[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 36.966279] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.302530] kauditd_printk_skb: 11 callbacks suppressed
[ 37.302539] audit: type=1400 audit(1582436509.194:35): avc: denied { map } for pid=7290 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.359839] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.149551] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.913657] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.42' (ECDSA) to the list of known hosts.
[ 51.444791] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 51.564665] audit: type=1400 audit(1582436523.454:36): avc: denied { map } for pid=7302 comm="syz-executor180" path="/root/syz-executor180127143" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 51.592996] ip_tables: iptables: counters copy to user failed while replacing table
[ 51.648208] netlink: 4 bytes leftover after parsing attributes in process `syz-executor180'.
[ 51.663402] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
[ 51.675613] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
[ 51.687993] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
[ 51.700224] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
[ 51.712586] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
[ 51.724858] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
executing program
[ 51.738047] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
[ 51.750369] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
[ 51.762600] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
[ 51.774858] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7305 comm=syz-executor180
[ 51.825957]
[ 51.827597] ======================================================
[ 51.833892] WARNING: possible circular locking dependency detected
[ 51.840192] 4.14.171-syzkaller #0 Not tainted
[ 51.844659] ------------------------------------------------------
[ 51.850956] syz-executor180/7308 is trying to acquire lock:
[ 51.856642]  (rtnl_mutex){+.+.}, at: [] rtnl_lock+0x17/0x20
[ 51.863915]
[ 51.863915] but task is already holding lock:
[ 51.869860]  (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x3c/0x3d0
[ 51.878167]
[ 51.878167] which lock already depends on the new lock.
[ 51.878167]
[ 51.886463]
[ 51.886463] the existing dependency chain (in reverse order) is:
[ 51.894095]
[ 51.894095] -> #1 (&xt[i].mutex){+.+.}:
[ 51.899538]        lock_acquire+0x16f/0x430
[ 51.903844]        __mutex_lock+0xe8/0x1470
[ 51.908171]        mutex_lock_nested+0x16/0x20
[ 51.912743]        xt_find_target+0x3e/0x1e0
[ 51.917135]        xt_request_find_target+0x74/0xe0
[ 51.917544] netlink: 4 bytes leftover after parsing attributes in process `syz-executor180'.
[ 51.922155]        ipt_init_target+0xce/0x290
[ 51.922161]        __tcf_ipt_init+0x48c/0xb50
[ 51.922166]        tcf_xt_init+0x4e/0x60
[ 51.922171]        tcf_action_init_1+0x53c/0xaa0
[ 51.922176]        tcf_action_init+0x2ab/0x480
[ 51.922180]        tc_ctl_action+0x30a/0x548
[ 51.922187]        rtnetlink_rcv_msg+0x3da/0xb70
[ 51.922192]        netlink_rcv_skb+0x14f/0x3c0
[ 51.922197]        rtnetlink_rcv+0x1d/0x30
[ 51.922206]        netlink_unicast+0x44d/0x650
[ 51.975592]        netlink_sendmsg+0x7c4/0xc60
[ 51.980153]        sock_sendmsg+0xce/0x110
[ 51.984372]        kernel_sendmsg+0x44/0x50
[ 51.988669]        sock_no_sendpage+0x107/0x130
[ 51.993315]        kernel_sendpage+0x92/0xf0
[ 51.997700]        sock_sendpage+0x8b/0xc0
[ 52.001917]        pipe_to_sendpage+0x242/0x340
[ 52.006571]        __splice_from_pipe+0x348/0x780
[ 52.011399]        splice_from_pipe+0xf0/0x150
[ 52.015969]        generic_splice_sendpage+0x3c/0x50
[ 52.021063]        SyS_splice+0xd92/0x1430
[ 52.025289]        do_syscall_64+0x1e8/0x640
[ 52.029680]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.035363]
[ 52.035363] -> #0 (rtnl_mutex){+.+.}:
[ 52.040630]        __lock_acquire+0x2cb3/0x4620
[ 52.045285]        lock_acquire+0x16f/0x430
[ 52.049632]        __mutex_lock+0xe8/0x1470
[ 52.053973]        mutex_lock_nested+0x16/0x20
[ 52.058535]        rtnl_lock+0x17/0x20
[ 52.062402]        unregister_netdevice_notifier+0x5f/0x2c0
[ 52.068091]        tee_tg_destroy+0x61/0xc0
[ 52.072399]        cleanup_entry+0x17d/0x230
[ 52.082275]        __do_replace+0x3c5/0x5b0
[ 52.086576]        do_ipt_set_ctl+0x296/0x3ee
[ 52.091052]        nf_setsockopt+0x67/0xc0
[ 52.095277]        ip_setsockopt+0x9b/0xb0
[ 52.099492]        udp_setsockopt+0x4e/0x90
[ 52.103803]        sock_common_setsockopt+0x94/0xd0
[ 52.108794]        SyS_setsockopt+0x13c/0x210
[ 52.113266]        do_syscall_64+0x1e8/0x640
[ 52.117663]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.123358]
[ 52.123358] other info that might help us debug this:
[ 52.123358]
[ 52.131480]  Possible unsafe locking scenario:
[ 52.131480]
[ 52.137514]        CPU0                    CPU1
[ 52.142163]        ----                    ----
[ 52.146806]   lock(&xt[i].mutex);
[ 52.150240]                                lock(rtnl_mutex);
[ 52.156013]                                lock(&xt[i].mutex);
[ 52.161963]   lock(rtnl_mutex);
[ 52.165244]
[ 52.165244]  *** DEADLOCK ***
[ 52.165244]
[ 52.171284] 1 lock held by syz-executor180/7308:
[ 52.176010]  #0:  (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x3c/0x3d0
[ 52.184762]
[ 52.184762] stack backtrace:
[ 52.189251] CPU: 0 PID: 7308 Comm: syz-executor180 Not tainted 4.14.171-syzkaller #0
[ 52.197121] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.206478] Call Trace:
[ 52.209054]  dump_stack+0x142/0x197
[ 52.212664]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 52.218021]  __lock_acquire+0x2cb3/0x4620
[ 52.222155]  ? trace_hardirqs_on+0x10/0x10
[ 52.226369]  ? __kernel_text_address+0xd/0x40
[ 52.230845]  lock_acquire+0x16f/0x430
[ 52.234971]  ? rtnl_lock+0x17/0x20
[ 52.238500]  ? rtnl_lock+0x17/0x20
[ 52.242027]  __mutex_lock+0xe8/0x1470
[ 52.245810]  ? rtnl_lock+0x17/0x20
[ 52.249337]  ? __bitmap_weight+0xbd/0xf0
[ 52.253389]  ? rtnl_lock+0x17/0x20
[ 52.257866]  ? pcpu_next_md_free_region+0x14c/0x2f0
[ 52.262863]  ? mutex_trylock+0x1c0/0x1c0
[ 52.266904]  ? pcpu_chunk_refresh_hint+0x29b/0x350
[ 52.271824]  ? free_percpu+0x232/0x710
[ 52.275690]  ? find_held_lock+0x35/0x130
[ 52.279728]  ? free_percpu+0x232/0x710
[ 52.283597]  mutex_lock_nested+0x16/0x20
[ 52.287640]  ? mutex_lock_nested+0x16/0x20
[ 52.291865]  rtnl_lock+0x17/0x20
[ 52.295219]  unregister_netdevice_notifier+0x5f/0x2c0
[ 52.300393]  ? trace_hardirqs_on_caller+0x400/0x590
[ 52.305428]  ? register_netdevice_notifier+0x520/0x520
[ 52.310696]  ? free_percpu+0x24f/0x710
[ 52.314563]  tee_tg_destroy+0x61/0xc0
[ 52.318349]  ? tee_tg6+0x160/0x160
[ 52.321867]  cleanup_entry+0x17d/0x230
[ 52.325732]  ? cleanup_match+0x140/0x140
[ 52.329770]  __do_replace+0x3c5/0x5b0
[ 52.333551]  ? compat_do_ipt_get_ctl+0x7f0/0x7f0
[ 52.338300]  ? _copy_from_user+0x99/0x110
[ 52.342428]  do_ipt_set_ctl+0x296/0x3ee
[ 52.346387]  ? compat_do_ipt_set_ctl+0x150/0x150
[ 52.351129]  ? mutex_unlock+0xd/0x10
[ 52.354844]  ? nf_sockopt_find.constprop.0+0x1b7/0x230
[ 52.360101]  nf_setsockopt+0x67/0xc0
[ 52.363810]  ip_setsockopt+0x9b/0xb0
[ 52.367503]  udp_setsockopt+0x4e/0x90
[ 52.371296]  sock_common_setsockopt+0x94/0xd0
[ 52.375770]  SyS_setsockopt+0x13c/0x210
[ 52.379733]  ? SyS_recv+0x40/0x40
[ 52.383174]  ? do_syscall_64+0x53/0x640
[ 52.387135]  ? SyS_recv+0x40/0x40
[ 52.390571]  do_syscall_64+0x1e8/0x640
[ 52.394466]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 52.399297]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.404470] RIP: 0033:0x4468c9
[ 52.407635] RSP: 002b:00007f5bbc3bad98 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 52.415336] RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 00000000004468c9
[ 52.422582] RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003
[ 52.429853] RBP: 00000000006dbc40 R08: 0000000000000001 R09: 0000000000000000
[ 52.437106] R10: 0000000020000240 R11: 0000000000000246 R12: 00000000006dbc4c
[ 52.444354] R13: 0001004c008dcaf0 R14: a100000000000000 R15: fa3d003000000060
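What lockdep is saying in the "Possible unsafe locking scenario" block above: chain #1 (tc_ctl_action via rtnetlink) recorded the edge rtnl_mutex -> &xt[i].mutex, and chain #0 (__do_replace via setsockopt, with tee_tg_destroy calling rtnl_lock under &xt[i].mutex) now tries to add the reverse edge, closing a cycle. The program below is an added example, not part of the report and not kernel code: a userspace toy that records per-task lock-acquisition edges and runs the same cycle check, replayed on the two chains from the report. Only the two lock names are taken from the report; the task model, the replay functions and the edge-graph representation are constructed for the example. The real kernel keys on lock classes and stores the graph differently, so this illustrates the check, not lockdep's data structures.

```c
/* Toy lock-order checker modelled on lockdep's circular-dependency check.
 * Added example, not kernel code: only the two lock names come from the report. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 16
#define MAX_HELD    8

/* dep[a][b] records that lock class b was acquired while class a was held. */
static bool        dep[MAX_CLASSES][MAX_CLASSES];
static const char *class_name[MAX_CLASSES];
static int         nclasses;

static void reset_graph(void) { memset(dep, 0, sizeof dep); nclasses = 0; }

/* Map a lock name to a class index, registering it on first use. */
static int lock_class(const char *name)
{
    for (int i = 0; i < nclasses; i++)
        if (strcmp(class_name[i], name) == 0) return i;
    class_name[nclasses] = name;
    return nclasses++;
}

/* Depth-first search: does the recorded graph already contain a path from -> to? */
static bool reachable(int from, int to, bool *visited)
{
    if (from == to) return true;
    visited[from] = true;
    for (int n = 0; n < nclasses; n++)
        if (dep[from][n] && !visited[n] && reachable(n, to, visited)) return true;
    return false;
}

struct task { int held[MAX_HELD]; int nheld; };

/* Acquire 'name' in task t.  For every lock already held, the new edge is
 * held -> new; if a path new -> ... -> held already exists, that edge closes
 * a cycle, which is what lockdep prints as "possible circular locking
 * dependency".  Returns true when such a cycle is found. */
static bool lock_acquire(struct task *t, const char *name)
{
    int cls = lock_class(name);
    bool circular = false;

    for (int i = 0; i < t->nheld; i++) {
        int held = t->held[i];
        bool visited[MAX_CLASSES] = { false };
        if (reachable(cls, held, visited)) {
            printf("possible circular locking dependency: holding %s, acquiring %s\n",
                   class_name[held], class_name[cls]);
            circular = true;
        }
        dep[held][cls] = true;
    }
    if (t->nheld < MAX_HELD) t->held[t->nheld++] = cls;
    return circular;
}

static void unlock_all(struct task *t) { t->nheld = 0; }

/* Replay the two chains from the report; returns how many acquisitions were flagged.
 * Expected: 1, the rtnl_lock() in chain #0. */
int replay_report(void)
{
    struct task t1 = { { 0 }, 0 }, t0 = { { 0 }, 0 };
    int flagged = 0;

    reset_graph();
    /* chain #1: rtnetlink_rcv_msg holds rtnl_mutex, xt_find_target takes &xt[i].mutex */
    flagged += lock_acquire(&t1, "rtnl_mutex");
    flagged += lock_acquire(&t1, "&xt[i].mutex");
    unlock_all(&t1);
    /* chain #0: __do_replace holds &xt[i].mutex, tee_tg_destroy -> rtnl_lock takes rtnl_mutex */
    flagged += lock_acquire(&t0, "&xt[i].mutex");
    flagged += lock_acquire(&t0, "rtnl_mutex");
    unlock_all(&t0);
    return flagged;
}

/* Control: the same two locks always taken in the same order produce no cycle. */
int replay_consistent_order(void)
{
    struct task t = { { 0 }, 0 };
    int flagged = 0;

    reset_graph();
    for (int round = 0; round < 2; round++) {
        flagged += lock_acquire(&t, "rtnl_mutex");
        flagged += lock_acquire(&t, "&xt[i].mutex");
        unlock_all(&t);
    }
    return flagged;
}

int main(void)
{
    printf("report replay: %d flagged\n", replay_report());
    printf("consistent order: %d flagged\n", replay_consistent_order());
    return 0;
}
```

Build with `cc -Wall -o lockorder lockorder.c`. The point worth keeping in mind when reading a report like this: lockdep flags the inversion the first time the reverse edge is recorded, not when a deadlock actually occurs, so the two chains need never have run concurrently on this machine for the warning to fire. The real deadlock needs the two syscalls to race, as the CPU0/CPU1 table in the report shows.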