audit: type=1804 audit(1654773333.642:4): pid=10112 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.1" name="/root/syzkaller-testdir815931478/syzkaller.dA9GGN/34/file0" dev="sda1" ino=13914 res=1
8021q: adding VLAN 0 to HW filter on device batadv1
============================================
WARNING: possible recursive locking detected
4.14.282-syzkaller #0 Not tainted
--------------------------------------------
syz-executor.3/10049 is trying to acquire lock:
 (&(&bond->stats_lock)->rlock#2/2){+.+.}, at: [] bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457

but task is already holding lock:
 (&(&bond->stats_lock)->rlock#2/2){+.+.}, at: [] bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&bond->stats_lock)->rlock#2/2);
  lock(&(&bond->stats_lock)->rlock#2/2);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by syz-executor.3/10049:
 #0: (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline]
 #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317
 #1: (&(&bond->stats_lock)->rlock#2/2){+.+.}, at: [] bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457
 #2: (rcu_read_lock){....}, at: [] bond_get_nest_level drivers/net/bonding/bond_main.c:3446 [inline]
 #2: (rcu_read_lock){....}, at: [] bond_get_stats+0x9b/0x440 drivers/net/bonding/bond_main.c:3457

stack backtrace:
CPU: 1 PID: 10049 Comm: syz-executor.3 Not tainted 4.14.282-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_deadlock_bug kernel/locking/lockdep.c:1800 [inline]
 check_deadlock kernel/locking/lockdep.c:1847 [inline]
 validate_chain kernel/locking/lockdep.c:2448 [inline]
 __lock_acquire.cold+0x180/0x97c kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 _raw_spin_lock_nested+0x30/0x40 kernel/locking/spinlock.c:362
 bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457
 dev_get_stats+0xa5/0x280 net/core/dev.c:8019
 bond_get_stats+0x1da/0x440 drivers/net/bonding/bond_main.c:3463
 dev_get_stats+0xa5/0x280 net/core/dev.c:8019
 rtnl_fill_stats+0x48/0xa90 net/core/rtnetlink.c:1079
 rtnl_fill_ifinfo+0xe16/0x3050 net/core/rtnetlink.c:1385
 rtmsg_ifinfo_build_skb+0x8e/0x130 net/core/rtnetlink.c:2915
 rtmsg_ifinfo_event net/core/rtnetlink.c:2945 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:2936 [inline]
 rtnetlink_event+0xee/0x1a0 net/core/rtnetlink.c:4366
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 call_netdevice_notifiers net/core/dev.c:1683 [inline]
 netdev_features_change net/core/dev.c:1296 [inline]
 netdev_change_features+0x7e/0xa0 net/core/dev.c:7457
 bond_compute_features+0x444/0x860 drivers/net/bonding/bond_main.c:1122
 bond_slave_netdev_event drivers/net/bonding/bond_main.c:3191 [inline]
 bond_netdev_event+0x664/0xbd0 drivers/net/bonding/bond_main.c:3232
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 call_netdevice_notifiers net/core/dev.c:1683 [inline]
 netdev_features_change net/core/dev.c:1296 [inline]
 netdev_change_features+0x7e/0xa0 net/core/dev.c:7457
 bond_compute_features+0x444/0x860 drivers/net/bonding/bond_main.c:1122
 bond_enslave+0x37fb/0x4cf0 drivers/net/bonding/bond_main.c:1757
 do_set_master+0x19e/0x200 net/core/rtnetlink.c:1961
 rtnl_newlink+0x1356/0x1830 net/core/rtnetlink.c:2759
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f13c1ab6109
RSP: 002b:00007f13c042b168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f13c1bc8f60 RCX: 00007f13c1ab6109
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000008
RBP: 00007f13c1b100ad R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdfc7f51ff R14: 00007f13c042b300 R15: 0000000000022000
audit: type=1800 audit(1654773334.002:5): pid=10129 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="loop2" ino=3 res=0
audit: type=1804 audit(1654773334.002:6): pid=10129 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir1961452733/syzkaller.wEoCPU/44/file0/file0" dev="loop2" ino=3 res=1
audit: type=1804 audit(1654773334.002:7): pid=10129 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.2" name="/root/syzkaller-testdir1961452733/syzkaller.wEoCPU/44/file0/file0" dev="loop2" ino=3 res=1
bond1: Enslaving batadv1 as an active interface with an up link
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
syz-executor.3 (10049) used greatest stack depth: 23832 bytes left
audit: type=1800 audit(1654773334.952:8): pid=10146 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=13923 res=0
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.3'.
audit: type=1804 audit(1654773334.952:9): pid=10148 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.1" name="/root/syzkaller-testdir815931478/syzkaller.dA9GGN/35/file0" dev="sda1" ino=13923 res=1
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
audit: type=1800 audit(1654773335.252:10): pid=10163 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=13960 res=0
audit: type=1804 audit(1654773335.262:11): pid=10169 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir1961452733/syzkaller.wEoCPU/45/file0" dev="sda1" ino=13960 res=1
8021q: adding VLAN 0 to HW filter on device bond1
bond0: Enslaving bond1 as an active interface with an up link
8021q: adding VLAN 0 to HW filter on device batadv1
bond1: Enslaving batadv1 as an active interface with an up link
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.3'.
befs: Unrecognized mount option "!ríãb¯" or missing value
MTD: Attempt to mount non-MTD device "/dev/loop0"
romfs: VFS: Can't find a romfs filesystem on dev loop0.
8021q: adding VLAN 0 to HW filter on device batadv7
bond3: Enslaving batadv7 as an active interface with an up link
befs: Unrecognized mount option "!ríãb¯" or missing value
befs: Unrecognized mount option "!ríãb¯" or missing value
befs: Unrecognized mount option "!ríãb¯" or missing value
MTD: Attempt to mount non-MTD device "/dev/loop1"
romfs: VFS: Can't find a romfs filesystem on dev loop1.
befs: Unrecognized mount option "!ríãb¯" or missing value
gfs2: invalid mount option: quoTa_
gfs2: can't parse mount arguments
gfs2: invalid mount option: quoTa_
gfs2: can't parse mount arguments
MTD: Attempt to mount non-MTD device "/dev/loop1"
romfs: VFS: Can't find a romfs filesystem on dev loop1.
gfs2: invalid mount option: quoTa_
gfs2: can't parse mount arguments
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
gfs2: invalid mount option: quoTa_
befs: Unrecognized mount option "!ríãb¯" or missing value
gfs2: can't parse mount arguments
MTD: Attempt to mount non-MTD device "/dev/loop1"
romfs: VFS: Can't find a romfs filesystem on dev loop1.
hpfs: bad mount options.
hpfs: bad mount options.
befs: Unrecognized mount option "!ríãb¯" or missing value
hpfs: bad mount options.
befs: Unrecognized mount option "!ríãb¯" or missing value
befs: Unrecognized mount option "!ríãb¯" or missing value
F2FS-fs (loop4): Unable to read 2th superblock
attempt to access beyond end of device
loop4: rw=12288, want=4104, limit=10
befs: Unrecognized mount option "!ríãb¯" or missing value
F2FS-fs (loop4): invalid crc value
attempt to access beyond end of device
loop4: rw=12288, want=8200, limit=10
F2FS-fs (loop4): invalid crc value
F2FS-fs (loop4): Failed to get valid F2FS checkpoint
F2FS-fs (loop4): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop4): Can't find valid F2FS filesystem in 2th superblock
attempt to access beyond end of device
loop4: rw=12288, want=4104, limit=10
F2FS-fs (loop4): invalid crc value
attempt to access beyond end of device
loop4: rw=12288, want=8200, limit=10
F2FS-fs (loop4): invalid crc value
F2FS-fs (loop4): Failed to get valid F2FS checkpoint
kauditd_printk_skb: 42 callbacks suppressed
audit: type=1800 audit(1654773339.832:54): pid=11014 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13994 res=0
F2FS-fs (loop4): Unable to read 2th superblock
attempt to access beyond end of device
loop4: rw=12288, want=4104, limit=10
attempt to access beyond end of device
loop4: rw=12288, want=8200, limit=10
attempt to access beyond end of device
loop4: rw=12288, want=4104, limit=10
attempt to access beyond end of device
loop4: rw=12288, want=8200, limit=10
XFS (loop2): unknown mount option [º].
netlink: 91 bytes leftover after parsing attributes in process `syz-executor.2'.
tc_ctl_action: received NO action attribs
attempt to access beyond end of device
loop4: rw=12288, want=4104, limit=10
attempt to access beyond end of device
loop4: rw=12288, want=8200, limit=10
attempt to access beyond end of device
loop4: rw=12288, want=4104, limit=10
attempt to access beyond end of device
loop4: rw=12288, want=8200, limit=10
arp_tables: arptables: counters copy to user failed while replacing table
arp_tables: arp_tables: error: 'ÝÙ¤äêú7|šr]ý18Wx»)Ï!ÛõHq'
audit: type=1800 audit(1654773340.682:55): pid=11115 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13993 res=0
arp_tables: arptables: counters copy to user failed while replacing table
arp_tables: arp_tables: error: 'ÝÙ¤äêú7|šr]ý18Wx»)Ï!ÛõHq'
XFS (loop2): unknown mount option [º].
netlink: 91 bytes leftover after parsing attributes in process `syz-executor.2'.
tc_ctl_action: received NO action attribs
netlink: 91 bytes leftover after parsing attributes in process `syz-executor.2'.
tc_ctl_action: received NO action attribs
arp_tables: arptables: counters copy to user failed while replacing table
arp_tables: arp_tables: error: 'ÝÙ¤äêú7|šr]ý18Wx»)Ï!ÛõHq'
XFS (loop2): unknown mount option [º].
netlink: 91 bytes leftover after parsing attributes in process `syz-executor.2'.
tc_ctl_action: received NO action attribs
arp_tables: arptables: counters copy to user failed while replacing table
arp_tables: arp_tables: error: 'ÝÙ¤äêú7|šr]ý18Wx»)Ï!ÛõHq'
XFS (loop4): unknown mount option [º].
audit: type=1800 audit(1654773341.542:56): pid=11251 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14036 res=0
befs: Unrecognized mount option "!ríãb¯" or missing value
netlink: 91 bytes leftover after parsing attributes in process `syz-executor.4'.
tc_ctl_action: received NO action attribs
befs: Unrecognized mount option "!ríãb¯" or missing value
befs: Unrecognized mount option "!ríãb¯" or missing value
befs: (loop1): cannot parse mount options
EXT4-fs (loop5): Ignoring removed bh option
EXT4-fs (loop5): mounted filesystem without journal. Opts: resgid=0x0000000000000000,norecovery,nojournal_checksum,inode_readahead_blks=0x0000000002000000,bh,noquota,,errors=continue
XFS (loop4): unknown mount option [º].
netlink: 91 bytes leftover after parsing attributes in process `syz-executor.4'.
tc_ctl_action: received NO action attribs
EXT4-fs (loop5): Ignoring removed bh option
EXT4-fs (loop5): mounted filesystem without journal. Opts: resgid=0x0000000000000000,norecovery,nojournal_checksum,inode_readahead_blks=0x0000000002000000,bh,noquota,,errors=continue
befs: (loop1): No write support. Marking filesystem read-only
befs: (loop1): invalid magic header
EXT4-fs (loop5): Ignoring removed bh option
EXT4-fs (loop5): mounted filesystem without journal. Opts: resgid=0x0000000000000000,norecovery,nojournal_checksum,inode_readahead_blks=0x0000000002000000,bh,noquota,,errors=continue
XFS (loop4): unknown mount option [º].
netlink: 91 bytes leftover after parsing attributes in process `syz-executor.4'.
tc_ctl_action: received NO action attribs
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
EXT4-fs (loop2): Ignoring removed bh option
CPU: 0 PID: 11520 Comm: syz-executor.5 Not tainted 4.14.282-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0x10a/0x149 lib/fault-inject.c:149
 should_failslab+0xd6/0x130 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3376 [inline]
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x2c1/0x400 mm/slab.c:3729
 kmalloc include/linux/slab.h:493 [inline]
 SYSC_memfd_create mm/shmem.c:3754 [inline]
 SyS_memfd_create+0xbc/0x3c0 mm/shmem.c:3724
EXT4-fs (loop2): mounted filesystem without journal. Opts: resgid=0x0000000000000000,norecovery,nojournal_checksum,inode_readahead_blks=0x0000000002000000,bh,noquota,,errors=continue
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f7c043ed109
RSP: 002b:00007f7c02d61f28 EFLAGS: 00000246 ORIG_RAX: 000000000000013f
RAX: ffffffffffffffda RBX: 0000000020000280 RCX: 00007f7c043ed109
RDX: 00007f7c02d61fe0 RSI: 0000000000000000 RDI: 00007f7c0444620e
RBP: 0000000000000000 R08: 00007f7c02d61fd8 R09: 00007f7c02d621d0
R10: 00007f7c02d61fdc R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000040 R14: 0000000000000000 R15: 0000000020000080
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 11567 Comm: syz-executor.5 Not tainted 4.14.282-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
MTD: Attempt to mount non-MTD device "/dev/loop2"
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0x10a/0x149 lib/fault-inject.c:149
 should_failslab+0xd6/0x130 mm/failslab.c:32
romfs: Mounting image 'rom 5f663c08' through the block layer
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3376 [inline]
 kmem_cache_alloc+0x28e/0x3c0 mm/slab.c:3550
 __d_alloc+0x2a/0xa20 fs/dcache.c:1623
 __shmem_file_setup.part.0+0xcb/0x3c0 mm/shmem.c:4276
 __shmem_file_setup mm/shmem.c:4264 [inline]
 shmem_file_setup mm/shmem.c:4331 [inline]
 SYSC_memfd_create mm/shmem.c:3784 [inline]
 SyS_memfd_create+0x1fc/0x3c0 mm/shmem.c:3724
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
XFS (loop4): unknown mount option [º].
RIP: 0033:0x7f7c043ed109
RSP: 002b:00007f7c02d61f28 EFLAGS: 00000246 ORIG_RAX: 000000000000013f
RAX: ffffffffffffffda RBX: 0000000020000280 RCX: 00007f7c043ed109
RDX: 00007f7c02d61fe0 RSI: 0000000000000000 RDI: 00007f7c0444620e
RBP: 0000000000000000 R08: 00007f7c02d61fd8 R09: 00007f7c02d621d0
audit: type=1800 audit(1654773344.072:57): pid=11576 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.2" name="file0" dev="loop2" ino=128 res=0
R10: 00007f7c02d61fdc R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000040 R14: 0000000000000000 R15: 0000000020000080
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0