[ 33.041981] audit: type=1800 audit(1580194636.229:33): pid=7142 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.069557] audit: type=1800 audit(1580194636.229:34): pid=7142 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 36.775872] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.111559] audit: type=1400 audit(1580194640.299:35): avc: denied { map } for pid=7315 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.202552] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.989772] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.247286] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.245' (ECDSA) to the list of known hosts.
[ 43.869917] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.005810] audit: type=1400 audit(1580194647.189:36): avc: denied { map } for pid=7327 comm="syz-executor392" path="/root/syz-executor392930428" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.034232] ip_tables: iptables: counters copy to user failed while replacing table
[ 44.091188] netlink: 4 bytes leftover after parsing attributes in process `syz-executor392'.
[ 44.105535] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
[ 44.118203] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
[ 44.130911] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
[ 44.143188] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
[ 44.156005] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
[ 44.168271] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
executing program
[ 44.180486] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
[ 44.192835] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
[ 44.205677] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
[ 44.219384] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7330 comm=syz-executor392
[ 44.258896]
[ 44.260697] ======================================================
[ 44.267152] WARNING: possible circular locking dependency detected
[ 44.273520] 4.14.168-syzkaller #0 Not tainted
[ 44.278029] ------------------------------------------------------
[ 44.284422] syz-executor392/7333 is trying to acquire lock:
[ 44.290256] (rtnl_mutex){+.+.}, at: [] rtnl_lock+0x17/0x20
[ 44.297697]
[ 44.297697] but task is already holding lock:
[ 44.303660] (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x3c/0x3d0
[ 44.312118]
[ 44.312118] which lock already depends on the new lock.
[ 44.312118]
[ 44.320438]
[ 44.320438] the existing dependency chain (in reverse order) is:
[ 44.328215]
[ 44.328215] -> #1 (&xt[i].mutex){+.+.}:
[ 44.333671] lock_acquire+0x16f/0x430
[ 44.337980] __mutex_lock+0xe8/0x1470
[ 44.342286] mutex_lock_nested+0x16/0x20
[ 44.346859] xt_find_target+0x3e/0x1e0
[ 44.350647] netlink: 4 bytes leftover after parsing attributes in process `syz-executor392'.
[ 44.351262] xt_request_find_target+0x74/0xe0
[ 44.364898] ipt_init_target+0xce/0x290
[ 44.369453] __tcf_ipt_init+0x48c/0xb50
[ 44.373938] tcf_xt_init+0x4e/0x60
[ 44.377991] tcf_action_init_1+0x53c/0xaa0
[ 44.382850] tcf_action_init+0x2ab/0x480
[ 44.387524] tc_ctl_action+0x30a/0x548
[ 44.391924] rtnetlink_rcv_msg+0x3da/0xb70
[ 44.396670] netlink_rcv_skb+0x14f/0x3c0
[ 44.401236] rtnetlink_rcv+0x1d/0x30
[ 44.405512] netlink_unicast+0x44d/0x650
[ 44.410140] netlink_sendmsg+0x7c4/0xc60
[ 44.414707] sock_sendmsg+0xce/0x110
[ 44.419015] kernel_sendmsg+0x44/0x50
[ 44.423318] sock_no_sendpage+0x107/0x130
[ 44.428092] kernel_sendpage+0x92/0xf0
[ 44.432488] sock_sendpage+0x8b/0xc0
[ 44.436813] pipe_to_sendpage+0x242/0x340
[ 44.441578] __splice_from_pipe+0x348/0x780
[ 44.446467] splice_from_pipe+0xf0/0x150
[ 44.451039] generic_splice_sendpage+0x3c/0x50
[ 44.456182] SyS_splice+0xd92/0x1430
[ 44.460405] do_syscall_64+0x1e8/0x640
[ 44.465048] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.470785]
[ 44.470785] -> #0 (rtnl_mutex){+.+.}:
[ 44.476187] __lock_acquire+0x2cb3/0x4620
[ 44.480853] lock_acquire+0x16f/0x430
[ 44.485199] __mutex_lock+0xe8/0x1470
[ 44.489634] mutex_lock_nested+0x16/0x20
[ 44.494518] rtnl_lock+0x17/0x20
[ 44.498600] unregister_netdevice_notifier+0x5f/0x2c0
[ 44.504496] tee_tg_destroy+0x61/0xc0
[ 44.508809] cleanup_entry+0x17d/0x230
[ 44.513207] __do_replace+0x3c5/0x5b0
[ 44.517511] do_ipt_set_ctl+0x296/0x3ee
[ 44.522004] nf_setsockopt+0x67/0xc0
[ 44.526348] ip_setsockopt+0x9b/0xb0
[ 44.530568] udp_setsockopt+0x4e/0x90
[ 44.534879] sock_common_setsockopt+0x94/0xd0
[ 44.539885] SyS_setsockopt+0x13c/0x210
[ 44.544382] do_syscall_64+0x1e8/0x640
[ 44.548784] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.554671]
[ 44.554671] other info that might help us debug this:
[ 44.554671]
[ 44.562804] Possible unsafe locking scenario:
[ 44.562804]
[ 44.568999]        CPU0                    CPU1
[ 44.573646]        ----                    ----
[ 44.578412]   lock(&xt[i].mutex);
[ 44.581848]                                lock(rtnl_mutex);
[ 44.587630]                                lock(&xt[i].mutex);
[ 44.593587]   lock(rtnl_mutex);
[ 44.596874]
[ 44.596874] *** DEADLOCK ***
[ 44.596874]
[ 44.602915] 1 lock held by syz-executor392/7333:
[ 44.607644] #0: (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x3c/0x3d0
[ 44.616387]
[ 44.616387] stack backtrace:
[ 44.620865] CPU: 1 PID: 7333 Comm: syz-executor392 Not tainted 4.14.168-syzkaller #0
[ 44.628907] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.638386] Call Trace:
[ 44.640962] dump_stack+0x142/0x197
[ 44.644699] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 44.650061] __lock_acquire+0x2cb3/0x4620
[ 44.654286] ? trace_hardirqs_on+0x10/0x10
[ 44.658512] ? __kernel_text_address+0xd/0x40
[ 44.663011] lock_acquire+0x16f/0x430
[ 44.666796] ? rtnl_lock+0x17/0x20
[ 44.670502] ? rtnl_lock+0x17/0x20
[ 44.674082] __mutex_lock+0xe8/0x1470
[ 44.678074] ? rtnl_lock+0x17/0x20
[ 44.681763] ? __bitmap_weight+0xbd/0xf0
[ 44.685814] ? rtnl_lock+0x17/0x20
[ 44.689437] ? pcpu_next_md_free_region+0x14c/0x2f0
[ 44.694623] ? mutex_trylock+0x1c0/0x1c0
[ 44.698681] ? pcpu_chunk_refresh_hint+0x29b/0x350
[ 44.703611] ? free_percpu+0x232/0x710
[ 44.707569] ? find_held_lock+0x35/0x130
[ 44.711768] ? free_percpu+0x232/0x710
[ 44.715658] mutex_lock_nested+0x16/0x20
[ 44.719710] ? mutex_lock_nested+0x16/0x20
[ 44.723944] rtnl_lock+0x17/0x20
[ 44.727308] unregister_netdevice_notifier+0x5f/0x2c0
[ 44.732583] ? trace_hardirqs_on_caller+0x400/0x590
[ 44.737597] ? register_netdevice_notifier+0x520/0x520
[ 44.742957] ? free_percpu+0x24f/0x710
[ 44.746842] tee_tg_destroy+0x61/0xc0
[ 44.750629] ? tee_tg6+0x160/0x160
[ 44.754309] cleanup_entry+0x17d/0x230
[ 44.758366] ? cleanup_match+0x140/0x140
[ 44.762585] __do_replace+0x3c5/0x5b0
[ 44.766486] ? compat_do_ipt_get_ctl+0x7f0/0x7f0
[ 44.771230] ? _copy_from_user+0x99/0x110
[ 44.775360] do_ipt_set_ctl+0x296/0x3ee
[ 44.779332] ? compat_do_ipt_set_ctl+0x150/0x150
[ 44.784182] ? mutex_unlock+0xd/0x10
[ 44.787891] ? nf_sockopt_find.constprop.0+0x1b7/0x230
[ 44.793195] nf_setsockopt+0x67/0xc0
[ 44.796903] ip_setsockopt+0x9b/0xb0
[ 44.800598] udp_setsockopt+0x4e/0x90
[ 44.804387] sock_common_setsockopt+0x94/0xd0
[ 44.808872] SyS_setsockopt+0x13c/0x210
[ 44.812835] ? SyS_recv+0x40/0x40
[ 44.816382] ? do_syscall_64+0x53/0x640
[ 44.820338] ? SyS_recv+0x40/0x40
[ 44.823780] do_syscall_64+0x1e8/0x640
[ 44.827648] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.832524] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.837698] RIP: 0033:0x447c29
[ 44.840868] RSP: 002b:00007f3a22547d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 44.848700] RAX: ffffffffffffffda RBX: 00000000006dcc48 RCX: 0000000000447c29
[ 44.856003] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[ 44.863313] RBP: 00000000006dcc40 R08: 0000000000000410 R09: 0000000000000000
[ 44.870575] R10: 00000000200009c0 R11: 0000000000000246 R12: 00000000006dcc4c
[ 44.877828] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000004c5454