ci starts bisection 2022-11-18 15:27:42.324908795 +0000 UTC m=+4698.395025199 bisecting cause commit starting from 81ac25651a62c958bb0e074e0d4e25060ea557dd building syzkaller on 4ba8ab94b872006785aeb11e8c22c9dd578b3d1e ensuring issue is reproducible on original commit 81ac25651a62c958bb0e074e0d4e25060ea557dd testing commit 81ac25651a62c958bb0e074e0d4e25060ea557dd gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0e056537973e5400a7b15e42c21c4614fa824019aebb2404dee2fc010648acd7 all runs: crashed: possible deadlock in l2tp_tunnel_register testing release v6.0 testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4fa6b939b99902d8816a35cf2b4470bfc290d6b5ecb2161371f0f616f6dbe80c all runs: OK # git bisect start 81ac25651a62c958bb0e074e0d4e25060ea557dd 4fe89d07dcc2804c8b562f6c7896a45643d34b2f Bisecting: 7051 revisions left to test after this (roughly 13 steps) [3fb55dd14036b875b96c39d6e18fc53feb891891] Merge tag 'pwm/for-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm testing commit 3fb55dd14036b875b96c39d6e18fc53feb891891 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 04500c64c38191e9fcdbbbc49518908f92e338c7304541b64584d453ccb38653 all runs: OK # git bisect good 3fb55dd14036b875b96c39d6e18fc53feb891891 Bisecting: 3380 revisions left to test after this (roughly 12 steps) [27bc50fc90647bbf7b734c3fc306a5e61350da53] Merge tag 'mm-stable-2022-10-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm testing commit 27bc50fc90647bbf7b734c3fc306a5e61350da53 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: de616198d1bd9faaebd92e719c8b44cf33ff6b48e820f5ba1282d15d7d282396 all runs: boot failed: WARNING in cpumask_next_wrap # git bisect skip 27bc50fc90647bbf7b734c3fc306a5e61350da53 Bisecting: 3380 revisions left to test after this (roughly 12 steps) [780854186946e0de2be192ee7fa5125666533b3a] wifi: mac80211: fix general-protection-fault in ieee80211_subif_start_xmit() testing commit 780854186946e0de2be192ee7fa5125666533b3a gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b27267516308084190e612f5fafa07119fcda8c18d4d09215ecb13b388e5c320 all runs: OK # git bisect good 780854186946e0de2be192ee7fa5125666533b3a Bisecting: 845 revisions left to test after this (roughly 10 steps) [9f127546bb4341df88a51df8e6cc7d8a70cbacd7] Merge tag 'char-misc-6.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit 9f127546bb4341df88a51df8e6cc7d8a70cbacd7 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f8857f837bb6aa983eb572a2956ba588131ea60a3826e52508425b7394dd9972 all runs: boot failed: WARNING in genl_register_family # git bisect skip 9f127546bb4341df88a51df8e6cc7d8a70cbacd7 Bisecting: 845 revisions left to test after this (roughly 10 steps) [3df52e584ed13a4451930d2d712580e3f2e63b6a] media: atomisp: hmm_bo: Rewrite free_private_pages() using pages_array helper funcs testing commit 3df52e584ed13a4451930d2d712580e3f2e63b6a gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f429ce051b29ba367ddef4dc4e6f1c9f244cb4038a4de6ec71361e24fc7a8f61 run #0: boot failed: possible deadlock in vivid_update_format_cap run #1: boot failed: BUG: unable to handle kernel paging request in kernel_execve run #2: boot failed: general protection fault in netdev_queue_update_kobjects run #3: boot failed: possible deadlock in vivid_update_format_cap run #4: boot failed: WARNING in copy_process run #5: boot failed: general protection fault in netdev_queue_update_kobjects run #6: boot failed: BUG: unable to handle kernel paging request in put_prev_entity run #7: boot failed: BUG: unable to handle kernel paging request in sysfs_add_file_mode_ns run #8: boot failed: BUG: unable to handle kernel paging request in insert_header run #9: boot failed: possible deadlock in vivid_update_format_cap # git bisect skip 3df52e584ed13a4451930d2d712580e3f2e63b6a Bisecting: 845 revisions left to test after this (roughly 10 steps) [89b3554782e6b65894f0551e9e0a82ad02dac94d] drm/amdgpu: set fb_modifiers_not_supported in vkms testing commit 89b3554782e6b65894f0551e9e0a82ad02dac94d gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f96be323f58ce1e22e90434823d2a6f79c72654bbd5d27e1ccd227b547a3a6b6 all runs: boot failed: WARNING in genl_register_family # git bisect skip 89b3554782e6b65894f0551e9e0a82ad02dac94d Bisecting: 845 revisions left to test after this (roughly 10 steps) [39dfd52d0f481de42a435f9fb79c98b376c68c39] media: cx88: add IR remote support for NotOnlyTV LV3H testing commit 39dfd52d0f481de42a435f9fb79c98b376c68c39 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b516a5c05218e07a1468db5b223323c7e8d086d986d4287bdc854be1512c1c34 run #0: boot failed: general protection fault in driver_register run #1: boot failed: general protection fault in driver_register run #2: boot failed: general protection fault in driver_register run #3: boot failed: general protection fault in mm_alloc run #4: boot failed: general protection fault in alloc_netdev_mqs run #5: boot failed: general protection fault in driver_register run #6: boot failed: general protection fault in scsi_alloc_sdev run #7: boot failed: general protection fault in driver_register run #8: boot failed: general protection fault in copy_process run #9: boot failed: BUG: unable to handle kernel paging request in copy_process # git bisect skip 39dfd52d0f481de42a435f9fb79c98b376c68c39 Bisecting: 845 revisions left to test after this (roughly 10 steps) [4a6f316d6855a434f56dbbeba05e14c01acde8f8] kprobe: reverse kp->flags when arm_kprobe failed testing commit 4a6f316d6855a434f56dbbeba05e14c01acde8f8 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 85394238f155499b8002ba1b73f19a682a309ab93fa09b0890db29e42b599cf5 all runs: boot failed: WARNING in genl_register_family # git bisect skip 4a6f316d6855a434f56dbbeba05e14c01acde8f8 Bisecting: 845 revisions left to test after this (roughly 10 steps) [5be07b3fb53d14581f470745d129141b97d15614] Merge tag 'hyperv-fixes-signed-20221110' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux testing commit 5be07b3fb53d14581f470745d129141b97d15614 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bf44f19b15384c54bca120f89de52de418c497727721596369ae485a51d67166 all runs: OK # git bisect good 5be07b3fb53d14581f470745d129141b97d15614 Bisecting: 110 revisions left to test after this (roughly 7 steps) [ab57bc6f027c761d5411fae9492756b5fbb91108] Merge tag 'efi-fixes-for-v6.1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi testing commit ab57bc6f027c761d5411fae9492756b5fbb91108 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 744d8ab2edb896c67a937c74fa9a38640faae8c9f7e188b0514464dc4e913bbd all runs: OK # git bisect good ab57bc6f027c761d5411fae9492756b5fbb91108 Bisecting: 54 revisions left to test after this (roughly 6 steps) [58e0be1ef6118c5352b56a4d06e974c5599993a5] net: use struct_group to copy ip/ipv6 header addresses testing commit 58e0be1ef6118c5352b56a4d06e974c5599993a5 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4b566add10b9bb49f8f2746232d9c2c88284dd6fcf1a0540528cb634292b84e3 all runs: crashed: possible deadlock in l2tp_tunnel_register # git bisect bad 58e0be1ef6118c5352b56a4d06e974c5599993a5 Bisecting: 27 revisions left to test after this (roughly 5 steps) [9d3ff7131877fb092185c369fbb14b57ac4e7cec] octeon_ep: ensure octep_get_link_status() successfully before octep_link_up() testing commit 9d3ff7131877fb092185c369fbb14b57ac4e7cec gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e7c47c72bb9ce640d392c5fcbd2eaf402256ec5baeaaf9ff712bf81011cdc1ce all runs: OK # git bisect good 9d3ff7131877fb092185c369fbb14b57ac4e7cec Bisecting: 13 revisions left to test after this (roughly 4 steps) [598ab4b12eae70654b6d8af6038e6cdb45f22634] Merge branch 'net-hns3-this-series-bugfix-for-the-hns3-ethernet-driver' testing commit 598ab4b12eae70654b6d8af6038e6cdb45f22634 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6af7f7c03cfeeb8c53858605d2b8af06e30e5222e01b47783bf0c3ef15b1dfa8 all runs: OK # git bisect good 598ab4b12eae70654b6d8af6038e6cdb45f22634 Bisecting: 6 revisions left to test after this (roughly 3 steps) [e4aa85cf0d43e293f474e3b415ff44e49ef768ae] Merge branch 'microchip-fixes' testing commit e4aa85cf0d43e293f474e3b415ff44e49ef768ae gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: dd3c1912f1671e8a824b27197efc0ecf855c303bb176d29aa1702ec323468d0c all runs: OK # git bisect good e4aa85cf0d43e293f474e3b415ff44e49ef768ae Bisecting: 2 revisions left to test after this (roughly 2 steps) [064bc7312bd09a48798418663090be0c776183db] netdevsim: Fix memory leak of nsim_dev->fa_cookie testing commit 064bc7312bd09a48798418663090be0c776183db gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 608f6f35dfbebb6948e9d65e0a59ebaa34ba34eb82dd5efe4d13e16bdd760aa6 all runs: crashed: possible deadlock in l2tp_tunnel_register # git bisect bad 064bc7312bd09a48798418663090be0c776183db Bisecting: 1 revision left to test after this (roughly 1 step) [b68777d54fac21fc833ec26ea1a2a84f975ab035] l2tp: Serialize access to sk_user_data with sk_callback_lock testing commit b68777d54fac21fc833ec26ea1a2a84f975ab035 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7ef95c2ef1ebc850ca648ed26e5fe5d6de8feece7acb9fff6812abb77691f8c1 all runs: crashed: possible deadlock in l2tp_tunnel_register # git bisect bad b68777d54fac21fc833ec26ea1a2a84f975ab035 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f524b7289bbb0c8ffaa2ba3c34c146e43da54fb2] net: thunderbolt: Fix error handling in tbnet_init() testing commit f524b7289bbb0c8ffaa2ba3c34c146e43da54fb2 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b68fd2a5bb785ead9e57a118fc3f8ef5a572c7ae8d3753b320e5043ef40a6fbf all runs: OK # git bisect good f524b7289bbb0c8ffaa2ba3c34c146e43da54fb2 b68777d54fac21fc833ec26ea1a2a84f975ab035 is the first bad commit commit b68777d54fac21fc833ec26ea1a2a84f975ab035 Author: Jakub Sitnicki Date: Mon Nov 14 20:16:19 2022 +0100 l2tp: Serialize access to sk_user_data with sk_callback_lock sk->sk_user_data has multiple users, which are not compatible with each other. Writers must synchronize by grabbing the sk->sk_callback_lock. l2tp currently fails to grab the lock when modifying the underlying tunnel socket fields. Fix it by adding appropriate locking. We err on the side of safety and grab the sk_callback_lock also inside the sk_destruct callback overridden by l2tp, even though there should be no refs allowing access to the sock at the time when sk_destruct gets called. v4: - serialize write to sk_user_data in l2tp sk_destruct v3: - switch from sock lock to sk_callback_lock - document write-protection for sk_user_data v2: - update Fixes to point to origin of the bug - use real names in Reported/Tested-by tags Cc: Tom Parkin Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") Reported-by: Haowei Yan Signed-off-by: Jakub Sitnicki Signed-off-by: David S. Miller include/net/sock.h | 2 +- net/l2tp/l2tp_core.c | 19 +++++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) culprit signature: 7ef95c2ef1ebc850ca648ed26e5fe5d6de8feece7acb9fff6812abb77691f8c1 parent signature: b68fd2a5bb785ead9e57a118fc3f8ef5a572c7ae8d3753b320e5043ef40a6fbf revisions tested: 19, total time: 5h31m57.887083916s (build: 2h55m25.221979724s, test: 2h33m43.450196404s) first bad commit: b68777d54fac21fc833ec26ea1a2a84f975ab035 l2tp: Serialize access to sk_user_data with sk_callback_lock recipients (to): ["davem@davemloft.net" "davem@davemloft.net" "edumazet@google.com" "jakub@cloudflare.com" "kuba@kernel.org" "netdev@vger.kernel.org" "pabeni@redhat.com"] recipients (cc): ["linux-kernel@vger.kernel.org" "tparkin@katalix.com"] crash: possible deadlock in l2tp_tunnel_register ======================================================== WARNING: possible irq lock inversion dependency detected 6.1.0-rc4-syzkaller #0 Not tainted -------------------------------------------------------- syz-executor.0/4178 just changed the state of lock: ffff88807e0a83b8 (k-clock-AF_INET){+++.}-{2:2}, at: l2tp_tunnel_register+0xf9/0xf60 net/l2tp/l2tp_core.c:1477 but this lock was taken by another, SOFTIRQ-safe lock in the past: (k-slock-AF_INET){+.-.}-{2:2} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(k-clock-AF_INET); local_irq_disable(); lock(k-slock-AF_INET); lock(k-clock-AF_INET); lock(k-slock-AF_INET); *** DEADLOCK *** 2 locks held by syz-executor.0/4178: #0: ffffffff8d0969d0 (cb_lock){++++}-{3:3}, at: genl_rcv+0x14/0x30 net/netlink/genetlink.c:860 #1: ffffffff8d096a88 (genl_mutex){+.+.}-{3:3}, at: genl_lock net/netlink/genetlink.c:33 [inline] #1: ffffffff8d096a88 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg+0x3e5/0x630 net/netlink/genetlink.c:848 the shortest dependencies between 2nd lock and 1st lock: -> (k-slock-AF_INET){+.-.}-{2:2} { HARDIRQ-ON-W at: lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:355 [inline] lock_sock_nested+0x54/0xd0 net/core/sock.c:3450 lock_sock include/net/sock.h:1721 [inline] __inet_bind+0x69d/0xb50 net/ipv4/af_inet.c:511 inet_bind+0x133/0x1b0 net/ipv4/af_inet.c:456 udp_sock_create4+0x19c/0x420 net/ipv4/udp_tunnel_core.c:30 udp_sock_create include/net/udp_tunnel.h:59 [inline] rxe_setup_udp_tunnel.constprop.0+0xd0/0x190 drivers/infiniband/sw/rxe/rxe_net.c:186 rxe_net_ipv4_init drivers/infiniband/sw/rxe/rxe_net.c:622 [inline] rxe_net_init+0x18/0x70 drivers/infiniband/sw/rxe/rxe_net.c:667 rxe_module_init+0xb/0x30 drivers/infiniband/sw/rxe/rxe.c:213 do_one_initcall+0xf8/0x550 init/main.c:1303 do_initcall_level init/main.c:1376 [inline] do_initcalls init/main.c:1392 [inline] do_basic_setup init/main.c:1411 [inline] kernel_init_freeable+0x5e5/0x63f init/main.c:1631 kernel_init+0x18/0x130 init/main.c:1519 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 IN-SOFTIRQ-W at: lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:350 [inline] dccp_v4_ctl_send_reset+0x961/0x1150 net/dccp/ipv4.c:569 dccp_v4_rcv+0xe75/0x1660 net/dccp/ipv4.c:924 ip_protocol_deliver_rcu+0x7f/0x5f0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x29c/0x400 net/ipv4/ip_input.c:233 __netif_receive_skb_one_core+0x104/0x180 net/core/dev.c:5489 process_backlog+0x326/0x730 net/core/dev.c:5931 __napi_poll+0x9e/0x5c0 net/core/dev.c:6498 napi_poll net/core/dev.c:6565 [inline] net_rx_action+0x8c8/0xcc0 net/core/dev.c:6676 __do_softirq+0x1fb/0xadc kernel/softirq.c:571 do_softirq.part.0+0xde/0x130 kernel/softirq.c:472 do_softirq kernel/softirq.c:464 [inline] __local_bh_enable_ip+0x106/0x130 kernel/softirq.c:396 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:808 [inline] ip_finish_output2+0x634/0x1be0 net/ipv4/ip_output.c:229 dst_output include/net/dst.h:445 [inline] ip_local_out net/ipv4/ip_output.c:126 [inline] __ip_queue_xmit+0x74c/0x1e60 net/ipv4/ip_output.c:532 dccp_transmit_skb+0xbca/0x1530 net/dccp/output.c:138 dccp_connect+0x35b/0x670 net/dccp/output.c:569 dccp_v4_connect+0xc53/0x2140 net/dccp/ipv4.c:149 __inet_stream_connect+0x542/0xcf0 net/ipv4/af_inet.c:665 inet_stream_connect+0x52/0xa0 net/ipv4/af_inet.c:729 __sys_connect+0xf9/0x130 net/socket.c:1993 __do_sys_connect net/socket.c:2003 [inline] __se_sys_connect net/socket.c:2000 [inline] __x64_sys_connect+0x6e/0xb0 net/socket.c:2000 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:355 [inline] lock_sock_nested+0x54/0xd0 net/core/sock.c:3450 lock_sock include/net/sock.h:1721 [inline] __inet_bind+0x69d/0xb50 net/ipv4/af_inet.c:511 inet_bind+0x133/0x1b0 net/ipv4/af_inet.c:456 udp_sock_create4+0x19c/0x420 net/ipv4/udp_tunnel_core.c:30 udp_sock_create include/net/udp_tunnel.h:59 [inline] rxe_setup_udp_tunnel.constprop.0+0xd0/0x190 drivers/infiniband/sw/rxe/rxe_net.c:186 rxe_net_ipv4_init drivers/infiniband/sw/rxe/rxe_net.c:622 [inline] rxe_net_init+0x18/0x70 drivers/infiniband/sw/rxe/rxe_net.c:667 rxe_module_init+0xb/0x30 drivers/infiniband/sw/rxe/rxe.c:213 do_one_initcall+0xf8/0x550 init/main.c:1303 do_initcall_level init/main.c:1376 [inline] do_initcalls init/main.c:1392 [inline] do_basic_setup init/main.c:1411 [inline] kernel_init_freeable+0x5e5/0x63f init/main.c:1631 kernel_init+0x18/0x130 init/main.c:1519 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 } ... key at: [] af_family_kern_slock_keys+0x20/0x300 ... acquired at: __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline] _raw_write_lock_bh+0x33/0x40 kernel/locking/spinlock.c:334 sock_orphan include/net/sock.h:2090 [inline] __mptcp_close+0x2f1/0x7e0 net/mptcp/protocol.c:2943 mptcp_close+0x20/0xc0 net/mptcp/protocol.c:2969 inet_release+0xf3/0x210 net/ipv4/af_inet.c:428 __sock_release+0xbb/0x270 net/socket.c:650 sock_close+0x13/0x20 net/socket.c:1365 __fput+0x1fa/0x9a0 fs/file_table.c:320 task_work_run+0x12f/0x220 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd -> (k-clock-AF_INET){+++.}-{2:2} { HARDIRQ-ON-W at: lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline] _raw_write_lock_bh+0x33/0x40 kernel/locking/spinlock.c:334 sock_orphan include/net/sock.h:2090 [inline] sk_common_release+0xb4/0x2e0 net/core/sock.c:3672 inet_release+0xf3/0x210 net/ipv4/af_inet.c:428 __sock_release net/socket.c:650 [inline] sock_release+0x81/0x190 net/socket.c:678 sock_free drivers/net/wireguard/socket.c:339 [inline] wg_socket_reinit+0x1aa/0x300 drivers/net/wireguard/socket.c:435 wg_netns_pre_exit+0xed/0x1e0 drivers/net/wireguard/device.c:427 ops_pre_exit_list net/core/net_namespace.c:159 [inline] cleanup_net+0x3a8/0x980 net/core/net_namespace.c:589 process_one_work+0x8ba/0x14c0 kernel/workqueue.c:2289 worker_thread+0x59c/0xec0 kernel/workqueue.c:2436 kthread+0x298/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 HARDIRQ-ON-R at: lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_read_lock_bh include/linux/rwlock_api_smp.h:176 [inline] _raw_read_lock_bh+0x3f/0x70 kernel/locking/spinlock.c:252 sock_i_uid+0x1a/0xa0 net/core/sock.c:2542 udp_lib_lport_inuse+0x2c/0x3f0 net/ipv4/udp.c:140 udp_lib_get_port+0x719/0x1630 net/ipv4/udp.c:306 __inet_bind+0x635/0xb50 net/ipv4/af_inet.c:525 inet_bind+0x133/0x1b0 net/ipv4/af_inet.c:456 udp_sock_create4+0x19c/0x420 net/ipv4/udp_tunnel_core.c:30 udp_sock_create include/net/udp_tunnel.h:59 [inline] rxe_setup_udp_tunnel.constprop.0+0xd0/0x190 drivers/infiniband/sw/rxe/rxe_net.c:186 rxe_net_ipv4_init drivers/infiniband/sw/rxe/rxe_net.c:622 [inline] rxe_net_init+0x18/0x70 drivers/infiniband/sw/rxe/rxe_net.c:667 rxe_module_init+0xb/0x30 drivers/infiniband/sw/rxe/rxe.c:213 do_one_initcall+0xf8/0x550 init/main.c:1303 do_initcall_level init/main.c:1376 [inline] do_initcalls init/main.c:1392 [inline] do_basic_setup init/main.c:1411 [inline] kernel_init_freeable+0x5e5/0x63f init/main.c:1631 kernel_init+0x18/0x130 init/main.c:1519 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 SOFTIRQ-ON-W at: lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_write_lock include/linux/rwlock_api_smp.h:209 [inline] _raw_write_lock+0x2e/0x40 kernel/locking/spinlock.c:300 l2tp_tunnel_register+0xf9/0xf60 net/l2tp/l2tp_core.c:1477 l2tp_nl_cmd_tunnel_create+0x364/0x9a0 net/l2tp/l2tp_netlink.c:245 genl_family_rcv_msg_doit+0x1e4/0x2f0 net/netlink/genetlink.c:756 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x34c/0x630 net/netlink/genetlink.c:850 netlink_rcv_skb+0x11c/0x370 net/netlink/af_netlink.c:2540 genl_rcv+0x23/0x30 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x437/0x710 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x786/0xc30 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xaf/0xe0 net/socket.c:734 ____sys_sendmsg+0x5f7/0x8a0 net/socket.c:2482 ___sys_sendmsg+0xdb/0x160 net/socket.c:2536 __sys_sendmsg+0xc7/0x160 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd INITIAL USE at: lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_write_lock_bh include/linux/rwlock_api_smp.h:202 [inline] _raw_write_lock_bh+0x33/0x40 kernel/locking/spinlock.c:334 sock_orphan include/net/sock.h:2090 [inline] sk_common_release+0xb4/0x2e0 net/core/sock.c:3672 inet_release+0xf3/0x210 net/ipv4/af_inet.c:428 __sock_release net/socket.c:650 [inline] sock_release+0x81/0x190 net/socket.c:678 sock_free drivers/net/wireguard/socket.c:339 [inline] wg_socket_reinit+0x1aa/0x300 drivers/net/wireguard/socket.c:435 wg_netns_pre_exit+0xed/0x1e0 drivers/net/wireguard/device.c:427 ops_pre_exit_list net/core/net_namespace.c:159 [inline] cleanup_net+0x3a8/0x980 net/core/net_namespace.c:589 process_one_work+0x8ba/0x14c0 kernel/workqueue.c:2289 worker_thread+0x59c/0xec0 kernel/workqueue.c:2436 kthread+0x298/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 INITIAL READ USE at: lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_read_lock_bh include/linux/rwlock_api_smp.h:176 [inline] _raw_read_lock_bh+0x3f/0x70 kernel/locking/spinlock.c:252 sock_i_uid+0x1a/0xa0 net/core/sock.c:2542 udp_lib_lport_inuse+0x2c/0x3f0 net/ipv4/udp.c:140 udp_lib_get_port+0x719/0x1630 net/ipv4/udp.c:306 __inet_bind+0x635/0xb50 net/ipv4/af_inet.c:525 inet_bind+0x133/0x1b0 net/ipv4/af_inet.c:456 udp_sock_create4+0x19c/0x420 net/ipv4/udp_tunnel_core.c:30 udp_sock_create include/net/udp_tunnel.h:59 [inline] rxe_setup_udp_tunnel.constprop.0+0xd0/0x190 drivers/infiniband/sw/rxe/rxe_net.c:186 rxe_net_ipv4_init drivers/infiniband/sw/rxe/rxe_net.c:622 [inline] rxe_net_init+0x18/0x70 drivers/infiniband/sw/rxe/rxe_net.c:667 rxe_module_init+0xb/0x30 drivers/infiniband/sw/rxe/rxe.c:213 do_one_initcall+0xf8/0x550 init/main.c:1303 do_initcall_level init/main.c:1376 [inline] do_initcalls init/main.c:1392 [inline] do_basic_setup init/main.c:1411 [inline] kernel_init_freeable+0x5e5/0x63f init/main.c:1631 kernel_init+0x18/0x130 init/main.c:1519 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 } ... key at: [] af_kern_callback_keys+0x20/0x300 ... acquired at: mark_lock kernel/locking/lockdep.c:4598 [inline] mark_usage kernel/locking/lockdep.c:4547 [inline] __lock_acquire+0x893/0x56d0 kernel/locking/lockdep.c:5009 lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_write_lock include/linux/rwlock_api_smp.h:209 [inline] _raw_write_lock+0x2e/0x40 kernel/locking/spinlock.c:300 l2tp_tunnel_register+0xf9/0xf60 net/l2tp/l2tp_core.c:1477 l2tp_nl_cmd_tunnel_create+0x364/0x9a0 net/l2tp/l2tp_netlink.c:245 genl_family_rcv_msg_doit+0x1e4/0x2f0 net/netlink/genetlink.c:756 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x34c/0x630 net/netlink/genetlink.c:850 netlink_rcv_skb+0x11c/0x370 net/netlink/af_netlink.c:2540 genl_rcv+0x23/0x30 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x437/0x710 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x786/0xc30 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xaf/0xe0 net/socket.c:734 ____sys_sendmsg+0x5f7/0x8a0 net/socket.c:2482 ___sys_sendmsg+0xdb/0x160 net/socket.c:2536 __sys_sendmsg+0xc7/0x160 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd stack backtrace: CPU: 0 PID: 4178 Comm: syz-executor.0 Not tainted 6.1.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x5b/0x81 lib/dump_stack.c:106 print_irq_inversion_bug kernel/locking/lockdep.c:222 [inline] check_usage_backwards kernel/locking/lockdep.c:4105 [inline] mark_lock_irq kernel/locking/lockdep.c:4198 [inline] mark_lock.part.0.cold+0x61/0xd8 kernel/locking/lockdep.c:4634 mark_lock kernel/locking/lockdep.c:4598 [inline] mark_usage kernel/locking/lockdep.c:4547 [inline] __lock_acquire+0x893/0x56d0 kernel/locking/lockdep.c:5009 lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_write_lock include/linux/rwlock_api_smp.h:209 [inline] _raw_write_lock+0x2e/0x40 kernel/locking/spinlock.c:300 l2tp_tunnel_register+0xf9/0xf60 net/l2tp/l2tp_core.c:1477 l2tp_nl_cmd_tunnel_create+0x364/0x9a0 net/l2tp/l2tp_netlink.c:245 genl_family_rcv_msg_doit+0x1e4/0x2f0 net/netlink/genetlink.c:756 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x34c/0x630 net/netlink/genetlink.c:850 netlink_rcv_skb+0x11c/0x370 net/netlink/af_netlink.c:2540 genl_rcv+0x23/0x30 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x437/0x710 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x786/0xc30 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xaf/0xe0 net/socket.c:734 ____sys_sendmsg+0x5f7/0x8a0 net/socket.c:2482 ___sys_sendmsg+0xdb/0x160 net/socket.c:2536 __sys_sendmsg+0xc7/0x160 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f0b7628b639 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f0b76fdf168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f0b763abf80 RCX: 00007f0b7628b639 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004 RBP: 00007f0b762e6ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd428ae57f R14: 00007f0b76fdf300 R15: 0000000000022000