[ OK ] Started Serial Getty on ttyS0. [ OK ] Reached target Login Prompts. [ OK ] Started OpenBSD Secure Shell server. [ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. Starting Load/Save RF Kill Switch Status... [ OK ] Started Load/Save RF Kill Switch Status. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.1.73' (ECDSA) to the list of known hosts. syzkaller login: [ 28.006638] IPVS: ftp: loaded support on port[0] = 21 [ 28.072349] chnl_net:caif_netlink_parms(): no params data found [ 28.164146] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.170657] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.178251] device bridge_slave_0 entered promiscuous mode [ 28.185349] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.191699] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.199312] device bridge_slave_1 entered promiscuous mode [ 28.215457] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 28.224063] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 28.241798] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 28.248952] team0: Port device team_slave_0 added [ 28.254747] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 28.261778] team0: Port device team_slave_1 added [ 28.276206] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 28.282475] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 28.307895] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 28.319150] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 28.325466] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 28.350696] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 28.361369] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 28.368835] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 28.386738] device hsr_slave_0 entered promiscuous mode [ 28.392394] device hsr_slave_1 entered promiscuous mode [ 28.398777] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 28.405849] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 28.465091] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.471476] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.478313] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.484705] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.512709] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready [ 28.518775] 8021q: adding VLAN 0 to HW filter on device bond0 [ 28.526828] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 28.535475] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 28.554026] bridge0: port 1(bridge_slave_0) entered disabled state [ 28.560901] bridge0: port 2(bridge_slave_1) entered disabled state [ 28.570682] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 28.576894] 8021q: adding VLAN 0 to HW filter on device team0 [ 28.585249] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 28.592948] bridge0: port 1(bridge_slave_0) entered blocking state [ 28.599283] bridge0: port 1(bridge_slave_0) entered forwarding state [ 28.608052] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 28.616374] bridge0: port 2(bridge_slave_1) entered blocking state [ 28.622756] bridge0: port 2(bridge_slave_1) entered forwarding state [ 28.640934] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network [ 28.650740] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 28.661605] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready [ 28.668731] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 28.676822] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 28.684471] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 28.691921] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 28.699876] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 28.706675] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 28.719234] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready [ 28.727017] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 28.734302] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 28.745462] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 28.791869] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready [ 28.801869] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 28.831527] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready [ 28.838797] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready [ 28.846598] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready [ 28.855232] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 28.863033] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 28.869768] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 28.878807] device veth0_vlan entered promiscuous mode [ 28.887311] device veth1_vlan entered promiscuous mode [ 28.893425] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready [ 28.901408] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready [ 28.913894] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready [ 28.923156] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 28.930288] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 28.937794] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 28.946925] device veth0_macvtap entered promiscuous mode [ 28.953968] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready [ 28.961787] device veth1_macvtap entered promiscuous mode [ 28.970950] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready [ 28.979973] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready [ 28.989946] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 28.997428] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 29.005774] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 29.016208] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 29.023530] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready executing program [ 29.062119] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 32.222313] [ 32.223950] ================================ [ 32.228345] WARNING: inconsistent lock state [ 32.232734] 4.14.280-syzkaller #0 Not tainted [ 32.237202] -------------------------------- [ 32.241581] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. [ 32.247700] kworker/0:2/3413 [HC0[0]:SC0[0]:HE1:SE1] takes: [ 32.253478] (&(&xprt->transport_lock)->rlock){+.?.}, at: [] xprt_destroy+0x68/0x1c0 [ 32.262910] {IN-SOFTIRQ-W} state was registered at: [ 32.267901] lock_acquire+0x170/0x3f0 [ 32.271762] _raw_spin_lock_bh+0x2f/0x40 [ 32.275879] xprt_disconnect_done+0x19/0x40 [ 32.280258] xs_tcp_state_change+0x3c4/0x7e0 [ 32.284726] tcp_done+0x14f/0x210 [ 32.288237] tcp_v4_err+0x7dd/0x1820 [ 32.292009] icmp_socket_deliver+0x1a7/0x330 [ 32.296482] icmp_unreach+0x268/0xae0 [ 32.300343] icmp_rcv+0xb7f/0x1240 [ 32.303944] ip_local_deliver_finish+0x3f2/0xab0 [ 32.308757] ip_local_deliver+0x167/0x460 [ 32.312962] ip_rcv_finish+0x6e3/0x19f0 [ 32.316997] ip_rcv+0x8a7/0xf10 [ 32.320339] __netif_receive_skb_core+0x15ee/0x2a30 [ 32.325415] __netif_receive_skb+0x27/0x1a0 [ 32.330665] process_backlog+0x218/0x6f0 [ 32.334785] net_rx_action+0x466/0xfd0 [ 32.338731] __do_softirq+0x24d/0x9ff [ 32.342594] run_ksoftirqd+0x50/0x1a0 [ 32.346455] smpboot_thread_fn+0x5c1/0x920 [ 32.350748] kthread+0x30d/0x420 [ 32.354174] ret_from_fork+0x24/0x30 [ 32.357945] irq event stamp: 45695 [ 32.361458] hardirqs last enabled at (45695): [] kfree+0x14a/0x250 [ 32.369400] hardirqs last disabled at (45694): [] kfree+0x6f/0x250 [ 32.377256] softirqs last enabled at (45676): [] rpc_wake_up_first_on_wq+0x18d/0x480 [ 32.386760] softirqs last disabled at (45674): [] rpc_wake_up_first_on_wq+0x29/0x480 [ 32.396170] [ 32.396170] other info that might help us debug this: [ 32.402807] Possible unsafe locking scenario: [ 32.402807] [ 32.408838] CPU0 [ 32.411393] ---- [ 32.413946] lock(&(&xprt->transport_lock)->rlock); [ 32.419021] [ 32.421749] lock(&(&xprt->transport_lock)->rlock); [ 32.426995] [ 32.426995] *** DEADLOCK *** [ 32.426995] [ 32.433024] 2 locks held by kworker/0:2/3413: [ 32.437487] #0: ("rpciod"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 [ 32.445870] #1: ((&task->u.tk_work)){+.+.}, at: [] process_one_work+0x6e6/0x14a0 [ 32.455122] [ 32.455122] stack backtrace: [ 32.459592] CPU: 0 PID: 3413 Comm: kworker/0:2 Not tainted 4.14.280-syzkaller #0 [ 32.467095] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.476431] Workqueue: rpciod rpc_async_schedule [ 32.481330] Call Trace: [ 32.483894] dump_stack+0x1b2/0x281 [ 32.487497] print_usage_bug.cold+0x42e/0x570 [ 32.491975] mark_lock+0xb4d/0x1050 [ 32.495573] ? check_usage_forwards+0x2d0/0x2d0 [ 32.500215] ? kasan_slab_free+0x12d/0x1a0 [ 32.504423] __lock_acquire+0xd5c/0x3f20 [ 32.508457] ? debug_check_no_obj_freed+0x2c0/0x680 [ 32.513445] ? lock_acquire+0x170/0x3f0 [ 32.517392] ? trace_hardirqs_on+0x10/0x10 [ 32.521624] ? _raw_spin_unlock_irqrestore+0x66/0xe0 [ 32.526720] ? debug_check_no_obj_freed+0x2c0/0x680 [ 32.531721] lock_acquire+0x170/0x3f0 [ 32.535502] ? xprt_destroy+0x68/0x1c0 [ 32.539362] ? trace_hardirqs_on_caller+0x3a8/0x580 [ 32.544365] _raw_spin_lock+0x2a/0x40 [ 32.548150] ? xprt_destroy+0x68/0x1c0 [ 32.552017] xprt_destroy+0x68/0x1c0 [ 32.555711] xprt_put+0x32/0x40 [ 32.558968] rpc_task_release_client+0x1cd/0x280 [ 32.563707] __rpc_execute+0x66b/0xc90 [ 32.567569] ? rpc_exit+0x1a0/0x1a0 [ 32.571172] ? lock_acquire