netlink: 'syz-executor0': attribute type 3 has an invalid length.
netlink: 'syz-executor0': attribute type 2 has an invalid length.

======================================================
WARNING: possible circular locking dependency detected
4.20.0-rc6+ #374 Not tainted
kobject: 'loop5' (000000006633ee26): kobject_uevent_env
------------------------------------------------------
kworker/0:1/12 is trying to acquire lock:
kobject: 'loop5' (000000006633ee26): fill_kobj_path: path = '/devices/virtual/block/loop5'
000000006fd78335 (&mdev->req_queue_mutex){+.+.}, at: v4l2_release+0x1d7/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:455

but task is already holding lock:
00000000d2aa72d8 ((delayed_fput_work).work){+.+.}, at: process_one_work+0xb9a/0x1c40 kernel/workqueue.c:2128

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:
kobject: 'loop0' (00000000fc2d9db6): kobject_uevent_env

-> #3 ((delayed_fput_work).work){+.+.}:
       process_one_work+0xc0a/0x1c40 kernel/workqueue.c:2129
       worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
       kthread+0x35a/0x440 kernel/kthread.c:246
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
kobject: 'loop0' (00000000fc2d9db6): fill_kobj_path: path = '/devices/virtual/block/loop0'

-> #2 ((wq_completion)"events"){+.+.}:
       flush_workqueue+0x30a/0x1e10 kernel/workqueue.c:2655
       flush_scheduled_work include/linux/workqueue.h:599 [inline]
       vim2m_stop_streaming+0x7c/0x2c0 drivers/media/platform/vim2m.c:811
       __vb2_queue_cancel+0x14f/0xd50 drivers/media/common/videobuf2/videobuf2-core.c:1843
       vb2_core_streamoff+0x60/0x140 drivers/media/common/videobuf2/videobuf2-core.c:2006
       vb2_streamoff+0x4a/0x90 drivers/media/common/videobuf2/videobuf2-v4l2.c:789
       v4l2_m2m_streamoff+0xd0/0x720 drivers/media/v4l2-core/v4l2-mem2mem.c:563
       v4l2_m2m_ioctl_streamoff+0x6b/0x80 drivers/media/v4l2-core/v4l2-mem2mem.c:1081
       v4l_streamoff+0x76/0x90 drivers/media/v4l2-core/v4l2-ioctl.c:1698
       __video_do_ioctl+0x8b1/0x1050 drivers/media/v4l2-core/v4l2-ioctl.c:2853
       video_usercopy+0x5c1/0x1760 drivers/media/v4l2-core/v4l2-ioctl.c:3035
       video_ioctl2+0x2c/0x33 drivers/media/v4l2-core/v4l2-ioctl.c:3079
       v4l2_ioctl+0x154/0x1b0 drivers/media/v4l2-core/v4l2-dev.c:364
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:509 [inline]
       do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
       ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
       __do_sys_ioctl fs/ioctl.c:720 [inline]
       __se_sys_ioctl fs/ioctl.c:718 [inline]
       __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&dev->dev_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       vim2m_release+0xbc/0x150 drivers/media/platform/vim2m.c:976
       v4l2_release+0x224/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:456
       __fput+0x385/0xa30 fs/file_table.c:278
       ____fput+0x15/0x20 fs/file_table.c:309
       task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
kobject: 'loop4' (00000000db4e69fd): kobject_uevent_env
       tracehook_notify_resume include/linux/tracehook.h:188 [inline]
       exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
kobject: 'loop4' (00000000db4e69fd): fill_kobj_path: path = '/devices/virtual/block/loop4'
       prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
       do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&mdev->req_queue_mutex){+.+.}:
       lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
       __mutex_lock_common kernel/locking/mutex.c:925 [inline]
       __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
       v4l2_release+0x1d7/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:455
       __fput+0x385/0xa30 fs/file_table.c:278
       delayed_fput+0x55/0x80 fs/file_table.c:304
       process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
       worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
       kthread+0x35a/0x440 kernel/kthread.c:246
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

other info that might help us debug this:

Chain exists of:
  &mdev->req_queue_mutex --> (wq_completion)"events" --> (delayed_fput_work).work

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock((delayed_fput_work).work);
                               lock((wq_completion)"events");
                               lock((delayed_fput_work).work);
  lock(&mdev->req_queue_mutex);

 *** DEADLOCK ***

2 locks held by kworker/0:1/12:
 #0: 00000000821b2332 ((wq_completion)"events"){+.+.}, at: __write_once_size include/linux/compiler.h:209 [inline]
 #0: 00000000821b2332 ((wq_completion)"events"){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 00000000821b2332 ((wq_completion)"events"){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 00000000821b2332 ((wq_completion)"events"){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:59 [inline]
 #0: 00000000821b2332 ((wq_completion)"events"){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: 00000000821b2332 ((wq_completion)"events"){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 00000000821b2332 ((wq_completion)"events"){+.+.}, at: process_one_work+0xb43/0x1c40 kernel/workqueue.c:2124
 #1: 00000000d2aa72d8 ((delayed_fput_work).work){+.+.}, at: process_one_work+0xb9a/0x1c40 kernel/workqueue.c:2128

stack backtrace:
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 4.20.0-rc6+ #374
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events delayed_fput
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_circular_bug.isra.35.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1221
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2347 [inline]
 __lock_acquire+0x3399/0x4c20 kernel/locking/lockdep.c:3341
 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
 __mutex_lock_common kernel/locking/mutex.c:925 [inline]
 __mutex_lock+0x166/0x16f0 kernel/locking/mutex.c:1072
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
 v4l2_release+0x1d7/0x3a0 drivers/media/v4l2-core/v4l2-dev.c:455
 __fput+0x385/0xa30 fs/file_table.c:278
 delayed_fput+0x55/0x80 fs/file_table.c:304
 process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
 worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
 kthread+0x35a/0x440 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
kobject: 'loop3' (0000000069c0d8fa): kobject_uevent_env
kobject: 'loop3' (0000000069c0d8fa): fill_kobj_path: path = '/devices/virtual/block/loop3'
netlink: 'syz-executor0': attribute type 3 has an invalid length.
kobject: 'loop2' (00000000aaa1ac2d): kobject_uevent_env
kobject: 'loop2' (00000000aaa1ac2d): fill_kobj_path: path = '/devices/virtual/block/loop2'
kobject: 'hwsim15' (00000000d6ff6299): kobject_add_internal: parent: 'mac80211_hwsim', set: 'devices'
netlink: 'syz-executor0': attribute type 2 has an invalid length.