IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready

=============================
WARNING: suspicious RCU usage
4.17.0-rc1+ #16 Not tainted
-----------------------------
net/ipv6/route.c:1550 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syz-executor6/22402:
 #0: 00000000bd665a17 (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
 #0: 00000000bd665a17 (rcu_read_lock_bh){....}, at: ip6_finish_output2+0x253/0x2800 net/ipv6/ip6_output.c:106
 #1: 00000000bd665a17 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x30f/0x34c0 net/core/dev.c:3519
 #2: 000000005920f769 (rcu_read_lock){....}, at: ip6_link_failure+0xfe/0x790 net/ipv6/route.c:2227

stack backtrace:
CPU: 1 PID: 22402 Comm: syz-executor6 Not tainted 4.17.0-rc1+ #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 lockdep_rcu_suspicious+0x14a/0x153 kernel/locking/lockdep.c:4592
 rt6_remove_exception_rt+0x416/0x4d0 net/ipv6/route.c:1549
 ip6_link_failure+0x484/0x790 net/ipv6/route.c:2231
 dst_link_failure include/net/dst.h:427 [inline]
 ip6_tnl_xmit+0x49a/0x34b0 net/ipv6/ip6_tunnel.c:1222
 ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1374 [inline]
 ip6_tnl_start_xmit+0x8fc/0x2290 net/ipv6/ip6_tunnel.c:1397
 __netdev_start_xmit include/linux/netdevice.h:4087 [inline]
 netdev_start_xmit include/linux/netdevice.h:4096 [inline]
 xmit_one net/core/dev.c:3054 [inline]
 dev_hard_start_xmit+0x264/0xc10 net/core/dev.c:3070
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3585
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3618
 neigh_direct_output+0x15/0x20 net/core/neighbour.c:1398
 neigh_output include/net/neighbour.h:482 [inline]
 ip6_finish_output2+0xc93/0x2800 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:288 [inline]
 rawv6_send_hdrinc net/ipv6/raw.c:678 [inline]
 rawv6_sendmsg+0x2674/0x4590 net/ipv6/raw.c:924
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455389
RSP: 002b:00007f6875f4ac68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f6875f4b6d4 RCX: 0000000000455389
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004f3 R14: 00000000006fa768 R15: 0000000000000000
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
kernel msg: ebtables bug: please report to author: Wrong len argument
device lo entered promiscuous mode
device lo left promiscuous mode
IPVS: set_ctl: invalid protocol: 98 0.0.0.6:20000 lc
device lo entered promiscuous mode
kernel msg: ebtables bug: please report to author: Wrong len argument
IPVS: set_ctl: invalid protocol: 98 0.0.0.6:20000 lc

======================================================
WARNING: possible circular locking dependency detected
4.17.0-rc1+ #16 Not tainted
------------------------------------------------------
syz-executor0/22463 is trying to acquire lock:
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
000000003368effb (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1469 [inline]
000000003368effb (sk_lock-AF_INET6){+.+.}, at: tcp_mmap+0x1c7/0x14f0 net/ipv4/tcp.c:1759

but task is already holding lock:
00000000baa9cc40 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0 mm/util.c:355

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&mm->mmap_sem){++++}:
       __might_fault+0x155/0x1e0 mm/memory.c:4555
       _copy_from_iter_full+0x2fd/0xd10 lib/iov_iter.c:607
       copy_from_iter_full include/linux/uio.h:124 [inline]
       sctp_user_addto_chunk+0x70/0x1f0 net/sctp/sm_make_chunk.c:1551
       sctp_datamsg_from_user+0x945/0x1540 net/sctp/chunk.c:290
       sctp_sendmsg_to_asoc+0xd08/0x2100 net/sctp/socket.c:1951
       sctp_sendmsg+0x13a8/0x1d70 net/sctp/socket.c:2123
       inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:639
       __sys_sendto+0x3d7/0x670 net/socket.c:1789
       __do_sys_sendto net/socket.c:1801 [inline]
       __se_sys_sendto net/socket.c:1797 [inline]
       __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1797
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (sk_lock-AF_INET6){+.+.}:
       lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
       lock_sock_nested+0xd0/0x120 net/core/sock.c:2844
       lock_sock include/net/sock.h:1469 [inline]
       tcp_mmap+0x1c7/0x14f0 net/ipv4/tcp.c:1759
       sock_mmap+0x8e/0xc0 net/socket.c:1144
       call_mmap include/linux/fs.h:1789 [inline]
       mmap_region+0xd13/0x1820 mm/mmap.c:1723
       do_mmap+0xc79/0x11d0 mm/mmap.c:1494
       do_mmap_pgoff include/linux/mm.h:2237 [inline]
       vm_mmap_pgoff+0x1fb/0x2a0 mm/util.c:357
       ksys_mmap_pgoff+0x4c9/0x640 mm/mmap.c:1544
       __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
       __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&mm->mmap_sem);
                               lock(sk_lock-AF_INET6);
                               lock(&mm->mmap_sem);
  lock(sk_lock-AF_INET6);

 *** DEADLOCK ***

1 lock held by syz-executor0/22463:
 #0: 00000000baa9cc40 (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0 mm/util.c:355

stack backtrace:
CPU: 1 PID: 22463 Comm: syz-executor0 Not tainted 4.17.0-rc1+ #16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_circular_bug.isra.36.cold.54+0x1bd/0x27d kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x343e/0x5140 kernel/locking/lockdep.c:3431
 lock_acquire+0x1dc/0x520 kernel/locking/lockdep.c:3920
 lock_sock_nested+0xd0/0x120 net/core/sock.c:2844
 lock_sock include/net/sock.h:1469 [inline]
 tcp_mmap+0x1c7/0x14f0 net/ipv4/tcp.c:1759
 sock_mmap+0x8e/0xc0 net/socket.c:1144
 call_mmap include/linux/fs.h:1789 [inline]
 mmap_region+0xd13/0x1820 mm/mmap.c:1723
 do_mmap+0xc79/0x11d0 mm/mmap.c:1494
 do_mmap_pgoff include/linux/mm.h:2237 [inline]
 vm_mmap_pgoff+0x1fb/0x2a0 mm/util.c:357
 ksys_mmap_pgoff+0x4c9/0x640 mm/mmap.c:1544
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
 __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455389
RSP: 002b:00007f32c23e6c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f32c23e76d4 RCX: 0000000000455389
RDX: 0000000002000004 RSI: 0000000000001000 RDI: 0000000020ffe000
RBP: 000000000072bea0 R08: 0000000000000013 R09: 0000000000000000
R10: 0000000000080011 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000003fe R14: 00000000006f9070 R15: 0000000000000000
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo entered promiscuous mode
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode