====================================================== WARNING: possible circular locking dependency detected 4.14.292-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.5/9656 is trying to acquire lock: ((&strp->work)){+.+.}, at: [] flush_work+0x88/0x770 kernel/workqueue.c:2887 but task is already holding lock: (sk_lock-AF_INET){+.+.}, at: [] lock_sock include/net/sock.h:1473 [inline] (sk_lock-AF_INET){+.+.}, at: [] kcm_attach net/kcm/kcmsock.c:1390 [inline] (sk_lock-AF_INET){+.+.}, at: [] kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline] (sk_lock-AF_INET){+.+.}, at: [] kcm_ioctl+0x328/0xfb0 net/kcm/kcmsock.c:1701 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (sk_lock-AF_INET){+.+.}: lock_sock_nested+0xb7/0x100 net/core/sock.c:2813 do_strp_work net/strparser/strparser.c:415 [inline] strp_work+0x3e/0x100 net/strparser/strparser.c:434 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251 kthread+0x30d/0x420 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 -> #0 ((&strp->work)){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 flush_work+0xad/0x770 kernel/workqueue.c:2890 __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2965 strp_done+0x53/0xd0 net/strparser/strparser.c:519 kcm_attach net/kcm/kcmsock.c:1429 [inline] kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline] kcm_ioctl+0x828/0xfb0 net/kcm/kcmsock.c:1701 sock_do_ioctl net/socket.c:974 [inline] sock_ioctl+0x2cc/0x4c0 net/socket.c:1071 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sk_lock-AF_INET); lock((&strp->work)); lock(sk_lock-AF_INET); lock((&strp->work)); *** DEADLOCK *** 1 lock held by syz-executor.5/9656: #0: (sk_lock-AF_INET){+.+.}, at: [] lock_sock include/net/sock.h:1473 [inline] #0: (sk_lock-AF_INET){+.+.}, at: [] kcm_attach net/kcm/kcmsock.c:1390 [inline] #0: (sk_lock-AF_INET){+.+.}, at: [] kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline] #0: (sk_lock-AF_INET){+.+.}, at: [] kcm_ioctl+0x328/0xfb0 net/kcm/kcmsock.c:1701 stack backtrace: CPU: 0 PID: 9656 Comm: syz-executor.5 Not tainted 4.14.292-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 flush_work+0xad/0x770 kernel/workqueue.c:2890 __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2965 strp_done+0x53/0xd0 net/strparser/strparser.c:519 kcm_attach net/kcm/kcmsock.c:1429 [inline] kcm_attach_ioctl net/kcm/kcmsock.c:1490 [inline] kcm_ioctl+0x828/0xfb0 net/kcm/kcmsock.c:1701 sock_do_ioctl net/socket.c:974 [inline] sock_ioctl+0x2cc/0x4c0 net/socket.c:1071 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7fb918194279 RSP: 002b:00007fb916b09168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fb9182a6f80 RCX: 00007fb918194279 RDX: 0000000020000200 RSI: 00000000000089e0 RDI: 0000000000000005 RBP: 00007fb9181ee2e9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc8555390f R14: 00007fb916b09300 R15: 0000000000022000 syz-executor.0 (9642) used greatest stack depth: 23984 bytes left L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. device team0 entered promiscuous mode autofs4:pid:9834:check_dev_ioctl_version: ioctl control interface version mismatch: kernel(1.1), user(1.768), cmd(0xc0189376) device team_slave_0 entered promiscuous mode autofs4:pid:9834:validate_dev_ioctl: invalid device control module version supplied for cmd(0xc0189376) device team_slave_1 entered promiscuous mode device geneve2 entered promiscuous mode device team0 left promiscuous mode device team_slave_0 left promiscuous mode device team_slave_1 left promiscuous mode audit: type=1804 audit(1662395507.039:2): pid=9895 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.1" name="/root/syzkaller-testdir1420252434/syzkaller.lDxDHS/17/bus" dev="sda1" ino=13961 res=1 device geneve2 entered promiscuous mode device geneve2 entered promiscuous mode device team0 entered promiscuous mode device team_slave_0 entered promiscuous mode device team_slave_1 entered promiscuous mode device team0 left promiscuous mode device team_slave_0 left promiscuous mode device team_slave_1 left promiscuous mode device geneve2 entered promiscuous mode device geneve2 entered promiscuous mode device geneve2 entered promiscuous mode device geneve2 entered promiscuous mode syz-executor.5 (9948) used greatest stack depth: 23776 bytes left can: request_module (can-proto-6) failed. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. overlayfs: fs on 'file0' does not support file handles, falling back to index=off. Dev loop5: unable to read RDB block 7 loop5: unable to read partition table loop5: partition table beyond EOD, truncated loop_reread_partitions: partition scan of loop5 () failed (rc=-5) overlayfs: fs on 'file0' does not support file handles, falling back to index=off. ufs: ufs was compiled with read-only support, can't be mounted as read-write Dev loop5: unable to read RDB block 7 loop5: unable to read partition table overlayfs: fs on 'file0' does not support file handles, falling back to index=off. loop5: partition table beyond EOD, truncated loop_reread_partitions: partition scan of loop5 () failed (rc=-5) audit: type=1804 audit(1662395509.949:3): pid=10363 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.1" name="/root/syzkaller-testdir1420252434/syzkaller.lDxDHS/32/bus" dev="sda1" ino=13983 res=1 audit: type=1800 audit(1662395509.949:4): pid=10363 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="sda1" ino=13983 res=0 [U] ^@ Bluetooth: Wrong link type (-22) print_req_error: I/O error, dev loop3, sector 0 syz-executor.3 uses obsolete (PF_INET,SOCK_PACKET) audit: type=1804 audit(1662395511.489:5): pid=10646 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir2917703120/syzkaller.lVFAF5/56/file0" dev="sda1" ino=13884 res=1 EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue audit: type=1804 audit(1662395511.489:6): pid=10646 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir2917703120/syzkaller.lVFAF5/56/file0" dev="sda1" ino=13884 res=1 EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue audit: type=1804 audit(1662395511.729:7): pid=10695 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3401857874/syzkaller.4pacxR/61/file0" dev="sda1" ino=14008 res=1 audit: type=1800 audit(1662395511.729:8): pid=10695 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=14008 res=0 EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue audit: type=1804 audit(1662395511.869:9): pid=10731 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3401857874/syzkaller.4pacxR/62/file0" dev="sda1" ino=13968 res=1 audit: type=1800 audit(1662395511.899:10): pid=10731 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=13968 res=0 EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue audit: type=1804 audit(1662395512.089:11): pid=10780 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3401857874/syzkaller.4pacxR/63/file0" dev="sda1" ino=14017 res=1 audit: type=1800 audit(1662395512.089:12): pid=10780 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=14017 res=0 rfkill: input handler disabled rfkill: input handler enabled audit: type=1804 audit(1662395512.279:13): pid=10809 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir3401857874/syzkaller.4pacxR/64/file0" dev="sda1" ino=13966 res=1 x_tables: ip_tables: l2tp match: used from hooks POSTROUTING, but only valid from PREROUTING/INPUT/FORWARD/OUTPUT audit: type=1800 audit(1662395512.279:14): pid=10809 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=13966 res=0 netlink: 84 bytes leftover after parsing attributes in process `syz-executor.5'. device batadv0 entered promiscuous mode device batadv0 left promiscuous mode PM: Marking nosave pages: [mem 0x00000000-0x00000fff] PM: Marking nosave pages: [mem 0x0009f000-0x000fffff] device batadv0 entered promiscuous mode PM: Marking nosave pages: [mem 0xbfffd000-0xffffffff] device batadv0 left promiscuous mode PM: Basic memory bitmaps created PM: Basic memory bitmaps freed device batadv0 entered promiscuous mode device batadv0 left promiscuous mode device batadv0 entered promiscuous mode device batadv0 left promiscuous mode netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'. bridge: RTM_NEWNEIGH bridge1 with NTF_USE is not supported netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.3'. bridge: RTM_NEWNEIGH bridge2 with NTF_USE is not supported bridge: RTM_NEWNEIGH bridge1 with NTF_USE is not supported netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'. bridge: RTM_NEWNEIGH bridge3 with NTF_USE is not supported bridge: RTM_NEWNEIGH bridge2 with NTF_USE is not supported bridge: RTM_NEWNEIGH bridge4 with NTF_USE is not supported bridge: RTM_NEWNEIGH bridge3 with NTF_USE is not supported