netlink: 'syz.2.1063': attribute type 10 has an invalid length. veth0_vlan: left promiscuous mode veth0_vlan: entered promiscuous mode ============================================ WARNING: possible recursive locking detected 6.13.0-rc3-syzkaller-00193-ge9b8ffafd20a #0 Not tainted -------------------------------------------- syz.2.1063/11805 is trying to acquire lock: ffff88804c3f8e00 (team->team_lock_key#3){+.+.}-{4:4}, at: team_port_change_check drivers/net/team/team_core.c:2954 [inline] ffff88804c3f8e00 (team->team_lock_key#3){+.+.}-{4:4}, at: team_device_event+0x2c7/0x770 drivers/net/team/team_core.c:2977 but task is already holding lock: ffff88804c3f8e00 (team->team_lock_key#3){+.+.}-{4:4}, at: team_add_slave+0x9c/0x1ff0 drivers/net/team/team_core.c:1980 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(team->team_lock_key#3); lock(team->team_lock_key#3); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by syz.2.1063/11805: #0: ffffffff8fabfc48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] #0: ffffffff8fabfc48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:326 [inline] #0: ffffffff8fabfc48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x5e4/0x1d70 net/core/rtnetlink.c:4011 #1: ffff88804c3f8e00 (team->team_lock_key#3){+.+.}-{4:4}, at: team_add_slave+0x9c/0x1ff0 drivers/net/team/team_core.c:1980 stack backtrace: CPU: 0 UID: 0 PID: 11805 Comm: syz.2.1063 Not tainted 6.13.0-rc3-syzkaller-00193-ge9b8ffafd20a #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_deadlock_bug+0x2e3/0x410 kernel/locking/lockdep.c:3037 check_deadlock kernel/locking/lockdep.c:3089 [inline] validate_chain kernel/locking/lockdep.c:3891 [inline] __lock_acquire+0x2117/0x3c40 kernel/locking/lockdep.c:5226 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849 __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0x19b/0xa60 kernel/locking/mutex.c:735 team_port_change_check drivers/net/team/team_core.c:2954 [inline] team_device_event+0x2c7/0x770 drivers/net/team/team_core.c:2977 notifier_call_chain+0xb7/0x410 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1996 call_netdevice_notifiers_extack net/core/dev.c:2034 [inline] call_netdevice_notifiers net/core/dev.c:2048 [inline] __dev_notify_flags+0x12d/0x2e0 net/core/dev.c:8988 dev_change_flags+0x10c/0x160 net/core/dev.c:9026 vlan_device_event+0xdfc/0x2120 net/8021q/vlan.c:468 notifier_call_chain+0xb7/0x410 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1996 call_netdevice_notifiers_extack net/core/dev.c:2034 [inline] call_netdevice_notifiers net/core/dev.c:2048 [inline] dev_open net/core/dev.c:1517 [inline] dev_open+0x144/0x160 net/core/dev.c:1505 team_port_add drivers/net/team/team_core.c:1222 [inline] team_add_slave+0xa8c/0x1ff0 drivers/net/team/team_core.c:1981 do_set_master+0x1bc/0x230 net/core/rtnetlink.c:2917 do_setlink.constprop.0+0xa0d/0x3f20 net/core/rtnetlink.c:3116 rtnl_changelink net/core/rtnetlink.c:3723 [inline] __rtnl_newlink net/core/rtnetlink.c:3875 [inline] rtnl_newlink+0x131c/0x1d70 net/core/rtnetlink.c:4012 rtnetlink_rcv_msg+0x95b/0xea0 net/core/rtnetlink.c:6922 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2542 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891 sock_sendmsg_nosec net/socket.c:711 [inline] __sock_sendmsg net/socket.c:726 [inline] ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2583 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2637 __sys_sendmsg+0x16e/0x220 net/socket.c:2669 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7f51579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f50a655c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020000600 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ---------------- Code disassembly (best guess), 2 bytes skipped: 0: 10 06 adc %al,(%rsi) 2: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi 6: 10 07 adc %al,(%rdi) 8: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi c: 10 08 adc %cl,(%rax) e: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi 1e: 00 51 52 add %dl,0x52(%rcx) 21: 55 push %rbp 22: 89 e5 mov %esp,%ebp 24: 0f 34 sysenter 26: cd 80 int $0x80 * 28: 5d pop %rbp <-- trapping instruction 29: 5a pop %rdx 2a: 59 pop %rcx 2b: c3 ret 2c: 90 nop 2d: 90 nop 2e: 90 nop 2f: 90 nop 30: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi 37: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi