======================================================
syz-executor.5 (10302) used greatest stack depth: 24104 bytes left
WARNING: possible circular locking dependency detected
4.14.278-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u4:0/5 is trying to acquire lock:
 (sk_lock-AF_INET){+.+.}, at: [<ffffffff868258ce>] do_strp_work net/strparser/strparser.c:415 [inline]
 (sk_lock-AF_INET){+.+.}, at: [<ffffffff868258ce>] strp_work+0x3e/0x100 net/strparser/strparser.c:434

but task is already holding lock:
 ((&strp->work)){+.+.}, at: [<ffffffff81364fb6>] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 ((&strp->work)){+.+.}:
       flush_work+0xad/0x770 kernel/workqueue.c:2890
       __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2965
       strp_done+0x53/0xd0 net/strparser/strparser.c:519
       kcm_attach net/kcm/kcmsock.c:1429 [inline]
       kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline]
       kcm_ioctl+0x828/0xfb0 net/kcm/kcmsock.c:1701
       sock_do_ioctl net/socket.c:974 [inline]
       sock_ioctl+0x2cc/0x4c0 net/socket.c:1071
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (sk_lock-AF_INET){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       lock_sock_nested+0xb7/0x100 net/core/sock.c:2813
       do_strp_work net/strparser/strparser.c:415 [inline]
       strp_work+0x3e/0x100 net/strparser/strparser.c:434
       process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock((&strp->work));
                               lock(sk_lock-AF_INET);
                               lock((&strp->work));
  lock(sk_lock-AF_INET);

 *** DEADLOCK ***

2 locks held by kworker/u4:0/5:
 #0:  ("%s""kstrp"){+.+.}, at: [<ffffffff81364f80>] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
 #1:  ((&strp->work)){+.+.}, at: [<ffffffff81364fb6>] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092

stack backtrace:
CPU: 1 PID: 5 Comm: kworker/u4:0 Not tainted 4.14.278-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: kstrp strp_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 lock_sock_nested+0xb7/0x100 net/core/sock.c:2813
 do_strp_work net/strparser/strparser.c:415 [inline]
 strp_work+0x3e/0x100 net/strparser/strparser.c:434
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
raw_sendmsg: syz-executor.2 forgot to set AF_INET. Fix it!
syz-executor.1 uses obsolete (PF_INET,SOCK_PACKET)
EXT4-fs (loop0): VFS: Can't find ext4 filesystem
print_req_error: I/O error, dev loop1, sector 0
EXT4-fs (loop1): VFS: Can't find ext4 filesystem
EXT4-fs (loop2): VFS: Can't find ext4 filesystem
audit: type=1804 audit(1652414265.180:2): pid=10990 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.1" name="/root/syzkaller-testdir164224443/syzkaller.ePGsuA/98/file0" dev="sda1" ino=14056 res=1
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
==================================================================
BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0 net/tipc/name_table.c:670
Read of size 4 at addr ffff88809f8342d0 by task syz-executor.3/11511

CPU: 0 PID: 11511 Comm: syz-executor.3 Not tainted 4.14.278-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load4_noabort+0x68/0x70 mm/kasan/report.c:429
 tipc_nametbl_lookup_dst_nodes+0x44c/0x4c0 net/tipc/name_table.c:670
 tipc_sendmcast+0x51a/0xac0 net/tipc/socket.c:767
 __tipc_sendmsg+0xbab/0xf90 net/tipc/socket.c:974
 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:922
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fe1dd0b00e9
RSP: 002b:00007fe1dba25168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fe1dd1c2f60 RCX: 00007fe1dd0b00e9
RDX: 0000000000000e50 RSI: 00000000200016c0 RDI: 0000000000000004
RBP: 00007fe1dd10a08d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcf1fa6a8f R14: 00007fe1dba25300 R15: 0000000000022000

Allocated by task 7998:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3720 [inline]
 __kmalloc+0x15a/0x400 mm/slab.c:3729
 tipc_nameseq_create+0x53/0x290 net/tipc/name_table.c:152
 tipc_nametbl_insert_publ+0xb37/0x14e0 net/tipc/name_table.c:476
 tipc_nametbl_publish+0x211/0x3f0 net/tipc/name_table.c:701
 tipc_sk_publish net/tipc/socket.c:2205 [inline]
 tipc_bind+0x2c4/0x600 net/tipc/socket.c:629
 tipc_create_listen_sock net/tipc/server.c:338 [inline]
 tipc_open_listening_sock net/tipc/server.c:396 [inline]
 tipc_server_start+0x31f/0x880 net/tipc/server.c:611
 tipc_topsrv_start net/tipc/subscr.c:382 [inline]
 tipc_topsrv_init_net+0x53b/0x730 net/tipc/subscr.c:397
 ops_init+0xaa/0x3e0 net/core/net_namespace.c:118
 setup_net+0x22f/0x530 net/core/net_namespace.c:298
 copy_net_ns+0x19b/0x440 net/core/net_namespace.c:422
 create_new_namespaces+0x375/0x720 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xa1/0x1d0 kernel/nsproxy.c:206
 SYSC_unshare kernel/fork.c:2413 [inline]
 SyS_unshare+0x308/0x7f0 kernel/fork.c:2363
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 4618:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 aa_free_task_context+0xda/0x130 security/apparmor/context.c:54
 apparmor_cred_free+0x34/0x70 security/apparmor/lsm.c:58
 security_cred_free+0x71/0xb0 security/security.c:1003
 put_cred_rcu+0xe3/0x300 kernel/cred.c:117
 __put_cred+0x1a1/0x210 kernel/cred.c:151
 put_cred include/linux/cred.h:274 [inline]
 SYSC_faccessat fs/open.c:444 [inline]
 SyS_faccessat+0x52a/0x680 fs/open.c:353
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff88809f8342c0
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 16 bytes inside of
 32-byte region [ffff88809f8342c0, ffff88809f8342e0)
The buggy address belongs to the page:
page:ffffea00027e0d00 count:1 mapcount:0 mapping:ffff88809f834000 index:0xffff88809f834fc1
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff88809f834000 ffff88809f834fc1 0000000100000033
raw: ffffea000293e420 ffffea0002818420 ffff88813fe741c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f834180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff88809f834200: 00 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
>ffff88809f834280: 00 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
                                                 ^
 ffff88809f834300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff88809f834380: 00 00 00 fc fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================