Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.190' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 30.839926] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 30.852208] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 30.883964] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
executing program
[ 30.946610] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 30.961460] IPVS: ftp: loaded support on port[0] = 21
[ 30.993662] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 31.012408] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 31.064547]
[ 31.067652] ======================================================
[ 31.078020] WARNING: possible circular locking dependency detected
[ 31.086520] 4.14.226-syzkaller #0 Not tainted
[ 31.091444] ------------------------------------------------------
[ 31.099787] kworker/u4:2/70 is trying to acquire lock:
[ 31.106241] (&table[i].mutex){+.+.}, at: [] nf_tables_netdev_event+0x10d/0x4d0
[ 31.115947]
[ 31.115947] but task is already holding lock:
[ 31.122445] (rtnl_mutex){+.+.}, at: [] ip6gre_exit_net+0x70/0x570
[ 31.131054]
[ 31.131054] which lock already depends on the new lock.
[ 31.131054]
[ 31.140082]
[ 31.140082] the existing dependency chain (in reverse order) is:
[ 31.149196]
[ 31.149196] -> #2 (rtnl_mutex){+.+.}:
[ 31.155492] __mutex_lock+0xc4/0x1310
[ 31.160959] unregister_netdevice_notifier+0x5e/0x2b0
[ 31.166671] tee_tg_destroy+0x5c/0xb0
[ 31.171650] cleanup_entry+0x232/0x310
[ 31.176605] __do_replace+0x38d/0x580
[ 31.181103] do_ip6t_set_ctl+0x256/0x3b0
[ 31.185984] nf_setsockopt+0x5f/0xb0
[ 31.190202] ipv6_setsockopt+0xc0/0x120
[ 31.195071] tcp_setsockopt+0x7b/0xc0
[ 31.199811] SyS_setsockopt+0x110/0x1e0
[ 31.204982] do_syscall_64+0x1d5/0x640
[ 31.209589] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.216153]
[ 31.216153] -> #1 (&xt[i].mutex){+.+.}:
[ 31.221875] __mutex_lock+0xc4/0x1310
[ 31.226298] target_revfn+0x43/0x210
[ 31.231621] xt_find_revision+0x15e/0x1d0
[ 31.236867] nfnl_compat_get+0x1f7/0x870
[ 31.241703] nfnetlink_rcv_msg+0x9bb/0xc00
[ 31.246876] netlink_rcv_skb+0x125/0x390
[ 31.252322] nfnetlink_rcv+0x1ab/0x1da0
[ 31.257985] netlink_unicast+0x437/0x610
[ 31.263270] netlink_sendmsg+0x62e/0xb80
[ 31.269002] sock_sendmsg+0xb5/0x100
[ 31.274180] ___sys_sendmsg+0x6c8/0x800
[ 31.280707] __sys_sendmsg+0xa3/0x120
[ 31.286602] SyS_sendmsg+0x27/0x40
[ 31.290973] do_syscall_64+0x1d5/0x640
[ 31.295680] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.301911]
[ 31.301911] -> #0 (&table[i].mutex){+.+.}:
[ 31.308168] lock_acquire+0x170/0x3f0
[ 31.313062] __mutex_lock+0xc4/0x1310
[ 31.317756] nf_tables_netdev_event+0x10d/0x4d0
[ 31.323519] notifier_call_chain+0x108/0x1a0
[ 31.329378] rollback_registered_many+0x765/0xba0
[ 31.334934] unregister_netdevice_many.part.0+0x18/0x2e0
[ 31.341739] unregister_netdevice_many+0x36/0x50
[ 31.347432] ip6gre_exit_net+0x41e/0x570
[ 31.352399] ops_exit_list+0xa5/0x150
[ 31.356946] cleanup_net+0x3b3/0x840
[ 31.361349] process_one_work+0x793/0x14a0
[ 31.366235] worker_thread+0x5cc/0xff0
[ 31.371958] kthread+0x30d/0x420
[ 31.376134] ret_from_fork+0x24/0x30
[ 31.381668]
[ 31.381668] other info that might help us debug this:
[ 31.381668]
[ 31.390617] Chain exists of:
[ 31.390617] &table[i].mutex --> &xt[i].mutex --> rtnl_mutex
[ 31.390617]
[ 31.402564] Possible unsafe locking scenario:
[ 31.402564]
[ 31.409248]        CPU0                    CPU1
[ 31.414517]        ----                    ----
[ 31.419262]   lock(rtnl_mutex);
[ 31.422619]                                lock(&xt[i].mutex);
[ 31.430238]                                lock(rtnl_mutex);
[ 31.436904]   lock(&table[i].mutex);
[ 31.441002]
[ 31.441002] *** DEADLOCK ***
[ 31.441002]
[ 31.447588] 4 locks held by kworker/u4:2/70:
[ 31.452314] #0: ("%s""netns"){+.+.}, at: [] process_one_work+0x6b0/0x14a0
[ 31.461332] #1: (net_cleanup_work){+.+.}, at: [] process_one_work+0x6e6/0x14a0
[ 31.472496] #2: (net_mutex){+.+.}, at: [] cleanup_net+0x110/0x840
[ 31.481550] #3: (rtnl_mutex){+.+.}, at: [] ip6gre_exit_net+0x70/0x570
[ 31.490234]
[ 31.490234] stack backtrace:
[ 31.494937] CPU: 1 PID: 70 Comm: kworker/u4:2 Not tainted 4.14.226-syzkaller #0
[ 31.504333] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.515293] Workqueue: netns cleanup_net
[ 31.519533] Call Trace:
[ 31.522234] dump_stack+0x1b2/0x281
[ 31.526025] print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 31.532389] __lock_acquire+0x2e0e/0x3f20
[ 31.536841] ? unwind_next_frame+0x404/0x17d0
[ 31.541423] ? trace_hardirqs_on+0x10/0x10
[ 31.545940] ? check_usage_forwards+0x2d0/0x2d0
[ 31.550620] ? ret_from_fork+0x24/0x30
[ 31.554733] lock_acquire+0x170/0x3f0
[ 31.558649] ? nf_tables_netdev_event+0x10d/0x4d0
[ 31.563988] ? nf_tables_netdev_event+0x10d/0x4d0
[ 31.568824] __mutex_lock+0xc4/0x1310
[ 31.572997] ? nf_tables_netdev_event+0x10d/0x4d0
[ 31.578394] ? nf_tables_netdev_event+0x10d/0x4d0
[ 31.583874] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 31.590490] ? trace_hardirqs_on+0x10/0x10
[ 31.594750] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 31.600025] ? lock_downgrade+0x740/0x740
[ 31.604183] nf_tables_netdev_event+0x10d/0x4d0
[ 31.608955] ? mirred_device_event+0x12f/0x170
[ 31.614276] ? nf_tables_netdev_init_net+0x140/0x140
[ 31.620042] ? mirred_device_event+0x12f/0x170
[ 31.625933] ? __local_bh_enable_ip+0xc1/0x170
[ 31.631314] notifier_call_chain+0x108/0x1a0
[ 31.636016] rollback_registered_many+0x765/0xba0
[ 31.641394] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 31.647211] ? netdev_state_change+0xf0/0xf0
[ 31.652294] ? lock_acquire+0x170/0x3f0
[ 31.657623] unregister_netdevice_many.part.0+0x18/0x2e0
[ 31.664453] unregister_netdevice_many+0x36/0x50
[ 31.669483] ip6gre_exit_net+0x41e/0x570
[ 31.673718] ? lock_downgrade+0x740/0x740
[ 31.677946] ? ip6gre_dellink+0x260/0x260
[ 31.682288] ? ip6gre_dellink+0x260/0x260
[ 31.687034] ops_exit_list+0xa5/0x150
[ 31.690841] cleanup_net+0x3b3/0x840
[ 31.695107] ? net_drop_ns+0x70/0x70
[ 31.699270] ? lock_acquire+0x170/0x3f0
[ 31.703385] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 31.709315] process_one_work+0x793/0x14a0
[ 31.713743] ? work_busy+0x320/0x320
[ 31.717447] ? worker_thread+0x158/0xff0
[ 31.722005] ? _raw_spin_unlock_irq+0x24/0x80
[ 31.726795] worker_thread+0x5cc/0xff0
[ 31.730883] ? rescuer_thread+0xc80/0xc80
[ 31.735649] kthread+0x30d/0x420
[ 31.739421] ? kthread_create_on_node+0xd0/0xd0
[ 31.744718] ret_from_fork+0x24/0x30
executing program
[ 32.351180] IPVS: ftp: loaded support on port[0] = 21
[ 32.377695] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 32.394979] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 33.032612] IPVS: ftp: loaded support on port[0] = 21
[ 33.062947] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 33.085935] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 33.755389] IPVS: ftp: loaded support on port[0] = 21
[ 33.782108] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
executing program
[ 33.799974] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 33.813373] IPVS: ftp: loaded support on port[0] = 21
[ 33.842032] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 33.858378] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 34.552037] IPVS: ftp: loaded support on port[0] = 21
[ 34.578621] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 34.596046] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 35.693420] IPVS: ftp: loaded support on port[0] = 21
[ 35.720331] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 35.745013] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 36.387772] IPVS: ftp: loaded support on port[0] = 21
[ 36.414351] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 36.429500] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 37.048970] IPVS: ftp: loaded support on port[0] = 21
[ 37.076718] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 37.102710] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 37.780681] IPVS: ftp: loaded support on port[0] = 21
[ 37.807411] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 37.834358] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 38.490969] IPVS: ftp: loaded support on port[0] = 21
[ 38.517705] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 38.549753] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 39.179495] IPVS: ftp: loaded support on port[0] = 21
[ 39.207308] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 39.231829] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 39.930637] IPVS: ftp: loaded support on port[0] = 21
[ 39.961827] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 39.993414] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 40.642430] IPVS: ftp: loaded support on port[0] = 21
[ 40.672743] netlink: 32 bytes leftover after parsing attributes in process `syz-executor131'.
[ 40.701416] ip6_tables: ip6tables: counters copy to user failed while replacing table