[....] Starting enhanced syslogd: rsyslogd[ 12.710741] audit: type=1400 audit(1538949655.693:4): avc: denied { syslog } for pid=1904 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.90' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 28.766622] [ 28.768468] ====================================================== [ 28.774911] [ INFO: possible circular locking dependency detected ] [ 28.781299] 4.4.159+ #44 Not tainted [ 28.785002] ------------------------------------------------------- [ 28.791512] syz-executor493/2057 is trying to acquire lock: [ 28.797196] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x31b/0x40c0 [ 28.806211] [ 28.806211] but task is already holding lock: [ 28.812162] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 28.820960] [ 28.820960] which lock already depends on the new lock. [ 28.820960] [ 28.829256] [ 28.829256] the existing dependency chain (in reverse order) is: [ 28.836857] -> #1 (_xmit_NETROM){+.-...}: [ 28.841879] [] lock_acquire+0x15e/0x450 [ 28.848305] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 28.855249] [] depot_save_stack+0x20b/0x5eb [ 28.861862] [] kasan_kmalloc.part.1+0xc9/0xf0 [ 28.868699] [] kasan_kmalloc+0xaf/0xc0 [ 28.875028] [] kasan_slab_alloc+0x12/0x20 [ 28.881465] [] kmem_cache_alloc+0xdc/0x2c0 [ 28.887981] [] inet_getpeer+0x159d/0x1d70 [ 28.894415] [] icmp6_send+0x17b7/0x1b70 [ 28.900663] [] icmpv6_param_prob+0x29/0x40 [ 28.907164] [] ipv6_frag_rcv+0x3de6/0x4f80 [ 28.913669] [] ip6_input_finish+0x57d/0x1510 [ 28.920703] [] ip6_input+0xf6/0x200 [ 28.926619] [] ip6_rcv_finish+0x14e/0x670 [ 28.933054] [] ipv6_rcv+0x10b2/0x1d10 [ 28.939129] [] __netif_receive_skb_core+0x12c8/0x2820 [ 28.946591] [] __netif_receive_skb+0x5b/0x1c0 [ 28.953356] [] process_backlog+0x20a/0x670 [ 28.959868] [] net_rx_action+0x367/0xd50 [ 28.966210] [] __do_softirq+0x22c/0xa1a [ 28.972460] [] do_softirq_own_stack+0x1c/0x30 [ 28.979226] [] do_softirq.part.2+0x54/0x60 [ 28.985877] [] do_softirq+0x19/0x20 [ 28.991792] [] netif_rx_ni+0xec/0x3a0 [ 28.997869] [] tun_get_user+0xf3a/0x2690 [ 29.004199] [] tun_chr_write_iter+0xd5/0x190 [ 29.011052] [] do_iter_readv_writev+0x133/0x1d0 [ 29.018001] [] compat_do_readv_writev+0x337/0x6f0 [ 29.025219] [] compat_writev+0xe1/0x150 [ 29.031473] [] compat_SyS_writev+0xd8/0x1c0 [ 29.038166] [] do_fast_syscall_32+0x31e/0xa80 [ 29.044939] [] sysenter_flags_fixed+0xd/0x1a [ 29.051632] -> #0 (&(&q->lock)->rlock){+.-...}: [ 29.056939] [] __lock_acquire+0x3e6c/0x5f10 [ 29.063535] [] lock_acquire+0x15e/0x450 [ 29.069776] [] _raw_spin_lock+0x36/0x50 [ 29.076036] [] ip_defrag+0x31b/0x40c0 [ 29.082104] [] ip_check_defrag+0x3a7/0x710 [ 29.088628] [] packet_rcv_fanout+0x52a/0x5e0 [ 29.095314] [] dev_hard_start_xmit+0x650/0x11c0 [ 29.102367] [] sch_direct_xmit+0x2b8/0x6c0 [ 29.108998] [] __dev_queue_xmit+0xf95/0x1c30 [ 29.115683] [] dev_queue_xmit+0x17/0x20 [ 29.121942] [] neigh_resolve_output+0x600/0x780 [ 29.128882] [] ip_finish_output2+0x8f0/0x1100 [ 29.135644] [] ip_do_fragment+0x1870/0x1f60 [ 29.142229] [] ip_fragment.constprop.5+0x145/0x200 [ 29.149423] [] ip_finish_output+0x396/0xc00 [ 29.156021] [] ip_mc_output+0x237/0x980 [ 29.162275] [] ip_local_out+0x9b/0x180 [ 29.168439] [] ip_send_skb+0x3c/0xc0 [ 29.174811] [] udp_send_skb+0x503/0xc70 [ 29.181120] [] udp_sendmsg+0x16c9/0x1c70 [ 29.187482] [] inet_sendmsg+0x203/0x4d0 [ 29.193731] [] sock_sendmsg+0xbb/0x110 [ 29.199890] [] SyS_sendto+0x220/0x370 [ 29.205961] [] do_fast_syscall_32+0x31e/0xa80 [ 29.212728] [] sysenter_flags_fixed+0xd/0x1a [ 29.219406] [ 29.219406] other info that might help us debug this: [ 29.219406] [ 29.227523] Possible unsafe locking scenario: [ 29.227523] [ 29.233552] CPU0 CPU1 [ 29.238190] ---- ---- [ 29.242827] lock(_xmit_NETROM); [ 29.246500] lock(&(&q->lock)->rlock); [ 29.253208] lock(_xmit_NETROM); [ 29.259409] lock(&(&q->lock)->rlock); [ 29.263622] [ 29.263622] *** DEADLOCK *** [ 29.263622] [ 29.269664] 4 locks held by syz-executor493/2057: [ 29.274480] #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1100 [ 29.284425] #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30 [ 29.294283] #2: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 29.303623] #3: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xa8/0x11c0 [ 29.313445] [ 29.313445] stack backtrace: [ 29.317927] CPU: 1 PID: 2057 Comm: syz-executor493 Not tainted 4.4.159+ #44 [ 29.325003] 0000000000000000 ce339ca5817dbb93 ffff8800b6eaed18 ffffffff81a994bd [ 29.333016] ffffffff83acc5b0 ffffffff83accc70 ffffffff83acc5b0 ffff8800b7f0a0f8 [ 29.341060] ffff8800b7f097c0 ffff8800b6eaed60 ffffffff813a84ea 0000000000000003 [ 29.349160] Call Trace: [ 29.351726] [] dump_stack+0xc1/0x124 [ 29.357069] [] print_circular_bug.cold.34+0x2f7/0x432 [ 29.363899] [] __lock_acquire+0x3e6c/0x5f10 [ 29.369865] [] ? trace_hardirqs_on+0x10/0x10 [ 29.375905] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 29.382811] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 29.389630] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.396511] [] ? mod_timer+0x433/0x8f0 [ 29.402041] [] lock_acquire+0x15e/0x450 [ 29.407652] [] ? ip_defrag+0x31b/0x40c0 [ 29.413256] [] ? inet_frag_find+0x27a/0x9a0 [ 29.419208] [] _raw_spin_lock+0x36/0x50 [ 29.424984] [] ? ip_defrag+0x31b/0x40c0 [ 29.430599] [] ip_defrag+0x31b/0x40c0 [ 29.436030] [] ? trace_hardirqs_on+0x10/0x10 [ 29.442068] [] ? ipv4_frags_init_net+0x3a0/0x3a0 [ 29.448468] [] ip_check_defrag+0x3a7/0x710 [ 29.454335] [] ? ip_defrag+0x40c0/0x40c0 [ 29.460119] [] packet_rcv_fanout+0x52a/0x5e0 [ 29.466166] [] ? fanout_demux_rollover+0x4e0/0x4e0 [ 29.472838] [] dev_hard_start_xmit+0x650/0x11c0 [ 29.479146] [] ? dev_hard_start_xmit+0xa8/0x11c0 [ 29.485534] [] sch_direct_xmit+0x2b8/0x6c0 [ 29.491395] [] ? dev_deactivate_queue.constprop.6+0x160/0x160 [ 29.499000] [] __dev_queue_xmit+0xf95/0x1c30 [ 29.505061] [] ? __dev_queue_xmit+0x1d7/0x1c30 [ 29.511276] [] ? trace_hardirqs_on+0x10/0x10 [ 29.517311] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 29.523362] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.530117] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.536850] [] ? memcpy+0x45/0x50 [ 29.542109] [] dev_queue_xmit+0x17/0x20 [ 29.547724] [] neigh_resolve_output+0x600/0x780 [ 29.554155] [] ? ip_finish_output2+0x8f0/0x1100 [ 29.560520] [] ip_finish_output2+0x8f0/0x1100 [ 29.566652] [] ? ip_finish_output2+0x20b/0x1100 [ 29.572958] [] ? nf_ct_deliver_cached_events+0x335/0x560 [ 29.580037] [] ? nf_ct_deliver_cached_events+0x83/0x560 [ 29.587029] [] ? nf_conntrack_seqadj_fini+0x20/0x20 [ 29.593803] [] ? ip_send_check+0xb0/0xb0 [ 29.599502] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.606393] [] ? ip_options_fragment+0x1ac/0x280 [ 29.612788] [] ip_do_fragment+0x1870/0x1f60 [ 29.618740] [] ? ip_send_check+0xb0/0xb0 [ 29.624436] [] ip_fragment.constprop.5+0x145/0x200 [ 29.630998] [] ip_finish_output+0x396/0xc00 [ 29.636949] [] ip_mc_output+0x237/0x980 [ 29.642546] [] ? ip_queue_xmit+0x1a80/0x1a80 [ 29.648667] [] ? ip_make_skb+0x116/0x210 [ 29.654358] [] ? ip_fragment.constprop.5+0x200/0x200 [ 29.661084] [] ? ip_flush_pending_frames+0x30/0x30 [ 29.667634] [] ip_local_out+0x9b/0x180 [ 29.673292] [] ip_send_skb+0x3c/0xc0 [ 29.679042] [] udp_send_skb+0x503/0xc70 [ 29.684659] [] udp_sendmsg+0x16c9/0x1c70 [ 29.690355] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 29.696480] [] ? udp_lib_unhash+0x630/0x630 [ 29.702576] [] ? trace_hardirqs_on+0x10/0x10 [ 29.708761] [] ? sock_has_perm+0x1c1/0x3f0 [ 29.714637] [] ? sock_has_perm+0x2a1/0x3f0 [ 29.720684] [] ? sock_has_perm+0x9f/0x3f0 [ 29.726463] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.733201] [] ? check_preemption_disabled+0x3b/0x170 [ 29.740022] [] ? inet_sendmsg+0x143/0x4d0 [ 29.745803] [] inet_sendmsg+0x203/0x4d0 [ 29.751415] [] ? inet_sendmsg+0x73/0x4d0 [ 29.757114] [] ? inet_recvmsg+0x4c0/0x4c0 [ 29.763046] [] sock_sendmsg+0xbb/0x110 [ 29.768568] [] SyS_sendto+0x220/0x370 [ 29.773999] [] ? SyS_getpeername+0x2d0/0x2d0 [ 29.780041] [] ? _raw_spin_unlock+0x2c/0x50 [ 29.785990] [] ? handle_mm_fault+0x49a/0x2f30 [ 29.792107] [] ? SyS_accept+0x30/0x30 [ 29.797543] [] ? get_unused_fd_flags+0xd0/0xd0 [ 29.803751] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 29.810481] [] ? __do_page_fault+0x2b6/0x7e0 [ 29.816512] [] ? do_fast_syscall_32+0xdb/0xa80 [ 29.822836] [] ? SyS_getpeername+0x2d0/0x2d0 [ 29.828879] [] do_fast_syscall_32+0x31e/0xa80 [ 29.835003] [] sysenter_flags_fixed+0xd/0x1a