Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.149' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.423922] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 27.434024] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 27.450365]
[ 27.451993] ======================================================
[ 27.458283] WARNING: possible circular locking dependency detected
[ 27.464576] 4.14.226-syzkaller #0 Not tainted
[ 27.469041] ------------------------------------------------------
[ 27.475328] syz-executor966/7985 is trying to acquire lock:
[ 27.481006]  (&table[i].mutex){+.+.}, at: [] nf_tables_netdev_event+0x10d/0x4d0
[ 27.489993]
[ 27.489993] but task is already holding lock:
[ 27.495934]  (rtnl_mutex){+.+.}, at: [] tun_chr_close+0x34/0x60
[ 27.503532]
[ 27.503532] which lock already depends on the new lock.
[ 27.503532]
[ 27.511824]
[ 27.511824] the existing dependency chain (in reverse order) is:
[ 27.519415]
[ 27.519415] -> #2 (rtnl_mutex){+.+.}:
[ 27.524669]        __mutex_lock+0xc4/0x1310
[ 27.528963]        unregister_netdevice_notifier+0x5e/0x2b0
[ 27.534644]        tee_tg_destroy+0x5c/0xb0
[ 27.538937]        cleanup_entry+0x232/0x310
[ 27.543319]        __do_replace+0x38d/0x580
[ 27.547610]        do_ip6t_set_ctl+0x256/0x3b0
[ 27.552163]        nf_setsockopt+0x5f/0xb0
[ 27.556370]        ipv6_setsockopt+0xc0/0x120
[ 27.560852]        udpv6_setsockopt+0x45/0x80
[ 27.565319]        SyS_setsockopt+0x110/0x1e0
[ 27.569783]        do_syscall_64+0x1d5/0x640
[ 27.574164]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.579845]
[ 27.579845] -> #1 (&xt[i].mutex){+.+.}:
[ 27.585272]        __mutex_lock+0xc4/0x1310
[ 27.589564]        match_revfn+0x43/0x210
[ 27.593683]        xt_find_revision+0x8d/0x1d0
[ 27.598233]        nfnl_compat_get+0x1f7/0x870
[ 27.602784]        nfnetlink_rcv_msg+0x9bb/0xc00
[ 27.607508]        netlink_rcv_skb+0x125/0x390
[ 27.612058]        nfnetlink_rcv+0x1ab/0x1da0
[ 27.616523]        netlink_unicast+0x437/0x610
[ 27.621076]        netlink_sendmsg+0x62e/0xb80
[ 27.625627]        sock_sendmsg+0xb5/0x100
[ 27.629896]        ___sys_sendmsg+0x6c8/0x800
[ 27.634365]        __sys_sendmsg+0xa3/0x120
[ 27.638659]        SyS_sendmsg+0x27/0x40
[ 27.642692]        do_syscall_64+0x1d5/0x640
[ 27.647081]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.652761]
[ 27.652761] -> #0 (&table[i].mutex){+.+.}:
[ 27.658451]        lock_acquire+0x170/0x3f0
[ 27.662746]        __mutex_lock+0xc4/0x1310
[ 27.667039]        nf_tables_netdev_event+0x10d/0x4d0
[ 27.672238]        notifier_call_chain+0x108/0x1a0
[ 27.677140]        rollback_registered_many+0x765/0xba0
[ 27.682479]        rollback_registered+0xca/0x170
[ 27.687293]        unregister_netdevice_queue+0x1b4/0x360
[ 27.692804]        __tun_detach+0xca2/0xf60
[ 27.697098]        tun_chr_close+0x41/0x60
[ 27.701321]        __fput+0x25f/0x7a0
[ 27.705094]        task_work_run+0x11f/0x190
[ 27.709474]        do_exit+0xa44/0x2850
[ 27.713418]        do_group_exit+0x100/0x2e0
[ 27.717799]        get_signal+0x38d/0x1ca0
[ 27.722003]        do_signal+0x7c/0x1550
[ 27.726036]        exit_to_usermode_loop+0x160/0x200
[ 27.731107]        do_syscall_64+0x4a3/0x640
[ 27.735492]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.741178]
[ 27.741178] other info that might help us debug this:
[ 27.741178]
[ 27.749289] Chain exists of:
[ 27.749289]   &table[i].mutex --> &xt[i].mutex --> rtnl_mutex
[ 27.749289]
[ 27.759491]  Possible unsafe locking scenario:
[ 27.759491]
[ 27.765517]        CPU0                    CPU1
[ 27.770155]        ----                    ----
[ 27.774790]   lock(rtnl_mutex);
[ 27.778062]                                lock(&xt[i].mutex);
[ 27.784002]                                lock(rtnl_mutex);
[ 27.789767]   lock(&table[i].mutex);
[ 27.793448]
[ 27.793448]  *** DEADLOCK ***
[ 27.793448]
[ 27.799475] 1 lock held by syz-executor966/7985:
[ 27.804197]  #0: (rtnl_mutex){+.+.}, at: [] tun_chr_close+0x34/0x60
[ 27.812233]
[ 27.812233] stack backtrace:
[ 27.816724] CPU: 0 PID: 7985 Comm: syz-executor966 Not tainted 4.14.226-syzkaller #0
[ 27.824572] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.833906] Call Trace:
[ 27.836469]  dump_stack+0x1b2/0x281
[ 27.840078]  print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 27.845854]  __lock_acquire+0x2e0e/0x3f20
[ 27.849974]  ? lock_downgrade+0x740/0x740
[ 27.854091]  ? unwind_next_frame+0xe54/0x17d0
[ 27.858570]  ? trace_hardirqs_on+0x10/0x10
[ 27.862775]  ? kernel_text_address+0xbd/0xf0
[ 27.867152]  ? __kernel_text_address+0x9/0x30
[ 27.871630]  ? unwind_get_return_address+0x51/0x90
[ 27.876536]  lock_acquire+0x170/0x3f0
[ 27.880309]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 27.885124]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 27.889939]  __mutex_lock+0xc4/0x1310
[ 27.893713]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 27.899828]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 27.904661]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 27.910099]  ? trace_hardirqs_on+0x10/0x10
[ 27.914305]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 27.919305]  ? lock_downgrade+0x740/0x740
[ 27.923425]  nf_tables_netdev_event+0x10d/0x4d0
[ 27.928079]  ? mirred_device_event+0x12f/0x170
[ 27.932642]  ? nf_tables_netdev_init_net+0x140/0x140
[ 27.937721]  ? mirred_device_event+0x12f/0x170
[ 27.942280]  ? __local_bh_enable_ip+0xc1/0x170
[ 27.946849]  notifier_call_chain+0x108/0x1a0
[ 27.951231]  rollback_registered_many+0x765/0xba0
[ 27.956048]  ? netdev_state_change+0xf0/0xf0
[ 27.960430]  ? queue_delayed_work_on+0x114/0x1d0
[ 27.965158]  rollback_registered+0xca/0x170
[ 27.969451]  ? rollback_registered_many+0xba0/0xba0
[ 27.974439]  ? linkwatch_schedule_work+0xe5/0x110
[ 27.979255]  unregister_netdevice_queue+0x1b4/0x360
[ 27.984256]  __tun_detach+0xca2/0xf60
[ 27.988031]  ? tun_recvmsg+0x3b0/0x3b0
[ 27.991892]  tun_chr_close+0x41/0x60
[ 27.995578]  __fput+0x25f/0x7a0
[ 27.998831]  task_work_run+0x11f/0x190
[ 28.002690]  do_exit+0xa44/0x2850
[ 28.006121]  ? wake_up_q+0x82/0xd0
[ 28.009649]  ? mm_update_next_owner+0x5b0/0x5b0
[ 28.014289]  ? get_signal+0x323/0x1ca0
[ 28.018237]  ? lock_acquire+0x170/0x3f0
[ 28.022188]  ? lock_downgrade+0x740/0x740
[ 28.026326]  do_group_exit+0x100/0x2e0
[ 28.030184]  get_signal+0x38d/0x1ca0
[ 28.033870]  ? do_futex+0x12b/0x1570
[ 28.037555]  ? __fget+0x1fe/0x360
[ 28.040981]  do_signal+0x7c/0x1550
[ 28.044493]  ? __fget+0x225/0x360
[ 28.047916]  ? setup_sigcontext+0x820/0x820
[ 28.052209]  ? __fdget+0x196/0x1f0
[ 28.055720]  ? sockfd_lookup_light+0xb2/0x160
[ 28.060185]  ? fput+0xb/0x140
[ 28.063262]  ? __sys_sendmsg+0xb6/0x120
[ 28.067207]  ? SyS_futex+0x1da/0x290
[ 28.070889]  ? SyS_futex+0x1e3/0x290
[ 28.074586]  ? exit_to_usermode_loop+0x41/0x200
[ 28.079238]  exit_to_usermode_loop+0x160/0x200
[ 28.083798]  do_syscall_64+0x4a3/0x640
[ 28.087662]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.092828] RIP: 0033:0x4460c9
[ 28.095989] RSP: 002b:00007eff75715308 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 28.103672] RAX: fffffffffffffe00 RBX: 00000000004cb458 RCX: 00000000004460c9
[ 28.110918] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000004cb458
[ 28.118165] RBP: 00000000004cb450 R08: 0000000000000000 R09: 0000000000000000
[ 28.125445] R10: