[ ok ] Starting enhanced syslogd: rsyslogd.
[ 20.113897] audit: type=1400 audit(1536263830.125:4): avc: denied { syslog } for pid=2150 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
executing program
syzkaller login:
[ 29.656685]
[ 29.658327] ======================================================
[ 29.664644] [ INFO: possible circular locking dependency detected ]
[ 29.671026] 4.4.154+ #33 Not tainted
[ 29.674713] -------------------------------------------------------
[ 29.681091] syz-executor906/2297 is trying to acquire lock:
[ 29.686805]  (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x31b/0x40c0
[ 29.695695]
[ 29.695695] but task is already holding lock:
[ 29.701644]  (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0
[ 29.710430]
[ 29.710430] which lock already depends on the new lock.
[ 29.710430]
[ 29.718756]
[ 29.718756] the existing dependency chain (in reverse order) is:
[ 29.726353] -> #1 (_xmit_NETROM){+.-...}:
[ 29.731126] [] lock_acquire+0x15e/0x450
[ 29.737374] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 29.744317] [] depot_save_stack+0x20b/0x5eb
[ 29.750908] [] kasan_kmalloc.part.1+0xc9/0xf0
[ 29.758113] [] kasan_kmalloc+0xaf/0xc0
[ 29.764276] [] kasan_slab_alloc+0x12/0x20
[ 29.770690] [] kmem_cache_alloc+0xdc/0x2c0
[ 29.777309] [] inet_getpeer+0x159d/0x1d70
[ 29.783725] [] icmp6_send+0x17b7/0x1b70
[ 29.789962] [] icmpv6_param_prob+0x29/0x40
[ 29.796462] [] ipv6_frag_rcv+0x3de6/0x4f80
[ 29.802982] [] ip6_input_finish+0x57d/0x1510
[ 29.809661] [] ip6_input+0xf6/0x200
[ 29.815552] [] ip6_rcv_finish+0x14e/0x670
[ 29.821966] [] ipv6_rcv+0x10b2/0x1d10
[ 29.828031] [] __netif_receive_skb_core+0x12c8/0x2820
[ 29.835506] [] __netif_receive_skb+0x5b/0x1c0
[ 29.842287] [] process_backlog+0x20a/0x670
[ 29.848783] [] net_rx_action+0x2ec/0xc50
[ 29.855107] [] __do_softirq+0x22c/0xa1a
[ 29.861349] [] do_softirq_own_stack+0x1c/0x30
[ 29.868110] [] do_softirq.part.2+0x54/0x60
[ 29.874632] [] do_softirq+0x19/0x20
[ 29.880563] [] netif_rx_ni+0xec/0x3a0
[ 29.886632] [] tun_get_user+0xf3a/0x2690
[ 29.892979] [] tun_chr_write_iter+0xd5/0x190
[ 29.899673] [] do_iter_readv_writev+0x133/0x1d0
[ 29.906607] [] compat_do_readv_writev+0x337/0x6f0
[ 29.913724] [] compat_writev+0xe1/0x150
[ 29.919961] [] compat_SyS_writev+0xd8/0x1c0
[ 29.926564] [] do_fast_syscall_32+0x31e/0x8b0
[ 29.933322] [] sysenter_flags_fixed+0xd/0x1a
[ 29.939993] -> #0 (&(&q->lock)->rlock){+.-...}:
[ 29.945274] [] __lock_acquire+0x3b6e/0x5ba0
[ 29.951864] [] lock_acquire+0x15e/0x450
[ 29.958102] [] _raw_spin_lock+0x36/0x50
[ 29.964344] [] ip_defrag+0x31b/0x40c0
[ 29.970430] [] ip_check_defrag+0x3a7/0x710
[ 29.976934] [] packet_rcv_fanout+0x52a/0x5e0
[ 29.983626] [] dev_hard_start_xmit+0x650/0x11c0
[ 29.990585] [] sch_direct_xmit+0x2b8/0x6c0
[ 29.997085] [] __dev_queue_xmit+0xf95/0x1c30
[ 30.003752] [] dev_queue_xmit+0x17/0x20
[ 30.009989] [] neigh_resolve_output+0x600/0x780
[ 30.016922] [] ip_finish_output2+0x8f0/0x1100
[ 30.023682] [] ip_do_fragment+0x1870/0x1f60
[ 30.030264] [] ip_fragment.constprop.5+0x145/0x200
[ 30.037481] [] ip_finish_output+0x396/0xc00
[ 30.044071] [] ip_mc_output+0x237/0x980
[ 30.050306] [] ip_local_out+0x9b/0x180
[ 30.056456] [] ip_send_skb+0x3c/0xc0
[ 30.062451] [] udp_send_skb+0x503/0xc70
[ 30.068707] [] udp_sendmsg+0x16c9/0x1c70
[ 30.075029] [] inet_sendmsg+0x203/0x4d0
[ 30.081264] [] sock_sendmsg+0xbb/0x110
[ 30.087420] [] SyS_sendto+0x220/0x370
[ 30.093483] [] do_fast_syscall_32+0x31e/0x8b0
[ 30.100266] [] sysenter_flags_fixed+0xd/0x1a
[ 30.106939]
[ 30.106939] other info that might help us debug this:
[ 30.106939]
[ 30.115056] Possible unsafe locking scenario:
[ 30.115056]
[ 30.121085]        CPU0                    CPU1
[ 30.125725]        ----                    ----
[ 30.130376]   lock(_xmit_NETROM);
[ 30.134033]                                lock(&(&q->lock)->rlock);
[ 30.140730]                                lock(_xmit_NETROM);
[ 30.146910]   lock(&(&q->lock)->rlock);
[ 30.151086]
[ 30.151086]  *** DEADLOCK ***
[ 30.151086]
[ 30.157118] 4 locks held by syz-executor906/2297:
[ 30.161929]  #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1100
[ 30.171908]  #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30
[ 30.181742]  #2: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0
[ 30.191078]  #3: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xa8/0x11c0
[ 30.200867]
[ 30.200867] stack backtrace:
[ 30.205340] CPU: 1 PID: 2297 Comm: syz-executor906 Not tainted 4.4.154+ #33
[ 30.212412] 0000000000000000 accd050fb542725a ffff8801c9676d18 ffffffff81a54fed
[ 30.220402] ffffffff83aca760 ffffffff83acae20 ffffffff83aca760 ffff8800ad805078
[ 30.228402] ffff8800ad804740 ffff8801c9676d60 ffffffff81391d2f 0000000000000003
[ 30.236407] Call Trace:
[ 30.238972] [] dump_stack+0xc1/0x124
[ 30.244311] [] print_circular_bug.cold.34+0x2f7/0x432
[ 30.251128] [] __lock_acquire+0x3b6e/0x5ba0
[ 30.257075] [] ? trace_hardirqs_on+0x10/0x10
[ 30.263128] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70
[ 30.270032] [] ? trace_hardirqs_on_caller+0x266/0x590
[ 30.276846] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.283573] [] ? mod_timer+0x433/0x8f0
[ 30.289082] [] lock_acquire+0x15e/0x450
[ 30.294682] [] ? ip_defrag+0x31b/0x40c0
[ 30.300281] [] ? inet_frag_find+0x27a/0x9a0
[ 30.306249] [] _raw_spin_lock+0x36/0x50
[ 30.311847] [] ? ip_defrag+0x31b/0x40c0
[ 30.317446] [] ip_defrag+0x31b/0x40c0
[ 30.322874] [] ? trace_hardirqs_on+0x10/0x10
[ 30.328911] [] ? ipv4_frags_init_net+0x3a0/0x3a0
[ 30.335292] [] ? ___slab_alloc.constprop.33+0x323/0x3e0
[ 30.342281] [] ? skb_clone+0x124/0x280
[ 30.347794] [] ip_check_defrag+0x3a7/0x710
[ 30.353843] [] ? ip_defrag+0x40c0/0x40c0
[ 30.359530] [] packet_rcv_fanout+0x52a/0x5e0
[ 30.365560] [] ? fanout_demux_rollover+0x4e0/0x4e0
[ 30.372116] [] dev_hard_start_xmit+0x650/0x11c0
[ 30.378431] [] ? dev_hard_start_xmit+0xa8/0x11c0
[ 30.384812] [] sch_direct_xmit+0x2b8/0x6c0
[ 30.390669] [] ? dev_deactivate_queue.constprop.6+0x160/0x160
[ 30.398184] [] __dev_queue_xmit+0xf95/0x1c30
[ 30.404220] [] ? __dev_queue_xmit+0x1d7/0x1c30
[ 30.410436] [] ? trace_hardirqs_on+0x10/0x10
[ 30.416470] [] ? netdev_pick_tx+0x2c0/0x2c0
[ 30.422415] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.429146] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.435879] [] ? memcpy+0x45/0x50
[ 30.440960] [] dev_queue_xmit+0x17/0x20
[ 30.446559] [] neigh_resolve_output+0x600/0x780
[ 30.452855] [] ? ip_finish_output2+0x8f0/0x1100
[ 30.459327] [] ip_finish_output2+0x8f0/0x1100
[ 30.465449] [] ? ip_finish_output2+0x20b/0x1100
[ 30.471747] [] ? nf_ct_deliver_cached_events+0x335/0x560
[ 30.478825] [] ? nf_ct_deliver_cached_events+0x83/0x560
[ 30.485819] [] ? nf_conntrack_seqadj_fini+0x20/0x20
[ 30.492467] [] ? ip_send_check+0xb0/0xb0
[ 30.498159] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.504891] [] ? ip_options_fragment+0x1ac/0x280
[ 30.511291] [] ip_do_fragment+0x1870/0x1f60
[ 30.517262] [] ? ip_send_check+0xb0/0xb0
[ 30.522982] [] ip_fragment.constprop.5+0x145/0x200
[ 30.529541] [] ip_finish_output+0x396/0xc00
[ 30.535491] [] ip_mc_output+0x237/0x980
[ 30.541096] [] ? ip_queue_xmit+0x1a80/0x1a80
[ 30.547152] [] ? ip_make_skb+0x116/0x210
[ 30.552863] [] ? ip_fragment.constprop.5+0x200/0x200
[ 30.559593] [] ? ip_flush_pending_frames+0x30/0x30
[ 30.566152] [] ip_local_out+0x9b/0x180
[ 30.571685] [] ip_send_skb+0x3c/0xc0
[ 30.577029] [] udp_send_skb+0x503/0xc70
[ 30.582657] [] udp_sendmsg+0x16c9/0x1c70
[ 30.588353] [] ? ip_reply_glue_bits+0xc0/0xc0
[ 30.594499] [] ? udp_lib_unhash+0x630/0x630
[ 30.600451] [] ? trace_hardirqs_on+0x10/0x10
[ 30.606489] [] ? sock_has_perm+0x1c1/0x3f0
[ 30.612355] [] ? sock_has_perm+0x2a1/0x3f0
[ 30.618237] [] ? sock_has_perm+0x9f/0x3f0
[ 30.624015] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.630747] [] ? check_preemption_disabled+0x3b/0x170
[ 30.637565] [] ? inet_sendmsg+0x143/0x4d0
[ 30.643337] [] inet_sendmsg+0x203/0x4d0
[ 30.648934] [] ? inet_sendmsg+0x73/0x4d0
[ 30.654646] [] ? inet_recvmsg+0x4c0/0x4c0
[ 30.660424] [] sock_sendmsg+0xbb/0x110
[ 30.665939] [] SyS_sendto+0x220/0x370
[ 30.671368] [] ? SyS_getpeername+0x2d0/0x2d0
[ 30.677408] [] ? _raw_spin_unlock+0x2c/0x50
[ 30.683361] [] ? handle_mm_fault+0x49a/0x2f30
[ 30.689485] [] ? SyS_accept+0x30/0x30
[ 30.694917] [] ? debug_lockdep_rcu_enabled+0x77/0x90
[ 30.701656] [] ? __do_page_fault+0x2b6/0x7e0
[ 30.707697] [] ? do_fast_syscall_32+0xdb/0x8b0
[ 30.713910] [] ? SyS_getpeername+0x2d0/0x2d0
[ 30.719979] [] do_fast_syscall_32+0x31e/0x8b0
[ 30.726108] [] sysenter_flags_fixed+0xd/0x1a