BUG: "hc->tx_t_ipi == 0" holds (exception!) at net/dccp/ccids/ccid3.c:101/ccid3_update_send_interval() CPU: 0 PID: 16166 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 ccid3_update_send_interval.cold+0x87/0x93 net/dccp/ccids/ccid3.c:101 ccid3_hc_tx_update_s net/dccp/ccids/ccid3.c:178 [inline] ccid3_hc_tx_packet_sent+0x12e/0x160 net/dccp/ccids/ccid3.c:361 ccid_hc_tx_packet_sent net/dccp/ccid.h:178 [inline] dccp_xmit_packet+0x27e/0x760 net/dccp/output.c:289 dccp_write_xmit+0x16d/0x1d0 net/dccp/output.c:363 dccp_sendmsg+0x8de/0xc90 net/dccp/proto.c:816 inet_sendmsg+0x132/0x5a0 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xc3/0x120 net/socket.c:661 __sys_sendto+0x21a/0x320 net/socket.c:1899 __do_sys_sendto net/socket.c:1911 [inline] __se_sys_sendto net/socket.c:1907 [inline] __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1907 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f19e2ed3059 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f19e1848168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f19e2fe5f60 RCX: 00007f19e2ed3059 RDX: 000000000000000b RSI: 00000000200002c0 RDI: 0000000000000004 RBP: 00007f19e2f2d08d R08: 0000000020000300 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffffda563df R14: 00007f19e1848300 R15: 0000000000022000 BUG: "hc->tx_t_ipi == 0" holds (exception!) at net/dccp/ccids/ccid3.c:101/ccid3_update_send_interval() CPU: 1 PID: 16166 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 ccid3_update_send_interval.cold+0x87/0x93 net/dccp/ccids/ccid3.c:101 ccid3_hc_tx_update_s net/dccp/ccids/ccid3.c:178 [inline] ccid3_hc_tx_packet_sent+0x12e/0x160 net/dccp/ccids/ccid3.c:361 ccid_hc_tx_packet_sent net/dccp/ccid.h:178 [inline] dccp_xmit_packet+0x27e/0x760 net/dccp/output.c:289 dccp_write_xmit+0x16d/0x1d0 net/dccp/output.c:363 dccp_sendmsg+0x8de/0xc90 net/dccp/proto.c:816 inet_sendmsg+0x132/0x5a0 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xc3/0x120 net/socket.c:661 __sys_sendto+0x21a/0x320 net/socket.c:1899 __do_sys_sendto net/socket.c:1911 [inline] __se_sys_sendto net/socket.c:1907 [inline] __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1907 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f19e2ed3059 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f19e1848168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f19e2fe5f60 RCX: 00007f19e2ed3059 RDX: 000000000000000b RSI: 00000000200002c0 RDI: 0000000000000004 RBP: 00007f19e2f2d08d R08: 0000000020000300 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffffda563df R14: 00007f19e1848300 R15: 0000000000022000 BUG: "hc->tx_t_ipi == 0" holds (exception!) at net/dccp/ccids/ccid3.c:101/ccid3_update_send_interval() CPU: 1 PID: 16166 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 ccid3_update_send_interval.cold+0x87/0x93 net/dccp/ccids/ccid3.c:101 ccid3_hc_tx_update_s net/dccp/ccids/ccid3.c:178 [inline] ccid3_hc_tx_packet_sent+0x12e/0x160 net/dccp/ccids/ccid3.c:361 ccid_hc_tx_packet_sent net/dccp/ccid.h:178 [inline] dccp_xmit_packet+0x27e/0x760 net/dccp/output.c:289 dccp_write_xmit+0x16d/0x1d0 net/dccp/output.c:363 dccp_sendmsg+0x8de/0xc90 net/dccp/proto.c:816 inet_sendmsg+0x132/0x5a0 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xc3/0x120 net/socket.c:661 __sys_sendto+0x21a/0x320 net/socket.c:1899 __do_sys_sendto net/socket.c:1911 [inline] __se_sys_sendto net/socket.c:1907 [inline] __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1907 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f19e2ed3059 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f19e1848168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f19e2fe5f60 RCX: 00007f19e2ed3059 RDX: 000000000000000b RSI: 00000000200002c0 RDI: 0000000000000004 RBP: 00007f19e2f2d08d R08: 0000000020000300 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffffda563df R14: 00007f19e1848300 R15: 0000000000022000 EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue audit: type=1800 audit(1644292191.169:4): pid=16330 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.3" name="bus" dev="sda1" ino=14729 res=0 audit: type=1804 audit(1644292191.209:5): pid=16330 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir370046964/syzkaller.MmsCSh/307/file0/bus" dev="sda1" ino=14729 res=1 EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue audit: type=1800 audit(1644292191.539:6): pid=16364 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="file0" dev="loop2" ino=17 res=0 EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue audit: type=1804 audit(1644292191.569:7): pid=16364 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir181831849/syzkaller.ClxlY6/292/file0/file0" dev="loop2" ino=17 res=1 syz-executor.2 (16364) used greatest stack depth: 23008 bytes left audit: type=1804 audit(1644292191.589:8): pid=16364 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir181831849/syzkaller.ClxlY6/292/file0/file0" dev="loop2" ino=17 res=1 audit: type=1804 audit(1644292191.639:9): pid=16364 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir181831849/syzkaller.ClxlY6/292/file0/file0" dev="loop2" ino=17 res=1 audit: type=1800 audit(1644292191.769:10): pid=16399 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.3" name="bus" dev="loop3" ino=18 res=0 audit: type=1804 audit(1644292191.769:11): pid=16388 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir370046964/syzkaller.MmsCSh/308/file0/bus" dev="loop3" ino=18 res=1 syz-executor.3 (16388) used greatest stack depth: 22928 bytes left EXT4-fs (loop2): Unrecognized mount option "./file0" or missing value audit: type=1800 audit(1644292192.109:12): pid=16435 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.2" name="file0" dev="sda1" ino=14768 res=0 EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue audit: type=1804 audit(1644292192.139:13): pid=16443 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir181831849/syzkaller.ClxlY6/293/file0/file0" dev="sda1" ino=14768 res=1 IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. netlink: 'syz-executor.4': attribute type 4 has an invalid length. IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0) F2FS-fs (loop5): Can't find valid F2FS filesystem in 2th superblock F2FS-fs (loop5): Unrecognized mount option "bOckf" or missing value F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0) F2FS-fs (loop5): Can't find valid F2FS filesystem in 2th superblock F2FS-fs (loop5): Unrecognized mount option "bOckf" or missing value mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium syz-executor.4 (16697) used greatest stack depth: 22600 bytes left F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0) F2FS-fs (loop5): Can't find valid F2FS filesystem in 2th superblock netlink: 'syz-executor.4': attribute type 4 has an invalid length. F2FS-fs (loop5): Unrecognized mount option "bOckf" or missing value F2FS-fs (loop5): Magic Mismatch, valid(0xf2f52010) - read(0x0) netlink: 'syz-executor.2': attribute type 14 has an invalid length. netlink: 6 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 6 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 6 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 6 bytes leftover after parsing attributes in process `syz-executor.5'. *** Guest State *** MTD: Attempt to mount non-MTD device "/dev/loop3" CR0: actual=0x0000000000000020, shadow=0x0000000000000000, gh_mask=fffffffffffffff7 CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871 CR3 = 0x0000000000000000 RSP = 0x0000000000000000 RIP = 0x0000000000000000 RFLAGS=0x00000002 DR7 = 0x0000000000000400 Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000 netlink: 6 bytes leftover after parsing attributes in process `syz-executor.5'. CS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 netlink: 6 bytes leftover after parsing attributes in process `syz-executor.5'. DS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 SS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 ES: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 FS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 GS: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 GDTR: limit=0x00000000, base=0x0000000000000000 LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 IDTR: limit=0x00000000, base=0x0000000000000000 TR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000 overlayfs: unrecognized mount option "upperd" or missing value EFER = 0x0000000000000000 PAT = 0x0007040600070406 DebugCtl = 0x0000000000000000 DebugExceptions = 0x0000000000000000 Interruptibility = 00000000 ActivityState = 00000000 netlink: 'syz-executor.2': attribute type 14 has an invalid length. *** Host State *** RIP = 0xffffffff811a9c2f RSP = 0xffff88804cae78c0 CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040 FSBase=00007f0e3419f700 GSBase=ffff8880ba100000 TRBase=fffffe0000034000 GDTBase=fffffe0000032000 IDTBase=fffffe0000000000 CR0=0000000080050033 CR3=00000000b2d78000 CR4=00000000003426e0 overlayfs: unrecognized mount option "upperd" or missing value Sysenter RSP=fffffe0000034000 CS:RIP=0010:ffffffff88201290 EFER = 0x0000000000000d01 PAT = 0x0407050600070106 *** Control State *** PinBased=0000003f CPUBased=b5a06dfa SecondaryExec=000000e2 EntryControls=0000d1ff ExitControls=002fefff ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000 VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000 VMExit: intr_info=00000000 errcode=00000000 ilen=00000000 reason=80000021 qualification=0000000000000000 IDTVectoring: info=00000000 errcode=00000000 TSC Offset = 0xfffffeed781060a0 TPR Threshold = 0x00 EPT pointer = 0x00000000b405b01e Virtual processor ID = 0x0001 kauditd_printk_skb: 6 callbacks suppressed audit: type=1804 audit(1644292197.039:20): pid=17028 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir370046964/syzkaller.MmsCSh/316/file1/bus" dev="loop3" ino=9 res=1 overlayfs: unrecognized mount option "upperd" or missing value attempt to access beyond end of device loop3: rw=1048577, want=198, limit=87 attempt to access beyond end of device loop3: rw=1048577, want=230, limit=87 attempt to access beyond end of device loop3: rw=1, want=206, limit=87 netlink: 'syz-executor.2': attribute type 14 has an invalid length. audit: type=1804 audit(1644292197.829:21): pid=17164 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir370046964/syzkaller.MmsCSh/318/file1/bus" dev="loop3" ino=13 res=1 attempt to access beyond end of device loop3: rw=1, want=182, limit=87 attempt to access beyond end of device loop3: rw=1, want=222, limit=87