[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 28.701219] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 28.712959] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 28.791006] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 28.803802] IPVS: ftp: loaded support on port[0] = 21
[ 28.843537] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 28.901064]
[ 28.902695] ======================================================
[ 28.908999] WARNING: possible circular locking dependency detected
[ 28.915290] 4.14.231-syzkaller #0 Not tainted
[ 28.919754] ------------------------------------------------------
[ 28.926048] kworker/u4:1/22 is trying to acquire lock:
[ 28.931307]  (&table[i].mutex){+.+.}, at: [] nf_tables_netdev_event+0x10d/0x4d0
[ 28.940299]
[ 28.940299] but task is already holding lock:
[ 28.946240]  (rtnl_mutex){+.+.}, at: [] ip6gre_exit_net+0x70/0x570
[ 28.954106]
[ 28.954106] which lock already depends on the new lock.
[ 28.954106]
[ 28.962395]
[ 28.962395] the existing dependency chain (in reverse order) is:
[ 28.969986]
[ 28.969986] -> #2 (rtnl_mutex){+.+.}:
[ 28.975261]        __mutex_lock+0xc4/0x1310
[ 28.979558]        unregister_netdevice_notifier+0x5e/0x2b0
[ 28.985244]        tee_tg_destroy+0x5c/0xb0
[ 28.989539]        cleanup_entry+0x232/0x310
[ 28.993937]        __do_replace+0x38d/0x580
[ 28.998237]        do_ip6t_set_ctl+0x256/0x3b0
[ 29.002797]        nf_setsockopt+0x5f/0xb0
[ 29.007018]        ipv6_setsockopt+0xc0/0x120
[ 29.011572]        tcp_setsockopt+0x7b/0xc0
[ 29.015866]        SyS_setsockopt+0x110/0x1e0
[ 29.020338]        do_syscall_64+0x1d5/0x640
[ 29.024721]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.030402]
[ 29.030402] -> #1 (&xt[i].mutex){+.+.}:
[ 29.035834]        __mutex_lock+0xc4/0x1310
[ 29.040127]        match_revfn+0x43/0x210
[ 29.044247]        xt_find_revision+0x8d/0x1d0
[ 29.048818]        nfnl_compat_get+0x1f7/0x870
[ 29.053374]        nfnetlink_rcv_msg+0x9bb/0xc00
[ 29.058109]        netlink_rcv_skb+0x125/0x390
[ 29.062667]        nfnetlink_rcv+0x1ab/0x1da0
[ 29.067137]        netlink_unicast+0x437/0x610
[ 29.071690]        netlink_sendmsg+0x62e/0xb80
[ 29.076247]        sock_sendmsg+0xb5/0x100
[ 29.080505]        ___sys_sendmsg+0x6c8/0x800
[ 29.084977]        __sys_sendmsg+0xa3/0x120
[ 29.089271]        SyS_sendmsg+0x27/0x40
[ 29.093347]        do_syscall_64+0x1d5/0x640
[ 29.097730]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.103410]
[ 29.103410] -> #0 (&table[i].mutex){+.+.}:
[ 29.109104]        lock_acquire+0x170/0x3f0
[ 29.113400]        __mutex_lock+0xc4/0x1310
[ 29.117696]        nf_tables_netdev_event+0x10d/0x4d0
[ 29.122859]        notifier_call_chain+0x108/0x1a0
[ 29.127769]        rollback_registered_many+0x765/0xba0
[ 29.133106]        unregister_netdevice_many.part.0+0x18/0x2e0
[ 29.139054]        unregister_netdevice_many+0x36/0x50
[ 29.144312]        ip6gre_exit_net+0x41e/0x570
[ 29.148870]        ops_exit_list+0xa5/0x150
[ 29.153163]        cleanup_net+0x3b3/0x840
[ 29.157371]        process_one_work+0x793/0x14a0
[ 29.162100]        worker_thread+0x5cc/0xff0
[ 29.166479]        kthread+0x30d/0x420
[ 29.170340]        ret_from_fork+0x24/0x30
[ 29.174546]
[ 29.174546] other info that might help us debug this:
[ 29.174546]
[ 29.182670] Chain exists of:
[ 29.182670]   &table[i].mutex --> &xt[i].mutex --> rtnl_mutex
[ 29.182670]
[ 29.192879]  Possible unsafe locking scenario:
[ 29.192879]
[ 29.199020]        CPU0                    CPU1
[ 29.203659]        ----                    ----
[ 29.208302]   lock(rtnl_mutex);
[ 29.211567]                                lock(&xt[i].mutex);
[ 29.217514]                                lock(rtnl_mutex);
[ 29.223283]   lock(&table[i].mutex);
[ 29.226971]
[ 29.226971]  *** DEADLOCK ***
[ 29.226971]
[ 29.233003] 4 locks held by kworker/u4:1/22:
[ 29.237382]  #0: ("%s""netns"){+.+.}, at: [] process_one_work+0x6b0/0x14a0
[ 29.246025]  #1: (net_cleanup_work){+.+.}, at: [] process_one_work+0x6e6/0x14a0
[ 29.255099]  #2: (net_mutex){+.+.}, at: [] cleanup_net+0x110/0x840
[ 29.263049]  #3: (rtnl_mutex){+.+.}, at: [] ip6gre_exit_net+0x70/0x570
[ 29.271345]
[ 29.271345] stack backtrace:
[ 29.275814] CPU: 0 PID: 22 Comm: kworker/u4:1 Not tainted 4.14.231-syzkaller #0
[ 29.283232] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.292568] Workqueue: netns cleanup_net
[ 29.296604] Call Trace:
[ 29.299176]  dump_stack+0x1b2/0x281
[ 29.302781]  print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 29.308554]  __lock_acquire+0x2e0e/0x3f20
[ 29.312678]  ? unwind_next_frame+0x404/0x17d0
[ 29.317150]  ? trace_hardirqs_on+0x10/0x10
[ 29.321359]  ? check_usage_forwards+0x2d0/0x2d0
[ 29.326001]  ? ret_from_fork+0x24/0x30
[ 29.329863]  lock_acquire+0x170/0x3f0
[ 29.333638]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 29.338452]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 29.343268]  __mutex_lock+0xc4/0x1310
[ 29.347044]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 29.351858]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 29.356673]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 29.362104]  ? trace_hardirqs_on+0x10/0x10
[ 29.366336]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 29.371330]  ? lock_downgrade+0x740/0x740
[ 29.375453]  nf_tables_netdev_event+0x10d/0x4d0
[ 29.380100]  ? mirred_device_event+0x12f/0x170
[ 29.384674]  ? nf_tables_netdev_init_net+0x140/0x140
[ 29.389760]  ? mirred_device_event+0x12f/0x170
[ 29.394323]  ? __local_bh_enable_ip+0xc1/0x170
[ 29.398887]  notifier_call_chain+0x108/0x1a0
[ 29.403274]  rollback_registered_many+0x765/0xba0
[ 29.408095]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 29.413529]  ? netdev_state_change+0xf0/0xf0
[ 29.417954]  ? lock_acquire+0x170/0x3f0
[ 29.421902]  unregister_netdevice_many.part.0+0x18/0x2e0
[ 29.427329]  unregister_netdevice_many+0x36/0x50
[ 29.432063]  ip6gre_exit_net+0x41e/0x570
[ 29.436100]  ? lock_downgrade+0x740/0x740
[ 29.440221]  ? ip6gre_dellink+0x260/0x260
[ 29.444343]  ? ip6gre_dellink+0x260/0x260
[ 29.448466]  ops_exit_list+0xa5/0x150
[ 29.452242]  cleanup_net+0x3b3/0x840
[ 29.455933]  ? net_drop_ns+0x70/0x70
[ 29.459621]  ? lock_acquire+0x170/0x3f0
[ 29.463569]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 29.468995]  process_one_work+0x793/0x14a0
[ 29.473207]  ? work_busy+0x320/0x320
[ 29.476896]  ? worker_thread+0x158/0xff0
[ 29.480935]  ? _raw_spin_unlock_irq+0x24/0x80
[ 29.485406]  worker_thread+0x5cc/0xff0
[ 29.489278]  ? rescuer_thread+0xc80/0xc80
[ 29.493401]  kthread+0x30d/0x420
[ 29.496740]  ? kthread_create_on_node+0xd0/0xd0
[ 29.501382]  ret_from_fork+0x24/0x30
executing program
[ 30.080004] IPVS: ftp: loaded support on port[0] = 21
[ 30.110692] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 30.749131] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 30.778175] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 30.789176] IPVS: ftp: loaded support on port[0] = 21
[ 30.829780] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 31.448237] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 31.478827] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 31.489863] IPVS: ftp: loaded support on port[0] = 21
[ 31.526230] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 32.603835] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 32.634560] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 32.644879] IPVS: ftp: loaded support on port[0] = 21
[ 32.678342] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 33.763813] IPVS: ftp: loaded support on port[0] = 21
[ 33.795438] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 34.853036] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 34.882446] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 34.892753] IPVS: ftp: loaded support on port[0] = 21
[ 34.924722] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 35.548147] IPVS: ftp: loaded support on port[0] = 21
[ 35.578844] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 36.655245] IPVS: ftp: loaded support on port[0] = 21
[ 36.687302] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 37.316786] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 37.346847] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 37.357915] IPVS: ftp: loaded support on port[0] = 21
[ 37.390284] ip6_tables: ip6tables: counters copy to user failed while replacing table
executing program
[ 38.005931] IPVS: ftp: loaded support on port[0] = 21
[ 38.037608] ip6_tables: ip6tables: counters copy to user failed while replacing table