[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.
syzkaller login: [ 39.854706] audit: type=1400 audit(1596178915.454:8): avc: denied { execmem } for pid=6446 comm="syz-executor916" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 39.874467] IPVS: ftp: loaded support on port[0] = 21
[ 39.950264] chnl_net:caif_netlink_parms(): no params data found
[ 40.021018] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.029902] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.037865] device bridge_slave_0 entered promiscuous mode
[ 40.046160] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.053083] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.060114] device bridge_slave_1 entered promiscuous mode
[ 40.078129] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 40.087202] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 40.106958] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 40.114426] team0: Port device team_slave_0 added
[ 40.119933] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 40.128847] team0: Port device team_slave_1 added
[ 40.145094] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 40.151337] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 40.176763] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 40.188584] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 40.194910] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 40.220238] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 40.231412] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 40.239290] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 40.294584] device hsr_slave_0 entered promiscuous mode
[ 40.342408] device hsr_slave_1 entered promiscuous mode
[ 40.392883] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 40.400123] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 40.470200] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.476754] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.483645] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.490026] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.526188] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 40.534440] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.544470] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.554051] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.563111] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.580658] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.588782] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 40.600550] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 40.606857] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.617047] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.625980] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.632440] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.642431] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.650087] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.656530] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.674157] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 40.682649] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 40.694816] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 40.707859] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 40.718553] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 40.730979] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 40.739392] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.747510] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.755263] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 40.768508] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 40.777146] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 40.784684] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 40.796393] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.809293] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 40.819886] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.857615] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 40.864822] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 40.873308] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 40.883496] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.890868] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 40.899171] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 40.908364] device veth0_vlan entered promiscuous mode
[ 40.917653] device veth1_vlan entered promiscuous mode
[ 40.924326] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 40.933622] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 40.940211] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 40.948332] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 40.962627] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 40.971874] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 40.978682] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 40.987286] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.996881] device veth0_macvtap entered promiscuous mode
[ 41.003833] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 41.013058] device veth1_macvtap entered promiscuous mode
[ 41.019177] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 41.028355] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 41.038832] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 41.049457] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 41.057230] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 41.064711] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 41.072680] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 41.079851] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 41.088491] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 41.099035] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 41.106069] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 41.113397] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 41.121237] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 42.301253]
[ 42.302917] ============================================
[ 42.308453] WARNING: possible recursive locking detected
[ 42.313898] 4.19.135-syzkaller #0 Not tainted
[ 42.318385] --------------------------------------------
[ 42.323837] syz-executor916/6447 is trying to acquire lock:
[ 42.329533] 00000000ec7871f0 (_xmit_ETHER#2){+.-.}, at: __dev_queue_xmit+0x2592/0x2e00
[ 42.337594]
[ 42.337594] but task is already holding lock:
[ 42.343579] 000000002216d9e3 (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x254/0xf50
[ 42.351366]
[ 42.351366] other info that might help us debug this:
[ 42.358008] Possible unsafe locking scenario:
[ 42.358008]
[ 42.364059] CPU0
[ 42.366616] ----
[ 42.369170] lock(_xmit_ETHER#2);
[ 42.373119] lock(_xmit_ETHER#2);
[ 42.376683]
[ 42.376683] *** DEADLOCK ***
[ 42.376683]
[ 42.382723] May be due to missing lock nesting notation
[ 42.382723]
[ 42.389643] 11 locks held by syz-executor916/6447:
[ 42.394544] #0: 0000000041be4ca5 (rcu_read_lock){....}, at: rawv6_sendmsg+0x1e3d/0x36a0
[ 42.402771] #1: 00000000fac33b54 (rcu_read_lock_bh){....}, at: ip6_finish_output2+0x1f2/0x2290
[ 42.411691] #2: 00000000fac33b54 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x1e2/0x2e00
[ 42.420344] #3: 00000000cac4d69a (&(&sch->seqlock)->rlock){+...}, at: __dev_queue_xmit+0x278b/0x2e00
[ 42.429843] #4: 00000000ce3642cd (dev->qdisc_running_key ?: &qdisc_running_key){+...}, at: neigh_resolve_output+0x55a/0x910
[ 42.441198] #5: 000000002216d9e3 (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x254/0xf50
[ 42.449423] #6: 0000000041be4ca5 (rcu_read_lock){....}, at: icmpv6_send+0x0/0x210
[ 42.457122] #7: 0000000094cb44d9 (k-slock-AF_INET6){+...}, at: icmp6_send+0xfea/0x2230
[ 42.465254] #8: 0000000041be4ca5 (rcu_read_lock){....}, at: icmp6_send+0x1685/0x2230
[ 42.473210] #9: 00000000fac33b54 (rcu_read_lock_bh){....}, at: ip6_finish_output2+0x1f2/0x2290
[ 42.482048] #10: 00000000fac33b54 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x1e2/0x2e00
[ 42.490810]
[ 42.490810] stack backtrace:
[ 42.495304] CPU: 0 PID: 6447 Comm: syz-executor916 Not tainted 4.19.135-syzkaller #0
[ 42.503164] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.512499] Call Trace:
[ 42.515105] dump_stack+0x1fc/0x2fe
[ 42.518714] __lock_acquire.cold+0x121/0x57e
[ 42.523135] ? check_preemption_disabled+0x41/0x280
[ 42.528145] ? mark_held_locks+0xf0/0xf0
[ 42.532188] ? skb_crc32c_csum_help+0x70/0x70
[ 42.536680] ? mark_held_locks+0xa6/0xf0
[ 42.540740] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 42.545475] ? netif_skb_features+0x5c1/0xb30
[ 42.549947] ? __skb_gso_segment+0x720/0x720
[ 42.554352] ? validate_xmit_xfrm+0x3dc/0xe30
[ 42.558848] lock_acquire+0x170/0x3c0
[ 42.562632] ? __dev_queue_xmit+0x2592/0x2e00
[ 42.567110] _raw_spin_lock+0x2a/0x40
[ 42.570906] ? __dev_queue_xmit+0x2592/0x2e00
[ 42.575403] __dev_queue_xmit+0x2592/0x2e00
[ 42.579711] ? netdev_pick_tx+0x2f0/0x2f0
[ 42.583850] ? ip6_finish_output2+0x113d/0x2290
[ 42.588498] ? memcpy+0x35/0x50
[ 42.591777] neigh_resolve_output+0x55a/0x910
[ 42.596298] ip6_finish_output2+0x113d/0x2290
[ 42.600775] ? ip6_forward_finish+0x4b0/0x4b0
[ 42.605264] ? lock_downgrade+0x720/0x720
[ 42.609404] ? check_preemption_disabled+0x41/0x280
[ 42.614398] ? check_preemption_disabled+0x41/0x280
[ 42.619395] ip6_finish_output+0x7eb/0xc10
[ 42.623612] ip6_output+0x205/0x770
[ 42.627254] ? ip6_finish_output+0xc10/0xc10
[ 42.631658] ? ip6_output+0x770/0x770
[ 42.635456] ? ip6_fragment+0x32a0/0x32a0
[ 42.639587] ip6_local_out+0xaf/0x170
[ 42.643368] ip6_send_skb+0xb3/0x300
[ 42.647079] ip6_push_pending_frames+0xbd/0xe0
[ 42.651670] icmpv6_push_pending_frames+0x294/0x470
[ 42.656669] icmp6_send+0x1b5f/0x2230
[ 42.660451] ? icmpv6_push_pending_frames+0x470/0x470
[ 42.665625] ? lock_unpin_lock+0x110/0x4f0
[ 42.669850] ? mark_held_locks+0xf0/0xf0
[ 42.673948] ? __local_bh_enable_ip+0x159/0x270
[ 42.678610] ? __neigh_create+0xb8e/0x1c40
[ 42.682828] ? check_preemption_disabled+0x41/0x280
[ 42.687824] ? icmpv6_push_pending_frames+0x470/0x470
[ 42.693013] ? icmpv6_send+0xde/0x210
[ 42.696802] icmpv6_send+0xde/0x210
[ 42.700412] ip6_link_failure+0x26/0x4e0
[ 42.704460] ? inet6_rtm_delroute+0x140/0x140
[ 42.708942] ip_tunnel_xmit+0x195f/0x37f0
[ 42.713075] ? ip_md_tunnel_xmit+0x1250/0x1250
[ 42.717653] ? __lock_acquire+0x22f9/0x3ff0
[ 42.721976] ? skb_push+0x9d/0xc0
[ 42.725425] ? __gre_xmit+0x52c/0x8d0
[ 42.729203] erspan_xmit+0x1837/0x2790
[ 42.733073] ? netif_skb_features+0x5c1/0xb30
[ 42.737557] ? ipgre_header+0x3c0/0x3c0
[ 42.741509] ? __skb_gso_segment+0x720/0x720
[ 42.745911] ? validate_xmit_xfrm+0x3dc/0xe30
[ 42.750399] ? __lock_acquire+0x22f9/0x3ff0
[ 42.754702] ? check_preemption_disabled+0x41/0x280
[ 42.759697] dev_hard_start_xmit+0x1a8/0x920
[ 42.764122] sch_direct_xmit+0x2d6/0xf50
[ 42.768163] ? __lock_acquire+0x6de/0x3ff0
[ 42.772381] ? qdisc_destroy+0x780/0x780
[ 42.776421] ? check_preemption_disabled+0x41/0x280
[ 42.781505] ? assoc_array_gc+0x1210/0x1260
[ 42.785819] __qdisc_run+0x4d0/0x1630
[ 42.789635] __dev_queue_xmit+0x2102/0x2e00
[ 42.794219] ? neigh_resolve_output+0x55a/0x910
[ 42.799303] ? netdev_pick_tx+0x2f0/0x2f0
[ 42.803450] ? lock_downgrade+0x720/0x720
[ 42.812644] ? memcpy+0x35/0x50
[ 42.815924] neigh_resolve_output+0x55a/0x910
[ 42.820436] ip6_finish_output2+0x113d/0x2290
[ 42.824923] ? ip6_forward_finish+0x4b0/0x4b0
[ 42.829418] ? lock_downgrade+0x720/0x720
[ 42.833583] ? check_preemption_disabled+0x41/0x280
[ 42.838594] ? check_preemption_disabled+0x41/0x280
[ 42.843605] ip6_finish_output+0x7eb/0xc10
[ 42.847833] ip6_output+0x205/0x770
[ 42.851453] ? ip6_finish_output+0xc10/0xc10
[ 42.855870] ? ip6_fragment+0x32a0/0x32a0
[ 42.860012] ? check_preemption_disabled+0x41/0x280
[ 42.865026] rawv6_sendmsg+0x202c/0x36a0
[ 42.869070] ? compat_rawv6_setsockopt+0x140/0x140
[ 42.873998] ? mark_held_locks+0xf0/0xf0
[ 42.878132] ? udplite6_proc_exit+0x20/0x20
[ 42.882436] ? __lock_acquire+0x6de/0x3ff0
[ 42.886660] ? sock_has_perm+0x1e7/0x280
[ 42.890708] ? selinux_secmark_relabel_packet+0xd0/0xd0
[ 42.896062] ? avc_has_perm+0x227/0x410
[ 42.900159] inet_sendmsg+0x132/0x5a0
[ 42.903947] ? security_socket_sendmsg+0x83/0xb0
[ 42.908704] ? inet_recvmsg+0x5c0/0x5c0
[ 42.912754] sock_sendmsg+0xc3/0x120
[ 42.916464] sock_write_iter+0x287/0x3c0
[ 42.920507] ? sock_sendmsg+0x120/0x120
[ 42.924478] ? file_has_perm+0x23f/0x330
[ 42.928534] __vfs_write+0x51b/0x770
[ 42.932228] ? kernel_read+0x110/0x110
[ 42.936095] ? selinux_file_permission+0x87/0x5f0
[ 42.940943] ? security_file_permission+0x1c0/0x220
[ 42.945938] vfs_write+0x1f3/0x540
[ 42.949454] ksys_write+0x12b/0x2a0
[ 42.953073] ? __ia32_sys_read+0xb0/0xb0
[ 42.957128] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 42.961870] ? trace_hardirqs_off_caller+0x69/0x210
[ 42.966885] ? do_syscall_64+0x21/0x620
[ 42.970861] do_syscall_64+0xf9/0x620
[ 42.974661] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.979939] RIP: 0033:0x449ee9
[ 42.983127] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 43.002104] RSP: 002b:00007fffc4bee918 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 43.009905] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000449ee9
[ 43.017155] RDX: 0000000000000028 RSI: 0000000020000140 RDI: 0000000000000005
[ 43.024404] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 43.031684] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffc4bee990
[ 43.038948] R13: 0000000000000003 R14: 0000000000959914 R15: 0000000000000013