======================================================
WARNING: possible circular locking dependency detected
4.14.290-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u4:6/9462 is trying to acquire lock:
 ((&(&cp->cp_send_w)->work)){+.+.}, at: [] flush_work+0x88/0x770 kernel/workqueue.c:2887

but task is already holding lock:
 (k-sk_lock-AF_INET){+.+.}, at: [] lock_sock include/net/sock.h:1473 [inline]
 (k-sk_lock-AF_INET){+.+.}, at: [] rds_tcp_reset_callbacks+0x181/0x450 net/rds/tcp.c:165

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.

-> #1 (k-sk_lock-AF_INET){+.+.}:
       lock_sock_nested+0xb7/0x100 net/core/sock.c:2813
       lock_sock include/net/sock.h:1473 [inline]
       do_tcp_setsockopt.constprop.0+0xfb/0x1c10 net/ipv4/tcp.c:2564
       tcp_setsockopt net/ipv4/tcp.c:2832 [inline]
       tcp_setsockopt+0xa7/0xc0 net/ipv4/tcp.c:2824
       kernel_setsockopt+0xfb/0x1b0 net/socket.c:3396
       rds_tcp_cork net/rds/tcp_send.c:43 [inline]
       rds_tcp_xmit_path_prepare+0xaf/0xe0 net/rds/tcp_send.c:50
       rds_send_xmit+0x1ae/0x1c00 net/rds/send.c:187
       rds_send_worker+0x6d/0x240 net/rds/threads.c:189
       process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

-> #0 ((&(&cp->cp_send_w)->work)){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       flush_work+0xad/0x770 kernel/workqueue.c:2890
       __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2965
       rds_tcp_reset_callbacks+0x18d/0x450 net/rds/tcp.c:167
       rds_tcp_accept_one+0x61a/0x8b0 net/rds/tcp_listen.c:194
       rds_tcp_accept_worker+0x4d/0x70 net/rds/tcp.c:407
       process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(k-sk_lock-AF_INET);
                               lock((&(&cp->cp_send_w)->work));
                               lock(k-sk_lock-AF_INET);
  lock((&(&cp->cp_send_w)->work));

 *** DEADLOCK ***

4 locks held by kworker/u4:6/9462:
 #0: ("%s""krdsd"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
 #1: ((&rtn->rds_tcp_accept_w)){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
 #2: (&tc->t_conn_path_lock){+.+.}, at: [] rds_tcp_accept_one+0x502/0x8b0 net/rds/tcp_listen.c:186
 #3: (k-sk_lock-AF_INET){+.+.}, at: [] lock_sock include/net/sock.h:1473 [inline]
 #3: (k-sk_lock-AF_INET){+.+.}, at: [] rds_tcp_reset_callbacks+0x181/0x450 net/rds/tcp.c:165

stack backtrace:
CPU: 1 PID: 9462 Comm: kworker/u4:6 Not tainted 4.14.290-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Workqueue: krdsd rds_tcp_accept_worker
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 flush_work+0xad/0x770 kernel/workqueue.c:2890
 __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2965
 rds_tcp_reset_callbacks+0x18d/0x450 net/rds/tcp.c:167
 rds_tcp_accept_one+0x61a/0x8b0 net/rds/tcp_listen.c:194
 rds_tcp_accept_worker+0x4d/0x70 net/rds/tcp.c:407
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
attempt to access beyond end of device
loop4: rw=1, want=128, limit=16
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
MTD: Attempt to mount non-MTD device "/dev/loop2"
romfs: Mounting image 'rom 5f663c08' through the block layer
device hsr_slave_0 left promiscuous mode
MTD: Attempt to mount non-MTD device "/dev/loop2"
romfs: Mounting image 'rom 5f663c08' through the block layer
MTD: Attempt to mount non-MTD device "/dev/loop2"
BTRFS: device fsid f90cac8b-044b-4fa8-8bee-4b8d3da88dc2 devid 1 transid 7 /dev/loop3
romfs: Mounting image 'rom 5f663c08' through the block layer
BTRFS info (device loop3): disabling disk space caching
BTRFS info (device loop3): has skinny extents
device bond1 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device batadv1
device batadv1 entered promiscuous mode
bond1: Enslaving batadv1 as an active interface with an up link
bond1 (unregistering): Releasing backup interface batadv1
device batadv1 left promiscuous mode
bond1 (unregistering): Released all slaves
BTRFS info (device loop1): disabling disk space caching
BTRFS info (device loop1): has skinny extents
BTRFS info (device loop3): disabling disk space caching
BTRFS info (device loop3): has skinny extents
print_req_error: I/O error, dev loop2, sector 0
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.0'.
print_req_error: I/O error, dev loop2, sector 0
print_req_error: I/O error, dev loop2, sector 0
Buffer I/O error on dev loop2, logical block 0, async page read
autofs4:pid:10679:autofs4_fill_super: called with bogus options
x_tables: eb_tables: AUDIT.0 target: invalid size 8 (kernel) != (user) 0
autofs4:pid:10723:autofs4_fill_super: called with bogus options
print_req_error: I/O error, dev loop2, sector 0
nla_parse: 509 callbacks suppressed
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 84 bytes leftover after parsing attributes in process `syz-executor.3'.
autofs4:pid:10826:autofs4_fill_super: called with bogus options
x_tables: eb_tables: AUDIT.0 target: invalid size 8 (kernel) != (user) 0
======================================================
WARNING: the mand mount option is being deprecated and will be removed in v5.15!
======================================================
XFS (loop1): unknown mount option [r].
NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 1024)
NILFS (loop3): unrecognized mount option ". Ed9xPZO.f&Xi $ٚW2M4dYLx0ݢ(GP|B`"
XFS (loop1): unknown mount option [r].
caif:caif_disconnect_client(): nothing to disconnect
NILFS (loop3): broken superblock, retrying with spare superblock (blocksize = 1024)
overlayfs: unrecognized mount option "lowerdir(ps" or missing value
NILFS (loop3): unrecognized mount option ". Ed9xPZO.f&Xi $ٚW2M4dYLx0ݢ(GP|B`"
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
9pnet: Could not find request transport: xen
caif:caif_disconnect_client(): nothing to disconnect
FAT-fs (loop2): Directory bread(block 6) failed
FAT-fs (loop2): Directory bread(block 6) failed
FAT-fs (loop2): Directory bread(block 6) failed
overlayfs: unrecognized mount option "lowerdir(ps" or missing value
batman_adv: batadv0: Interface deactivated: batadv_slave_0
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
batman_adv: batadv0: Removing interface: batadv_slave_0
overlayfs: unrecognized mount option "lowerdir(ps" or missing value
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
9pnet: Could not find request transport: xen
caif:caif_disconnect_client(): nothing to disconnect
FAT-fs (loop2): Directory bread(block 6) failed
FAT-fs (loop2): Directory bread(block 6) failed
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
FAT-fs (loop0): Directory bread(block 6) failed
caif:caif_disconnect_client(): nothing to disconnect
FAT-fs (loop0): Directory bread(block 6) failed
caif:caif_disconnect_client(): nothing to disconnect
FAT-fs (loop0): Directory bread(block 6) failed
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
batman_adv: batadv0: Interface deactivated: batadv_slave_0
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
batman_adv: batadv0: Removing interface: batadv_slave_0
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
FAT-fs (loop0): Directory bread(block 6) failed
syz-executor.4 (11231) used greatest stack depth: 24736 bytes left
FAT-fs (loop0): Directory bread(block 6) failed
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
UDF-fs: error (device loop4): udf_process_sequence: Block 99 of volume descriptor sequence is corrupted or we could not read it
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
UDF-fs: error (device loop4): udf_process_sequence: Block 1984 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: warning (device loop4): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 4096 failed
FAT-fs (loop2): Directory bread(block 6) failed
FAT-fs (loop0): Directory bread(block 6) failed
UDF-fs: error (device loop4): udf_process_sequence: Block 99 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: error (device loop4): udf_process_sequence: Block 1984 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: Scanning with blocksize 512 failed
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: warning (device loop4): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 4096 failed
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
UDF-fs: error (device loop4): udf_process_sequence: Block 99 of volume descriptor sequence is corrupted or we could not read it
UDF-fs: error (device loop4): udf_process_sequence: Block 1984 of volume descriptor sequence is corrupted or we could not read it
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: warning (device loop4): udf_load_vrs: No VRS found
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
UDF-fs: Scanning with blocksize 4096 failed
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
EXT4-fs (loop3): VFS: Can't find ext4 filesystem
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
EXT4-fs (loop3): VFS: Can't find ext4 filesystem
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
EXT4-fs (loop3): VFS: Can't find ext4 filesystem
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready