====================================================== WARNING: possible circular locking dependency detected 4.19.195-syzkaller #0 Not tainted ------------------------------------------------------ kworker/u4:3/250 is trying to acquire lock: 000000001bebbff6 ((wq_completion)"events"){+.+.}, at: flush_workqueue+0xe8/0x13e0 kernel/workqueue.c:2658 but task is already holding lock: 00000000b894dbff (pernet_ops_rwsem){++++}, at: cleanup_net+0xa8/0x8b0 net/core/net_namespace.c:520 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (pernet_ops_rwsem){++++}: unregister_netdevice_notifier+0x7b/0x330 net/core/dev.c:1708 raw_release+0x58/0x820 net/can/raw.c:358 __sock_release+0xcd/0x2a0 net/socket.c:579 sock_close+0x15/0x20 net/socket.c:1140 __fput+0x2ce/0x890 fs/file_table.c:278 task_work_run+0x148/0x1c0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:193 [inline] exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline] syscall_return_slowpath arch/x86/entry/common.c:271 [inline] do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #2 (&sb->s_type->i_mutex_key#13){+.+.}: inode_lock include/linux/fs.h:748 [inline] __sock_release+0x86/0x2a0 net/socket.c:578 sock_close+0x15/0x20 net/socket.c:1140 __fput+0x2ce/0x890 fs/file_table.c:278 delayed_fput+0x56/0x70 fs/file_table.c:304 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 -> #1 ((delayed_fput_work).work){+.+.}: worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 -> #0 ((wq_completion)"events"){+.+.}: flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661 flush_scheduled_work include/linux/workqueue.h:599 [inline] tipc_exit_net+0x38/0x60 net/tipc/core.c:100 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 other info that might help us debug this: Chain exists of: (wq_completion)"events" --> &sb->s_type->i_mutex_key#13 --> pernet_ops_rwsem Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(pernet_ops_rwsem); lock(&sb->s_type->i_mutex_key#13); lock(pernet_ops_rwsem); lock((wq_completion)"events"); *** DEADLOCK *** 3 locks held by kworker/u4:3/250: #0: 000000001c9c8b77 ((wq_completion)"%s""netns"){+.+.}, at: process_one_work+0x767/0x1570 kernel/workqueue.c:2124 #1: 00000000f65875ef (net_cleanup_work){+.+.}, at: process_one_work+0x79c/0x1570 kernel/workqueue.c:2128 #2: 00000000b894dbff (pernet_ops_rwsem){++++}, at: cleanup_net+0xa8/0x8b0 net/core/net_namespace.c:520 stack backtrace: CPU: 1 PID: 250 Comm: kworker/u4:3 Not tainted 4.19.195-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222 check_prev_add kernel/locking/lockdep.c:1866 [inline] check_prevs_add kernel/locking/lockdep.c:1979 [inline] validate_chain kernel/locking/lockdep.c:2420 [inline] __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908 flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661 flush_scheduled_work include/linux/workqueue.h:599 [inline] tipc_exit_net+0x38/0x60 net/tipc/core.c:100 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 netlink: 16 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'. audit: type=1804 audit(1624815694.666:24): pid=15040 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir880659851/syzkaller.h3oY63/269/cgroup.controllers" dev="sda1" ino=14471 res=1 nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.0'. audit: type=1804 audit(1624815695.136:25): pid=15096 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir880659851/syzkaller.h3oY63/270/cgroup.controllers" dev="sda1" ino=14482 res=1 audit: type=1804 audit(1624815695.466:26): pid=15142 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir880659851/syzkaller.h3oY63/271/cgroup.controllers" dev="sda1" ino=14482 res=1 audit: type=1804 audit(1624815695.796:27): pid=15182 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir880659851/syzkaller.h3oY63/272/cgroup.controllers" dev="sda1" ino=14468 res=1 audit: type=1804 audit(1624815695.846:28): pid=15175 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir380334047/syzkaller.v4axBr/290/cgroup.controllers" dev="sda1" ino=14482 res=1 netlink: 16 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 44 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 'syz-executor.2': attribute type 2 has an invalid length. netlink: 44 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 44 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 'syz-executor.2': attribute type 1 has an invalid length. netlink: 80 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor.1'. audit: type=1804 audit(1624815697.246:29): pid=15368 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir544029173/syzkaller.GobV39/303/cgroup.controllers" dev="sda1" ino=14494 res=1 base_sock_release(0000000013328f0e) sk=00000000aa6c64c7 base_sock_release(000000006e7990b9) sk=00000000d1ee6d53 ********************************************************** ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE ** audit: type=1804 audit(1624815698.306:30): pid=15437 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir145854388/syzkaller.I0m9VC/303/cgroup.controllers" dev="sda1" ino=14494 res=1 ** ** ** trace_printk() being used. Allocating extra memory. ** ** ** ** This means that this is a DEBUG kernel and it is ** ** unsafe for production use. ** ** ** ** If you see this message and you are not debugging ** ** the kernel, report this immediately to your vendor! ** ** ** ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE ** ********************************************************** syz-executor.1 (15437) used greatest stack depth: 23384 bytes left netlink: 'syz-executor.3': attribute type 1 has an invalid length. nla_parse: 7 callbacks suppressed netlink: 16 bytes leftover after parsing attributes in process `syz-executor.3'.