[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.80' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 36.016590] audit: type=1400 audit(1588146155.588:8): avc: denied { execmem } for pid=6344 comm="syz-executor076" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 36.026551] xt_hashlimit: size too large, truncated to 1048576
[ 36.044294] xt_hashlimit: size too large, truncated to 1048576
[ 36.048075] xt_hashlimit: size too large, truncated to 1048576
[ 36.056731] xt_hashlimit: size too large, truncated to 1048576
[ 36.063988] xt_hashlimit: size too large, truncated to 1048576
[ 36.066957] xt_hashlimit: size too large, truncated to 1048576
[ 36.080862] ip_tables: iptables: counters copy to user failed while replacing table
[ 36.089685] ip_tables: iptables: counters copy to user failed while replacing table
[ 36.098644] ip_tables: iptables: counters copy to user failed while replacing table
[ 36.108101] ip_tables: iptables: counters copy to user failed while replacing table
[ 36.116577] ip_tables: iptables: counters copy to user failed while replacing table
[ 36.126616] netlink: 4 bytes leftover after parsing attributes in process `syz-executor076'.
[ 36.136605]
[ 36.138251] ======================================================
[ 36.150714] WARNING: possible circular locking dependency detected
[ 36.157803] 4.14.177-syzkaller #0 Not tainted
[ 36.162411] ------------------------------------------------------
[ 36.169654] syz-executor076/6368 is trying to acquire lock:
[ 36.175357] (&xt[i].mutex){+.+.}, at: [] xt_find_target+0x3d/0x1e0
[ 36.183834]
[ 36.183834] but task is already holding lock:
[ 36.189933] (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 36.199460]
[ 36.199460] which lock already depends on the new lock.
[ 36.199460]
[ 36.208641]
[ 36.208641] the existing dependency chain (in reverse order) is:
[ 36.216466]
[ 36.216466] -> #1 (rtnl_mutex){+.+.}:
[ 36.221886] __mutex_lock+0xe8/0x1470
[ 36.226214] unregister_netdevice_notifier+0x5e/0x2b0
[ 36.232143] tee_tg_destroy+0x5c/0xb0
[ 36.236487] cleanup_entry+0x169/0x220
[ 36.241125] __do_replace+0x38d/0x570
[ 36.245738] do_ipt_set_ctl+0x255/0x39d
[ 36.250341] nf_setsockopt+0x5f/0xb0
[ 36.255523] ip_setsockopt+0x94/0xb0
[ 36.259974] udp_setsockopt+0x45/0x80
[ 36.267602] SyS_setsockopt+0x110/0x1e0
[ 36.272237] do_syscall_64+0x1d5/0x640
[ 36.276740] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.282603]
[ 36.282603] -> #0 (&xt[i].mutex){+.+.}:
[ 36.288274] lock_acquire+0x170/0x3f0
[ 36.293174] __mutex_lock+0xe8/0x1470
[ 36.297496] xt_find_target+0x3d/0x1e0
[ 36.302174] xt_request_find_target+0x72/0xe0
[ 36.307613] ipt_init_target+0xb1/0x240
[ 36.312482] __tcf_ipt_init+0x455/0xaf0
[ 36.317071] tcf_xt_init+0x43/0x50
[ 36.321524] tcf_action_init_1+0x51a/0x9f0
[ 36.326503] tcf_action_init+0x26d/0x400
[ 36.331364] tc_ctl_action+0x2e3/0x513
[ 36.336308] rtnetlink_rcv_msg+0x3be/0xb10
[ 36.341282] netlink_rcv_skb+0x127/0x370
[ 36.345862] netlink_unicast+0x437/0x620
[ 36.350755] netlink_sendmsg+0x733/0xbe0
[ 36.355335] sock_sendmsg+0xc5/0x100
[ 36.359777] sock_no_sendpage+0xe5/0x110
[ 36.364805] kernel_sendpage+0x82/0xd0
[ 36.369430] sock_sendpage+0x84/0xa0
[ 36.373785] pipe_to_sendpage+0x226/0x2d0
[ 36.378460] __splice_from_pipe+0x332/0x740
[ 36.383639] splice_from_pipe+0xc6/0x120
[ 36.388399] SyS_splice+0xca0/0x1230
[ 36.392774] do_syscall_64+0x1d5/0x640
[ 36.397385] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.403089]
[ 36.403089] other info that might help us debug this:
[ 36.403089]
[ 36.412286] Possible unsafe locking scenario:
[ 36.412286]
[ 36.418617]        CPU0                    CPU1
[ 36.423536]        ----                    ----
[ 36.428388]   lock(rtnl_mutex);
[ 36.431885]                                lock(&xt[i].mutex);
[ 36.438486]                                lock(rtnl_mutex);
[ 36.444329]   lock(&xt[i].mutex);
[ 36.447932]
[ 36.447932] *** DEADLOCK ***
[ 36.447932]
[ 36.454964] 2 locks held by syz-executor076/6368:
[ 36.459819] #0: (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70
[ 36.469126] #1: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 36.478275]
[ 36.478275] stack backtrace:
[ 36.482887] CPU: 0 PID: 6368 Comm: syz-executor076 Not tainted 4.14.177-syzkaller #0
[ 36.491148] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.501406] Call Trace:
[ 36.504178] dump_stack+0x13e/0x194
[ 36.508080] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 36.513793] __lock_acquire+0x2cb3/0x4620
[ 36.518196] ? deref_stack_reg+0x8a/0xc0
[ 36.522396] ? trace_hardirqs_on+0x10/0x10
[ 36.526782] ? save_trace+0x290/0x290
[ 36.530584] ? save_trace+0x290/0x290
[ 36.534430] lock_acquire+0x170/0x3f0
[ 36.538589] ? xt_find_target+0x3d/0x1e0
[ 36.542762] ? xt_find_target+0x3d/0x1e0
[ 36.547104] __mutex_lock+0xe8/0x1470
[ 36.551014] ? xt_find_target+0x3d/0x1e0
[ 36.555158] ? save_stack+0x89/0xa0
[ 36.558787] ? xt_find_target+0x3d/0x1e0
[ 36.562856] ? kasan_kmalloc+0xbf/0xe0
[ 36.566953] ? __kmalloc_track_caller+0x153/0x7b0
[ 36.572120] ? __tcf_ipt_init+0x431/0xaf0
[ 36.576520] ? mutex_trylock+0x1a0/0x1a0
[ 36.580662] ? rtnetlink_rcv_msg+0x3be/0xb10
[ 36.585093] ? netlink_rcv_skb+0x127/0x370
[ 36.589497] ? netlink_unicast+0x437/0x620
[ 36.594134] ? netlink_sendmsg+0x733/0xbe0
[ 36.598697] ? sock_sendmsg+0xc5/0x100
[ 36.604729] ? sock_no_sendpage+0xe5/0x110
[ 36.609276] ? kernel_sendpage+0x82/0xd0
[ 36.613597] ? sock_sendpage+0x84/0xa0
[ 36.617476] ? pipe_to_sendpage+0x226/0x2d0
[ 36.621952] ? __splice_from_pipe+0x332/0x740
[ 36.626447] ? splice_from_pipe+0xc6/0x120
[ 36.630925] ? SyS_splice+0xca0/0x1230
[ 36.635146] ? do_syscall_64+0x1d5/0x640
[ 36.639880] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.645318] ? trace_hardirqs_on+0x10/0x10
[ 36.649904] ? do_syscall_64+0x1d5/0x640
[ 36.653965] ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.659576] ? xt_find_target+0x3d/0x1e0
[ 36.664013] xt_find_target+0x3d/0x1e0
[ 36.667896] xt_request_find_target+0x72/0xe0
[ 36.672454] ipt_init_target+0xb1/0x240
[ 36.676451] ? tcf_ipt_release+0x120/0x120
[ 36.680688] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 36.686276] ? memcpy+0x35/0x50
[ 36.689647] __tcf_ipt_init+0x455/0xaf0
[ 36.693758] ? ipt_init_target+0x240/0x240
[ 36.697988] ? lock_downgrade+0x6e0/0x6e0
[ 36.702532] tcf_xt_init+0x43/0x50
[ 36.706302] tcf_action_init_1+0x51a/0x9f0
[ 36.710895] ? tcf_action_dump_old+0x80/0x80
[ 36.715391] ? find_held_lock+0x2d/0x110
[ 36.719475] ? avc_has_perm_noaudit+0x270/0x400
[ 36.724313] ? nla_parse+0x183/0x240
[ 36.728026] tcf_action_init+0x26d/0x400
[ 36.732088] ? tcf_action_init_1+0x9f0/0x9f0
[ 36.736495] ? memset+0x20/0x40
[ 36.739887] ? nla_parse+0x183/0x240
[ 36.743842] tc_ctl_action+0x2e3/0x513
[ 36.748057] ? tca_action_gd+0x7b0/0x7b0
[ 36.752111] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 36.756632] ? tca_action_gd+0x7b0/0x7b0
[ 36.760685] rtnetlink_rcv_msg+0x3be/0xb10
[ 36.765135] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 36.769712] ? save_trace+0x290/0x290
[ 36.773511] ? save_trace+0x290/0x290
[ 36.777311] netlink_rcv_skb+0x127/0x370
[ 36.781366] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 36.786116] ? netlink_ack+0x980/0x980
[ 36.790100] netlink_unicast+0x437/0x620
[ 36.794292] ? netlink_attachskb+0x600/0x600
[ 36.798831] netlink_sendmsg+0x733/0xbe0
[ 36.803069] ? netlink_unicast+0x620/0x620
[ 36.807586] ? __lock_is_held+0xad/0x140
[ 36.811818] ? security_socket_sendmsg+0x83/0xb0
[ 36.816619] ? netlink_unicast+0x620/0x620
[ 36.820870] sock_sendmsg+0xc5/0x100
[ 36.824901] sock_no_sendpage+0xe5/0x110
[ 36.829105] ? sock_kzfree_s+0x50/0x50
[ 36.832986] ? sock_kzfree_s+0x50/0x50
[ 36.837076] kernel_sendpage+0x82/0xd0
[ 36.841214] sock_sendpage+0x84/0xa0
[ 36.845013] pipe_to_sendpage+0x226/0x2d0
[ 36.849531] ? kernel_sendpage+0xd0/0xd0
[ 36.853594] ? direct_splice_actor+0x160/0x160
[ 36.858541] ? splice_from_pipe_next.part.0+0x1e4/0x290
[ 36.864271] __splice_from_pipe+0x332/0x740
[ 36.869007] ? direct_splice_actor+0x160/0x160
[ 36.873674] ? direct_splice_actor+0x160/0x160
[ 36.878408] splice_from_pipe+0xc6/0x120
[ 36.882789] ? splice_shrink_spd+0xb0/0xb0
[ 36.887199] ? rw_verify_area+0xe1/0x2a0
[ 36.891253] ? splice_from_pipe+0x120/0x120
[ 36.895706] SyS_splice+0xca0/0x1230
[ 36.899523] ? do_futex+0x1850/0x1850
[ 36.903465] ? compat_SyS_vmsplice+0x250/0x250
[ 36.908193] ? do_syscall_64+0x4c/0x640
[ 36.912362] ? compat_SyS_vmsplice+0x250/0x250
[ 36.916944] do_syscall_64+0x1d5/0x640
[ 36.920978] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.926566] RIP: 0033:0x447639
[ 36.929894] RSP: 002b:00007f5837541d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 36.937954] RAX: ffffffffffffffda RBX: 00000000006dcc68 RCX: 0000000000447639
[ 36.945931] RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000004
[ 36.953531] RBP: 00000000006dcc60 R08: 000000000004ffe0 R09: 0000000000000000
[ 36.961279] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc6c
[ 36.968780] R13: 0000000000000000 R14: 0000000000000000 R15: 6570797472646461