bond0: Enslaving bond3 as an active interface with an up link audit: type=1800 audit(1639416176.133:5): pid=10146 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14002 res=0 ============================================ WARNING: possible recursive locking detected 4.14.257-syzkaller #0 Not tainted -------------------------------------------- syz-executor.0/10124 is trying to acquire lock: (&(&bond->stats_lock)->rlock#3/3){+.+.}, at: [] bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457 but task is already holding lock: (&(&bond->stats_lock)->rlock#3/3){+.+.}, at: [] bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(&bond->stats_lock)->rlock#3/3); lock(&(&bond->stats_lock)->rlock#3/3); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by syz-executor.0/10124: #0: (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4315 #1: (&(&bond->stats_lock)->rlock#3/3){+.+.}, at: [] bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457 #2: (rcu_read_lock){....}, at: [] bond_get_nest_level drivers/net/bonding/bond_main.c:3446 [inline] #2: (rcu_read_lock){....}, at: [] bond_get_stats+0x9b/0x440 drivers/net/bonding/bond_main.c:3457 stack backtrace: CPU: 0 PID: 10124 Comm: syz-executor.0 Not tainted 4.14.257-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_deadlock_bug kernel/locking/lockdep.c:1800 [inline] check_deadlock kernel/locking/lockdep.c:1847 [inline] validate_chain kernel/locking/lockdep.c:2448 [inline] __lock_acquire.cold+0x180/0x97c kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 _raw_spin_lock_nested+0x30/0x40 kernel/locking/spinlock.c:362 bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457 dev_get_stats+0xa5/0x280 net/core/dev.c:8019 bond_get_stats+0x1da/0x440 drivers/net/bonding/bond_main.c:3463 dev_get_stats+0xa5/0x280 net/core/dev.c:8019 rtnl_fill_stats+0x48/0xa90 net/core/rtnetlink.c:1079 rtnl_fill_ifinfo+0xe16/0x3050 net/core/rtnetlink.c:1385 rtmsg_ifinfo_build_skb+0x8e/0x130 net/core/rtnetlink.c:2913 rtmsg_ifinfo_event net/core/rtnetlink.c:2943 [inline] rtmsg_ifinfo_event net/core/rtnetlink.c:2934 [inline] rtnetlink_event+0xee/0x1a0 net/core/rtnetlink.c:4364 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93 call_netdevice_notifiers_info net/core/dev.c:1667 [inline] call_netdevice_notifiers net/core/dev.c:1683 [inline] netdev_features_change net/core/dev.c:1296 [inline] netdev_change_features+0x7e/0xa0 net/core/dev.c:7457 L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. bond_compute_features+0x444/0x860 drivers/net/bonding/bond_main.c:1122 bond_slave_netdev_event drivers/net/bonding/bond_main.c:3191 [inline] bond_netdev_event+0x664/0xbd0 drivers/net/bonding/bond_main.c:3232 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93 call_netdevice_notifiers_info net/core/dev.c:1667 [inline] call_netdevice_notifiers net/core/dev.c:1683 [inline] netdev_features_change net/core/dev.c:1296 [inline] netdev_change_features+0x7e/0xa0 net/core/dev.c:7457 bond_compute_features+0x444/0x860 drivers/net/bonding/bond_main.c:1122 bond_enslave+0x37fb/0x4cf0 drivers/net/bonding/bond_main.c:1757 do_set_master+0x19e/0x200 net/core/rtnetlink.c:1961 rtnl_newlink+0x136f/0x1860 net/core/rtnetlink.c:2757 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4320 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2441 netlink_unicast_kernel net/netlink/af_netlink.c:1294 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1320 netlink_sendmsg+0x638/0xb90 net/netlink/af_netlink.c:1886 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062 __sys_sendmsg+0xa3/0x120 net/socket.c:2096 SYSC_sendmsg net/socket.c:2107 [inline] SyS_sendmsg+0x27/0x40 net/socket.c:2103 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7f431ef67e99 RSP: 002b:00007f431d8bc168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f431f07b030 RCX: 00007f431ef67e99 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007f431efc2031 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffcf4f4b15f R14: 00007f431d8bc300 R15: 0000000000022000 audit: type=1800 audit(1639416176.973:6): pid=10187 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=13994 res=0 bond3: making interface vlan4 the new active one bond3: Enslaving vlan4 as an active interface with an up link syz-executor.0 (10124) used greatest stack depth: 23792 bytes left audit: type=1800 audit(1639416177.153:7): pid=10212 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14007 res=0 raw_sendmsg: syz-executor.4 forgot to set AF_INET. Fix it! audit: type=1800 audit(1639416177.363:8): pid=10241 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=13890 res=0 audit: type=1800 audit(1639416177.583:9): pid=10265 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13989 res=0 ubi0: attaching mtd0 ubi0: scanning is finished ubi0: empty MTD device detected ubi0: attached mtd0 (name "mtdram test device", size 0 MiB) ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1 ubi0: VID header offset: 64 (aligned 64), data offset: 128 ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0 ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23 ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 1089210369 ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0 netlink: 3 bytes leftover after parsing attributes in process `syz-executor.5'. ubi0: background thread "ubi_bgt0d" started, PID 10431 ubi0: detaching mtd0 ubi0: mtd0 is detached netlink: 3 bytes leftover after parsing attributes in process `syz-executor.5'. ubi0: attaching mtd0 ubi0: scanning is finished netlink: 3 bytes leftover after parsing attributes in process `syz-executor.5'. ubi0: attached mtd0 (name "mtdram test device", size 0 MiB) ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1 ubi0: VID header offset: 64 (aligned 64), data offset: 128 ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0 ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23 ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 1089210369 ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0 ubi0: detaching mtd0 ubi0: background thread "ubi_bgt0d" started, PID 10505 ubi0: mtd0 is detached netlink: 3 bytes leftover after parsing attributes in process `syz-executor.5'. ubi0: attaching mtd0 ubi0: scanning is finished hfsplus: unable to find HFS+ superblock EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue ubi0: attached mtd0 (name "mtdram test device", size 0 MiB) ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes ====================================================== WARNING: the mand mount option is being deprecated and will be removed in v5.15! ====================================================== ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1 ubi0: VID header offset: 64 (aligned 64), data offset: 128 ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0 ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23 ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 1089210369 ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0 ubi0: detaching mtd0 ubi0: background thread "ubi_bgt0d" started, PID 10567 ubi0: mtd0 is detached ubi0: attaching mtd0 hfsplus: unable to find HFS+ superblock ubi0: scanning is finished EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue hfsplus: unable to find HFS+ superblock ubi0: attached mtd0 (name "mtdram test device", size 0 MiB) ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1 ubi0: VID header offset: 64 (aligned 64), data offset: 128 ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0 EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23 ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 1089210369 EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0 ubi0: background thread "ubi_bgt0d" started, PID 10628 ubi0: detaching mtd0 ubi0: mtd0 is detached netem: change failed hfsplus: unable to find HFS+ superblock EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue input: syz1 as /devices/virtual/input/input5 input: syz1 as /devices/virtual/input/input6 input: syz1 as /devices/virtual/input/input7 input: syz1 as /devices/virtual/input/input8 audit: type=1800 audit(1639416184.574:10): pid=10807 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=13935 res=0