======================================================
[ INFO: possible circular locking dependency detected ]
4.9.95-g142d4b5 #7 Not tainted
-------------------------------------------------------
syz-executor4/23978 is trying to acquire lock:
 (&ndev->lock){++--..}, at: [<ffffffff835e39c5>] __ipv6_dev_mc_dec+0x45/0x320 net/ipv6/mcast.c:928
but task is already holding lock:
 (&tbl->lock){++-...}, at: [<ffffffff830a6d7e>] neigh_ifdown+0x3e/0x250 net/core/neighbour.c:255
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
       _raw_write_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:319
       __neigh_create+0x7a9/0x1b20 net/core/neighbour.c:492
       neigh_create include/net/neighbour.h:313 [inline]
       ip6_neigh_lookup+0x777/0xa60 net/ipv6/route.c:217
       dst_neigh_lookup include/net/dst.h:475 [inline]
       fib6_age+0x23d/0x370 net/ipv6/ip6_fib.c:1793
       fib6_clean_node+0x1f0/0x4c0 net/ipv6/ip6_fib.c:1654
       fib6_walk_continue+0x3e5/0x640 net/ipv6/ip6_fib.c:1583
       fib6_walk+0xd9/0x150 net/ipv6/ip6_fib.c:1628
       fib6_clean_tree+0xd3/0x110 net/ipv6/ip6_fib.c:1702
       __fib6_clean_all+0xf9/0x220 net/ipv6/ip6_fib.c:1718
       fib6_clean_all net/ipv6/ip6_fib.c:1729 [inline]
       fib6_run_gc+0x117/0x2c0 net/ipv6/ip6_fib.c:1826
       fib6_gc_timer_cb+0x1c/0x20 net/ipv6/ip6_fib.c:1841
       call_timer_fn+0x163/0x6e0 kernel/time/timer.c:1319
       expire_timers kernel/time/timer.c:1359 [inline]
       __run_timers kernel/time/timer.c:1658 [inline]
       run_timer_softirq+0x1047/0x1590 kernel/time/timer.c:1684
       __do_softirq+0x20b/0x937 kernel/softirq.c:284
       invoke_softirq kernel/softirq.c:364 [inline]
       irq_exit+0x147/0x190 kernel/softirq.c:405
       exiting_irq arch/x86/include/asm/apic.h:659 [inline]
       smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:960
       apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:648
       __debug_check_no_obj_freed lib/debugobjects.c:733 [inline]
       debug_check_no_obj_freed+0x2ec/0x930 lib/debugobjects.c:749
       free_pages_prepare mm/page_alloc.c:1061 [inline]
       __free_pages_ok+0x1dd/0x1610 mm/page_alloc.c:1263
       free_compound_page+0x5e/0x70 mm/page_alloc.c:594
       free_transhuge_page+0x99/0xc0 mm/huge_memory.c:2228
       __put_compound_page+0x80/0xc0 mm/swap.c:94
       release_pages+0x2f4/0x970 mm/swap.c:763
       free_pages_and_swap_cache+0x117/0x160 mm/swap_state.c:273
       tlb_flush_mmu_free+0xb4/0x150 mm/memory.c:259
       zap_pte_range mm/memory.c:1216 [inline]
       zap_pmd_range mm/memory.c:1258 [inline]
       zap_pud_range mm/memory.c:1279 [inline]
       unmap_page_range+0x104d/0x1730 mm/memory.c:1300
       unmap_single_vma+0x101/0x260 mm/memory.c:1345
       unmap_vmas+0x102/0x1d0 mm/memory.c:1375
       exit_mmap+0x214/0x3f0 mm/mmap.c:2988
       __mmput kernel/fork.c:878 [inline]
       mmput+0xf3/0x2d0 kernel/fork.c:900
       exit_mm kernel/exit.c:518 [inline]
       do_exit+0x906/0x27c0 kernel/exit.c:824
       do_group_exit+0x111/0x340 kernel/exit.c:941
       get_signal+0x4cf/0x1450 kernel/signal.c:2317
       do_signal+0x87/0x19f0 arch/x86/kernel/signal.c:807
binder_alloc: 23939: binder_alloc_buf, no vma
binder: 23939:23997 transaction failed 29189/-3, size 0-0 line 3133
       exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:157
       prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
       do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
       _raw_write_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:319
       __ip6_ins_rt+0x4e/0x80 net/ipv6/route.c:928
       ip6_route_add+0x1b8/0x1e0 net/ipv6/route.c:2118
       addrconf_prefix_route.isra.59+0x1d4/0x2b0 net/ipv6/addrconf.c:2265
       fixup_permanent_addr net/ipv6/addrconf.c:3309 [inline]
       addrconf_permanent_addr net/ipv6/addrconf.c:3332 [inline]
       addrconf_notify+0x19bb/0x2160 net/ipv6/addrconf.c:3401
       notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
       call_netdevice_notifiers net/core/dev.c:1663 [inline]
       __dev_notify_flags+0xf6/0x270 net/core/dev.c:6513
       dev_change_flags+0xf3/0x140 net/core/dev.c:6546
       do_setlink+0x99b/0x30d0 net/core/rtnetlink.c:2023
       rtnl_newlink+0xde8/0x1550 net/core/rtnetlink.c:2557
       rtnetlink_rcv_msg+0x49c/0x650 net/core/rtnetlink.c:4059
       netlink_rcv_skb+0x145/0x370 net/netlink/af_netlink.c:2356
       rtnetlink_rcv+0x2a/0x40 net/core/rtnetlink.c:4065
       netlink_unicast_kernel net/netlink/af_netlink.c:1278 [inline]
       netlink_unicast+0x4d8/0x6f0 net/netlink/af_netlink.c:1304
       netlink_sendmsg+0x78b/0xc10 net/netlink/af_netlink.c:1850
       sock_sendmsg_nosec net/socket.c:635 [inline]
       sock_sendmsg+0xcc/0x110 net/socket.c:645
       ___sys_sendmsg+0x6fc/0x840 net/socket.c:1969
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23939:23998 ioctl 40046207 0 returned -16
binder_alloc: 23939: binder_alloc_buf, no vma
binder: 23939:23999 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
       __sys_sendmsg+0xd9/0x190 net/socket.c:2003
       SYSC_sendmsg net/socket.c:2014 [inline]
       SyS_sendmsg+0x2d/0x50 net/socket.c:2010
       do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3019/0x4070 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
       _raw_write_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:319
       __ipv6_dev_mc_dec+0x45/0x320 net/ipv6/mcast.c:928
       ipv6_dev_mc_dec+0x70/0xe0 net/ipv6/mcast.c:961
       pndisc_destructor+0x132/0x200 net/ipv6/ndisc.c:390
       pneigh_ifdown net/core/neighbour.c:659 [inline]
       neigh_ifdown+0x1a0/0x250 net/core/neighbour.c:257
       ndisc_netdev_event+0x2ca/0x390 net/ipv6/ndisc.c:1744
       notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
       call_netdevice_notifiers net/core/dev.c:1663 [inline]
       __dev_notify_flags+0x19d/0x270 net/core/dev.c:6515
       dev_change_flags+0xf3/0x140 net/core/dev.c:6546
       dev_ifsioc+0x59c/0x870 net/core/dev_ioctl.c:255
       dev_ioctl+0x1df/0xdb0 net/core/dev_ioctl.c:533
       sock_do_ioctl+0x99/0xb0 net/socket.c:899
       sock_ioctl+0x346/0x3e0 net/socket.c:978
       vfs_ioctl fs/ioctl.c:43 [inline]
       file_ioctl fs/ioctl.c:493 [inline]
       do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
       SYSC_ioctl fs/ioctl.c:694 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
       do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

Chain exists of:
 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&tbl->lock);
                               lock(&tb->tb6_lock);
                               lock(&tbl->lock);
  lock(&ndev->lock);

 *** DEADLOCK ***

2 locks held by syz-executor4/23978:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff830b06a7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 #1:  (&tbl->lock){++-...}, at: [<ffffffff830a6d7e>] neigh_ifdown+0x3e/0x250 net/core/neighbour.c:255

stack backtrace:
CPU: 1 PID: 23978 Comm: syz-executor4 Not tainted 4.9.95-g142d4b5 #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d49a74a8 ffffffff81eb0f89 ffffffff853e7330 ffffffff853ad160
 ffffffff853c8310 ffff8801d7c15110 ffff8801d7c14800 ffff8801d49a74f0
 ffffffff814242cd 0000000000000002 00000000d7c14800 0000000000000002
Call Trace:
 [<ffffffff81eb0f89>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eb0f89>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff814242cd>] print_circular_bug.cold.51+0x1bd/0x27d kernel/locking/lockdep.c:1202
 [<ffffffff81237369>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [<ffffffff81237369>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [<ffffffff81237369>] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [<ffffffff81237369>] __lock_acquire+0x3019/0x4070 kernel/locking/lockdep.c:3345
 [<ffffffff81238e30>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [<ffffffff839f2b4a>] __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
 [<ffffffff839f2b4a>] _raw_write_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:319
 [<ffffffff835e39c5>] __ipv6_dev_mc_dec+0x45/0x320 net/ipv6/mcast.c:928
 [<ffffffff835e67f0>] ipv6_dev_mc_dec+0x70/0xe0 net/ipv6/mcast.c:961
 [<ffffffff835b0d72>] pndisc_destructor+0x132/0x200 net/ipv6/ndisc.c:390
 [<ffffffff830a6ee0>] pneigh_ifdown net/core/neighbour.c:659 [inline]
 [<ffffffff830a6ee0>] neigh_ifdown+0x1a0/0x250 net/core/neighbour.c:257
 [<ffffffff835b416a>] ndisc_netdev_event+0x2ca/0x390 net/ipv6/ndisc.c:1744
 [<ffffffff8119f544>] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
 [<ffffffff8119f6cd>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff8119f6cd>] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 [<ffffffff83063eb5>] call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
 [<ffffffff8308802d>] call_netdevice_notifiers net/core/dev.c:1663 [inline]
 [<ffffffff8308802d>] __dev_notify_flags+0x19d/0x270 net/core/dev.c:6515
 [<ffffffff830891a3>] dev_change_flags+0xf3/0x140 net/core/dev.c:6546
 [<ffffffff830d4dcc>] dev_ifsioc+0x59c/0x870 net/core/dev_ioctl.c:255
 [<ffffffff830d542f>] dev_ioctl+0x1df/0xdb0 net/core/dev_ioctl.c:533
 [<ffffffff8300c119>] sock_do_ioctl+0x99/0xb0 net/socket.c:899
 [<ffffffff8300cba6>] sock_ioctl+0x346/0x3e0 net/socket.c:978
 [<ffffffff815b04dc>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815b04dc>] file_ioctl fs/ioctl.c:493 [inline]
 [<ffffffff815b04dc>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
 [<ffffffff815b155f>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815b155f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff839f3313>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
device syz_tun entered promiscuous mode
device syz_tun left promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24013:24060 ioctl 40046207 0 returned -16
binder_alloc: 24014: binder_alloc_buf, no vma
binder: 24014:24059 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 24014: binder_alloc_buf, no vma
binder: 24013:24060 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24080:24119 ioctl 40046207 0 returned -16
binder_alloc: 24077: binder_alloc_buf, no vma
binder: 24077:24118 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 24077: binder_alloc_buf, no vma
binder: 24080:24119 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24142:24190 ioctl 40046207 0 returned -16
binder_alloc: 24140: binder_alloc_buf, no vma
binder: 24140:24189 transaction failed 29189/-3, size 0-0 line 3133
binder_alloc: 24140: binder_alloc_buf, no vma
binder: 24142:24190 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24211:24250 ioctl 40046207 0 returned -16
binder_alloc: 24208: binder_alloc_buf, no vma
binder: 24211:24250 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24262:24313 ioctl 40046207 0 returned -16
binder_alloc: 24267: binder_alloc_buf, no vma
binder: 24262:24313 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24335:24358 ioctl 40046207 0 returned -16
binder_alloc: 24331: binder_alloc_buf, no vma
binder: 24331:24356 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24375:24415 ioctl 40046207 0 returned -16
binder_alloc: 24370: binder_alloc_buf, no vma
binder: 24375:24415 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24436:24491 ioctl 40046207 0 returned -16
binder_alloc: 24435: binder_alloc_buf, no vma
binder: 24436:24491 transaction failed 29189/-3, size 0-0 line 3133
binder: undelivered TRANSACTION_ERROR: 29189