work_completion)(&map->work)){+.+.}, at: process_one_work+0x917/0x17a0
[ 122.649150][ T2710] #2: ffffffff89bac700 (rcu_read_lock){....}, at: sock_hash_free+0x0/0x540
[ 122.657817][ T2710] #3: ffffc9000a1fc860 (&htab->buckets[i].lock){+...}, at: sock_hash_free+0x131/0x540
[ 122.667447][ T2710]
[ 122.667447][ T2710] stack backtrace:
[ 122.673340][ T2710] CPU: 0 PID: 2710 Comm: kworker/0:6 Tainted: G W 5.5.0-next-20200207-syzkaller #0
[ 122.683898][ T2710] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 122.693941][ T2710] Workqueue: events bpf_map_free_deferred
[ 122.699636][ T2710] Call Trace:
[ 122.702912][ T2710] dump_stack+0x197/0x210
[ 122.707224][ T2710] print_circular_bug.isra.0.cold+0x163/0x172
[ 122.713282][ T2710] check_noncircular+0x32e/0x3e0
[ 122.718208][ T2710] ? print_circular_bug.isra.0+0x230/0x230
[ 122.723998][ T2710] ? mark_held_locks+0xa4/0xf0
[ 122.728750][ T2710] ? alloc_list_entry+0xc0/0xc0
[ 122.733584][ T2710] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 122.739803][ T2710] ? find_first_zero_bit+0x9a/0xc0
[ 122.744907][ T2710] __lock_acquire+0x2596/0x4a00
[ 122.749741][ T2710] ? mark_held_locks+0xf0/0xf0
[ 122.754498][ T2710] lock_acquire+0x190/0x410
[ 122.758980][ T2710] ? sock_hash_free+0x29f/0x540
[ 122.763811][ T2710] lock_sock_nested+0xcb/0x120
[ 122.768562][ T2710] ? sock_hash_free+0x29f/0x540
[ 122.773407][ T2710] sock_hash_free+0x29f/0x540
[ 122.778081][ T2710] bpf_map_free_deferred+0xb3/0x100
[ 122.783260][ T2710] ? bpf_map_charge_move+0x80/0x80
[ 122.788364][ T2710] ? trace_hardirqs_on+0x67/0x240
[ 122.793371][ T2710] process_one_work+0xa05/0x17a0
[ 122.798299][ T2710] ? mark_held_locks+0xf0/0xf0
[ 122.803055][ T2710] ? pwq_dec_nr_in_flight+0x320/0x320
[ 122.808411][ T2710] ? lock_acquire+0x190/0x410
[ 122.813082][ T2710] worker_thread+0x98/0xe40
[ 122.817578][ T2710] kthread+0x361/0x430
[ 122.821729][ T2710] ? process_one_work+0x17a0/0x17a0
[ 122.826983][ T2710] ? kthread_mod_delayed_work+0x1f0/0x1f0
[ 122.832701][ T2710] ret_from_fork+0x24/0x30
2020/02/07 21:28:38 executed programs: 547