bisecting cause commit starting from 2b3e981a94d876ae4f05db28b9ac6a85a80c7633 building syzkaller on 8516f6d3332fc21083e2adae55114a022fcc2b9b testing commit 2b3e981a94d876ae4f05db28b9ac6a85a80c7633 with gcc (GCC) 8.1.0 kernel signature: c03e78667686f72ebdb815be4f41ca19948755ec2c43c7751e77a16a15b733f3 run #0: crashed: INFO: task hung in crda_timeout_work run #1: crashed: INFO: task hung in crda_timeout_work run #2: crashed: INFO: task hung in reg_todo run #3: crashed: INFO: task hung in linkwatch_event run #4: crashed: INFO: task hung in linkwatch_event run #5: crashed: INFO: task hung in addrconf_dad_work run #6: crashed: INFO: task hung in addrconf_dad_work run #7: crashed: INFO: task hung in addrconf_dad_work run #8: crashed: INFO: task hung in addrconf_dad_work run #9: crashed: INFO: task hung in addrconf_dad_work testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: e8c355fc6948667c8764ec736c81b2bbe06c652af285fdba628e149564d82ccf run #0: boot failed: can't ssh into the instance run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect start 2b3e981a94d876ae4f05db28b9ac6a85a80c7633 bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 7401 revisions left to test after this (roughly 13 steps) [47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0 kernel signature: 78395453f5f118ddb3992dd5b9c7612cd0f0992fb2ee27b1a1e1da00e5c430f8 all runs: OK # git bisect good 47ec5303d73ea344e84f46660fff693c57641386 Bisecting: 3689 revisions left to test after this (roughly 12 steps) [9420f1ce01869409d78901c3e036b2c437cbc6b8] Merge tag 'pinctrl-v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit 9420f1ce01869409d78901c3e036b2c437cbc6b8 with gcc (GCC) 8.1.0 kernel signature: f9ec7dda09a34c29b8647112dd8927d139253074d8cb2c9ff6d688ee656eaec1 all runs: OK # git bisect good 9420f1ce01869409d78901c3e036b2c437cbc6b8 Bisecting: 1844 revisions left to test after this (roughly 11 steps) [eabe861881a733fc84f286f4d5a1ffaddd4f526f] net: handle the return value of pskb_carve_frag_list() correctly testing commit eabe861881a733fc84f286f4d5a1ffaddd4f526f with gcc (GCC) 8.1.0 kernel signature: dbd50236ab6bcc421b73fc1dfe604554f7ef49e3d039c7ad44989ffec85d95cd all runs: OK # git bisect good eabe861881a733fc84f286f4d5a1ffaddd4f526f Bisecting: 925 revisions left to test after this (roughly 10 steps) [86edf52e7c7201fabfba39ae694a5206d48e77af] Merge tag 'sound-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit 86edf52e7c7201fabfba39ae694a5206d48e77af with gcc (GCC) 8.1.0 kernel signature: a4f34ef1509b6c9798967ead7ab8679ffe604779ea82b60ab9beae84052680f2 all runs: OK # git bisect good 86edf52e7c7201fabfba39ae694a5206d48e77af Bisecting: 463 revisions left to test after this (roughly 9 steps) [4cbffc461ec91287c4cb1d0e27b01b988d0b8fba] Merge tag 'mips_fixes_5.9_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux testing commit 4cbffc461ec91287c4cb1d0e27b01b988d0b8fba with gcc (GCC) 8.1.0 kernel signature: 582e66f99e3ecdf35c22db1141bc036fb7927c5a98ec29375b37bb07ac611bdc all runs: OK # git bisect good 4cbffc461ec91287c4cb1d0e27b01b988d0b8fba Bisecting: 266 revisions left to test after this (roughly 8 steps) [0baca070068c58b95e342881d9da4840d5cf3bd1] Merge tag 'io_uring-5.9-2020-09-22' of git://git.kernel.dk/linux-block testing commit 0baca070068c58b95e342881d9da4840d5cf3bd1 with gcc (GCC) 8.1.0 kernel signature: d8999a5e6b96bd2a678bc1cc91ea9b04c149a680efddbb1fb3455937115ed67f all runs: OK # git bisect good 0baca070068c58b95e342881d9da4840d5cf3bd1 Bisecting: 133 revisions left to test after this (roughly 7 steps) [2b33b202dc3e30a15d7c0147f26fc6bb23f85493] Merge branch 'Bugfixes-in-Microsemi-Ocelot-switch-driver' testing commit 2b33b202dc3e30a15d7c0147f26fc6bb23f85493 with gcc (GCC) 8.1.0 kernel signature: bcfd2bb482dd3b9be0238e206ebce10d216c4862ad87c7ae1d9d4ef22b9e99c0 all runs: OK # git bisect good 2b33b202dc3e30a15d7c0147f26fc6bb23f85493 Bisecting: 66 revisions left to test after this (roughly 6 steps) [e49d8c22f1261c43a986a7fdbf677ac309682a07] net_sched: defer tcf_idr_insert() in tcf_action_init_1() testing commit e49d8c22f1261c43a986a7fdbf677ac309682a07 with gcc (GCC) 8.1.0 kernel signature: 0c160617a0faf3161bef517f20a5699561a60890a264f23d340c211646f2a71e all runs: OK # git bisect good e49d8c22f1261c43a986a7fdbf677ac309682a07 Bisecting: 33 revisions left to test after this (roughly 5 steps) [709a16be0593c08190982cfbdca6df95e6d5823b] r8169: fix RTL8168f/RTL8411 EPHY config testing commit 709a16be0593c08190982cfbdca6df95e6d5823b with gcc (GCC) 8.1.0 kernel signature: bb3ab6ae9354bf1f48561a31c1aa9c4b13721c3d931fe663b5ce0ad926fe6615 run #0: crashed: INFO: task hung in addrconf_dad_work run #1: crashed: INFO: task hung in addrconf_dad_work run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in addrconf_dad_work run #6: crashed: INFO: task hung in cfg80211_event_work run #7: crashed: INFO: task hung in addrconf_dad_work run #8: crashed: INFO: task hung in linkwatch_event run #9: crashed: INFO: task hung in addrconf_dad_work # git bisect bad 709a16be0593c08190982cfbdca6df95e6d5823b Bisecting: 16 revisions left to test after this (roughly 4 steps) [f6a07271bb1535d9549380461437cc48d9e19958] ice: fix memory leak in ice_vsi_setup testing commit f6a07271bb1535d9549380461437cc48d9e19958 with gcc (GCC) 8.1.0 kernel signature: 6c742ff4fc529a186cdb274577ad13efd1a4dcf6f6d05432a472d790751137eb run #0: crashed: INFO: task hung in addrconf_dad_work run #1: crashed: INFO: task hung in addrconf_dad_work run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in linkwatch_event run #6: crashed: INFO: task hung in addrconf_dad_work run #7: crashed: INFO: task hung in linkwatch_event run #8: crashed: INFO: task hung in linkwatch_event run #9: crashed: INFO: task hung in addrconf_dad_work # git bisect bad f6a07271bb1535d9549380461437cc48d9e19958 Bisecting: 7 revisions left to test after this (roughly 3 steps) [0eb11dfe224f9bf0f7d66a68500a43a9b9c83b02] net/ethernet/broadcom: fix spelling typo testing commit 0eb11dfe224f9bf0f7d66a68500a43a9b9c83b02 with gcc (GCC) 8.1.0 kernel signature: 4db9d87ea188ba0c875bacd81e4b5a2cc495bef052382faa740b0d124039b04a all runs: crashed: INFO: task hung in addrconf_dad_work # git bisect bad 0eb11dfe224f9bf0f7d66a68500a43a9b9c83b02 Bisecting: 3 revisions left to test after this (roughly 2 steps) [ed46cd1d4cc4b2cf05f31fe25fc68d1a9d3589ba] drivers/net/wan/x25_asy: Correct the ndo_open and ndo_stop functions testing commit ed46cd1d4cc4b2cf05f31fe25fc68d1a9d3589ba with gcc (GCC) 8.1.0 kernel signature: 06f9b6c89048d593532bd973e4c73bd25f0d9a9b80617b95bb9e69409fc51648 run #0: crashed: INFO: task hung in addrconf_dad_work run #1: crashed: INFO: task hung in crda_timeout_work run #2: crashed: INFO: task hung in cfg80211_event_work run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in addrconf_dad_work run #6: crashed: INFO: task hung in cfg80211_event_work run #7: crashed: INFO: task hung in addrconf_dad_work run #8: crashed: INFO: task hung in linkwatch_event run #9: crashed: INFO: task hung in linkwatch_event # git bisect bad ed46cd1d4cc4b2cf05f31fe25fc68d1a9d3589ba Bisecting: 1 revision left to test after this (roughly 1 step) [6d8899962afdf789f6ec8407ffdf3130724a7005] Merge branch 'net_sched-fix-a-UAF-in-tcf_action_init' testing commit 6d8899962afdf789f6ec8407ffdf3130724a7005 with gcc (GCC) 8.1.0 kernel signature: 41e2048cca710b61de6847e41f11cc5cb2b5e5937805bb37ffe98e8281f70bf8 run #0: crashed: INFO: task hung in addrconf_dad_work run #1: crashed: INFO: task hung in crda_timeout_work run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in linkwatch_event run #6: crashed: INFO: task hung in addrconf_dad_work run #7: crashed: INFO: task hung in addrconf_dad_work run #8: crashed: INFO: task hung in linkwatch_event run #9: crashed: INFO: task hung in addrconf_dad_work # git bisect bad 6d8899962afdf789f6ec8407ffdf3130724a7005 Bisecting: 0 revisions left to test after this (roughly 0 steps) [0fedc63fadf0404a729e73a35349481c8009c02f] net_sched: commit action insertions together testing commit 0fedc63fadf0404a729e73a35349481c8009c02f with gcc (GCC) 8.1.0 kernel signature: 23dba92cd2a12213aed9ad09533f8b48f6c3cc3cc6e91fd30f9671dfe41b7602 run #0: crashed: INFO: task hung in reg_todo run #1: crashed: INFO: task hung in addrconf_dad_work run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in addrconf_dad_work run #6: crashed: INFO: task hung in addrconf_dad_work run #7: crashed: INFO: task hung in linkwatch_event run #8: crashed: INFO: task hung in addrconf_dad_work run #9: crashed: INFO: task hung in switchdev_deferred_process_work # git bisect bad 0fedc63fadf0404a729e73a35349481c8009c02f 0fedc63fadf0404a729e73a35349481c8009c02f is the first bad commit commit 0fedc63fadf0404a729e73a35349481c8009c02f Author: Cong Wang Date: Tue Sep 22 20:56:24 2020 -0700 net_sched: commit action insertions together syzbot is able to trigger a failure case inside the loop in tcf_action_init(), and when this happens we clean up with tcf_action_destroy(). But, as these actions are already inserted into the global IDR, other parallel process could free them before tcf_action_destroy(), then we will trigger a use-after-free. Fix this by deferring the insertions even later, after the loop, and committing all the insertions in a separate loop, so we will never fail in the middle of the insertions any more. One side effect is that the window between alloction and final insertion becomes larger, now it is more likely that the loop in tcf_del_walker() sees the placeholder -EBUSY pointer. So we have to check for error pointer in tcf_del_walker(). Reported-and-tested-by: syzbot+2287853d392e4b42374a@syzkaller.appspotmail.com Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action") Cc: Vlad Buslov Cc: Jamal Hadi Salim Cc: Jiri Pirko Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/sched/act_api.c | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) culprit signature: 23dba92cd2a12213aed9ad09533f8b48f6c3cc3cc6e91fd30f9671dfe41b7602 parent signature: 0c160617a0faf3161bef517f20a5699561a60890a264f23d340c211646f2a71e revisions tested: 16, total time: 3h43m6.208655845s (build: 1h25m3.676936331s, test: 2h16m23.734266879s) first bad commit: 0fedc63fadf0404a729e73a35349481c8009c02f net_sched: commit action insertions together recipients (to): ["davem@davemloft.net" "syzbot+2287853d392e4b42374a@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"] recipients (cc): [] crash: INFO: task hung in switchdev_deferred_process_work INFO: task kworker/0:0:5 blocked for more than 143 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:0 state:D stack:13480 pid: 5 ppid: 2 flags:0x00004000 Workqueue: events switchdev_deferred_process_work Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 switchdev_deferred_process_work+0x5/0x10 net/switchdev/switchdev.c:74 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269 worker_thread+0x38/0x380 kernel/workqueue.c:2415 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task kworker/1:0:17 blocked for more than 143 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:0 state:D stack:13464 pid: 17 ppid: 2 flags:0x00004000 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 addrconf_dad_work+0x3f/0x500 net/ipv6/addrconf.c:4027 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269 worker_thread+0x38/0x380 kernel/workqueue.c:2415 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task kworker/0:2:2688 blocked for more than 143 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:2 state:D stack:13544 pid: 2688 ppid: 2 flags:0x00004000 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 addrconf_dad_work+0x3f/0x500 net/ipv6/addrconf.c:4027 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269 worker_thread+0x38/0x380 kernel/workqueue.c:2415 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task syz-executor.0:6966 blocked for more than 143 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.0 state:D stack:11832 pid: 6966 ppid: 1 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 rtnl_lock net/core/rtnetlink.c:72 [inline] rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 __sys_sendto+0xec/0x160 net/socket.c:1992 __do_sys_sendto net/socket.c:2004 [inline] __se_sys_sendto net/socket.c:2000 [inline] __x64_sys_sendto+0x1f/0x30 net/socket.c:2000 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417817 Code: Bad RIP value. RSP: 002b:00007ffeeda45700 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 0000000000417817 RDX: 0000000000000028 RSI: 00000000016a4350 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffeeda45710 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000016a4350 R15: 0000000000000003 INFO: task syz-executor.2:6967 blocked for more than 143 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.2 state:D stack:11832 pid: 6967 ppid: 1 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 rtnl_lock net/core/rtnetlink.c:72 [inline] rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 __sys_sendto+0xec/0x160 net/socket.c:1992 __do_sys_sendto net/socket.c:2004 [inline] __se_sys_sendto net/socket.c:2000 [inline] __x64_sys_sendto+0x1f/0x30 net/socket.c:2000 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417817 Code: Bad RIP value. RSP: 002b:00007fffb6e50680 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 0000000000417817 RDX: 0000000000000028 RSI: 00000000016a4350 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007fffb6e50690 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000016a4350 R15: 0000000000000003 INFO: task syz-executor.4:6969 blocked for more than 144 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.4 state:D stack:11832 pid: 6969 ppid: 1 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 rtnl_lock net/core/rtnetlink.c:72 [inline] rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 __sys_sendto+0xec/0x160 net/socket.c:1992 __do_sys_sendto net/socket.c:2004 [inline] __se_sys_sendto net/socket.c:2000 [inline] __x64_sys_sendto+0x1f/0x30 net/socket.c:2000 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417817 Code: Bad RIP value. RSP: 002b:00007ffdc21d5730 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 0000000000417817 RDX: 0000000000000040 RSI: 00000000016a4350 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffdc21d5740 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000016a4350 R15: 0000000000000003 INFO: task syz-executor.3:6971 blocked for more than 144 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.3 state:D stack:11736 pid: 6971 ppid: 1 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 rtnl_lock net/core/rtnetlink.c:72 [inline] rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 __sys_sendto+0xec/0x160 net/socket.c:1992 __do_sys_sendto net/socket.c:2004 [inline] __se_sys_sendto net/socket.c:2000 [inline] __x64_sys_sendto+0x1f/0x30 net/socket.c:2000 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417817 Code: Bad RIP value. RSP: 002b:00007ffe1473fbf0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 0000000000417817 RDX: 0000000000000040 RSI: 00000000016a4350 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffe1473fc00 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000016a4350 R15: 0000000000000003 INFO: task syz-executor.5:6972 blocked for more than 144 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.5 state:D stack:11592 pid: 6972 ppid: 1 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 rtnl_lock net/core/rtnetlink.c:72 [inline] rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 __sys_sendto+0xec/0x160 net/socket.c:1992 __do_sys_sendto net/socket.c:2004 [inline] __se_sys_sendto net/socket.c:2000 [inline] __x64_sys_sendto+0x1f/0x30 net/socket.c:2000 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417817 Code: Bad RIP value. RSP: 002b:00007ffe6a0c9930 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 0000000000417817 RDX: 000000000000002c RSI: 00000000016a4350 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffe6a0c9940 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000016a4350 R15: 0000000000000003 INFO: task kworker/0:4:7374 blocked for more than 144 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:4 state:D stack:13160 pid: 7374 ppid: 2 flags:0x00004000 Workqueue: events linkwatch_event Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 linkwatch_event+0x5/0x30 net/core/link_watch.c:250 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269 worker_thread+0x38/0x380 kernel/workqueue.c:2415 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Showing all locks held in the system: 3 locks held by kworker/0:0/5: #0: ffff88812bc55738 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88812bc55738 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88812bc55738 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #1: ffffc90000c93e70 (deferred_process_work){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90000c93e70 (deferred_process_work){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90000c93e70 (deferred_process_work){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #2: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0x5/0x10 net/switchdev/switchdev.c:74 3 locks held by kworker/1:0/17: #0: ffff88812542ed38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88812542ed38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88812542ed38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #1: ffffc90000cfbe70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90000cfbe70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90000cfbe70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #2: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0x3f/0x500 net/ipv6/addrconf.c:4027 1 lock held by khungtaskd/657: #0: ffffffff84518fe0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x15/0x17a kernel/locking/lockdep.c:5853 3 locks held by kworker/0:2/2688: #0: ffff88812542ed38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88812542ed38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88812542ed38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #1: ffffc90005b93e70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90005b93e70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90005b93e70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #2: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0x3f/0x500 net/ipv6/addrconf.c:4027 1 lock held by in:imklog/6361: #0: ffff88812b2704f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x45/0x50 fs/file.c:930 3 locks held by kworker/0:3/6395: #0: ffff88812bc55f38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88812bc55f38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88812bc55f38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #1: ffffc9000340fe70 ((reg_check_chans).work){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc9000340fe70 ((reg_check_chans).work){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc9000340fe70 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #2: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: reg_check_chans_work+0x23/0x4a0 net/wireless/reg.c:2199 1 lock held by syz-executor.0/6966: #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 1 lock held by syz-executor.2/6967: #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 1 lock held by syz-executor.4/6969: #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 1 lock held by syz-executor.3/6971: #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 1 lock held by syz-executor.5/6972: #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 3 locks held by kworker/0:4/7374: #0: ffff88812bc55738 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88812bc55738 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88812bc55738 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #1: ffffc90001053e70 ((linkwatch_work).work){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90001053e70 ((linkwatch_work).work){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90001053e70 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #2: ffffffff8486f408 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0x5/0x30 net/core/link_watch.c:250 2 locks held by syz-executor.1/8302: ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 657 Comm: khungtaskd Not tainted 5.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa3/0xcc lib/dump_stack.c:118 nmi_cpu_backtrace.cold.8+0x3e/0x58 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0xd5/0xec lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:209 [inline] watchdog+0x58e/0x680 kernel/hung_task.c:295 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: bat_events batadv_nc_worker RIP: 0010:check_preemption_disabled+0x21/0xd0 lib/smp_processor_id.c:55 Code: 01 0f 00 00 00 c3 cc cc cc 41 55 41 54 55 53 65 8b 1d f3 f2 dd 7c 65 8b 05 0c 5e de 7c a9 ff ff ff 7f 74 09 89 d8 5b 5d 41 5c <41> 5d c3 48 83 3d 14 fd 2a 01 00 0f 84 98 00 00 00 9c 58 0f 1f 44 RSP: 0018:ffffc90000d1fd50 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffffc90000d1fd8f RCX: 0000000000000002 RDX: 0000000000000000 RSI: ffffffff8424c83e RDI: ffffffff84086c09 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff88812b0de580 R11: b552eb836fb04bcd R12: 0000000000000002 R13: 0000000000000000 R14: ffffffff84518fe0 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9e72bb6000 CR3: 000000010eee2000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rcu_dynticks_curr_cpu_in_eqs kernel/rcu/tree.c:326 [inline] rcu_is_watching+0x11/0x70 kernel/rcu/tree.c:1111 rcu_read_lock_held_common+0x1c/0x40 kernel/rcu/update.c:119 rcu_read_lock_sched_held+0x1e/0x80 kernel/rcu/update.c:134 trace_lock_acquire include/trace/events/lock.h:13 [inline] lock_acquire+0x37d/0x400 kernel/locking/lockdep.c:5003 rcu_lock_acquire include/linux/rcupdate.h:241 [inline] rcu_read_lock include/linux/rcupdate.h:634 [inline] batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:407 [inline] batadv_nc_worker+0x66/0x240 net/batman-adv/network-coding.c:718 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269 worker_thread+0x38/0x380 kernel/workqueue.c:2415 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294