Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.1.51' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 29.912309] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 29.923191] IPVS: ftp: loaded support on port[0] = 21 [ 29.952884] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. executing program [ 30.021404] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 30.031700] IPVS: ftp: loaded support on port[0] = 21 executing program [ 30.063525] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 30.080536] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 30.125893] [ 30.127521] ====================================================== [ 30.133809] WARNING: possible circular locking dependency detected [ 30.140100] 4.14.231-syzkaller #0 Not tainted [ 30.144606] ------------------------------------------------------ [ 30.150898] kworker/u4:1/22 is trying to acquire lock: [ 30.156144] (&table[i].mutex){+.+.}, at: [] nf_tables_netdev_event+0x10d/0x4d0 [ 30.165327] [ 30.165327] but task is already holding lock: [ 30.171270] (rtnl_mutex){+.+.}, at: [] ip6gre_exit_net+0x70/0x570 [ 30.179149] [ 30.179149] which lock already depends on the new lock. [ 30.179149] [ 30.187450] [ 30.187450] the existing dependency chain (in reverse order) is: [ 30.195043] [ 30.195043] -> #2 (rtnl_mutex){+.+.}: [ 30.200304] __mutex_lock+0xc4/0x1310 [ 30.204605] unregister_netdevice_notifier+0x5e/0x2b0 [ 30.210304] tee_tg_destroy+0x5c/0xb0 [ 30.214602] cleanup_entry+0x232/0x310 [ 30.218995] __do_replace+0x38d/0x580 [ 30.223294] do_ip6t_set_ctl+0x256/0x3b0 [ 30.227851] nf_setsockopt+0x5f/0xb0 [ 30.232073] ipv6_setsockopt+0xc0/0x120 [ 30.236546] tcp_setsockopt+0x7b/0xc0 [ 30.240856] SyS_setsockopt+0x110/0x1e0 [ 30.245327] do_syscall_64+0x1d5/0x640 [ 30.249709] entry_SYSCALL_64_after_hwframe+0x46/0xbb [ 30.255390] [ 30.255390] -> #1 (&xt[i].mutex){+.+.}: [ 30.260824] __mutex_lock+0xc4/0x1310 [ 30.265168] target_revfn+0x43/0x210 [ 30.269379] xt_find_revision+0x15e/0x1d0 [ 30.274025] nfnl_compat_get+0x1f7/0x870 [ 30.278600] nfnetlink_rcv_msg+0x9bb/0xc00 [ 30.283333] netlink_rcv_skb+0x125/0x390 [ 30.287900] nfnetlink_rcv+0x1ab/0x1da0 [ 30.292369] netlink_unicast+0x437/0x610 [ 30.296924] netlink_sendmsg+0x62e/0xb80 [ 30.301478] sock_sendmsg+0xb5/0x100 [ 30.305686] ___sys_sendmsg+0x6c8/0x800 [ 30.310158] __sys_sendmsg+0xa3/0x120 [ 30.314453] SyS_sendmsg+0x27/0x40 [ 30.318490] do_syscall_64+0x1d5/0x640 [ 30.322888] entry_SYSCALL_64_after_hwframe+0x46/0xbb [ 30.328568] [ 30.328568] -> #0 (&table[i].mutex){+.+.}: [ 30.334275] lock_acquire+0x170/0x3f0 [ 30.338583] __mutex_lock+0xc4/0x1310 [ 30.342883] nf_tables_netdev_event+0x10d/0x4d0 [ 30.348048] notifier_call_chain+0x108/0x1a0 [ 30.352954] rollback_registered_many+0x765/0xba0 [ 30.358312] unregister_netdevice_many.part.0+0x18/0x2e0 [ 30.364269] unregister_netdevice_many+0x36/0x50 [ 30.369524] ip6gre_exit_net+0x41e/0x570 [ 30.374080] ops_exit_list+0xa5/0x150 [ 30.378376] cleanup_net+0x3b3/0x840 [ 30.382598] process_one_work+0x793/0x14a0 [ 30.387326] worker_thread+0x5cc/0xff0 [ 30.391707] kthread+0x30d/0x420 [ 30.395570] ret_from_fork+0x24/0x30 [ 30.399788] [ 30.399788] other info that might help us debug this: [ 30.399788] [ 30.407916] Chain exists of: [ 30.407916] &table[i].mutex --> &xt[i].mutex --> rtnl_mutex [ 30.407916] [ 30.418120] Possible unsafe locking scenario: [ 30.418120] [ 30.424151] CPU0 CPU1 [ 30.428797] ---- ---- [ 30.433447] lock(rtnl_mutex); [ 30.436701] lock(&xt[i].mutex); [ 30.442644] lock(rtnl_mutex); [ 30.448413] lock(&table[i].mutex); [ 30.452112] [ 30.452112] *** DEADLOCK *** [ 30.452112] [ 30.458147] 4 locks held by kworker/u4:1/22: [ 30.462526] #0: ("%s""netns"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 [ 30.471185] #1: (net_cleanup_work){+.+.}, at: [] process_one_work+0x6e6/0x14a0 [ 30.480266] #2: (net_mutex){+.+.}, at: [] cleanup_net+0x110/0x840 [ 30.488217] #3: (rtnl_mutex){+.+.}, at: [] ip6gre_exit_net+0x70/0x570 [ 30.496534] [ 30.496534] stack backtrace: [ 30.501007] CPU: 1 PID: 22 Comm: kworker/u4:1 Not tainted 4.14.231-syzkaller #0 [ 30.508434] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.517774] Workqueue: netns cleanup_net [ 30.521808] Call Trace: [ 30.524375] dump_stack+0x1b2/0x281 [ 30.528010] print_circular_bug.constprop.0.cold+0x2d7/0x41e [ 30.533793] __lock_acquire+0x2e0e/0x3f20 [ 30.537924] ? unwind_next_frame+0x404/0x17d0 [ 30.542391] ? trace_hardirqs_on+0x10/0x10 [ 30.546600] ? check_usage_forwards+0x2d0/0x2d0 [ 30.551244] ? ret_from_fork+0x24/0x30 [ 30.555108] lock_acquire+0x170/0x3f0 [ 30.558902] ? nf_tables_netdev_event+0x10d/0x4d0 [ 30.563722] ? nf_tables_netdev_event+0x10d/0x4d0 [ 30.568550] __mutex_lock+0xc4/0x1310 [ 30.572330] ? nf_tables_netdev_event+0x10d/0x4d0 [ 30.577149] ? nf_tables_netdev_event+0x10d/0x4d0 [ 30.581965] ? __ww_mutex_wakeup_for_backoff+0x210/0x210 [ 30.587403] ? trace_hardirqs_on+0x10/0x10 [ 30.591613] ? trace_hardirqs_on_caller+0x3a8/0x580 [ 30.596619] ? lock_downgrade+0x740/0x740 [ 30.600741] nf_tables_netdev_event+0x10d/0x4d0 [ 30.605384] ? mirred_device_event+0x12f/0x170 [ 30.609964] ? nf_tables_netdev_init_net+0x140/0x140 [ 30.615040] ? mirred_device_event+0x12f/0x170 [ 30.619598] ? __local_bh_enable_ip+0xc1/0x170 [ 30.624170] notifier_call_chain+0x108/0x1a0 [ 30.628554] rollback_registered_many+0x765/0xba0 [ 30.633381] ? __ww_mutex_wakeup_for_backoff+0x210/0x210 [ 30.638853] ? netdev_state_change+0xf0/0xf0 [ 30.643248] ? lock_acquire+0x170/0x3f0 [ 30.647206] unregister_netdevice_many.part.0+0x18/0x2e0 [ 30.652632] unregister_netdevice_many+0x36/0x50 [ 30.657368] ip6gre_exit_net+0x41e/0x570 [ 30.661406] ? lock_downgrade+0x740/0x740 [ 30.665574] ? ip6gre_dellink+0x260/0x260 [ 30.669711] ? ip6gre_dellink+0x260/0x260 [ 30.673837] ops_exit_list+0xa5/0x150 [ 30.677615] cleanup_net+0x3b3/0x840 [ 30.681320] ? net_drop_ns+0x70/0x70 [ 30.685009] ? lock_acquire+0x170/0x3f0 [ 30.688957] ? rcu_lockdep_current_cpu_online+0xed/0x140 [ 30.694429] process_one_work+0x793/0x14a0 [ 30.698654] ? work_busy+0x320/0x320 [ 30.702344] ? worker_thread+0x158/0xff0 [ 30.706383] ? _raw_spin_unlock_irq+0x24/0x80 [ 30.710851] worker_thread+0x5cc/0xff0 [ 30.714727] ? rescuer_thread+0xc80/0xc80 [ 30.718853] kthread+0x30d/0x420 [ 30.722193] ? kthread_create_on_node+0xd0/0xd0 [ 30.726837] ret_from_fork+0x24/0x30 [ 31.292159] IPVS: ftp: loaded support on port[0] = 21 executing program [ 31.317657] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 31.331658] ip6_tables: ip6tables: counters copy to user failed while replacing table executing program [ 31.952432] IPVS: ftp: loaded support on port[0] = 21 [ 31.978740] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 31.992013] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 32.641466] IPVS: ftp: loaded support on port[0] = 21 executing program [ 32.668799] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 32.684947] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 33.278978] IPVS: ftp: loaded support on port[0] = 21 executing program [ 33.304458] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 33.330922] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 34.009808] IPVS: ftp: loaded support on port[0] = 21 executing program [ 34.035399] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 34.049091] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 34.059456] IPVS: ftp: loaded support on port[0] = 21 executing program [ 34.086683] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 34.105956] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 34.778843] IPVS: ftp: loaded support on port[0] = 21 executing program [ 34.805490] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 34.818683] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 35.934726] IPVS: ftp: loaded support on port[0] = 21 executing program [ 35.961560] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 35.984298] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 36.647729] IPVS: ftp: loaded support on port[0] = 21 executing program [ 36.673439] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 36.686629] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 36.696894] IPVS: ftp: loaded support on port[0] = 21 executing program [ 36.724846] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 36.740309] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 37.366691] IPVS: ftp: loaded support on port[0] = 21 executing program [ 37.394671] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 37.410206] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 38.493311] IPVS: ftp: loaded support on port[0] = 21 executing program [ 38.519359] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 38.544177] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 39.158031] IPVS: ftp: loaded support on port[0] = 21 executing program [ 39.183767] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 39.197699] ip6_tables: ip6tables: counters copy to user failed while replacing table executing program [ 39.827606] IPVS: ftp: loaded support on port[0] = 21 [ 39.853658] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 39.868201] ip6_tables: ip6tables: counters copy to user failed while replacing table [ 39.878424] IPVS: ftp: loaded support on port[0] = 21 executing program [ 39.906308] netlink: 32 bytes leftover after parsing attributes in process `syz-executor396'. [ 39.923260] ip6_tables: ip6tables: counters copy to user failed while replacing table