[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 35.574659] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.846834] kauditd_printk_skb: 10 callbacks suppressed
[ 35.846842] audit: type=1400 audit(1582651142.591:35): avc: denied { map } for pid=7199 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.906925] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.668897] random: sshd: uninitialized urandom read (32 bytes read)
[ 52.686776] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
[ 58.269863] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 58.391482] audit: type=1400 audit(1582651165.141:36): avc: denied { map } for pid=7212 comm="syz-executor917" path="/root/syz-executor917063265" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 58.450184] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 58.464540] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.476870] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.489124] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.501341] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.513586] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.525984] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.538207] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.550524] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.562856] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.575091] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7215 comm=syz-executor917
[ 58.591462] ip_tables: iptables: counters copy to user failed while replacing table
executing program
[ 58.714592] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 58.734934]
[ 58.736639] ======================================================
[ 58.742991] WARNING: possible circular locking dependency detected
[ 58.749294] 4.14.171-syzkaller #0 Not tainted
[ 58.753807] ------------------------------------------------------
[ 58.760111] syz-executor917/7220 is trying to acquire lock:
[ 58.765797]  (rtnl_mutex){+.+.}, at: [] rtnl_lock+0x17/0x20
[ 58.773058]
[ 58.773058] but task is already holding lock:
[ 58.779005]  (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x3c/0x3d0
[ 58.787314]
[ 58.787314] which lock already depends on the new lock.
[ 58.787314]
[ 58.795665]
[ 58.795665] the existing dependency chain (in reverse order) is:
[ 58.803272]
[ 58.803272] -> #1 (&xt[i].mutex){+.+.}:
[ 58.808721]        lock_acquire+0x16f/0x430
[ 58.813037]        __mutex_lock+0xe8/0x1470
[ 58.817344]        mutex_lock_nested+0x16/0x20
[ 58.821922]        xt_find_target+0x3e/0x1e0
[ 58.826314]        xt_request_find_target+0x74/0xe0
[ 58.831316]        ipt_init_target+0xce/0x290
[ 58.835790]        __tcf_ipt_init+0x48c/0xb50
[ 58.840277]        tcf_xt_init+0x4e/0x60
[ 58.844327]        tcf_action_init_1+0x53c/0xaa0
[ 58.849082]        tcf_action_init+0x2ab/0x480
[ 58.853646]        tc_ctl_action+0x30a/0x548
[ 58.858076]        rtnetlink_rcv_msg+0x3da/0xb70
[ 58.862821]        netlink_rcv_skb+0x14f/0x3c0
[ 58.867399]        rtnetlink_rcv+0x1d/0x30
[ 58.871625]        netlink_unicast+0x44d/0x650
[ 58.876185]        netlink_sendmsg+0x7c4/0xc60
[ 58.880754]        sock_sendmsg+0xce/0x110
[ 58.884976]        kernel_sendmsg+0x44/0x50
[ 58.889284]        sock_no_sendpage+0x107/0x130
[ 58.893940]        kernel_sendpage+0x92/0xf0
[ 58.898335]        sock_sendpage+0x8b/0xc0
[ 58.902553]        pipe_to_sendpage+0x242/0x340
[ 58.907484]        __splice_from_pipe+0x348/0x780
[ 58.912350]        splice_from_pipe+0xf0/0x150
[ 58.916913]        generic_splice_sendpage+0x3c/0x50
[ 58.922003]        SyS_splice+0xd92/0x1430
[ 58.926275]        do_syscall_64+0x1e8/0x640
[ 58.930715]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.936424]
[ 58.936424] -> #0 (rtnl_mutex){+.+.}:
[ 58.941695]        __lock_acquire+0x2cb3/0x4620
[ 58.946350]        lock_acquire+0x16f/0x430
[ 58.950660]        __mutex_lock+0xe8/0x1470
[ 58.954962]        mutex_lock_nested+0x16/0x20
[ 58.959535]        rtnl_lock+0x17/0x20
[ 58.963412]        unregister_netdevice_notifier+0x5f/0x2c0
[ 58.969102]        tee_tg_destroy+0x61/0xc0
[ 58.973416]        cleanup_entry+0x17d/0x230
[ 58.977812]        __do_replace+0x3c5/0x5b0
[ 58.982178]        do_ipt_set_ctl+0x296/0x3ee
[ 58.986661]        nf_setsockopt+0x67/0xc0
[ 58.990881]        ip_setsockopt+0x9b/0xb0
[ 58.995099]        udp_setsockopt+0x4e/0x90
[ 58.999407]        sock_common_setsockopt+0x94/0xd0
[ 59.004451]        SyS_setsockopt+0x13c/0x210
[ 59.008929]        do_syscall_64+0x1e8/0x640
[ 59.013320]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.019094]
[ 59.019094] other info that might help us debug this:
[ 59.019094]
[ 59.027304]  Possible unsafe locking scenario:
[ 59.027304]
[ 59.033358]        CPU0                    CPU1
[ 59.038003]        ----                    ----
[ 59.042647]   lock(&xt[i].mutex);
[ 59.046138]                                lock(rtnl_mutex);
[ 59.051925]                                lock(&xt[i].mutex);
[ 59.057879]   lock(rtnl_mutex);
[ 59.061140]
[ 59.061140]  *** DEADLOCK ***
[ 59.061140]
[ 59.067184] 1 lock held by syz-executor917/7220:
[ 59.071921]  #0: (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x3c/0x3d0
[ 59.080718]
[ 59.080718] stack backtrace:
[ 59.085200] CPU: 0 PID: 7220 Comm: syz-executor917 Not tainted 4.14.171-syzkaller #0
[ 59.093083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.102419] Call Trace:
[ 59.104992]  dump_stack+0x142/0x197
[ 59.108612]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 59.114080]  __lock_acquire+0x2cb3/0x4620
[ 59.118227]  ? trace_hardirqs_on+0x10/0x10
[ 59.122463]  ? __kernel_text_address+0xd/0x40
[ 59.126956]  lock_acquire+0x16f/0x430
[ 59.130745]  ? rtnl_lock+0x17/0x20
[ 59.134274]  ? rtnl_lock+0x17/0x20
[ 59.137798]  __mutex_lock+0xe8/0x1470
[ 59.141582]  ? rtnl_lock+0x17/0x20
[ 59.145207]  ? __bitmap_weight+0xbd/0xf0
[ 59.149372]  ? rtnl_lock+0x17/0x20
[ 59.152900]  ? pcpu_next_md_free_region+0x14c/0x2f0
[ 59.157904]  ? mutex_trylock+0x1c0/0x1c0
[ 59.162044]  ? pcpu_chunk_refresh_hint+0x29b/0x350
[ 59.166972]  ? free_percpu+0x232/0x710
[ 59.170843]  ? find_held_lock+0x35/0x130
[ 59.174891]  ? free_percpu+0x232/0x710
[ 59.178762]  mutex_lock_nested+0x16/0x20
[ 59.182850]  ? mutex_lock_nested+0x16/0x20
[ 59.187103]  rtnl_lock+0x17/0x20
[ 59.190505]  unregister_netdevice_notifier+0x5f/0x2c0
[ 59.195703]  ? trace_hardirqs_on_caller+0x400/0x590
[ 59.200720]  ? register_netdevice_notifier+0x520/0x520
[ 59.206043]  ? free_percpu+0x24f/0x710
[ 59.209918]  tee_tg_destroy+0x61/0xc0
[ 59.213707]  ? tee_tg6+0x160/0x160
[ 59.217228]  cleanup_entry+0x17d/0x230
[ 59.221137]  ? cleanup_match+0x140/0x140
[ 59.225180]  __do_replace+0x3c5/0x5b0
[ 59.228979]  ? compat_do_ipt_get_ctl+0x7f0/0x7f0
[ 59.233815]  ? _copy_from_user+0x99/0x110
[ 59.237946]  do_ipt_set_ctl+0x296/0x3ee
[ 59.242004]  ? compat_do_ipt_set_ctl+0x150/0x150
[ 59.246749]  ? mutex_unlock+0xd/0x10
[ 59.250450]  ? nf_sockopt_find.constprop.0+0x1b7/0x230
[ 59.255716]  nf_setsockopt+0x67/0xc0
[ 59.259421]  ip_setsockopt+0x9b/0xb0
[ 59.263131]  udp_setsockopt+0x4e/0x90
[ 59.266978]  sock_common_setsockopt+0x94/0xd0
[ 59.273123]  SyS_setsockopt+0x13c/0x210
[ 59.277079]  ? SyS_recv+0x40/0x40
[ 59.280517]  ? do_syscall_64+0x53/0x640
[ 59.284471]  ? SyS_recv+0x40/0x40
[ 59.287907]  do_syscall_64+0x1e8/0x640
[ 59.291780]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 59.296666]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 59.301838] RIP: 0033:0x447809
[ 59.305009] RSP: 002b:00007fce5973fd98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
executing program
[ 59.312695] RAX: ffffffffffffffda RBX: 00000000006dcc58 RCX: 0000000000447809
[ 59.319959] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000006
[ 59.327291] RBP: 00000000006dcc50 R08: 0000000000000338 R09: 0000000000000000
[ 59.334546] R10: 00000000200002c0 R11: 0000000000000246 R12: 00000000006dcc5c
[ 59.341803] R13: 0000000000000000 R14: 0000000000000000 R15: 00005443454a4552
[ 59.349771] ip_tables: iptables: counters copy to user failed while replacing table
[ 59.407415] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 59.422914] ip_tables: iptables: counters copy to user failed while replacing table
executing program
[ 59.587572] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 59.603476] ip_tables: iptables: counters copy to user failed while replacing table
[ 59.769483] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 59.785379] ip_tables: iptables: counters copy to user failed while replacing table
[ 59.951315] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 59.966960] ip_tables: iptables: counters copy to user failed while replacing table
[ 60.132428] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 60.148150] ip_tables: iptables: counters copy to user failed while replacing table
[ 60.314476] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 60.329823] ip_tables: iptables: counters copy to user failed while replacing table
[ 60.495484] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 60.510917] ip_tables: iptables: counters copy to user failed while replacing table
[ 60.676484] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 60.692672] ip_tables: iptables: counters copy to user failed while replacing table
[ 63.486500] nla_parse: 16 callbacks suppressed
[ 63.486503] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 63.503042] selinux_nlmsg_perm: 2044 callbacks suppressed
[ 63.503047] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.520787] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.533199] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.545469] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.557891] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.570125] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.582381] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.594587] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.606893] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.619200] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7320 comm=syz-executor917
[ 63.692449] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 63.707539] net_ratelimit: 17 callbacks suppressed
[ 63.707541] ip_tables: iptables: counters copy to user failed while replacing table
[ 63.878396] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 63.893921] ip_tables: iptables: counters copy to user failed while replacing table
[ 64.058466] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 64.074375] ip_tables: iptables: counters copy to user failed while replacing table
[ 64.240503] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 64.256568] ip_tables: iptables: counters copy to user failed while replacing table
[ 64.422502] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 64.438072] ip_tables: iptables: counters copy to user failed while replacing table
[ 64.604446] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 64.621424] ip_tables: iptables: counters copy to user failed while replacing table
[ 64.787490] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 64.803985] ip_tables: iptables: counters copy to user failed while replacing table
[ 64.969464] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 64.985723] ip_tables: iptables: counters copy to user failed while replacing table
[ 65.151493] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 65.167066] ip_tables: iptables: counters copy to user failed while replacing table
[ 65.338035] ip_tables: iptables: counters copy to user failed while replacing table
[ 68.625992] nla_parse: 20 callbacks suppressed
[ 68.625995] netlink: 4 bytes leftover after parsing attributes in process `syz-executor917'.
[ 68.642649] selinux_nlmsg_perm: 2360 callbacks suppressed
[ 68.642654] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7441 comm=syz-executor917
[ 68.660487] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7441 comm=syz-executor917
[ 68.672914] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7441 comm=syz-executor917
[ 68.685107] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7441 comm=syz-executor917
[ 68.697306] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7441 comm=syz-executor917
[ 68.709540] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7441 comm=syz-executor917