IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
audit: type=1400 audit(1559406269.108:38): avc: denied { associate } for pid=7781 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
============================================
WARNING: possible recursive locking detected
4.19.47 #19 Not tainted
--------------------------------------------
syz-executor.0/8271 is trying to acquire lock:
000000000277713c (_xmit_ETHER#2){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
000000000277713c (_xmit_ETHER#2){+.-.}, at: __netif_tx_lock include/linux/netdevice.h:3798 [inline]
000000000277713c (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x2de/0xfa0 net/sched/sch_generic.c:325

but task is already holding lock:
000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: __netif_tx_lock include/linux/netdevice.h:3798 [inline]
000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x2de/0xfa0 net/sched/sch_generic.c:325

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(_xmit_ETHER#2);
  lock(_xmit_ETHER#2);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

9 locks held by syz-executor.0/8271:
 #0: 00000000d16eb40f (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
 #0: 00000000d16eb40f (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2b0/0x1760 net/ipv4/ip_output.c:213
 #1: 00000000d16eb40f (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x214/0x3010 net/core/dev.c:3777
 #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: spin_trylock include/linux/spinlock.h:339 [inline]
 #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: qdisc_run_begin include/net/sch_generic.h:130 [inline]
 #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: qdisc_run include/net/pkt_sched.h:119 [inline]
 #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3452 [inline]
 #2: 0000000067133d5f (&(&sch->seqlock)->rlock){+...}, at: __dev_queue_xmit+0x28cf/0x3010 net/core/dev.c:3811
 #3: 00000000ff114ac1 (dev->qdisc_running_key ?: &qdisc_running_key){+...}, at: dev_queue_xmit+0x18/0x20 net/core/dev.c:3876
 #4: 000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: spin_lock include/linux/spinlock.h:329 [inline]
 #4: 000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: __netif_tx_lock include/linux/netdevice.h:3798 [inline]
 #4: 000000006d93c4d7 (_xmit_ETHER#2){+.-.}, at: sch_direct_xmit+0x2de/0xfa0 net/sched/sch_generic.c:325
 #5: 00000000d16eb40f (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
 #5: 00000000d16eb40f (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2b0/0x1760 net/ipv4/ip_output.c:213
 #6: 00000000d16eb40f (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x214/0x3010 net/core/dev.c:3777
 #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: spin_trylock include/linux/spinlock.h:339 [inline]
 #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: qdisc_run_begin include/net/sch_generic.h:130 [inline]
 #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: qdisc_run include/net/pkt_sched.h:119 [inline]
 #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3452 [inline]
 #7: 000000006e2d0b56 (&(&sch->seqlock)->rlock){+...}, at: __dev_queue_xmit+0x28cf/0x3010 net/core/dev.c:3811
 #8: 000000002f6d49b4 (dev->qdisc_running_key ?: &qdisc_running_key){+...}, at: dev_queue_xmit+0x18/0x20 net/core/dev.c:3876

stack backtrace:
CPU: 0 PID: 8271 Comm: syz-executor.0 Not tainted 4.19.47 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_deadlock_bug kernel/locking/lockdep.c:1759 [inline]
 check_deadlock kernel/locking/lockdep.c:1803 [inline]
 validate_chain kernel/locking/lockdep.c:2399 [inline]
 __lock_acquire.cold+0x135/0x4a1 kernel/locking/lockdep.c:3411
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3900
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 __netif_tx_lock include/linux/netdevice.h:3798 [inline]
 sch_direct_xmit+0x2de/0xfa0 net/sched/sch_generic.c:325
 qdisc_restart net/sched/sch_generic.c:390 [inline]
 __qdisc_run+0x57f/0x1960 net/sched/sch_generic.c:398
 qdisc_run include/net/pkt_sched.h:120 [inline]
 qdisc_run include/net/pkt_sched.h:117 [inline]
 __dev_xmit_skb net/core/dev.c:3452 [inline]
 __dev_queue_xmit+0x228d/0x3010 net/core/dev.c:3811
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3876
 neigh_resolve_output net/core/neighbour.c:1366 [inline]
 neigh_resolve_output+0x5b7/0x980 net/core/neighbour.c:1346
 neigh_output include/net/neighbour.h:501 [inline]
 ip_finish_output2+0x93d/0x1760 net/ipv4/ip_output.c:229
 ip_do_fragment+0x933/0x2570 net/ipv4/ip_output.c:814
 ip_fragment.constprop.0+0x176/0x240 net/ipv4/ip_output.c:550
 ip_finish_output+0x5f8/0xd20 net/ipv4/ip_output.c:315
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_mc_output+0x298/0xf70 net/ipv4/ip_output.c:390
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0xbb/0x1b0 net/ipv4/ip_output.c:124
 iptunnel_xmit+0x5c5/0x9b0 net/ipv4/ip_tunnel_core.c:91
 ip_tunnel_xmit+0x1250/0x36ce net/ipv4/ip_tunnel.c:778
 __gre_xmit+0x5e1/0x9a0 net/ipv4/ip_gre.c:450
 erspan_xmit+0xa26/0x2b50 net/ipv4/ip_gre.c:759
 __netdev_start_xmit include/linux/netdevice.h:4303 [inline]
 netdev_start_xmit include/linux/netdevice.h:4312 [inline]
 xmit_one net/core/dev.c:3257 [inline]
 dev_hard_start_xmit+0x1a5/0x980 net/core/dev.c:3273
 sch_direct_xmit+0x370/0xfa0 net/sched/sch_generic.c:327
 qdisc_restart net/sched/sch_generic.c:390 [inline]
 __qdisc_run+0x57f/0x1960 net/sched/sch_generic.c:398
 qdisc_run include/net/pkt_sched.h:120 [inline]
 qdisc_run include/net/pkt_sched.h:117 [inline]
 __dev_xmit_skb net/core/dev.c:3452 [inline]
 __dev_queue_xmit+0x228d/0x3010 net/core/dev.c:3811
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3876
 neigh_resolve_output net/core/neighbour.c:1366 [inline]
 neigh_resolve_output+0x5b7/0x980 net/core/neighbour.c:1346
 neigh_output include/net/neighbour.h:501 [inline]
 ip_finish_output2+0x93d/0x1760 net/ipv4/ip_output.c:229
 ip_do_fragment+0x1d8c/0x2570 net/ipv4/ip_output.c:679
 ip_fragment.constprop.0+0x176/0x240 net/ipv4/ip_output.c:550
 ip_finish_output+0x5f8/0xd20 net/ipv4/ip_output.c:315
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_mc_output+0x298/0xf70 net/ipv4/ip_output.c:390
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0xbb/0x1b0 net/ipv4/ip_output.c:124
 ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1442
 udp_send_skb.isra.0+0x6bb/0x11f0 net/ipv4/udp.c:837
 udp_sendmsg+0x1e07/0x25f0 net/ipv4/udp.c:1124
 inet_sendmsg+0x141/0x5d0 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:632
 __sys_sendto+0x262/0x380 net/socket.c:1787
 __do_sys_sendto net/socket.c:1799 [inline]
 __se_sys_sendto net/socket.c:1795 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1795
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f73bba6cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000459279
RDX: 00000000000005aa RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000120
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f73bba6d6d4
R13: 00000000004c6d91 R14: 00000000004dbc28 R15: 00000000ffffffff
syz-executor.0 (8271) used greatest stack depth: 22432 bytes left
kobject: 'loop0' (0000000021632b4c): kobject_uevent_env
kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0'
kobject: 'loop0' (0000000021632b4c): kobject_uevent_env
kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0'
kobject: 'loop0' (0000000021632b4c): kobject_uevent_env
kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0'
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
NET: Registered protocol family 30
Failed to register TIPC socket type
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
list_add double add: new=ffffffff892e7630, prev=ffffffff890f3140, next=ffffffff892e7630.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:29!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8445 Comm: syz-executor.3 Not tainted 4.19.47 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kobject: 'loop0' (0000000021632b4c): kobject_uevent_env
RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29
Code: 56 ff ff ff 4c 89 e1 48 c7 c7 a0 ae 81 87 e8 d0 f3 30 fe 0f 0b 48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 e0 af 81 87 e8 b9 f3 30 fe <0f> 0b 48 89 f1 48 c7 c7 60 af 81 87 4c 89 e6 e8 a5 f3 30 fe 0f 0b
RSP: 0018:ffff88808791fb88 EFLAGS: 00010282
RAX: 0000000000000058 RBX: ffffffff892e74a0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81559f66 RDI: ffffed1010f23f63
RBP: ffff88808791fba0 R08: 0000000000000058 R09: ffffed1015d03ee3
kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0'
R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: ffffffff892e7630
R13: ffffffff892e7630 R14: ffffffff892e7630 R15: ffffffff892e75d0
FS: 0000000001c8f940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000a75e58 CR3: 000000007f673000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_add include/linux/list.h:60 [inline]
 list_add include/linux/list.h:79 [inline]
 proto_register+0x459/0x8e0 net/core/sock.c:3299
 tipc_socket_init+0x1c/0x70 net/tipc/socket.c:3157
 tipc_init_net+0x2ed/0x570 net/tipc/core.c:69
 ops_init+0xb3/0x410 net/core/net_namespace.c:129
 setup_net+0x2d3/0x740 net/core/net_namespace.c:315
 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:438
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x440/0x980 kernel/fork.c:2525
 __do_sys_unshare kernel/fork.c:2593 [inline]
 __se_sys_unshare kernel/fork.c:2591 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2591
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45bd47
Code: 00 00 00 b8 63 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d 8d fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 fd 8c fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcc3d777f8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 000000000075c9a8 RCX: 000000000045bd47
RDX: 0000000000000000 RSI: 00007ffcc3d777a0 RDI: 0000000040000000
RBP: 00000000000000f8 R08: 0000000000000000 R09: 0000000000000005
R10: 0000000000000000 R11: 0000000000000206 R12: 000000000075c9a8
R13: 00007ffcc3d77a68 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace a22065e820f89287 ]---
RIP: 0010:__list_add_valid.cold+0x26/0x3c lib/list_debug.c:29
Code: 56 ff ff ff 4c 89 e1 48 c7 c7 a0 ae 81 87 e8 d0 f3 30 fe 0f 0b 48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 e0 af 81 87 e8 b9 f3 30 fe <0f> 0b 48 89 f1 48 c7 c7 60 af 81 87 4c 89 e6 e8 a5 f3 30 fe 0f 0b
RSP: 0018:ffff88808791fb88 EFLAGS: 00010282
kobject: 'loop0' (0000000021632b4c): kobject_uevent_env
RAX: 0000000000000058 RBX: ffffffff892e74a0 RCX: 0000000000000000
kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0'
RDX: 0000000000000000 RSI: ffffffff81559f66 RDI: ffffed1010f23f63
RBP: ffff88808791fba0 R08: 0000000000000058 R09: ffffed1015d03ee3
R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: ffffffff892e7630
kobject: 'loop0' (0000000021632b4c): kobject_uevent_env
R13: ffffffff892e7630 R14: ffffffff892e7630 R15: ffffffff892e75d0
kobject: 'loop0' (0000000021632b4c): fill_kobj_path: path = '/devices/virtual/block/loop0'
FS: 0000000001c8f940(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffefcaf3f8c CR3: 000000007f673000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400