[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.148' (ECDSA) to the list of known hosts.
2020/11/15 00:00:51 fuzzer started
2020/11/15 00:00:52 connecting to host at 10.128.0.26:43883
2020/11/15 00:00:52 checking machine...
2020/11/15 00:00:52 checking revisions...
2020/11/15 00:00:52 testing simple program...
syzkaller login: [ 65.557425][ T8496] IPVS: ftp: loaded support on port[0] = 21
[ 65.737063][ T8496] chnl_net:caif_netlink_parms(): no params data found
[ 65.794813][ T8496] bridge0: port 1(bridge_slave_0) entered blocking state
[ 65.803859][ T8496] bridge0: port 1(bridge_slave_0) entered disabled state
[ 65.813309][ T8496] device bridge_slave_0 entered promiscuous mode
[ 65.824048][ T8496] bridge0: port 2(bridge_slave_1) entered blocking state
[ 65.831403][ T8496] bridge0: port 2(bridge_slave_1) entered disabled state
[ 65.839095][ T8496] device bridge_slave_1 entered promiscuous mode
[ 65.860515][ T8496] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 65.872708][ T8496] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 65.896965][ T8496] team0: Port device team_slave_0 added
[ 65.904770][ T8496] team0: Port device team_slave_1 added
[ 65.924793][ T8496] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 65.932357][ T8496] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 65.959996][ T8496] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 65.974496][ T8496] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 65.982052][ T8496] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 66.009228][ T8496] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 66.038294][ T8496] device hsr_slave_0 entered promiscuous mode
[ 66.045452][ T8496] device hsr_slave_1 entered promiscuous mode
[ 66.234545][ T8496] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 66.245724][ T8496] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 66.262490][ T8496] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 66.274894][ T8496] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 66.305578][ T8496] bridge0: port 2(bridge_slave_1) entered blocking state
[ 66.313110][ T8496] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 66.321665][ T8496] bridge0: port 1(bridge_slave_0) entered blocking state
[ 66.328769][ T8496] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 66.381645][ T8496] 8021q: adding VLAN 0 to HW filter on device bond0
[ 66.397831][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 66.408885][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 66.418699][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 66.427402][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 66.441330][ T8496] 8021q: adding VLAN 0 to HW filter on device team0
[ 66.454205][ T4256] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 66.463448][ T4256] bridge0: port 1(bridge_slave_0) entered blocking state
[ 66.471011][ T4256] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 66.491590][ T4256] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 66.500532][ T4256] bridge0: port 2(bridge_slave_1) entered blocking state
[ 66.510714][ T4256] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 66.531916][ T4256] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 66.543005][ T4256] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 66.553473][ T4256] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 66.565164][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 66.573938][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 66.585495][ T8496] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 66.610392][ T8496] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 66.619214][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 66.629848][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 66.653209][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 66.671532][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 66.679796][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 66.688882][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 66.699110][ T8496] device veth0_vlan entered promiscuous mode
[ 66.714886][ T8496] device veth1_vlan entered promiscuous mode
[ 66.739878][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 66.749461][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 66.763994][ T8496] device veth0_macvtap entered promiscuous mode
[ 66.776866][ T8496] device veth1_macvtap entered promiscuous mode
[ 66.796454][ T8496] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 66.804983][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 66.814575][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 66.822931][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 66.831853][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 66.844637][ T8496] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 66.853347][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 66.862833][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 66.875375][ T8496] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 66.886174][ T8496] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 66.895100][ T8496] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 66.903925][ T8496] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 66.993630][ T211] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 67.009342][ T211] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 67.030060][ T4256] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 67.055654][ T211] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 67.065565][ T211] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 67.077480][ T4256] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
executing program
[ 67.124078][ T211] BUG: sleeping function called from invalid context at net/mac80211/sta_info.c:1962
[ 67.141389][ T211] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 211, name: kworker/u4:5
[ 67.151265][ T211] 4 locks held by kworker/u4:5/211:
[ 67.156484][ T211] #0: ffff88802362d938 ((wq_completion)phy3){+.+.}-{0:0}, at: process_one_work+0x821/0x15a0
2020/11/15 00:00:55 building call list...
[ 67.168805][ T211] #1: ffffc90000dcfda8 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x854/0x15a0
[ 67.182648][ T211] #2: ffff88801bdfcd00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x93/0xe80
[ 67.210767][ T211] #3: ffffffff8b337160 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x680/0x2ba0
[ 67.227230][ T211] Preemption disabled at:
[ 67.227258][ T211] [] __mutex_lock+0x10f/0x10e0
[ 67.239014][ T211] CPU: 0 PID: 211 Comm: kworker/u4:5 Not tainted 5.10.0-rc3-syzkaller #0
[ 67.247454][ T211] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.257537][ T211] Workqueue: phy3 ieee80211_iface_work
[ 67.263100][ T211] Call Trace:
[ 67.266403][ T211] dump_stack+0x107/0x163
[ 67.270748][ T211] ? __mutex_lock+0x10f/0x10e0
[ 67.275558][ T211] ___might_sleep.cold+0x1e8/0x22e
[ 67.280683][ T211] sta_info_move_state+0x32/0x8d0
[ 67.285760][ T211] sta_info_free+0x65/0x3b0
[ 67.290288][ T211] sta_info_insert_rcu+0x303/0x2ba0
[ 67.295503][ T211] ? find_held_lock+0x2d/0x110
[ 67.300295][ T211] ? rate_control_rate_init+0x32c/0x6a0
[ 67.305871][ T211] ? sta_info_free+0x3b0/0x3b0
[ 67.310663][ T211] ? __local_bh_enable_ip+0x9c/0x110
[ 67.316161][ T211] ? rate_control_rate_init+0x35f/0x6a0
[ 67.321735][ T211] ieee80211_ibss_finish_sta+0x212/0x390
[ 67.327399][ T211] ? ieee80211_ibss_build_presp+0x15f0/0x15f0
[ 67.333730][ T211] ? __local_bh_enable_ip+0x9c/0x110
[ 67.339149][ T211] ieee80211_ibss_work+0x2c7/0xe80
[ 67.344303][ T211] ? ieee80211_ibss_rx_queued_mgmt+0x1870/0x1870
[ 67.350658][ T211] ? mark_held_locks+0x9f/0xe0
[ 67.355461][ T211] ? _raw_spin_unlock_irqrestore+0x42/0x50
[ 67.361298][ T211] ? lockdep_hardirqs_on+0x79/0x100
[ 67.366511][ T211] ? _raw_spin_unlock_irqrestore+0x2f/0x50
[ 67.372339][ T211] ieee80211_iface_work+0x91f/0xa90
[ 67.377562][ T211] process_one_work+0x933/0x15a0
[ 67.382526][ T211] ? lock_release+0x710/0x710
[ 67.387219][ T211] ? pwq_dec_nr_in_flight+0x320/0x320
[ 67.392609][ T211] ? rwlock_bug.part.0+0x90/0x90
[ 67.397848][ T211] ? _raw_spin_lock_irq+0x41/0x50
[ 67.402900][ T211] worker_thread+0x64c/0x1120
[ 67.407616][ T211] ? process_one_work+0x15a0/0x15a0
[ 67.412832][ T211] kthread+0x3af/0x4a0
[ 67.416922][ T211] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 67.422849][ T211] ret_from_fork+0x1f/0x30
[ 67.456209][ T211]
[ 67.460855][ T211] =============================
[ 67.465785][ T211] [ BUG: Invalid wait context ]
[ 67.470641][ T211] 5.10.0-rc3-syzkaller #0 Tainted: G W
[ 67.477479][ T211] -----------------------------
[ 67.482354][ T211] kworker/u4:5/211 is trying to lock:
[ 67.487725][ T211] ffff88801b2029d0 (&local->chanctx_mtx){+.+.}-{3:3}, at: ieee80211_recalc_min_chandef+0x49/0x140
[ 67.498331][ T211] other info that might help us debug this:
[ 67.504211][ T211] context-{4:4}
[ 67.507665][ T211] 4 locks held by kworker/u4:5/211:
[ 67.512845][ T211] #0: ffff88802362d938 ((wq_completion)phy3){+.+.}-{0:0}, at: process_one_work+0x821/0x15a0
[ 67.523020][ T211] #1: ffffc90000dcfda8 ((work_completion)(&sdata->work)){+.+.}-{0:0}, at: process_one_work+0x854/0x15a0
[ 67.534318][ T211] #2: ffff88801bdfcd00 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x93/0xe80
[ 67.543971][ T211] #3: ffffffff8b337160 (rcu_read_lock){....}-{1:2}, at: sta_info_insert_rcu+0x680/0x2ba0
[ 67.555012][ T211] stack backtrace:
[ 67.558731][ T211] CPU: 0 PID: 211 Comm: kworker/u4:5 Tainted: G W 5.10.0-rc3-syzkaller #0
[ 67.568523][ T211] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.579911][ T211] Workqueue: phy3 ieee80211_iface_work
[ 67.585361][ T211] Call Trace:
[ 67.588647][ T211] dump_stack+0x107/0x163
[ 67.592970][ T211] __lock_acquire.cold+0x310/0x3a2
[ 67.598077][ T211] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 67.604046][ T211] ? find_held_lock+0x2d/0x110
[ 67.608801][ T211] lock_acquire+0x2a3/0x8c0
[ 67.613295][ T211] ? ieee80211_recalc_min_chandef+0x49/0x140
[ 67.619530][ T211] ? lock_release+0x710/0x710
[ 67.624223][ T211] __mutex_lock+0x134/0x10e0
[ 67.628819][ T211] ? ieee80211_recalc_min_chandef+0x49/0x140
[ 67.634881][ T211] ? ieee80211_recalc_min_chandef+0x49/0x140
[ 67.641816][ T211] ? mutex_lock_io_nested+0xf60/0xf60
[ 67.647204][ T211] ? ieee80211_clear_fast_rx+0x58/0x80
[ 67.652663][ T211] ? mark_held_locks+0x9f/0xe0
[ 67.657420][ T211] ieee80211_recalc_min_chandef+0x49/0x140
[ 67.663222][ T211] sta_info_move_state+0x3cf/0x8d0
[ 67.668324][ T211] sta_info_free+0x65/0x3b0
[ 67.672844][ T211] sta_info_insert_rcu+0x303/0x2ba0
[ 67.678127][ T211] ? find_held_lock+0x2d/0x110
[ 67.683755][ T211] ? rate_control_rate_init+0x32c/0x6a0
[ 67.689512][ T211] ? sta_info_free+0x3b0/0x3b0
[ 67.694455][ T211] ? __local_bh_enable_ip+0x9c/0x110
[ 67.699745][ T211] ? rate_control_rate_init+0x35f/0x6a0
[ 67.705373][ T211] ieee80211_ibss_finish_sta+0x212/0x390
[ 67.711060][ T211] ? ieee80211_ibss_build_presp+0x15f0/0x15f0
[ 67.717504][ T211] ? __local_bh_enable_ip+0x9c/0x110
[ 67.722883][ T211] ieee80211_ibss_work+0x2c7/0xe80
[ 67.728016][ T211] ? ieee80211_ibss_rx_queued_mgmt+0x1870/0x1870
[ 67.734357][ T211] ? mark_held_locks+0x9f/0xe0
[ 67.739140][ T211] ? _raw_spin_unlock_irqrestore+0x42/0x50
[ 67.744963][ T211] ? lockdep_hardirqs_on+0x79/0x100
[ 67.750168][ T211] ? _raw_spin_unlock_irqrestore+0x2f/0x50
[ 67.755993][ T211] ieee80211_iface_work+0x91f/0xa90
[ 67.761203][ T211] process_one_work+0x933/0x15a0
[ 67.766135][ T211] ? lock_release+0x710/0x710
[ 67.770882][ T211] ? pwq_dec_nr_in_flight+0x320/0x320
[ 67.776246][ T211] ? rwlock_bug.part.0+0x90/0x90
[ 67.781177][ T211] ? _raw_spin_lock_irq+0x41/0x50
[ 67.786196][ T211] worker_thread+0x64c/0x1120
[ 67.790872][ T211] ? process_one_work+0x15a0/0x15a0
[ 67.796068][ T211] kthread+0x3af/0x4a0
[ 67.800131][ T211] ? kthread_create_worker_on_cpu+0xf0/0xf0
[ 67.806019][ T211] ret_from_fork+0x1f/0x30
[ 67.821426][ T5] Bluetooth: hci0: command 0x0409 tx timeout
[ 67.985481][ T27] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 68.067965][ T27] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 68.135229][ T27] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 68.236569][ T27] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 69.461135][ T27] device hsr_slave_0 left promiscuous mode
[ 69.477304][ T27] device hsr_slave_1 left promiscuous mode
[ 69.484882][ T27] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 69.493658][ T27] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 69.503006][ T27] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 69.511136][ T27] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 69.521806][ T27] device bridge_slave_1 left promiscuous mode
[ 69.528360][ T27] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.537667][ T27] device bridge_slave_0 left promiscuous mode
[ 69.544958][ T27] bridge0: port 1(bridge_slave_0) entered disabled state
[ 69.555523][ T27] device veth1_macvtap left promiscuous mode
[ 69.562527][ T27] device veth0_macvtap left promiscuous mode
[ 69.568540][ T27] device veth1_vlan left promiscuous mode
[ 69.575182][ T27] device veth0_vlan left promiscuous mode
executing program
[ 70.487515][ T27] team0 (unregistering): Port device team_slave_1 removed
[ 70.498334][ T27] team0 (unregistering): Port device team_slave_0 removed
[ 70.510151][ T27] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 70.521998][ T27] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 70.549596][ T27] bond0 (unregistering): Released all slaves
[ 70.639482][ T8494] can: request_module (can-proto-0) failed.
[ 70.992523][ T8494] can: request_module (can-proto-0) failed.
[ 71.003268][ T8494] can: request_module (can-proto-0) failed.
[ 71.152508][ T8494] base_sock_release(000000004609a091) sk=000000000a07379d