IPVS: ftp: loaded support on port[0] = 21

======================================================
WARNING: possible circular locking dependency detected
4.19.195-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u4:0/7 is trying to acquire lock:
000000003bcecf5b ((wq_completion)"events"){+.+.}, at: flush_workqueue+0xe8/0x13e0 kernel/workqueue.c:2658

but task is already holding lock:
000000001b539df9 (pernet_ops_rwsem){++++}, at: cleanup_net+0xa8/0x8b0 net/core/net_namespace.c:520

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (pernet_ops_rwsem){++++}:
       unregister_netdevice_notifier+0x7b/0x330 net/core/dev.c:1708
       bcm_release+0x94/0x700 net/can/bcm.c:1525
       __sock_release+0xcd/0x2a0 net/socket.c:579
       sock_close+0x15/0x20 net/socket.c:1140
       __fput+0x2ce/0x890 fs/file_table.c:278
       task_work_run+0x148/0x1c0 kernel/task_work.c:113
       get_signal+0x1b64/0x1f70 kernel/signal.c:2400
       do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
       exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
       prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
       do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #2 (&sb->s_type->i_mutex_key#13){+.+.}:
       inode_lock include/linux/fs.h:748 [inline]
       __sock_release+0x86/0x2a0 net/socket.c:578
       sock_close+0x15/0x20 net/socket.c:1140
       __fput+0x2ce/0x890 fs/file_table.c:278
       delayed_fput+0x56/0x70 fs/file_table.c:304
       process_one_work+0x864/0x1570 kernel/workqueue.c:2153
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #1 ((delayed_fput_work).work){+.+.}:
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #0 ((wq_completion)"events"){+.+.}:
       flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661
       flush_scheduled_work include/linux/workqueue.h:599 [inline]
       tipc_exit_net+0x38/0x60 net/tipc/core.c:100
       ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
       cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
       process_one_work+0x864/0x1570 kernel/workqueue.c:2153
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

other info that might help us debug this:

Chain exists of:
  (wq_completion)"events" --> &sb->s_type->i_mutex_key#13 --> pernet_ops_rwsem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(pernet_ops_rwsem);
                               lock(&sb->s_type->i_mutex_key#13);
                               lock(pernet_ops_rwsem);
  lock((wq_completion)"events");

 *** DEADLOCK ***

3 locks held by kworker/u4:0/7:
 #0: 0000000018fff679 ((wq_completion)"%s""netns"){+.+.}, at: process_one_work+0x767/0x1570 kernel/workqueue.c:2124
 #1: 000000004992e05b (net_cleanup_work){+.+.}, at: process_one_work+0x79c/0x1570 kernel/workqueue.c:2128
 #2: 000000001b539df9 (pernet_ops_rwsem){++++}, at: cleanup_net+0xa8/0x8b0 net/core/net_namespace.c:520

stack backtrace:
CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 4.19.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 flush_workqueue+0x117/0x13e0 kernel/workqueue.c:2661
 flush_scheduled_work include/linux/workqueue.h:599 [inline]
 tipc_exit_net+0x38/0x60 net/tipc/core.c:100
 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
ipt_CLUSTERIP: bad local_nodes[1] 0
audit: type=1804 audit(1624914920.319:12): pid=10300 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir145384670/syzkaller.Qi5STH/10/cgroup.controllers" dev="sda1" ino=13936 res=1
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
overlayfs: unrecognized mount option "smackfsfloor=hBhö»¬xù©}§]‹†*L" or missing value
overlayfs: unrecognized mount option "red" or missing value
overlayfs: maximum fs stacking depth exceeded
overlayfs: filesystem on './bus' not supported as upperdir
overlayfs: unrecognized mount option "smackfsfloor=hBhö»¬xù©}§]‹†*L" or missing value
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
serio: Serial port pts0
serio: Serial port pts0
IPv6: sit1: Disabled Multicast RS
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
MTD: Attempt to mount non-MTD device "/dev/loop5"
romfs: Mounting image 'rom 5f663c08' through the block layer
audit: type=1800 audit(1624914922.210:13): pid=10459 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.5" name="file0" dev="loop5" ino=128 res=0
overlayfs: './file0' not a directory
overlayfs: './file0' not a directory
overlayfs: 'file0' not a directory
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.5'.
ptrace attach of "/root/syz-executor.4"[8117] was attempted by "/root/syz-executor.4"[10522]
REISERFS (device loop5): found reiserfs format "3.5" with non-standard journal
REISERFS warning (device loop5): reiserfs_fill_super: Filesystem cannot be mounted because it is bigger than the device
REISERFS warning (device loop5): reiserfs_fill_super: You may need to run fsck or increase size of your LVM partition
REISERFS warning (device loop5): reiserfs_fill_super: Or may be you forgot to reboot after fdisk when it told you to
REISERFS (device loop5): found reiserfs format "3.5" with non-standard journal
REISERFS warning (device loop5): reiserfs_fill_super: Filesystem cannot be mounted because it is bigger than the device
REISERFS warning (device loop5): reiserfs_fill_super: You may need to run fsck or increase size of your LVM partition
REISERFS warning (device loop5): reiserfs_fill_super: Or may be you forgot to reboot after fdisk when it told you to
ptrace attach of "/root/syz-executor.4"[8117] was attempted by "/root/syz-executor.4"[10554]
IPVS: ftp: loaded support on port[0] = 21
ptrace attach of "/root/syz-executor.4"[8117] was attempted by "/root/syz-executor.4"[10570]
ptrace attach of "/root/syz-executor.3"[8115] was attempted by "/root/syz-executor.3"[10583]
overlayfs: failed to create directory ./file1/work (errno: 13); mounting read-only
overlayfs: filesystem on './bus' not supported as upperdir
IPVS: ftp: loaded support on port[0] = 21
device wlan1 entered promiscuous mode
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
overlayfs: missing 'lowerdir'
overlayfs: failed to resolve './file1': -2
EXT4-fs (loop4): Unrecognized mount option "" or missing value
overlayfs: missing 'lowerdir'
overlayfs: workdir and upperdir must reside under the same mount
audit: type=1804 audit(1624914926.550:14): pid=10716 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.3" name="/root/syzkaller-testdir145384670/syzkaller.Qi5STH/19/bus/file0" dev="overlay" ino=14040 res=1
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
audit: type=1326 audit(1624914926.630:15): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=10717 comm="syz-executor.0" exe="/root/syz-executor.0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x4665d9 code=0x7ffc0000
audit: type=1326 audit(1624914926.630:16): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=10717 comm="syz-executor.0" exe="/root/syz-executor.0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x4665d9 code=0x7ffc0000
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
audit: type=1326 audit(1624914926.640:17): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=10717 comm="syz-executor.0" exe="/root/syz-executor.0" sig=0 arch=c000003e syscall=298 compat=0 ip=0x4665d9 code=0x7ffc0000
audit: type=1326 audit(1624914926.640:18): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=10717 comm="syz-executor.0" exe="/root/syz-executor.0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x4665d9 code=0x7ffc0000
audit: type=1326 audit(1624914926.640:19): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=10717 comm="syz-executor.0" exe="/root/syz-executor.0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x4665d9 code=0x7ffc0000
audit: type=1326 audit(1624914926.640:20): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=10717 comm="syz-executor.0" exe="/root/syz-executor.0" sig=0 arch=c000003e syscall=41 compat=0 ip=0x4665d9 code=0x7ffc0000
audit: type=1326 audit(1624914926.640:21): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=10717 comm="syz-executor.0" exe="/root/syz-executor.0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x4665d9 code=0x7ffc0000
audit: type=1326 audit(1624914926.640:22): auid=4294967295 uid=0 gid=0 ses=4294967295 subj==unconfined pid=10717 comm="syz-executor.0" exe="/root/syz-executor.0" sig=0 arch=c000003e syscall=285 compat=0 ip=0x4665d9 code=0x7ffc0000
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
hpfs: bad mount options.
hpfs: bad mount options.
capability: warning: `syz-executor.3' uses deprecated v2 capabilities in a way that may be insecure
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
kauditd_printk_skb: 50 callbacks suppressed
audit: type=1804 audit(1624914928.530:73): pid=10849 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir090119711/syzkaller.dCNolV/36/file0/bus" dev="sda1" ino=14057 res=1
audit: type=1804 audit(1624914928.620:74): pid=10849 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.4" name="/root/syzkaller-testdir090119711/syzkaller.dCNolV/36/file0/file0/bus" dev="sda1" ino=14059 res=1
semctl(GETNCNT/GETZCNT) is since 3.16 Single Unix Specification compliant.
The task syz-executor.4 (10878) triggered the difference, watch for misbehavior.
FAT-fs (loop4): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop4): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
new mount options do not match the existing superblock, will be ignored
MTD: Attempt to mount non-MTD device "/dev/loop4"
cramfs: Error -3 while decompressing!
cramfs: 0000000011d3bd3a(27)->0000000066b75827(4096)
cramfs: Error -3 while decompressing!
cramfs: 0000000011d3bd3a(27)->0000000066b75827(4096)
audit: type=1800 audit(1624914929.500:75): pid=10905 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.4" name="file0" dev="loop4" ino=244 res=0
new mount options do not match the existing superblock, will be ignored