bisecting fixing commit since c63ee2939dc1c6eee6c544af1b4ab441490bfe6e
building syzkaller on 598ca6c8b8766304c3b2865e38f5f301c39bd299
testing commit c63ee2939dc1c6eee6c544af1b4ab441490bfe6e with gcc (GCC) 8.4.1 20210217
kernel signature: 5ef598e94bb51a1d4b0522766360d8088085035bccb221f3428317e6c5c8158b
run #0: crashed: general protection fault in skb_unlink
run #1: crashed: general protection fault in skb_unlink
run #2: crashed: general protection fault in skb_unlink
run #3: crashed: general protection fault in skb_unlink
run #4: crashed: general protection fault in skb_unlink
run #5: crashed: general protection fault in requeue_rx_msgs
run #6: crashed: general protection fault in skb_unlink
run #7: crashed: general protection fault in requeue_rx_msgs
run #8: crashed: general protection fault in skb_unlink
run #9: crashed: general protection fault in skb_unlink
run #10: crashed: general protection fault in skb_unlink
run #11: crashed: general protection fault in skb_unlink
run #12: crashed: general protection fault in skb_unlink
run #13: crashed: general protection fault in skb_unlink
run #14: crashed: general protection fault in skb_unlink
run #15: crashed: general protection fault in skb_unlink
run #16: crashed: general protection fault in skb_unlink
run #17: crashed: general protection fault in skb_unlink
run #18: crashed: general protection fault in skb_unlink
run #19: crashed: general protection fault in skb_unlink
testing current HEAD 1e986fe9ad15b8406034c504afc5ae76f0a8e852
testing commit 1e986fe9ad15b8406034c504afc5ae76f0a8e852 with gcc (GCC) 8.4.1 20210217
kernel signature: 373774b9f275d1b8210ee772a39f82eafeb1c657267ae40eadf81d7f4c7b8a99
run #0: crashed: general protection fault in skb_unlink
run #1: crashed: general protection fault in skb_unlink
run #2: crashed: general protection fault in skb_unlink
run #3: crashed: general protection fault in skb_unlink
run #4: crashed: general protection fault in skb_unlink
run #5: crashed: general protection fault in skb_unlink
run #6: crashed: general protection fault in skb_unlink
run #7: crashed: general protection fault in skb_unlink
run #8: crashed: possible deadlock in __sock_release
run #9: crashed: possible deadlock in __sock_release
revisions tested: 2, total time: 28m42.308302335s (build: 21m8.161696675s, test: 6m20.275372595s)
the crash still happens on HEAD
commit msg: Linux 4.19.191
crash: possible deadlock in __sock_release
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0

======================================================
WARNING: possible circular locking dependency detected
4.19.191-syzkaller #0 Not tainted
------------------------------------------------------
kworker/1:3/5893 is trying to acquire lock:
00000000882bbb69 (&sb->s_type->i_mutex_key#11){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
00000000882bbb69 (&sb->s_type->i_mutex_key#11){+.+.}, at: __sock_release+0x7d/0x290 net/socket.c:578

but task is already holding lock:
00000000374547bf ((delayed_fput_work).work){+.+.}, at: process_one_work+0x792/0x1670 kernel/workqueue.c:2127

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 ((delayed_fput_work).work){+.+.}:
       process_one_work+0x7e3/0x1670 kernel/workqueue.c:2128
       worker_thread+0x85/0xb60 kernel/workqueue.c:2295
       kthread+0x347/0x410 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #2 ((wq_completion)"events"){+.+.}:
       flush_workqueue+0xf2/0x13c0 kernel/workqueue.c:2660
       flush_scheduled_work include/linux/workqueue.h:599 [inline]
       tipc_exit_net+0x37/0x60 net/tipc/core.c:100
       ops_exit_list.isra.5+0x8b/0x120 net/core/net_namespace.c:153
       cleanup_net+0x368/0x850 net/core/net_namespace.c:553
       process_one_work+0x830/0x1670 kernel/workqueue.c:2152
       worker_thread+0x85/0xb60 kernel/workqueue.c:2295
       kthread+0x347/0x410 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #1 (pernet_ops_rwsem){++++}:
       down_write+0x38/0x90 kernel/locking/rwsem.c:70
       unregister_netdevice_notifier+0x79/0x320 net/core/dev.c:1708
       bcm_release+0x8a/0x520 net/can/bcm.c:1525
       __sock_release+0xc2/0x290 net/socket.c:579
       sock_close+0x10/0x20 net/socket.c:1140
       __fput+0x249/0x7f0 fs/file_table.c:278
       ____fput+0x9/0x10 fs/file_table.c:309
       task_work_run+0x108/0x180 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:193 [inline]
       exit_to_usermode_loop+0x1a9/0x200 arch/x86/entry/common.c:167
       prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
       do_syscall_64+0x413/0x4e0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&sb->s_type->i_mutex_key#11){+.+.}:
       lock_acquire+0x173/0x3d0 kernel/locking/lockdep.c:3908
       down_write+0x38/0x90 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:748 [inline]
       __sock_release+0x7d/0x290 net/socket.c:578
       sock_close+0x10/0x20 net/socket.c:1140
       __fput+0x249/0x7f0 fs/file_table.c:278
       delayed_fput+0x4b/0x70 fs/file_table.c:304
       process_one_work+0x830/0x1670 kernel/workqueue.c:2152
       worker_thread+0x85/0xb60 kernel/workqueue.c:2295
       kthread+0x347/0x410 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#11 --> (wq_completion)"events" --> (delayed_fput_work).work

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock((delayed_fput_work).work);
                               lock((wq_completion)"events");
                               lock((delayed_fput_work).work);
  lock(&sb->s_type->i_mutex_key#11);

 *** DEADLOCK ***

2 locks held by kworker/1:3/5893:
 #0: 000000003ac846c0 ((wq_completion)"events"){+.+.}, at: __write_once_size include/linux/compiler.h:288 [inline]
 #0: 000000003ac846c0 ((wq_completion)"events"){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 000000003ac846c0 ((wq_completion)"events"){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:40 [inline]
 #0: 000000003ac846c0 ((wq_completion)"events"){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:59 [inline]
 #0: 000000003ac846c0 ((wq_completion)"events"){+.+.}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: 000000003ac846c0 ((wq_completion)"events"){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: 000000003ac846c0 ((wq_completion)"events"){+.+.}, at: process_one_work+0x762/0x1670 kernel/workqueue.c:2123
 #1: 00000000374547bf ((delayed_fput_work).work){+.+.}, at: process_one_work+0x792/0x1670 kernel/workqueue.c:2127

stack backtrace:
CPU: 1 PID: 5893 Comm: kworker/1:3 Not tainted 4.19.191-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events delayed_fput
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 print_circular_bug.isra.34.cold.55+0x1bd/0x27d kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30bb/0x4950 kernel/locking/lockdep.c:3416
 lock_acquire+0x173/0x3d0 kernel/locking/lockdep.c:3908
 down_write+0x38/0x90 kernel/locking/rwsem.c:70
 inode_lock include/linux/fs.h:748 [inline]
 __sock_release+0x7d/0x290 net/socket.c:578
 sock_close+0x10/0x20 net/socket.c:1140
 __fput+0x249/0x7f0 fs/file_table.c:278
 delayed_fput+0x4b/0x70 fs/file_table.c:304
 process_one_work+0x830/0x1670 kernel/workqueue.c:2152
 worker_thread+0x85/0xb60 kernel/workqueue.c:2295
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 143 Comm: kworker/u4:3 Not tainted 4.19.191-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: kstrp strp_work
RIP: 0010:__write_once_size include/linux/compiler.h:288 [inline]
RIP: 0010:__skb_unlink include/linux/skbuff.h:1919 [inline]
RIP: 0010:__skb_dequeue include/linux/skbuff.h:1936 [inline]
RIP: 0010:requeue_rx_msgs+0xf2/0x460 net/kcm/kcmsock.c:226
Code: 03 42 80 3c 38 00 0f 85 1e 03 00 00 49 8d 7e 08 4c 8b 6b 08 48 c7 03 00 00 00 00 48 89 f8 48 c7 43 08 00 00 00 00 48 c1 e8 03 <42> 80 3c 38 00 0f 85 eb 02 00 00 4c 89 e8 4d 89 6e 08 48 c1 e8 03
RSP: 0018:ffff8881f4e0f978 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff8881cfcb3440 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000008
RBP: ffff8881f4e0f9d0 R08: ffffed103ab0326f R09: ffffed103ab0326e
R10: ffffed103ab0326e R11: ffff8881d5819373 R12: ffff8881d5819200
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff0b5af518 CR3: 000000000806d004 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 unreserve_rx_kcm+0x2f4/0x3a0 net/kcm/kcmsock.c:334
 kcm_rcv_strparser+0x6e/0x7c0 net/kcm/kcmsock.c:375
 __strp_recv+0x51b/0x1e40 net/strparser/strparser.c:315
 strp_recv+0xb6/0x150 net/strparser/strparser.c:349
 tcp_read_sock+0x207/0x870 net/ipv4/tcp.c:1667
 strp_read_sock+0x137/0x1e0 net/strparser/strparser.c:372
 do_strp_work net/strparser/strparser.c:420 [inline]
 strp_work+0x99/0xd0 net/strparser/strparser.c:429
 process_one_work+0x830/0x1670 kernel/workqueue.c:2152
 worker_thread+0x85/0xb60 kernel/workqueue.c:2295
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
---[ end trace 973963dcb2074835 ]---
RIP: 0010:__write_once_size include/linux/compiler.h:288 [inline]
RIP: 0010:__skb_unlink include/linux/skbuff.h:1919 [inline]
RIP: 0010:__skb_dequeue include/linux/skbuff.h:1936 [inline]
RIP: 0010:requeue_rx_msgs+0xf2/0x460 net/kcm/kcmsock.c:226
Code: 03 42 80 3c 38 00 0f 85 1e 03 00 00 49 8d 7e 08 4c 8b 6b 08 48 c7 03 00 00 00 00 48 89 f8 48 c7 43 08 00 00 00 00 48 c1 e8 03 <42> 80 3c 38 00 0f 85 eb 02 00 00 4c 89 e8 4d 89 6e 08 48 c1 e8 03
RSP: 0018:ffff8881f4e0f978 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff8881cfcb3440 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000008
RBP: ffff8881f4e0f9d0 R08: ffffed103ab0326f R09: ffffed103ab0326e
R10: ffffed103ab0326e R11: ffff8881d5819373 R12: ffff8881d5819200
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff0b5af518 CR3: 000000000806d004 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400