G[ ok [39;[ 31.787983] audit: type=1800 audit(1579456254.660:34): pid=7099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0 49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 36.548148] random: sshd: uninitialized urandom read (32 bytes read) [ 36.813785] audit: type=1400 audit(1579456259.720:35): avc: denied { map } for pid=7272 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 36.864784] random: sshd: uninitialized urandom read (32 bytes read) [ 37.587195] random: sshd: uninitialized urandom read (32 bytes read) [ 37.769721] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.201' (ECDSA) to the list of known hosts. [ 43.323683] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 43.443237] audit: type=1400 audit(1579456266.350:36): avc: denied { map } for pid=7284 comm="syz-executor265" path="/root/syz-executor265439234" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 43.470680] ip_tables: iptables: counters copy to user failed while replacing table [ 43.486272] audit: type=1400 audit(1579456266.390:37): avc: denied { create } for pid=7285 comm="syz-executor265" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 43.511707] audit: type=1400 audit(1579456266.390:38): avc: denied { write } for pid=7285 comm="syz-executor265" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 43.542972] ip_tables: iptables: counters copy to user failed while replacing table [ 43.557124] [ 43.558782] ====================================================== [ 43.565114] WARNING: possible circular locking dependency detected [ 43.571528] 4.14.166-syzkaller #0 Not tainted [ 43.576023] ------------------------------------------------------ [ 43.582359] syz-executor265/7292 is trying to acquire lock: [ 43.588063] (&table[i].mutex){+.+.}, at: [] nfnl_lock+0x24/0x30 [ 43.595793] [ 43.595793] but task is already holding lock: [ 43.601763] (rtnl_mutex){+.+.}, at: [] rtnl_lock+0x17/0x20 [ 43.609046] [ 43.609046] which lock already depends on the new lock. [ 43.609046] [ 43.617359] [ 43.617359] the existing dependency chain (in reverse order) is: [ 43.624975] [ 43.624975] -> #2 (rtnl_mutex){+.+.}: [ 43.630256] lock_acquire+0x16f/0x430 [ 43.634611] __mutex_lock+0xe8/0x1470 [ 43.638955] mutex_lock_nested+0x16/0x20 [ 43.643623] rtnl_lock+0x17/0x20 [ 43.647503] unregister_netdevice_notifier+0x5f/0x2c0 [ 43.653199] tee_tg_destroy+0x61/0xc0 [ 43.657552] cleanup_entry+0x17d/0x230 [ 43.661941] __do_replace+0x3c5/0x5b0 [ 43.666255] do_ipt_set_ctl+0x296/0x3ee [ 43.670733] nf_setsockopt+0x67/0xc0 [ 43.674958] ip_setsockopt+0x9b/0xb0 [ 43.679189] udp_setsockopt+0x4e/0x90 [ 43.683618] sock_common_setsockopt+0x94/0xd0 [ 43.688623] SyS_setsockopt+0x13c/0x210 [ 43.693209] do_syscall_64+0x1e8/0x640 [ 43.697599] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 43.703345] [ 43.703345] -> #1 (&xt[i].mutex){+.+.}: [ 43.708796] lock_acquire+0x16f/0x430 [ 43.713110] __mutex_lock+0xe8/0x1470 [ 43.717412] mutex_lock_nested+0x16/0x20 [ 43.722024] xt_find_revision+0x82/0x200 [ 43.726599] nfnl_compat_get+0x229/0x950 [ 43.732091] nfnetlink_rcv_msg+0xa08/0xc00 [ 43.736845] netlink_rcv_skb+0x14f/0x3c0 [ 43.741420] nfnetlink_rcv+0x1ab/0x1650 [ 43.745911] netlink_unicast+0x44d/0x650 [ 43.750482] netlink_sendmsg+0x7c4/0xc60 [ 43.755052] sock_sendmsg+0xce/0x110 [ 43.759394] ___sys_sendmsg+0x70a/0x840 [ 43.763878] __sys_sendmsg+0xb9/0x140 [ 43.768189] SyS_sendmsg+0x2d/0x50 [ 43.772248] do_syscall_64+0x1e8/0x640 [ 43.776660] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 43.782352] [ 43.782352] -> #0 (&table[i].mutex){+.+.}: [ 43.788070] __lock_acquire+0x2cb3/0x4620 [ 43.792839] lock_acquire+0x16f/0x430 [ 43.797153] __mutex_lock+0xe8/0x1470 [ 43.801469] mutex_lock_nested+0x16/0x20 [ 43.806039] nfnl_lock+0x24/0x30 [ 43.809914] nf_tables_netdev_event+0x13f/0x580 [ 43.815095] notifier_call_chain+0x111/0x1b0 [ 43.820005] raw_notifier_call_chain+0x2e/0x40 [ 43.825174] call_netdevice_notifiers_info+0x56/0x70 [ 43.830832] rollback_registered_many+0x70d/0xb60 [ 43.836188] rollback_registered+0xdd/0x180 [ 43.841041] unregister_netdevice_queue+0x1ae/0x230 [ 43.846648] br_dev_delete+0x13a/0x190 [ 43.851045] br_del_bridge+0xb4/0xf0 [ 43.855270] br_ioctl_deviceless_stub+0x23b/0x6a0 [ 43.860741] sock_ioctl+0x26a/0x470 [ 43.864875] do_vfs_ioctl+0x7ae/0x1060 [ 43.869274] SyS_ioctl+0x8f/0xc0 [ 43.873187] do_syscall_64+0x1e8/0x640 [ 43.879437] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 43.885224] [ 43.885224] other info that might help us debug this: [ 43.885224] [ 43.893469] Chain exists of: [ 43.893469] &table[i].mutex --> &xt[i].mutex --> rtnl_mutex [ 43.893469] [ 43.903728] Possible unsafe locking scenario: [ 43.903728] [ 43.910492] CPU0 CPU1 [ 43.915597] ---- ---- [ 43.920246] lock(rtnl_mutex); [ 43.923520] lock(&xt[i].mutex); [ 43.929484] lock(rtnl_mutex); [ 43.935281] lock(&table[i].mutex); [ 43.939025] [ 43.939025] *** DEADLOCK *** [ 43.939025] [ 43.945082] 2 locks held by syz-executor265/7292: [ 43.949904] #0: (br_ioctl_mutex){+.+.}, at: [] sock_ioctl+0x24e/0x470 [ 43.958221] #1: (rtnl_mutex){+.+.}, at: [] rtnl_lock+0x17/0x20 [ 43.965986] [ 43.965986] stack backtrace: [ 43.970506] CPU: 1 PID: 7292 Comm: syz-executor265 Not tainted 4.14.166-syzkaller #0 [ 43.978369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.987758] Call Trace: [ 43.990385] dump_stack+0x142/0x197 [ 43.994004] print_circular_bug.isra.0.cold+0x1cc/0x28f [ 43.999365] __lock_acquire+0x2cb3/0x4620 [ 44.003651] ? trace_hardirqs_on+0x10/0x10 [ 44.007878] ? is_bpf_text_address+0xa6/0x120 [ 44.012507] lock_acquire+0x16f/0x430 [ 44.016289] ? nfnl_lock+0x24/0x30 [ 44.019917] ? nfnl_lock+0x24/0x30 [ 44.023441] __mutex_lock+0xe8/0x1470 [ 44.027226] ? nfnl_lock+0x24/0x30 [ 44.030759] ? __lock_acquire+0x2298/0x4620 [ 44.035072] ? debug_object_active_state+0x23c/0x370 [ 44.040207] ? nfnl_lock+0x24/0x30 [ 44.043740] ? mutex_trylock+0x1c0/0x1c0 [ 44.047792] ? trace_hardirqs_on+0x10/0x10 [ 44.052007] ? find_held_lock+0x35/0x130 [ 44.056076] ? dropmon_net_event+0x210/0x440 [ 44.060481] ? save_trace+0x290/0x290 [ 44.064450] mutex_lock_nested+0x16/0x20 [ 44.068517] ? mutex_lock_nested+0x16/0x20 [ 44.072787] nfnl_lock+0x24/0x30 [ 44.076148] nf_tables_netdev_event+0x13f/0x580 [ 44.080807] ? mark_held_locks+0xb1/0x100 [ 44.084940] ? __local_bh_enable_ip+0x99/0x1a0 [ 44.089559] ? nf_tables_netdev_init_net+0x220/0x220 [ 44.094650] ? mirred_device_event+0x152/0x190 [ 44.099309] ? _raw_spin_unlock_bh+0x31/0x40 [ 44.103705] ? mirred_device_event+0x57/0x190 [ 44.108187] ? nfqnl_rcv_dev_event+0x23/0x440 [ 44.112672] notifier_call_chain+0x111/0x1b0 [ 44.117058] raw_notifier_call_chain+0x2e/0x40 [ 44.121629] call_netdevice_notifiers_info+0x56/0x70 [ 44.126723] rollback_registered_many+0x70d/0xb60 [ 44.131614] ? netdev_info+0xf0/0xf0 [ 44.135325] ? rcu_lockdep_current_cpu_online+0xf2/0x140 [ 44.140790] ? kernfs_put+0x30b/0x490 [ 44.144567] ? kmem_cache_free+0x244/0x2b0 [ 44.148795] rollback_registered+0xdd/0x180 [ 44.153106] ? rollback_registered_many+0xb60/0xb60 [ 44.158099] unregister_netdevice_queue+0x1ae/0x230 [ 44.163098] br_dev_delete+0x13a/0x190 [ 44.167030] br_del_bridge+0xb4/0xf0 [ 44.170733] br_ioctl_deviceless_stub+0x23b/0x6a0 [ 44.175690] ? old_dev_ioctl.isra.0+0x1460/0x1460 [ 44.180523] ? old_dev_ioctl.isra.0+0x1460/0x1460 [ 44.185355] sock_ioctl+0x26a/0x470 [ 44.188969] ? dlci_ioctl_set+0x40/0x40 [ 44.192931] do_vfs_ioctl+0x7ae/0x1060 [ 44.196809] ? selinux_file_mprotect+0x5d0/0x5d0 [ 44.201554] ? ioctl_preallocate+0x1c0/0x1c0 [ 44.205951] ? fd_install+0x4d/0x60 [ 44.209573] ? security_file_ioctl+0x7d/0xb0 [ 44.213982] ? security_file_ioctl+0x89/0xb0 [ 44.218398] SyS_ioctl+0x8f/0xc0 [ 44.221761] ? do_vfs_ioctl+0x1060/0x1060 [ 44.226032] do_syscall_64+0x1e8/0x640 [ 44.229954] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 44.234785] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 44.239960] RIP: 0033:0x441599 [ 44.243135] RSP: 002b:00007ffdb381b0d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 44.250886] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441599 [ 44.258194] RDX: 00000000200000c0 RSI: 00000000000089a1 RDI: 0000000000000004 [ 44.265932] RBP: 000000000000a9b5 R08: 00000000004002c8 R09: 00000000004002c8 [ 44.273451] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004023c0 [ 44.280706] R13: 0000000000402450 R14: 0000000000000000 R15: 0000000000000000 [ 44.368579] ip_tables: iptables: counters copy to user failed while replacing table [ 44.499964] ip_tables: iptables: counters copy to user failed while replacing table [ 44.626164] ip_tables: iptables: counters copy to user failed while replacing table [ 44.731892] ip_tables: iptables: counters copy to user failed while replacing table [ 44.860157] ip_tables: iptables: counters copy to user failed while replacing table [ 44.978321] ip_tables: iptables: counters copy to user failed while replacing table [ 45.068330] ip_tables: iptables: counters copy to user failed while replacing table [ 45.181393] ip_tables: iptables: counters copy to user failed while replacing table [ 48.516787] net_ratelimit: 32 callbacks suppressed [ 48.516791] ip_tables: iptables: counters copy to user failed while replacing table [ 48.640757] ip_tables: iptables: counters copy to user failed while replacing table [ 48.738681] ip_tables: iptables: counters copy to user failed while replacing table [ 48.821473] ip_tables: iptables: counters copy to user failed while replacing table [ 48.951261] ip_tables: iptables: counters copy to user failed while replacing table [ 49.059932] ip_tables: iptables: counters copy to user failed while replacing table [ 49.171844] ip_tables: iptables: counters copy to user failed while replacing table [ 49.291544] ip_tables: iptables: counters copy to user failed while replacing table [ 49.393235] ip_tables: iptables: counters copy to user failed while replacing table [ 49.511923] ip_tables: iptables: counters copy to user failed while replacing table