[....] Starting enhanced syslogd: rsyslogd[ 13.360183] audit: type=1400 audit(1538998706.508:4): avc: denied { syslog } for pid=1918 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.66' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 41.021145] [ 41.022787] ====================================================== [ 41.029073] [ INFO: possible circular locking dependency detected ] [ 41.035465] 4.4.159+ #108 Not tainted [ 41.039233] ------------------------------------------------------- [ 41.045614] syz-executor265/2077 is trying to acquire lock: [ 41.051296] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x31b/0x40c0 [ 41.060182] [ 41.060182] but task is already holding lock: [ 41.066136] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 41.074919] [ 41.074919] which lock already depends on the new lock. [ 41.074919] [ 41.083250] [ 41.083250] the existing dependency chain (in reverse order) is: [ 41.090857] -> #1 (_xmit_NETROM){+.-...}: [ 41.095635] [] lock_acquire+0x15e/0x450 [ 41.101874] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 41.108821] [] depot_save_stack+0x20b/0x5eb [ 41.115407] [] kasan_kmalloc.part.1+0xc9/0xf0 [ 41.122169] [] kasan_kmalloc+0xaf/0xc0 [ 41.128320] [] kasan_slab_alloc+0x12/0x20 [ 41.134731] [] kmem_cache_alloc+0xdc/0x2c0 [ 41.141230] [] inet_getpeer+0x159d/0x1d70 [ 41.147643] [] icmp6_send+0x17b7/0x1b70 [ 41.153878] [] icmpv6_param_prob+0x29/0x40 [ 41.160376] [] ipv6_frag_rcv+0x3de6/0x4f80 [ 41.166888] [] ip6_input_finish+0x57d/0x1510 [ 41.173569] [] ip6_input+0xf6/0x200 [ 41.179467] [] ip6_rcv_finish+0x14e/0x670 [ 41.185876] [] ipv6_rcv+0x10b2/0x1d10 [ 41.191943] [] __netif_receive_skb_core+0x12c8/0x2820 [ 41.199396] [] __netif_receive_skb+0x5b/0x1c0 [ 41.206152] [] process_backlog+0x20a/0x670 [ 41.212719] [] net_rx_action+0x367/0xd50 [ 41.219051] [] __do_softirq+0x22c/0xa1a [ 41.225338] [] do_softirq_own_stack+0x1c/0x30 [ 41.232108] [] do_softirq.part.2+0x54/0x60 [ 41.238634] [] do_softirq+0x19/0x20 [ 41.244528] [] netif_rx_ni+0xec/0x3a0 [ 41.250604] [] tun_get_user+0xf3a/0x2690 [ 41.256933] [] tun_chr_write_iter+0xd5/0x190 [ 41.263605] [] do_iter_readv_writev+0x133/0x1d0 [ 41.270581] [] do_readv_writev+0x335/0x6f0 [ 41.277092] [] vfs_writev+0x7b/0xb0 [ 41.282995] [] SyS_writev+0xd9/0x250 [ 41.288972] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 41.296183] -> #0 (&(&q->lock)->rlock){+.-...}: [ 41.301480] [] __lock_acquire+0x3e6c/0x5f10 [ 41.308067] [] lock_acquire+0x15e/0x450 [ 41.314317] [] _raw_spin_lock+0x36/0x50 [ 41.320565] [] ip_defrag+0x31b/0x40c0 [ 41.326636] [] ip_check_defrag+0x3a7/0x710 [ 41.333154] [] packet_rcv_fanout+0x52a/0x5e0 [ 41.339916] [] dev_hard_start_xmit+0x650/0x11c0 [ 41.346853] [] sch_direct_xmit+0x2b8/0x6c0 [ 41.353354] [] __dev_queue_xmit+0xf95/0x1c30 [ 41.360044] [] dev_queue_xmit+0x17/0x20 [ 41.366280] [] neigh_resolve_output+0x600/0x780 [ 41.373216] [] ip_finish_output2+0x8f0/0x1100 [ 41.379995] [] ip_do_fragment+0x1870/0x1f60 [ 41.386585] [] ip_fragment.constprop.5+0x145/0x200 [ 41.393792] [] ip_finish_output+0x396/0xc00 [ 41.400385] [] ip_mc_output+0x237/0x980 [ 41.406628] [] ip_local_out+0x9b/0x180 [ 41.412837] [] ip_send_skb+0x3c/0xc0 [ 41.418836] [] udp_send_skb+0x503/0xc70 [ 41.425075] [] udp_sendmsg+0x16c9/0x1c70 [ 41.431403] [] inet_sendmsg+0x203/0x4d0 [ 41.437705] [] sock_sendmsg+0xbb/0x110 [ 41.443873] [] SyS_sendto+0x220/0x370 [ 41.449940] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 41.457140] [ 41.457140] other info that might help us debug this: [ 41.457140] [ 41.465585] Possible unsafe locking scenario: [ 41.465585] [ 41.471618] CPU0 CPU1 [ 41.476258] ---- ---- [ 41.480949] lock(_xmit_NETROM); [ 41.484621] lock(&(&q->lock)->rlock); [ 41.491328] lock(_xmit_NETROM); [ 41.497517] lock(&(&q->lock)->rlock); [ 41.501699] [ 41.501699] *** DEADLOCK *** [ 41.501699] [ 41.507735] 4 locks held by syz-executor265/2077: [ 41.512546] #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1100 [ 41.522536] #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30 [ 41.532398] #2: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 41.541731] #3: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xa8/0x11c0 [ 41.551520] [ 41.551520] stack backtrace: [ 41.556006] CPU: 1 PID: 2077 Comm: syz-executor265 Not tainted 4.4.159+ #108 [ 41.563207] 0000000000000000 b39aeeed83d339d1 ffff8800b648ed88 ffffffff81a994bd [ 41.571201] ffffffff83accfd0 ffffffff83acd690 ffffffff83accfd0 ffff8800b70c20f8 [ 41.579199] ffff8800b70c17c0 ffff8800b648edd0 ffffffff813a84ea 0000000000000003 [ 41.587188] Call Trace: [ 41.589752] [] dump_stack+0xc1/0x124 [ 41.595097] [] print_circular_bug.cold.34+0x2f7/0x432 [ 41.601908] [] __lock_acquire+0x3e6c/0x5f10 [ 41.607853] [] ? trace_hardirqs_on+0x10/0x10 [ 41.613894] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 41.620863] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 41.627688] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 41.634422] [] ? mod_timer+0x433/0x8f0 [ 41.640003] [] lock_acquire+0x15e/0x450 [ 41.645623] [] ? ip_defrag+0x31b/0x40c0 [ 41.651225] [] ? inet_frag_find+0x27a/0x9a0 [ 41.657172] [] _raw_spin_lock+0x36/0x50 [ 41.662773] [] ? ip_defrag+0x31b/0x40c0 [ 41.668370] [] ip_defrag+0x31b/0x40c0 [ 41.673905] [] ? trace_hardirqs_on+0x10/0x10 [ 41.679941] [] ? ipv4_frags_init_net+0x3a0/0x3a0 [ 41.686321] [] ip_check_defrag+0x3a7/0x710 [ 41.692180] [] ? ip_defrag+0x40c0/0x40c0 [ 41.697863] [] packet_rcv_fanout+0x52a/0x5e0 [ 41.703891] [] ? fanout_demux_rollover+0x4e0/0x4e0 [ 41.710444] [] dev_hard_start_xmit+0x650/0x11c0 [ 41.716884] [] ? dev_hard_start_xmit+0xa8/0x11c0 [ 41.723531] [] sch_direct_xmit+0x2b8/0x6c0 [ 41.729437] [] ? dev_deactivate_queue.constprop.6+0x160/0x160 [ 41.736967] [] __dev_queue_xmit+0xf95/0x1c30 [ 41.742999] [] ? __dev_queue_xmit+0x1d7/0x1c30 [ 41.749227] [] ? trace_hardirqs_on+0x10/0x10 [ 41.755264] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 41.761222] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 41.767956] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 41.774684] [] ? memcpy+0x45/0x50 [ 41.779760] [] dev_queue_xmit+0x17/0x20 [ 41.785357] [] neigh_resolve_output+0x600/0x780 [ 41.791769] [] ? ip_finish_output2+0x8f0/0x1100 [ 41.798063] [] ip_finish_output2+0x8f0/0x1100 [ 41.804186] [] ? ip_finish_output2+0x20b/0x1100 [ 41.810639] [] ? nf_ct_deliver_cached_events+0x335/0x560 [ 41.817717] [] ? nf_ct_deliver_cached_events+0x83/0x560 [ 41.824707] [] ? nf_conntrack_seqadj_fini+0x20/0x20 [ 41.831347] [] ? ip_send_check+0xb0/0xb0 [ 41.837035] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 41.843763] [] ip_do_fragment+0x1870/0x1f60 [ 41.849840] [] ? ip_send_check+0xb0/0xb0 [ 41.855535] [] ip_fragment.constprop.5+0x145/0x200 [ 41.862100] [] ip_finish_output+0x396/0xc00 [ 41.868046] [] ip_mc_output+0x237/0x980 [ 41.873652] [] ? ip_queue_xmit+0x1a80/0x1a80 [ 41.879684] [] ? ip_make_skb+0x116/0x210 [ 41.885367] [] ? ip_fragment.constprop.5+0x200/0x200 [ 41.892100] [] ? ip_flush_pending_frames+0x30/0x30 [ 41.898655] [] ip_local_out+0x9b/0x180 [ 41.904165] [] ip_send_skb+0x3c/0xc0 [ 41.909510] [] udp_send_skb+0x503/0xc70 [ 41.915112] [] udp_sendmsg+0x16c9/0x1c70 [ 41.920798] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 41.926916] [] ? udp_lib_unhash+0x630/0x630 [ 41.932904] [] ? trace_hardirqs_on+0x10/0x10 [ 41.938947] [] ? sock_has_perm+0x1c1/0x3f0 [ 41.944805] [] ? sock_has_perm+0x2a1/0x3f0 [ 41.950690] [] ? sock_has_perm+0x9f/0x3f0 [ 41.956494] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 41.963254] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 41.969996] [] ? check_preemption_disabled+0x3b/0x170 [ 41.976818] [] ? inet_sendmsg+0x143/0x4d0 [ 41.982590] [] inet_sendmsg+0x203/0x4d0 [ 41.988184] [] ? inet_sendmsg+0x73/0x4d0 [ 41.993864] [] ? inet_recvmsg+0x4c0/0x4c0 [ 41.999638] [] sock_sendmsg+0xbb/0x110 [ 42.005221] [] SyS_sendto+0x220/0x370 [ 42.010654] [] ? SyS_getpeername+0x2d0/0x2d0 [ 42.016697] [] ? _raw_spin_unlock+0x2c/0x50 [ 42.022650] [] ? handle_mm_fault+0x49a/0x2f30 [ 42.028770] [] ? inet_dgram_connect+0x11e/0x200 [ 42.035068] [] ? retint_user+0x18/0x3c [ 42.040582] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 42.047487] [] ? trace_hardirqs_on_thunk+0x17/0x19 [ 42.054056] [] entry_SYSCALL_64_fastpath+0x1e/0x9a