====================================================== WARNING: possible circular locking dependency detected 4.16.0-rc7+ #292 Not tainted ------------------------------------------------------ syz-executor6/21173 is trying to acquire lock: (_xmit_ETHER#2){+.-.}, at: [<0000000032cfae7d>] spin_lock include/linux/spinlock.h:310 [inline] (_xmit_ETHER#2){+.-.}, at: [<0000000032cfae7d>] __netif_tx_lock include/linux/netdevice.h:3582 [inline] (_xmit_ETHER#2){+.-.}, at: [<0000000032cfae7d>] sch_direct_xmit+0x361/0x1140 net/sched/sch_generic.c:325 but task is already holding lock: (_xmit_TUNNEL6#2){+.-.}, at: [<000000001ae7c11a>] spin_lock include/linux/spinlock.h:310 [inline] (_xmit_TUNNEL6#2){+.-.}, at: [<000000001ae7c11a>] __netif_tx_lock include/linux/netdevice.h:3582 [inline] (_xmit_TUNNEL6#2){+.-.}, at: [<000000001ae7c11a>] __dev_queue_xmit+0x2781/0x2fc0 net/core/dev.c:3580 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (_xmit_TUNNEL6#2){+.-.}: __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:310 [inline] __netif_tx_lock include/linux/netdevice.h:3582 [inline] __dev_queue_xmit+0x2781/0x2fc0 net/core/dev.c:3580 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 neigh_direct_output+0x15/0x20 net/core/neighbour.c:1390 neigh_output include/net/neighbour.h:482 [inline] ip_finish_output2+0x91a/0x1550 net/ipv4/ip_output.c:229 ip_do_fragment+0xc66/0x26d0 net/ipv4/ip_output.c:810 ip_fragment.constprop.47+0x145/0x200 net/ipv4/ip_output.c:546 ip_finish_output+0x698/0xd60 net/ipv4/ip_output.c:315 NF_HOOK_COND include/linux/netfilter.h:277 [inline] ip_mc_output+0x271/0x1350 net/ipv4/ip_output.c:390 dst_output include/net/dst.h:444 [inline] ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 iptunnel_xmit+0x556/0x810 net/ipv4/ip_tunnel_core.c:91 ip_tunnel_xmit+0x177b/0x3550 net/ipv4/ip_tunnel.c:777 __gre_xmit+0x546/0x8b0 net/ipv4/ip_gre.c:449 erspan_xmit+0x779/0x22a0 net/ipv4/ip_gre.c:731 __netdev_start_xmit include/linux/netdevice.h:4087 [inline] netdev_start_xmit include/linux/netdevice.h:4096 [inline] xmit_one net/core/dev.c:3053 [inline] dev_hard_start_xmit+0x24e/0xac0 net/core/dev.c:3069 sch_direct_xmit+0x40d/0x1140 net/sched/sch_generic.c:327 qdisc_restart net/sched/sch_generic.c:399 [inline] __qdisc_run+0x676/0x19b0 net/sched/sch_generic.c:410 __dev_xmit_skb net/core/dev.c:3244 [inline] __dev_queue_xmit+0xb8b/0x2fc0 net/core/dev.c:3552 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 br_dev_queue_push_xmit+0x196/0x5a0 net/bridge/br_forward.c:55 NF_HOOK include/linux/netfilter.h:288 [inline] br_forward_finish+0xc8/0x530 net/bridge/br_forward.c:67 NF_HOOK include/linux/netfilter.h:288 [inline] __br_forward+0x533/0xc80 net/bridge/br_forward.c:112 br_flood+0x665/0x770 net/bridge/br_forward.c:225 br_dev_xmit+0xfbe/0x1550 net/bridge/br_device.c:103 __netdev_start_xmit include/linux/netdevice.h:4087 [inline] netdev_start_xmit include/linux/netdevice.h:4096 [inline] xmit_one net/core/dev.c:3053 [inline] dev_hard_start_xmit+0x24e/0xac0 net/core/dev.c:3069 __dev_queue_xmit+0x26bf/0x2fc0 net/core/dev.c:3584 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 neigh_hh_output include/net/neighbour.h:472 [inline] neigh_output include/net/neighbour.h:480 [inline] ip_finish_output2+0xf4d/0x1550 net/ipv4/ip_output.c:229 ip_do_fragment+0x1f4e/0x26d0 net/ipv4/ip_output.c:675 ip_fragment.constprop.47+0x145/0x200 net/ipv4/ip_output.c:546 ip_finish_output+0x698/0xd60 net/ipv4/ip_output.c:315 NF_HOOK_COND include/linux/netfilter.h:277 [inline] ip_mc_output+0x271/0x1350 net/ipv4/ip_output.c:390 dst_output include/net/dst.h:444 [inline] ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1421 udp_send_skb+0x666/0xc30 net/ipv4/udp.c:803 udp_sendmsg+0xba0/0x2f70 net/ipv4/udp.c:1038 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xca/0x110 net/socket.c:639 SYSC_sendto+0x361/0x5c0 net/socket.c:1748 SyS_sendto+0x40/0x50 net/socket.c:1716 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #0 (_xmit_ETHER#2){+.-.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:310 [inline] __netif_tx_lock include/linux/netdevice.h:3582 [inline] sch_direct_xmit+0x361/0x1140 net/sched/sch_generic.c:325 qdisc_restart net/sched/sch_generic.c:399 [inline] __qdisc_run+0x676/0x19b0 net/sched/sch_generic.c:410 __dev_xmit_skb net/core/dev.c:3244 [inline] __dev_queue_xmit+0xb8b/0x2fc0 net/core/dev.c:3552 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 br_dev_queue_push_xmit+0x196/0x5a0 net/bridge/br_forward.c:55 NF_HOOK include/linux/netfilter.h:288 [inline] br_forward_finish+0xc8/0x530 net/bridge/br_forward.c:67 NF_HOOK include/linux/netfilter.h:288 [inline] __br_forward+0x533/0xc80 net/bridge/br_forward.c:112 br_flood+0x665/0x770 net/bridge/br_forward.c:225 br_dev_xmit+0xa68/0x1550 net/bridge/br_device.c:87 __netdev_start_xmit include/linux/netdevice.h:4087 [inline] netdev_start_xmit include/linux/netdevice.h:4096 [inline] xmit_one net/core/dev.c:3053 [inline] dev_hard_start_xmit+0x24e/0xac0 net/core/dev.c:3069 __dev_queue_xmit+0x26bf/0x2fc0 net/core/dev.c:3584 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 arp_xmit_finish net/ipv4/arp.c:634 [inline] NF_HOOK include/linux/netfilter.h:288 [inline] arp_xmit+0xd6/0x550 net/ipv4/arp.c:643 arp_send_dst.part.18+0x19b/0x280 net/ipv4/arp.c:321 arp_send_dst net/ipv4/arp.c:394 [inline] arp_solicit+0x86a/0x1320 net/ipv4/arp.c:393 neigh_probe+0xc3/0x100 net/core/neighbour.c:899 __neigh_event_send+0x927/0x1040 net/core/neighbour.c:1055 neigh_event_send include/net/neighbour.h:435 [inline] neigh_resolve_output+0x62b/0xa00 net/core/neighbour.c:1334 neigh_output include/net/neighbour.h:482 [inline] ip_finish_output2+0x91a/0x1550 net/ipv4/ip_output.c:229 ip_finish_output+0x864/0xd60 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:277 [inline] ip_output+0x1d2/0x860 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1421 ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1441 icmp_push_reply+0x395/0x4f0 net/ipv4/icmp.c:394 icmp_send+0x1136/0x19b0 net/ipv4/icmp.c:741 ipv4_link_failure+0x2a/0x1b0 net/ipv4/route.c:1200 dst_link_failure include/net/dst.h:427 [inline] vti6_xmit net/ipv6/ip6_vti.c:517 [inline] vti6_tnl_xmit+0x6ee/0x1820 net/ipv6/ip6_vti.c:556 __netdev_start_xmit include/linux/netdevice.h:4087 [inline] netdev_start_xmit include/linux/netdevice.h:4096 [inline] xmit_one net/core/dev.c:3053 [inline] dev_hard_start_xmit+0x24e/0xac0 net/core/dev.c:3069 __dev_queue_xmit+0x26bf/0x2fc0 net/core/dev.c:3584 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 neigh_direct_output+0x15/0x20 net/core/neighbour.c:1390 neigh_output include/net/neighbour.h:482 [inline] ip_finish_output2+0x91a/0x1550 net/ipv4/ip_output.c:229 ip_finish_output+0x864/0xd60 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:277 [inline] ip_output+0x1d2/0x860 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 ip_queue_xmit+0x8c0/0x1920 net/ipv4/ip_output.c:504 tcp_transmit_skb+0x1b12/0x3960 net/ipv4/tcp_output.c:1176 tcp_connect+0x2d29/0x4100 net/ipv4/tcp_output.c:3499 tcp_v4_connect+0x15ef/0x1e70 net/ipv4/tcp_ipv4.c:272 __inet_stream_connect+0x2e3/0x1000 net/ipv4/af_inet.c:655 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:719 SYSC_connect+0x213/0x4a0 net/socket.c:1640 SyS_connect+0x24/0x30 net/socket.c:1621 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(_xmit_TUNNEL6#2); lock(_xmit_ETHER#2); lock(_xmit_TUNNEL6#2); lock(_xmit_ETHER#2); *** DEADLOCK *** 10 locks held by syz-executor6/21173: #0: (sk_lock-AF_INET){+.+.}, at: [<000000001898ca8f>] lock_sock include/net/sock.h:1469 [inline] #0: (sk_lock-AF_INET){+.+.}, at: [<000000001898ca8f>] inet_stream_connect+0x44/0xa0 net/ipv4/af_inet.c:718 #1: (rcu_read_lock){....}, at: [<00000000e8c173ef>] read_pnet include/net/net_namespace.h:288 [inline] #1: (rcu_read_lock){....}, at: [<00000000e8c173ef>] sock_net include/net/sock.h:2306 [inline] #1: (rcu_read_lock){....}, at: [<00000000e8c173ef>] ip_queue_xmit+0x9e/0x1920 net/ipv4/ip_output.c:429 #2: (rcu_read_lock_bh){....}, at: [<000000009bd2e42d>] lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline] #2: (rcu_read_lock_bh){....}, at: [<000000009bd2e42d>] ip_finish_output2+0x2aa/0x1550 net/ipv4/ip_output.c:213 #3: (rcu_read_lock_bh){....}, at: [<000000004b7cfc59>] __dev_queue_xmit+0x2fe/0x2fc0 net/core/dev.c:3518 #4: (_xmit_TUNNEL6#2){+.-.}, at: [<000000001ae7c11a>] spin_lock include/linux/spinlock.h:310 [inline] #4: (_xmit_TUNNEL6#2){+.-.}, at: [<000000001ae7c11a>] __netif_tx_lock include/linux/netdevice.h:3582 [inline] #4: (_xmit_TUNNEL6#2){+.-.}, at: [<000000001ae7c11a>] __dev_queue_xmit+0x2781/0x2fc0 net/core/dev.c:3580 #5: (k-slock-AF_INET){+.-.}, at: [<0000000059be68f0>] spin_trylock include/linux/spinlock.h:320 [inline] #5: (k-slock-AF_INET){+.-.}, at: [<0000000059be68f0>] icmp_xmit_lock net/ipv4/icmp.c:219 [inline] #5: (k-slock-AF_INET){+.-.}, at: [<0000000059be68f0>] icmp_send+0x758/0x19b0 net/ipv4/icmp.c:668 #6: (rcu_read_lock_bh){....}, at: [<000000009bd2e42d>] lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline] #6: (rcu_read_lock_bh){....}, at: [<000000009bd2e42d>] ip_finish_output2+0x2aa/0x1550 net/ipv4/ip_output.c:213 #7: (rcu_read_lock_bh){....}, at: [<000000004b7cfc59>] __dev_queue_xmit+0x2fe/0x2fc0 net/core/dev.c:3518 #8: (rcu_read_lock){....}, at: [<00000000cc6d657d>] br_dev_xmit+0x11d/0x1550 net/bridge/br_device.c:43 #9: (rcu_read_lock_bh){....}, at: [<000000004b7cfc59>] __dev_queue_xmit+0x2fe/0x2fc0 net/core/dev.c:3518 stack backtrace: CPU: 1 PID: 21173 Comm: syz-executor6 Not tainted 4.16.0-rc7+ #292 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223 check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1976 [inline] validate_chain kernel/locking/lockdep.c:2417 [inline] __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:310 [inline] __netif_tx_lock include/linux/netdevice.h:3582 [inline] sch_direct_xmit+0x361/0x1140 net/sched/sch_generic.c:325 qdisc_restart net/sched/sch_generic.c:399 [inline] __qdisc_run+0x676/0x19b0 net/sched/sch_generic.c:410 __dev_xmit_skb net/core/dev.c:3244 [inline] __dev_queue_xmit+0xb8b/0x2fc0 net/core/dev.c:3552 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 br_dev_queue_push_xmit+0x196/0x5a0 net/bridge/br_forward.c:55 NF_HOOK include/linux/netfilter.h:288 [inline] br_forward_finish+0xc8/0x530 net/bridge/br_forward.c:67 NF_HOOK include/linux/netfilter.h:288 [inline] __br_forward+0x533/0xc80 net/bridge/br_forward.c:112 br_flood+0x665/0x770 net/bridge/br_forward.c:225 br_dev_xmit+0xa68/0x1550 net/bridge/br_device.c:87 __netdev_start_xmit include/linux/netdevice.h:4087 [inline] netdev_start_xmit include/linux/netdevice.h:4096 [inline] xmit_one net/core/dev.c:3053 [inline] dev_hard_start_xmit+0x24e/0xac0 net/core/dev.c:3069 __dev_queue_xmit+0x26bf/0x2fc0 net/core/dev.c:3584 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 arp_xmit_finish net/ipv4/arp.c:634 [inline] NF_HOOK include/linux/netfilter.h:288 [inline] arp_xmit+0xd6/0x550 net/ipv4/arp.c:643 arp_send_dst.part.18+0x19b/0x280 net/ipv4/arp.c:321 arp_send_dst net/ipv4/arp.c:394 [inline] arp_solicit+0x86a/0x1320 net/ipv4/arp.c:393 neigh_probe+0xc3/0x100 net/core/neighbour.c:899 __neigh_event_send+0x927/0x1040 net/core/neighbour.c:1055 neigh_event_send include/net/neighbour.h:435 [inline] neigh_resolve_output+0x62b/0xa00 net/core/neighbour.c:1334 neigh_output include/net/neighbour.h:482 [inline] ip_finish_output2+0x91a/0x1550 net/ipv4/ip_output.c:229 ip_finish_output+0x864/0xd60 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:277 [inline] ip_output+0x1d2/0x860 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1421 ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1441 icmp_push_reply+0x395/0x4f0 net/ipv4/icmp.c:394 icmp_send+0x1136/0x19b0 net/ipv4/icmp.c:741 ipv4_link_failure+0x2a/0x1b0 net/ipv4/route.c:1200 dst_link_failure include/net/dst.h:427 [inline] vti6_xmit net/ipv6/ip6_vti.c:517 [inline] vti6_tnl_xmit+0x6ee/0x1820 net/ipv6/ip6_vti.c:556 __netdev_start_xmit include/linux/netdevice.h:4087 [inline] netdev_start_xmit include/linux/netdevice.h:4096 [inline] xmit_one net/core/dev.c:3053 [inline] dev_hard_start_xmit+0x24e/0xac0 net/core/dev.c:3069 __dev_queue_xmit+0x26bf/0x2fc0 net/core/dev.c:3584 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 neigh_direct_output+0x15/0x20 net/core/neighbour.c:1390 neigh_output include/net/neighbour.h:482 [inline] ip_finish_output2+0x91a/0x1550 net/ipv4/ip_output.c:229 ip_finish_output+0x864/0xd60 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:277 [inline] ip_output+0x1d2/0x860 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 ip_queue_xmit+0x8c0/0x1920 net/ipv4/ip_output.c:504 tcp_transmit_skb+0x1b12/0x3960 net/ipv4/tcp_output.c:1176 tcp_connect+0x2d29/0x4100 net/ipv4/tcp_output.c:3499 tcp_v4_connect+0x15ef/0x1e70 net/ipv4/tcp_ipv4.c:272 __inet_stream_connect+0x2e3/0x1000 net/ipv4/af_inet.c:655 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:719 SYSC_connect+0x213/0x4a0 net/socket.c:1640 SyS_connect+0x24/0x30 net/socket.c:1621 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x4552d9 RSP: 002b:00007f16a6068c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f16a60696d4 RCX: 00000000004552d9 RDX: 0000000000000010 RSI: 0000000020000240 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000059 R14: 00000000006f38f8 R15: 0000000000000000