Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.36' (ECDSA) to the list of known hosts.

syzkaller login: [   37.477802] IPVS: ftp: loaded support on port[0] = 21
[   37.550594] chnl_net:caif_netlink_parms(): no params data found
[   37.612497] bridge0: port 1(bridge_slave_0) entered blocking state
[   37.620109] bridge0: port 1(bridge_slave_0) entered disabled state
[   37.628074] device bridge_slave_0 entered promiscuous mode
[   37.636039] bridge0: port 2(bridge_slave_1) entered blocking state
[   37.642440] bridge0: port 2(bridge_slave_1) entered disabled state
[   37.649964] device bridge_slave_1 entered promiscuous mode
[   37.669232] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   37.678198] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   37.698083] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   37.706153] team0: Port device team_slave_0 added
[   37.711656] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   37.719903] team0: Port device team_slave_1 added
[   37.736004] batman_adv: batadv0: Adding interface: batadv_slave_0
[   37.742264] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   37.767730] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   37.779459] batman_adv: batadv0: Adding interface: batadv_slave_1
[   37.785872] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   37.811124] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   37.821874] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   37.829557] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   37.848911] device hsr_slave_0 entered promiscuous mode
[   37.854741] device hsr_slave_1 entered promiscuous mode
[   37.861344] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   37.868769] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   37.941190] bridge0: port 2(bridge_slave_1) entered blocking state
[   37.947818] bridge0: port 2(bridge_slave_1) entered forwarding state
[   37.954710] bridge0: port 1(bridge_slave_0) entered blocking state
[   37.961130] bridge0: port 1(bridge_slave_0) entered forwarding state
[   37.992468] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   37.999832] 8021q: adding VLAN 0 to HW filter on device bond0
[   38.009599] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   38.019573] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   38.028923] bridge0: port 1(bridge_slave_0) entered disabled state
[   38.036650] bridge0: port 2(bridge_slave_1) entered disabled state
[   38.043656] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   38.054778] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   38.062140] 8021q: adding VLAN 0 to HW filter on device team0
[   38.072196] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   38.080459] bridge0: port 1(bridge_slave_0) entered blocking state
[   38.086877] bridge0: port 1(bridge_slave_0) entered forwarding state
[   38.098673] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   38.106370] bridge0: port 2(bridge_slave_1) entered blocking state
[   38.112698] bridge0: port 2(bridge_slave_1) entered forwarding state
[   38.129297] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   38.137179] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   38.148498] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   38.160860] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   38.172308] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   38.183219] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   38.190008] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   38.198219] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   38.207026] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   38.219844] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   38.227862] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   38.234502] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   38.246175] 8021q: adding VLAN 0 to HW filter on device batadv0
[   38.260505] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   38.270048] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   38.307698] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   38.315677] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   38.322267] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   38.331864] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   38.339613] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   38.347065] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   38.356947] device veth0_vlan entered promiscuous mode
[   38.359823] device veth1_vlan entered promiscuous mode
[   38.360399] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   38.362001] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[   38.377326] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   38.400182] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   38.408265] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   38.416375] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   38.426591] device veth0_macvtap entered promiscuous mode
[   38.432874] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   38.441710] device veth1_macvtap entered promiscuous mode
[   38.450840] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   38.461741] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   38.472526] batman_adv: batadv0: Interface activated: batadv_slave_0
[   38.480241] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   38.489220] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   38.499914] batman_adv: batadv0: Interface activated: batadv_slave_1
[   38.506802] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[   38.603010] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[   38.638512] 
[   38.640154] =====================================================
[   38.646371] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[   38.653101] 4.19.168-syzkaller #0 Not tainted
[   38.657637] -----------------------------------------------------
[   38.663846] syz-executor109/8107 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire:
[   38.671298] 0000000056494cde (hugetlb_lock){+.+.}, at: free_huge_page+0x482/0xd20
[   38.679031] 
[   38.679031] and this task is already holding:
[   38.685023] 000000000567018b (slock-AF_INET){+.-.}, at: tcp_close+0x5bd/0xfd0
[   38.692281] which would create a new lock dependency:
[   38.697444]  (slock-AF_INET){+.-.} -> (hugetlb_lock){+.+.}
[   38.703045] 
[   38.703045] but this new dependency connects a SOFTIRQ-irq-safe lock:
[   38.711113]  (slock-AF_INET){+.-.}
[   38.711118] 
[   38.711118] ... which became SOFTIRQ-irq-safe at:
[   38.720926]   _raw_spin_lock+0x2a/0x40
[   38.724791]   sk_clone_lock+0x40b/0x1430
[   38.728834]   inet_csk_clone_lock+0x1f/0x3e0
[   38.733220]   tcp_create_openreq_child+0x2c/0x19f0
[   38.738127]   tcp_v4_syn_recv_sock+0xb6/0x1030
[   38.742685]   tcp_check_req+0x601/0x16b0
[   38.746727]   tcp_v4_rcv+0x1e3c/0x3b80
[   38.750592]   ip_local_deliver_finish+0x495/0xc00
[   38.755500]   ip_local_deliver+0x188/0x500
[   38.759731]   ip_rcv_finish+0x1ca/0x2e0
[   38.763685]   ip_rcv+0xca/0x3c0
[   38.766962]   __netif_receive_skb_one_core+0x114/0x180
[   38.772223]   __netif_receive_skb+0x27/0x1c0
[   38.776610]   netif_receive_skb_internal+0xf0/0x3f0
[   38.781618]   napi_gro_receive+0x2e6/0x450
[   38.785832]   receive_buf+0xf1d/0x6120
[   38.789697]   virtnet_poll+0x568/0xd70
[   38.793623]   net_rx_action+0x4ac/0xfb0
[   38.797595]   __do_softirq+0x26c/0x9a0
[   38.801473]   run_ksoftirqd+0x57/0x110
[   38.805383]   smpboot_thread_fn+0x655/0x9e0
[   38.809701]   kthread+0x33f/0x460
[   38.813132]   ret_from_fork+0x24/0x30
[   38.816907] 
[   38.816907] to a SOFTIRQ-irq-unsafe lock:
[   38.822506]  (hugetlb_lock){+.+.}
[   38.822512] 
[   38.822512] ... which became SOFTIRQ-irq-unsafe at:
[   38.832398] ...
[   38.832410]   _raw_spin_lock+0x2a/0x40
[   38.838151]   hugetlb_overcommit_handler+0x2d4/0x460
[   38.843244]   proc_sys_call_handler.isra.0+0x1f3/0x3b0
[   38.848568]   __vfs_write+0xf7/0x770
[   38.852258]   vfs_write+0x1f3/0x540
[   38.855984]   ksys_write+0x12b/0x2a0
[   38.859682]   do_syscall_64+0xf9/0x620
[   38.863547]   entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   38.868795] 
[   38.868795] other info that might help us debug this:
[   38.868795] 
[   38.876921]  Possible interrupt unsafe locking scenario:
[   38.876921] 
[   38.883843]        CPU0                    CPU1
[   38.888491]        ----                    ----
[   38.893159]   lock(hugetlb_lock);
[   38.896595]                                local_irq_disable();
[   38.902625]                                lock(slock-AF_INET);
[   38.908657]                                lock(hugetlb_lock);
[   38.914610]   <Interrupt>
[   38.917340]     lock(slock-AF_INET);
[   38.921027] 
[   38.921027]  *** DEADLOCK ***
[   38.921027] 
[   38.927063] 3 locks held by syz-executor109/8107:
[   38.931878]  #0: 0000000036fcdfb6 (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x86/0x2a0
[   38.941142]  #1: 00000000c6da12ff (sk_lock-AF_INET){+.+.}, at: tcp_close+0x25/0xfd0
[   38.948983]  #2: 000000000567018b (slock-AF_INET){+.-.}, at: tcp_close+0x5bd/0xfd0
[   38.956679] 
[   38.956679] the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
[   38.965690] -> (slock-AF_INET){+.-.} ops: 6607 {
[   38.970857]    HARDIRQ-ON-W at:
[   38.974161]                     _raw_spin_lock_bh+0x2f/0x40
[   38.979854]                     lock_sock_nested+0x3b/0x110
[   38.985543]                     inet_autobind+0x1a/0x190
[   38.990997]                     inet_dgram_connect+0x245/0x2d0
[   38.996946]                     __sys_connect+0x265/0x2c0
[   39.002483]                     __x64_sys_connect+0x6f/0xb0
[   39.008259]                     do_syscall_64+0xf9/0x620
[   39.013704]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.020516]    IN-SOFTIRQ-W at:
[   39.023775]                     _raw_spin_lock+0x2a/0x40
[   39.029202]                     sk_clone_lock+0x40b/0x1430
[   39.034805]                     inet_csk_clone_lock+0x1f/0x3e0
[   39.040758]                     tcp_create_openreq_child+0x2c/0x19f0
[   39.047245]                     tcp_v4_syn_recv_sock+0xb6/0x1030
[   39.053394]                     tcp_check_req+0x601/0x16b0
[   39.058999]                     tcp_v4_rcv+0x1e3c/0x3b80
[   39.064428]                     ip_local_deliver_finish+0x495/0xc00
[   39.070809]                     ip_local_deliver+0x188/0x500
[   39.076704]                     ip_rcv_finish+0x1ca/0x2e0
[   39.082214]                     ip_rcv+0xca/0x3c0
[   39.087050]                     __netif_receive_skb_one_core+0x114/0x180
[   39.093908]                     __netif_receive_skb+0x27/0x1c0
[   39.099861]                     netif_receive_skb_internal+0xf0/0x3f0
[   39.106431]                     napi_gro_receive+0x2e6/0x450
[   39.112247]                     receive_buf+0xf1d/0x6120
[   39.117674]                     virtnet_poll+0x568/0xd70
[   39.123128]                     net_rx_action+0x4ac/0xfb0
[   39.128750]                     __do_softirq+0x26c/0x9a0
[   39.134207]                     run_ksoftirqd+0x57/0x110
[   39.139636]                     smpboot_thread_fn+0x655/0x9e0
[   39.145499]                     kthread+0x33f/0x460
[   39.150493]                     ret_from_fork+0x24/0x30
[   39.155832]    INITIAL USE at:
[   39.159005]                    _raw_spin_lock_bh+0x2f/0x40
[   39.164609]                    lock_sock_nested+0x3b/0x110
[   39.170208]                    inet_autobind+0x1a/0x190
[   39.175549]                    inet_dgram_connect+0x245/0x2d0
[   39.181412]                    __sys_connect+0x265/0x2c0
[   39.186839]                    __x64_sys_connect+0x6f/0xb0
[   39.192443]                    do_syscall_64+0xf9/0x620
[   39.197803]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.204529]  }
[   39.206313]  ... key      at: [] af_family_slock_keys+0x10/0x1a0
[   39.213994]  ... acquired at:
[   39.217080]    _raw_spin_lock+0x2a/0x40
[   39.221031]    free_huge_page+0x482/0xd20
[   39.225154]    __put_page+0xe2/0x3a0
[   39.228844]    skb_release_data+0x2f3/0x920
[   39.233140]    __kfree_skb+0x46/0x60
[   39.236831]    tcp_write_queue_purge+0x24d/0x800
[   39.241570]    tcp_v4_destroy_sock+0x101/0x770
[   39.246129]    inet_csk_destroy_sock+0x189/0x400
[   39.250861]    tcp_close+0x95f/0xfd0
[   39.254549]    inet_release+0xd7/0x1e0
[   39.258413]    __sock_release+0xcd/0x2a0
[   39.262449]    sock_close+0x15/0x20
[   39.266052]    __fput+0x2ce/0x890
[   39.269481]    task_work_run+0x148/0x1c0
[   39.273519]    exit_to_usermode_loop+0x251/0x2a0
[   39.278427]    do_syscall_64+0x538/0x620
[   39.282465]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.287801] 
[   39.289402] 
[   39.289402] the dependencies between the lock to be acquired
[   39.289405]  and SOFTIRQ-irq-unsafe lock:
[   39.300790] -> (hugetlb_lock){+.+.} ops: 26 {
[   39.305265]    HARDIRQ-ON-W at:
[   39.308525]                     _raw_spin_lock+0x2a/0x40
[   39.313973]                     hugetlb_overcommit_handler+0x2d4/0x460
[   39.320622]                     proc_sys_call_handler.isra.0+0x1f3/0x3b0
[   39.327438]                     __vfs_write+0xf7/0x770
[   39.332693]                     vfs_write+0x1f3/0x540
[   39.337858]                     ksys_write+0x12b/0x2a0
[   39.343111]                     do_syscall_64+0xf9/0x620
[   39.348540]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.355352]    SOFTIRQ-ON-W at:
[   39.358610]                     _raw_spin_lock+0x2a/0x40
[   39.364039]                     hugetlb_overcommit_handler+0x2d4/0x460
[   39.370681]                     proc_sys_call_handler.isra.0+0x1f3/0x3b0
[   39.377497]                     __vfs_write+0xf7/0x770
[   39.382748]                     vfs_write+0x1f3/0x540
[   39.387917]                     ksys_write+0x12b/0x2a0
[   39.393201]                     do_syscall_64+0xf9/0x620
[   39.398652]                     entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.405465]    INITIAL USE at:
[   39.408639]                    _raw_spin_lock+0x2a/0x40
[   39.413981]                    hugetlb_overcommit_handler+0x2d4/0x460
[   39.420533]                    proc_sys_call_handler.isra.0+0x1f3/0x3b0
[   39.427263]                    __vfs_write+0xf7/0x770
[   39.432457]                    vfs_write+0x1f3/0x540
[   39.437538]                    ksys_write+0x12b/0x2a0
[   39.442704]                    do_syscall_64+0xf9/0x620
[   39.448066]                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.454790]  }
[   39.456573]  ... key      at: [] hugetlb_lock+0x18/0x17a0
[   39.463642]  ... acquired at:
[   39.466729]    _raw_spin_lock+0x2a/0x40
[   39.470680]    free_huge_page+0x482/0xd20
[   39.474801]    __put_page+0xe2/0x3a0
[   39.478493]    skb_release_data+0x2f3/0x920
[   39.482788]    __kfree_skb+0x46/0x60
[   39.486480]    tcp_write_queue_purge+0x24d/0x800
[   39.491213]    tcp_v4_destroy_sock+0x101/0x770
[   39.495773]    inet_csk_destroy_sock+0x189/0x400
[   39.500506]    tcp_close+0x95f/0xfd0
[   39.504196]    inet_release+0xd7/0x1e0
[   39.508060]    __sock_release+0xcd/0x2a0
[   39.512096]    sock_close+0x15/0x20
[   39.515699]    __fput+0x2ce/0x890
[   39.519131]    task_work_run+0x148/0x1c0
[   39.523184]    exit_to_usermode_loop+0x251/0x2a0
[   39.527915]    do_syscall_64+0x538/0x620
[   39.531951]    entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.537286] 
[   39.538903] 
[   39.538903] stack backtrace:
[   39.543382] CPU: 1 PID: 8107 Comm: syz-executor109 Not tainted 4.19.168-syzkaller #0
[   39.551238] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.560567] Call Trace:
[   39.563134]  dump_stack+0x1fc/0x2ef
[   39.566739]  check_usage.cold+0x7ea/0xbad
[   39.570867]  ? check_usage_backwards+0x300/0x300
[   39.575600]  ? __save_stack_trace+0x72/0x190
[   39.579986]  ? deref_stack_reg+0x134/0x1d0
[   39.584199]  ? __read_once_size_nocheck.constprop.0+0x10/0x10
[   39.590063]  ? lock_downgrade+0x720/0x720
[   39.594189]  ? lock_acquire+0x170/0x3c0
[   39.598144]  __lock_acquire+0x1da1/0x3ff0
[   39.602275]  ? trace_hardirqs_off+0x64/0x200
[   39.606660]  ? mark_held_locks+0xf0/0xf0
[   39.610722]  ? __kasan_slab_free+0x186/0x1f0
[   39.615126]  ? tcp_write_queue_purge+0x24d/0x800
[   39.619858]  ? tcp_v4_destroy_sock+0x101/0x770
[   39.624430]  ? inet_csk_destroy_sock+0x189/0x400
[   39.629162]  ? tcp_close+0x95f/0xfd0
[   39.632875]  ? inet_release+0xd7/0x1e0
[   39.636739]  ? __sock_release+0xcd/0x2a0
[   39.640776]  ? sock_close+0x15/0x20
[   39.644381]  ? task_work_run+0x148/0x1c0
[   39.648436]  ? exit_to_usermode_loop+0x251/0x2a0
[   39.653166]  ? do_syscall_64+0x538/0x620
[   39.657208]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.662549]  ? lock_downgrade+0x720/0x720
[   39.666676]  lock_acquire+0x170/0x3c0
[   39.670455]  ? free_huge_page+0x482/0xd20
[   39.674576]  ? PageHuge+0xc7/0x160
[   39.678093]  _raw_spin_lock+0x2a/0x40
[   39.681869]  ? free_huge_page+0x482/0xd20
[   39.685993]  free_huge_page+0x482/0xd20
[   39.689945]  ? PageHuge+0xc7/0x160
[   39.693460]  __put_page+0xe2/0x3a0
[   39.696981]  skb_release_data+0x2f3/0x920
[   39.701123]  __kfree_skb+0x46/0x60
[   39.704642]  tcp_write_queue_purge+0x24d/0x800
[   39.709206]  tcp_v4_destroy_sock+0x101/0x770
[   39.713767]  inet_csk_destroy_sock+0x189/0x400
[   39.718343]  tcp_close+0x95f/0xfd0
[   39.721860]  inet_release+0xd7/0x1e0
[   39.725552]  __sock_release+0xcd/0x2a0
[   39.729417]  ? __sock_release+0x2a0/0x2a0
[   39.733560]  sock_close+0x15/0x20
[   39.736992]  __fput+0x2ce/0x890
[   39.740268]  task_work_run+0x148/0x1c0
[   39.744136]  exit_to_usermode_loop+0x251/0x2a0
[   39.748694]  do_syscall_64+0x538/0x620
[   39.752561]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.757728] RIP: 0033:0x408111
[   39.760901] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 24 1a 00 00 c3 48 83 ec 08 e8 6a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 b3 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[   39.779781] RSP: 002b:00007ffca6dbde70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   39.787466] RAX: 0000000000000000 RBX: 00007ffca6dbdea0 RCX: 0000000000408111
[   39.794713] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[   39.801959] RBP: 0000000000000004 R08: 0000000000000140 R09: 00000000
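The report above says three things, spread over its traces: hugetlb_lock was once taken with softirqs enabled (the SOFTIRQ-ON-W trace through hugetlb_overcommit_handler, a sysctl write), slock-AF_INET was once taken from softirq context (the IN-SOFTIRQ-W trace through sk_clone_lock in ksoftirqd), and close() on a TCP socket has now taken hugetlb_lock while holding slock-AF_INET, because purging the write queue dropped the last reference to a huge page. The following C program is an added illustration, not part of the syzkaller output and not kernel code: a small userspace model of the usage-marking and dependency check lockdep performs, replaying exactly those three events with the lock names from the report. The class/edge structures, the single-held-lock API and the `hugetlb_irqsafe` switch are simplifications assumed for the model; it explains why the warning fires, it does not reproduce the bug.

```c
/* Added illustration (not from the syzkaller log above, not kernel code): a userspace model
 * of the lockdep check behind the warning; lock names and events are read off the report. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 8
#define MAX_EDGES   32
enum ctx { CTX_TASK, CTX_SOFTIRQ };

struct lock_class {
	const char *name;
	bool in_softirq;  /* IN-SOFTIRQ-W: taken from softirq context  = "SOFTIRQ-safe"   */
	bool softirq_on;  /* SOFTIRQ-ON-W: taken with softirqs enabled = "SOFTIRQ-unsafe" */
};

/* Global state, like lockdep's: classes plus a held->acquired dependency edge list. */
static struct lock_class classes[MAX_CLASSES];
static int nr_classes, nr_edges;
static int edge_from[MAX_EDGES], edge_to[MAX_EDGES];

static int lock_class_register(const char *name)
{
	classes[nr_classes].name = name;
	classes[nr_classes].in_softirq = classes[nr_classes].softirq_on = false;
	return nr_classes++;
}

/* DFS over held->acquired edges: first SOFTIRQ-unsafe class reachable from `from`, or -1. */
static int reaches_unsafe(int from, bool *seen)
{
	seen[from] = true;
	for (int e = 0; e < nr_edges; e++) {
		int to = edge_to[e], r;
		if (edge_from[e] != from || seen[to]) continue;
		if (classes[to].softirq_on)
			return to;
		if ((r = reaches_unsafe(to, seen)) >= 0)
			return r;
	}
	return -1;
}

/* Invariant behind the warning: a class ever taken in softirq context must never be held, even
 * transitively, while a class ever taken with softirqs enabled is acquired (otherwise the two-CPU
 * scenario lockdep prints can deadlock). Returns 1 and fills `why` when the invariant breaks. */
static int check_irq_inversion(char *why, size_t len)
{
	for (int s = 0; s < nr_classes; s++) {
		bool seen[MAX_CLASSES] = { false };
		int u;
		if (!classes[s].in_softirq) continue;
		if ((u = reaches_unsafe(s, seen)) >= 0) {
			snprintf(why, len, "SOFTIRQ-safe (%s) -> SOFTIRQ-unsafe (%s)",
				 classes[s].name, classes[u].name);
			return 1;
		}
	}
	return 0;
}

/* Acquire `cls` while `held` (-1: nothing) is held: mark usage as lockdep's mark_lock() does,
 * record the held -> cls dependency, then re-check the whole graph. */
static int lock_acquire(int held, int cls, enum ctx ctx, bool softirqs_enabled,
			char *why, size_t len)
{
	if (ctx == CTX_SOFTIRQ)
		classes[cls].in_softirq = true;
	else if (softirqs_enabled)
		classes[cls].softirq_on = true;
	if (held >= 0 && nr_edges < MAX_EDGES) {
		edge_from[nr_edges] = held;
		edge_to[nr_edges++] = cls;
	}
	return check_irq_inversion(why, len);
}

/* Replays the report's events. hugetlb_irqsafe == false: the sysctl path takes hugetlb_lock
 * with softirqs enabled (the SOFTIRQ-ON-W trace) and the inversion is found (returns 1).
 * hugetlb_irqsafe == true: it takes the lock with softirqs disabled, spin_lock_irq style,
 * and the identical close() sequence is clean (returns 0, `why` left empty). */
int replay_report(bool hugetlb_irqsafe, char *why, size_t len)
{
	int hugetlb, slock, bad;

	nr_classes = nr_edges = 0;
	why[0] = '\0';
	hugetlb = lock_class_register("hugetlb_lock");
	slock = lock_class_register("slock-AF_INET");
	/* 1. sysctl write: hugetlb_overcommit_handler takes hugetlb_lock in task context */
	bad = lock_acquire(-1, hugetlb, CTX_TASK, !hugetlb_irqsafe, why, len);
	/* 2. SYN handled in ksoftirqd: sk_clone_lock takes slock-AF_INET from softirq */
	if (!bad)
		bad = lock_acquire(-1, slock, CTX_SOFTIRQ, false, why, len);
	/* 3. close(): tcp_close holds slock-AF_INET (bh disabled) while tcp_write_queue_purge ->
	 *    __kfree_skb -> __put_page -> free_huge_page takes hugetlb_lock */
	if (!bad)
		bad = lock_acquire(slock, hugetlb, CTX_TASK, false, why, len);
	return bad;
}
```

Call `replay_report(false, buf, sizeof buf)` from a `main()` of your own to get the same "SOFTIRQ-safe (slock-AF_INET) -> SOFTIRQ-unsafe (hugetlb_lock)" verdict the kernel printed; the order of the three events does not matter, only that all three have happened, which is why a seemingly unrelated sysctl write hours earlier can arm a warning that a later close() trips. Read this way the report also shows the two possible fixes: either hugetlb_lock is never taken with softirqs (or interrupts) enabled anywhere, which the model's `hugetlb_irqsafe` switch stands in for, or free_huge_page is kept from running under a softirq-safe lock at all by deferring the free out of the socket-destruction path. Which one upstream chose is outside what this log shows.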