bisecting cause commit starting from 5e46e43c2ad92bca709944be806feb9bce044061 building syzkaller on 4a006f636cdc7ecce6c16385b5aee54ddb717c2a testing commit 5e46e43c2ad92bca709944be806feb9bce044061 with gcc (GCC) 8.1.0 kernel signature: ab5d12cfa417ce5f50cc68313d5a1b2ec005d12709b2608a26bf7d2157ceca2e run #0: crashed: INFO: task hung in crda_timeout_work run #1: crashed: INFO: task hung in addrconf_dad_work run #2: crashed: INFO: task hung in linkwatch_event run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in addrconf_dad_work run #6: crashed: INFO: task hung in addrconf_dad_work run #7: crashed: INFO: task hung in addrconf_dad_work run #8: crashed: INFO: task hung in linkwatch_event run #9: crashed: INFO: task hung in linkwatch_event testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 92569cab3ee64273ca67d104d7d9c065364ac72e5c87e4158b5385f9d377b8f5 all runs: OK # git bisect start 5e46e43c2ad92bca709944be806feb9bce044061 bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 7362 revisions left to test after this (roughly 13 steps) [47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0 kernel signature: ffb2d0f9a2e48025e9d932ae44131195b3e2ee163b7996e8229c9ac5d26fd7b3 all runs: OK # git bisect good 47ec5303d73ea344e84f46660fff693c57641386 Bisecting: 3650 revisions left to test after this (roughly 12 steps) [9420f1ce01869409d78901c3e036b2c437cbc6b8] Merge tag 'pinctrl-v5.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit 9420f1ce01869409d78901c3e036b2c437cbc6b8 with gcc (GCC) 8.1.0 kernel signature: 5c29f63cab217701eee28a6789c6063cb69af082527b470358244437cdbc7d24 all runs: OK # git bisect good 9420f1ce01869409d78901c3e036b2c437cbc6b8 Bisecting: 1819 revisions left to test after this (roughly 11 steps) [4cf7562190c795f1f95be6ee0d161107d0dc5d49] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 4cf7562190c795f1f95be6ee0d161107d0dc5d49 with gcc (GCC) 8.1.0 kernel signature: df1dbacda506e24fddb68cf117277736d1e02e7770cddf3ca4742f91dfa62494 all runs: OK # git bisect good 4cf7562190c795f1f95be6ee0d161107d0dc5d49 Bisecting: 917 revisions left to test after this (roughly 10 steps) [cf85f5de83b19361c3d575fa0ea05d8194bb0d05] Merge tag 'drm-fixes-2020-09-04' of git://anongit.freedesktop.org/drm/drm testing commit cf85f5de83b19361c3d575fa0ea05d8194bb0d05 with gcc (GCC) 8.1.0 kernel signature: bc6f0717d911af9bb617bc31ea8852d70f739a13ba4399992d8ab0fd30f7ecd4 all runs: OK # git bisect good cf85f5de83b19361c3d575fa0ea05d8194bb0d05 Bisecting: 458 revisions left to test after this (roughly 9 steps) [1e484d388773b0a984236a181fb21e133630df42] Merge tag 'fixes-v5.9a' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security testing commit 1e484d388773b0a984236a181fb21e133630df42 with gcc (GCC) 8.1.0 kernel signature: 1e7c7fad4ac5ced424b630a9769cb09ec9bdebc5bbd9d7625088403d6440c797 all runs: OK # git bisect good 1e484d388773b0a984236a181fb21e133630df42 Bisecting: 227 revisions left to test after this (roughly 8 steps) [0baca070068c58b95e342881d9da4840d5cf3bd1] Merge tag 'io_uring-5.9-2020-09-22' of git://git.kernel.dk/linux-block testing commit 0baca070068c58b95e342881d9da4840d5cf3bd1 with gcc (GCC) 8.1.0 kernel signature: b44f2411b2750de0f9a17ce4d803795b01acb766d0d4818e0e16ecba732469b1 all runs: OK # git bisect good 0baca070068c58b95e342881d9da4840d5cf3bd1 Bisecting: 113 revisions left to test after this (roughly 7 steps) [fd944dc24336922656a48f4608bfb41abdcdc4aa] net: dsa: microchip: ksz8795: really set the correct number of ports testing commit fd944dc24336922656a48f4608bfb41abdcdc4aa with gcc (GCC) 8.1.0 kernel signature: 7b7ef710a90ebe0d16090d136bf29a7c423afc8aeb4fbecb05776ae13e53fad9 all runs: OK # git bisect good fd944dc24336922656a48f4608bfb41abdcdc4aa Bisecting: 60 revisions left to test after this (roughly 6 steps) [2b617c11d7c0791a18402407222ca9f2c343c47b] net: Update MAINTAINERS for MediaTek switch driver testing commit 2b617c11d7c0791a18402407222ca9f2c343c47b with gcc (GCC) 8.1.0 kernel signature: 06cf1dc346632465f3b899de8f5399876fc8af1c875fc7e2758b4075c3c060ff all runs: OK # git bisect good 2b617c11d7c0791a18402407222ca9f2c343c47b Bisecting: 30 revisions left to test after this (roughly 5 steps) [ea6754aef2449e2cadfeb28741a199d35da53e28] net: switchdev: Fixed kerneldoc warning testing commit ea6754aef2449e2cadfeb28741a199d35da53e28 with gcc (GCC) 8.1.0 kernel signature: fc0ebb4c27472fc7af276ebbf8d0e0057d54801915ab17e7fadcaae80a745c93 all runs: OK # git bisect good ea6754aef2449e2cadfeb28741a199d35da53e28 Bisecting: 15 revisions left to test after this (roughly 4 steps) [ad2b9b0f8d0107602bdc1f3b1ab90719842ace11] tcp: skip DSACKs with dubious sequence ranges testing commit ad2b9b0f8d0107602bdc1f3b1ab90719842ace11 with gcc (GCC) 8.1.0 kernel signature: 6dc441576e511abeb608651445bd8bdb08b93d4b09873c779659373dee872c14 run #0: crashed: INFO: task hung in crda_timeout_work run #1: crashed: INFO: task hung in addrconf_dad_work run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in cfg80211_event_work run #6: crashed: INFO: task hung in addrconf_dad_work run #7: crashed: INFO: task hung in addrconf_dad_work run #8: crashed: INFO: task hung in addrconf_dad_work run #9: crashed: INFO: task hung in addrconf_dad_work # git bisect bad ad2b9b0f8d0107602bdc1f3b1ab90719842ace11 Bisecting: 7 revisions left to test after this (roughly 3 steps) [ed46cd1d4cc4b2cf05f31fe25fc68d1a9d3589ba] drivers/net/wan/x25_asy: Correct the ndo_open and ndo_stop functions testing commit ed46cd1d4cc4b2cf05f31fe25fc68d1a9d3589ba with gcc (GCC) 8.1.0 kernel signature: 5a795b13c0de285b49cd2023a4be022adc89c4bedb5ff8d81e1049c0d057304d run #0: crashed: INFO: task hung in addrconf_dad_work run #1: crashed: INFO: task hung in rtnetlink_rcv_msg run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in addrconf_dad_work run #6: crashed: INFO: task hung in addrconf_dad_work run #7: crashed: INFO: task hung in switchdev_deferred_process_work run #8: crashed: INFO: task hung in linkwatch_event run #9: crashed: INFO: task hung in linkwatch_event # git bisect bad ed46cd1d4cc4b2cf05f31fe25fc68d1a9d3589ba Bisecting: 3 revisions left to test after this (roughly 2 steps) [e49d8c22f1261c43a986a7fdbf677ac309682a07] net_sched: defer tcf_idr_insert() in tcf_action_init_1() testing commit e49d8c22f1261c43a986a7fdbf677ac309682a07 with gcc (GCC) 8.1.0 kernel signature: a4219afc8e8b712461b3f7272f38b0c82ae35b3c877a79b298397d7bebd3acd9 all runs: OK # git bisect good e49d8c22f1261c43a986a7fdbf677ac309682a07 Bisecting: 1 revision left to test after this (roughly 1 step) [6d8899962afdf789f6ec8407ffdf3130724a7005] Merge branch 'net_sched-fix-a-UAF-in-tcf_action_init' testing commit 6d8899962afdf789f6ec8407ffdf3130724a7005 with gcc (GCC) 8.1.0 kernel signature: b38286bec4e8bed94278fad38f1413aa84389a02871c9c66f13f6b76f884f2ef run #0: crashed: INFO: task hung in linkwatch_event run #1: crashed: INFO: task hung in linkwatch_event run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in linkwatch_event run #5: crashed: INFO: task hung in linkwatch_event run #6: crashed: INFO: task hung in linkwatch_event run #7: crashed: INFO: task hung in addrconf_dad_work run #8: crashed: INFO: task hung in addrconf_dad_work run #9: crashed: INFO: task hung in addrconf_dad_work # git bisect bad 6d8899962afdf789f6ec8407ffdf3130724a7005 Bisecting: 0 revisions left to test after this (roughly 0 steps) [0fedc63fadf0404a729e73a35349481c8009c02f] net_sched: commit action insertions together testing commit 0fedc63fadf0404a729e73a35349481c8009c02f with gcc (GCC) 8.1.0 kernel signature: 3cbd7490073cb1c09bb7fc8069c1daac9a4211076b477ad8565f96a7004094d6 run #0: crashed: INFO: task hung in linkwatch_event run #1: crashed: INFO: task hung in crda_timeout_work run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in linkwatch_event run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in addrconf_dad_work run #6: crashed: INFO: task hung in addrconf_dad_work run #7: crashed: INFO: task hung in cfg80211_event_work run #8: crashed: INFO: task hung in cfg80211_event_work run #9: crashed: INFO: task hung in addrconf_dad_work # git bisect bad 0fedc63fadf0404a729e73a35349481c8009c02f 0fedc63fadf0404a729e73a35349481c8009c02f is the first bad commit commit 0fedc63fadf0404a729e73a35349481c8009c02f Author: Cong Wang Date: Tue Sep 22 20:56:24 2020 -0700 net_sched: commit action insertions together syzbot is able to trigger a failure case inside the loop in tcf_action_init(), and when this happens we clean up with tcf_action_destroy(). But, as these actions are already inserted into the global IDR, other parallel process could free them before tcf_action_destroy(), then we will trigger a use-after-free. Fix this by deferring the insertions even later, after the loop, and committing all the insertions in a separate loop, so we will never fail in the middle of the insertions any more. One side effect is that the window between alloction and final insertion becomes larger, now it is more likely that the loop in tcf_del_walker() sees the placeholder -EBUSY pointer. So we have to check for error pointer in tcf_del_walker(). Reported-and-tested-by: syzbot+2287853d392e4b42374a@syzkaller.appspotmail.com Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action") Cc: Vlad Buslov Cc: Jamal Hadi Salim Cc: Jiri Pirko Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/sched/act_api.c | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) culprit signature: 3cbd7490073cb1c09bb7fc8069c1daac9a4211076b477ad8565f96a7004094d6 parent signature: a4219afc8e8b712461b3f7272f38b0c82ae35b3c877a79b298397d7bebd3acd9 revisions tested: 16, total time: 3h48m22.389225132s (build: 1h21m9.343139854s, test: 2h25m27.330778612s) first bad commit: 0fedc63fadf0404a729e73a35349481c8009c02f net_sched: commit action insertions together recipients (to): ["davem@davemloft.net" "syzbot+2287853d392e4b42374a@syzkaller.appspotmail.com" "xiyou.wangcong@gmail.com"] recipients (cc): [] crash: INFO: task hung in addrconf_dad_work INFO: task kworker/0:0:5 blocked for more than 143 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:0 state:D stack:13480 pid: 5 ppid: 2 flags:0x00004000 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 addrconf_dad_work+0x3f/0x500 net/ipv6/addrconf.c:4027 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269 worker_thread+0x38/0x380 kernel/workqueue.c:2415 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task syz-executor.2:6963 blocked for more than 143 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.2 state:D stack:11784 pid: 6963 ppid: 1 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 devinet_ioctl+0xa4/0x7a0 net/ipv4/devinet.c:1067 inet_ioctl+0x8c/0x140 net/ipv4/af_inet.c:967 sock_do_ioctl+0x38/0x130 net/socket.c:1047 sock_ioctl+0x2f1/0x3e0 net/socket.c:1198 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x7c/0xb0 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45dfe7 Code: Bad RIP value. RSP: 002b:00007ffecf56f998 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 000000000045dfe7 RDX: 00007ffecf56f9d0 RSI: 0000000000008914 RDI: 0000000000000004 RBP: 00007ffecf56fa50 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000004 R13: 0000000000000047 R14: 00007ffecf56faa0 R15: 0000000000000020 INFO: task syz-executor.3:6965 blocked for more than 143 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.3 state:D stack:11496 pid: 6965 ppid: 1 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 nl80211_pre_doit+0xf9/0x1b0 net/wireless/nl80211.c:14304 genl_family_rcv_msg_doit net/netlink/genetlink.c:664 [inline] genl_family_rcv_msg net/netlink/genetlink.c:714 [inline] genl_rcv_msg+0x1b8/0x2ef net/netlink/genetlink.c:731 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 genl_rcv+0x1f/0x30 net/netlink/genetlink.c:742 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 __sys_sendto+0xec/0x160 net/socket.c:1992 __do_sys_sendto net/socket.c:2004 [inline] __se_sys_sendto net/socket.c:2000 [inline] __x64_sys_sendto+0x1f/0x30 net/socket.c:2000 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417a27 Code: Bad RIP value. RSP: 002b:00007fff0520a510 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 0000000000417a27 RDX: 0000000000000024 RSI: 00000000016a4350 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007fff0520a520 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000016a4350 R15: 0000000000000003 INFO: task syz-executor.4:6967 blocked for more than 143 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.4 state:D stack:11592 pid: 6967 ppid: 1 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 rtnl_lock net/core/rtnetlink.c:72 [inline] rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 __sys_sendto+0xec/0x160 net/socket.c:1992 __do_sys_sendto net/socket.c:2004 [inline] __se_sys_sendto net/socket.c:2000 [inline] __x64_sys_sendto+0x1f/0x30 net/socket.c:2000 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417a27 Code: Bad RIP value. RSP: 002b:00007ffca40ab840 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 0000000000417a27 RDX: 0000000000000028 RSI: 00000000016a4350 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffca40ab850 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000016a4350 R15: 0000000000000003 INFO: task syz-executor.0:6972 blocked for more than 144 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.0 state:D stack:11808 pid: 6972 ppid: 1 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 devinet_ioctl+0xa4/0x7a0 net/ipv4/devinet.c:1067 inet_ioctl+0x8c/0x140 net/ipv4/af_inet.c:967 sock_do_ioctl+0x38/0x130 net/socket.c:1047 sock_ioctl+0x2f1/0x3e0 net/socket.c:1198 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x7c/0xb0 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45dfe7 Code: Bad RIP value. RSP: 002b:00007fffcab560c8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 000000000045dfe7 RDX: 00007fffcab56100 RSI: 0000000000008914 RDI: 0000000000000004 RBP: 00007fffcab56180 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000004 R13: 0000000000000047 R14: 00007fffcab561d0 R15: 0000000000000020 INFO: task syz-executor.1:6973 blocked for more than 144 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.1 state:D stack:11688 pid: 6973 ppid: 1 flags:0x00000004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 rtnl_lock net/core/rtnetlink.c:72 [inline] rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 __sys_sendto+0xec/0x160 net/socket.c:1992 __do_sys_sendto net/socket.c:2004 [inline] __se_sys_sendto net/socket.c:2000 [inline] __x64_sys_sendto+0x1f/0x30 net/socket.c:2000 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x417a27 Code: Bad RIP value. RSP: 002b:00007fff39ffd9c0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000016a4300 RCX: 0000000000417a27 RDX: 0000000000000028 RSI: 00000000016a4350 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007fff39ffd9d0 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000016a4350 R15: 0000000000000003 INFO: task kworker/1:4:8278 blocked for more than 144 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:4 state:D stack:13344 pid: 8278 ppid: 2 flags:0x00004000 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 addrconf_dad_work+0x3f/0x500 net/ipv6/addrconf.c:4027 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269 worker_thread+0x38/0x380 kernel/workqueue.c:2415 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task syz-executor.5:8320 blocked for more than 144 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.5 state:D stack:12152 pid: 8320 ppid: 6969 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 tcf_action_init_1+0x277/0x4f0 net/sched/act_api.c:973 tcf_action_init+0xcf/0x1f0 net/sched/act_api.c:1054 tcf_action_add+0x7d/0x190 net/sched/act_api.c:1467 tc_ctl_action+0xdb/0x132 net/sched/act_api.c:1520 rtnetlink_rcv_msg+0x173/0x480 net/core/rtnetlink.c:5563 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 ____sys_sendmsg+0x1ed/0x230 net/socket.c:2353 ___sys_sendmsg+0x77/0xb0 net/socket.c:2407 __sys_sendmsg+0x52/0xa0 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e179 Code: Bad RIP value. RSP: 002b:00007fc2780e7c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000002d400 RCX: 000000000045e179 RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003 RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c R13: 00007fff040dffcf R14: 00007fc2780e89c0 R15: 000000000118cf4c INFO: task syz-executor.5:8352 blocked for more than 145 seconds. Not tainted 5.9.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.5 state:D stack:14176 pid: 8352 ppid: 6969 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:3778 [inline] __schedule+0x418/0x910 kernel/sched/core.c:4527 schedule+0x37/0xe0 kernel/sched/core.c:4602 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661 __mutex_lock_common kernel/locking/mutex.c:1033 [inline] __mutex_lock+0x472/0x9f0 kernel/locking/mutex.c:1103 rtnl_lock net/core/rtnetlink.c:72 [inline] rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 ____sys_sendmsg+0x1ed/0x230 net/socket.c:2353 ___sys_sendmsg+0x77/0xb0 net/socket.c:2407 __sys_sendmsg+0x52/0xa0 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e179 Code: Bad RIP value. RSP: 002b:00007fc2780a5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000002d400 RCX: 000000000045e179 RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003 RBP: 000000000118d0d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118d09c R13: 00007fff040dffcf R14: 00007fc2780a69c0 R15: 000000000118d09c Showing all locks held in the system: 3 locks held by kworker/0:0/5: #0: ffff888217086b38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff888217086b38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff888217086b38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #1: ffffc90000c93e70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90000c93e70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90000c93e70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #2: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0x3f/0x500 net/ipv6/addrconf.c:4027 1 lock held by khungtaskd/1024: #0: ffffffff84518fe0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x15/0x17a kernel/locking/lockdep.c:5853 3 locks held by kworker/0:2/2640: #0: ffff88812bc55f38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff88812bc55f38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88812bc55f38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #1: ffffc90005b27e70 ((reg_check_chans).work){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90005b27e70 ((reg_check_chans).work){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90005b27e70 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #2: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: reg_check_chans_work+0x23/0x4a0 net/wireless/reg.c:2199 1 lock held by in:imklog/6450: #0: ffff88811f1f7cf0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x45/0x50 fs/file.c:930 1 lock held by syz-executor.2/6963: #0: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0xa4/0x7a0 net/ipv4/devinet.c:1067 2 locks held by syz-executor.3/6965: #0: ffffffff84887e10 (cb_lock){++++}-{3:3}, at: genl_rcv+0x10/0x30 net/netlink/genetlink.c:741 #1: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0xf9/0x1b0 net/wireless/nl80211.c:14304 1 lock held by syz-executor.4/6967: #0: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 1 lock held by syz-executor.0/6972: #0: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0xa4/0x7a0 net/ipv4/devinet.c:1067 1 lock held by syz-executor.1/6973: #0: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 3 locks held by kworker/1:4/8278: #0: ffff888217086b38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #0: ffff888217086b38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff888217086b38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #1: ffffc90002e97e70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:615 [inline] #1: ffffc90002e97e70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #1: ffffc90002e97e70 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x1de/0x5f0 kernel/workqueue.c:2240 #2: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0x3f/0x500 net/ipv6/addrconf.c:4027 1 lock held by syz-executor.5/8320: #0: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: tcf_action_init_1+0x277/0x4f0 net/sched/act_api.c:973 2 locks held by syz-executor.5/8334: 1 lock held by syz-executor.5/8352: #0: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline] #0: ffffffff8486f448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x14a/0x480 net/core/rtnetlink.c:5560 ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 1024 Comm: khungtaskd Not tainted 5.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa3/0xcc lib/dump_stack.c:118 nmi_cpu_backtrace.cold.8+0x3e/0x58 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0xd5/0xec lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:209 [inline] watchdog+0x58e/0x680 kernel/hung_task.c:295 kthread+0x148/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 8334 Comm: syz-executor.5 Not tainted 5.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:770 [inline] RIP: 0010:lock_is_held_type+0xe8/0x120 kernel/locking/lockdep.c:5070 Code: 14 25 c0 7e 01 00 8b 82 e4 08 00 00 83 e8 01 66 85 c0 89 82 e4 08 00 00 75 37 48 83 3d 98 08 2b 01 00 74 2b 48 8b 3c 24 57 9d <0f> 1f 44 00 00 48 83 c4 08 89 c8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 RSP: 0018:ffffc90002fc7458 EFLAGS: 00000286 RAX: 0000000000000000 RBX: ffff88810e72efa8 RCX: 0000000000000000 RDX: ffff88810e72e6c0 RSI: ffffffff84518f60 RDI: 0000000000000286 RBP: ffff88810e72e6c0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: ffff8881107cd4d8 R12: ffffffff84518f60 R13: ffff88810e72efa8 R14: 00000000ffffffff R15: 0000000000000001 FS: 00007fc2780c7700(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffefc72acb8 CR3: 000000010dad9000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lock_is_held include/linux/lockdep.h:267 [inline] rcu_read_lock_sched_held+0x4d/0x80 kernel/rcu/update.c:136 trace_lock_acquire include/trace/events/lock.h:13 [inline] lock_acquire+0x37d/0x400 kernel/locking/lockdep.c:5003 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x94/0x9f0 kernel/locking/mutex.c:1103 tcf_idr_check_alloc+0x43/0x120 net/sched/act_api.c:499 tcf_connmark_init+0x144/0x370 net/sched/act_connmark.c:124 tcf_action_init_1+0x3cc/0x4f0 net/sched/act_api.c:995 tcf_action_init+0xcf/0x1f0 net/sched/act_api.c:1054 tcf_action_add+0x7d/0x190 net/sched/act_api.c:1467 tc_ctl_action+0xdb/0x132 net/sched/act_api.c:1520 rtnetlink_rcv_msg+0x173/0x480 net/core/rtnetlink.c:5563 netlink_rcv_skb+0x41/0x110 net/netlink/af_netlink.c:2470 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x19a/0x270 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x248/0x480 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0x2b/0x40 net/socket.c:671 ____sys_sendmsg+0x1ed/0x230 net/socket.c:2353 ___sys_sendmsg+0x77/0xb0 net/socket.c:2407 __sys_sendmsg+0x52/0xa0 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e179 Code: 3d b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fc2780c6c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000002d400 RCX: 000000000045e179 RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000004 RBP: 000000000118d028 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cff4 R13: 00007fff040dffcf R14: 00007fc2780c79c0 R15: 000000000118cff4