[....] Starting enhanced syslogd: rsyslogd[ 19.125906] audit: type=1400 audit(1536263848.505:4): avc: denied { syslog } for pid=2153 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.15' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 35.483508] [ 35.485300] ====================================================== [ 35.491590] [ INFO: possible circular locking dependency detected ] [ 35.497967] 4.4.154+ #97 Not tainted [ 35.501653] ------------------------------------------------------- [ 35.508567] syz-executor169/2306 is trying to acquire lock: [ 35.514263] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x31b/0x40c0 [ 35.523258] [ 35.523258] but task is already holding lock: [ 35.529314] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 35.538121] [ 35.538121] which lock already depends on the new lock. [ 35.538121] [ 35.546584] [ 35.546584] the existing dependency chain (in reverse order) is: [ 35.554187] -> #1 (_xmit_NETROM){+.-...}: [ 35.559081] [] lock_acquire+0x15e/0x450 [ 35.565347] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 35.572384] [] depot_save_stack+0x20b/0x5eb [ 35.578986] [] kasan_kmalloc.part.1+0xc9/0xf0 [ 35.586153] [] kasan_kmalloc+0xaf/0xc0 [ 35.592377] [] kasan_slab_alloc+0x12/0x20 [ 35.598802] [] kmem_cache_alloc+0xdc/0x2c0 [ 35.605310] [] inet_getpeer+0x159d/0x1d70 [ 35.611736] [] icmp6_send+0x17b7/0x1b70 [ 35.617994] [] icmpv6_param_prob+0x29/0x40 [ 35.624497] [] ipv6_frag_rcv+0x3de6/0x4f80 [ 35.631028] [] ip6_input_finish+0x57d/0x1510 [ 35.637707] [] ip6_input+0xf6/0x200 [ 35.643613] [] ip6_rcv_finish+0x14e/0x670 [ 35.650045] [] ipv6_rcv+0x10b2/0x1d10 [ 35.656123] [] __netif_receive_skb_core+0x12c8/0x2820 [ 35.663768] [] __netif_receive_skb+0x5b/0x1c0 [ 35.670545] [] process_backlog+0x20a/0x670 [ 35.677051] [] net_rx_action+0x2ec/0xc50 [ 35.683383] [] __do_softirq+0x22c/0xa1a [ 35.689730] [] do_softirq_own_stack+0x1c/0x30 [ 35.696596] [] do_softirq.part.2+0x54/0x60 [ 35.703233] [] do_softirq+0x19/0x20 [ 35.709130] [] netif_rx_ni+0xec/0x3a0 [ 35.715201] [] tun_get_user+0xf3a/0x2690 [ 35.721534] [] tun_chr_write_iter+0xd5/0x190 [ 35.728314] [] do_iter_readv_writev+0x133/0x1d0 [ 35.735413] [] do_readv_writev+0x335/0x6f0 [ 35.742040] [] vfs_writev+0x7b/0xb0 [ 35.747935] [] SyS_writev+0xd9/0x250 [ 35.753936] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 35.761217] -> #0 (&(&q->lock)->rlock){+.-...}: [ 35.766515] [] __lock_acquire+0x3b6e/0x5ba0 [ 35.773109] [] lock_acquire+0x15e/0x450 [ 35.779354] [] _raw_spin_lock+0x36/0x50 [ 35.785811] [] ip_defrag+0x31b/0x40c0 [ 35.791999] [] ip_check_defrag+0x3a7/0x710 [ 35.798506] [] packet_rcv_fanout+0x52a/0x5e0 [ 35.805199] [] dev_hard_start_xmit+0x650/0x11c0 [ 35.812246] [] sch_direct_xmit+0x2b8/0x6c0 [ 35.818759] [] __dev_queue_xmit+0xf95/0x1c30 [ 35.825556] [] dev_queue_xmit+0x17/0x20 [ 35.831902] [] neigh_resolve_output+0x600/0x780 [ 35.838848] [] ip_finish_output2+0x8f0/0x1100 [ 35.845618] [] ip_do_fragment+0x1870/0x1f60 [ 35.852205] [] ip_fragment.constprop.5+0x145/0x200 [ 35.859404] [] ip_finish_output+0x396/0xc00 [ 35.866020] [] ip_mc_output+0x237/0x980 [ 35.872268] [] ip_local_out+0x9b/0x180 [ 35.878489] [] ip_send_skb+0x3c/0xc0 [ 35.884493] [] udp_send_skb+0x503/0xc70 [ 35.890738] [] udp_sendmsg+0x16c9/0x1c70 [ 35.897075] [] inet_sendmsg+0x203/0x4d0 [ 35.903676] [] sock_sendmsg+0xbb/0x110 [ 35.909840] [] SyS_sendto+0x220/0x370 [ 35.915929] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 35.923130] [ 35.923130] other info that might help us debug this: [ 35.923130] [ 35.931338] Possible unsafe locking scenario: [ 35.931338] [ 35.937378] CPU0 CPU1 [ 35.942084] ---- ---- [ 35.946729] lock(_xmit_NETROM); [ 35.950503] lock(&(&q->lock)->rlock); [ 35.957300] lock(_xmit_NETROM); [ 35.963680] lock(&(&q->lock)->rlock); [ 35.967865] [ 35.967865] *** DEADLOCK *** [ 35.967865] [ 35.973903] 4 locks held by syz-executor169/2306: [ 35.978718] #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1100 [ 35.988660] #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30 [ 35.998565] #2: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 36.007955] #3: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xa8/0x11c0 [ 36.017794] [ 36.017794] stack backtrace: [ 36.022278] CPU: 0 PID: 2306 Comm: syz-executor169 Not tainted 4.4.154+ #97 [ 36.029643] 0000000000000000 6d79b3c881ee8dac ffff8801c783ed88 ffffffff81a54fed [ 36.037726] ffffffff83aca400 ffffffff83acaac0 ffffffff83aca400 ffff8800ace938b8 [ 36.045713] ffff8800ace92f80 ffff8801c783edd0 ffffffff81391d2f 0000000000000003 [ 36.053710] Call Trace: [ 36.056281] [] dump_stack+0xc1/0x124 [ 36.061631] [] print_circular_bug.cold.34+0x2f7/0x432 [ 36.068571] [] __lock_acquire+0x3b6e/0x5ba0 [ 36.074533] [] ? trace_hardirqs_on+0x10/0x10 [ 36.080570] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 36.087487] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 36.094316] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.101051] [] ? mod_timer+0x433/0x8f0 [ 36.106577] [] lock_acquire+0x15e/0x450 [ 36.112189] [] ? ip_defrag+0x31b/0x40c0 [ 36.117796] [] ? inet_frag_find+0x27a/0x9a0 [ 36.123751] [] _raw_spin_lock+0x36/0x50 [ 36.129357] [] ? ip_defrag+0x31b/0x40c0 [ 36.134966] [] ip_defrag+0x31b/0x40c0 [ 36.140399] [] ? trace_hardirqs_on+0x10/0x10 [ 36.146519] [] ? ipv4_frags_init_net+0x3a0/0x3a0 [ 36.152920] [] ip_check_defrag+0x3a7/0x710 [ 36.158787] [] ? ip_defrag+0x40c0/0x40c0 [ 36.164491] [] packet_rcv_fanout+0x52a/0x5e0 [ 36.170623] [] ? fanout_demux_rollover+0x4e0/0x4e0 [ 36.177206] [] dev_hard_start_xmit+0x650/0x11c0 [ 36.183599] [] ? dev_hard_start_xmit+0xa8/0x11c0 [ 36.190002] [] sch_direct_xmit+0x2b8/0x6c0 [ 36.195885] [] ? dev_deactivate_queue.constprop.6+0x160/0x160 [ 36.203412] [] __dev_queue_xmit+0xf95/0x1c30 [ 36.209459] [] ? __dev_queue_xmit+0x1d7/0x1c30 [ 36.215687] [] ? trace_hardirqs_on+0x10/0x10 [ 36.221740] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 36.227705] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.234590] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.241506] [] ? memcpy+0x45/0x50 [ 36.246586] [] dev_queue_xmit+0x17/0x20 [ 36.252187] [] neigh_resolve_output+0x600/0x780 [ 36.258490] [] ? ip_finish_output2+0x8f0/0x1100 [ 36.264786] [] ip_finish_output2+0x8f0/0x1100 [ 36.270923] [] ? ip_finish_output2+0x20b/0x1100 [ 36.277225] [] ? nf_ct_deliver_cached_events+0x335/0x560 [ 36.284497] [] ? nf_ct_deliver_cached_events+0x83/0x560 [ 36.291511] [] ? nf_conntrack_seqadj_fini+0x20/0x20 [ 36.298248] [] ? ip_send_check+0xb0/0xb0 [ 36.303962] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.310711] [] ip_do_fragment+0x1870/0x1f60 [ 36.316673] [] ? ip_send_check+0xb0/0xb0 [ 36.322483] [] ip_fragment.constprop.5+0x145/0x200 [ 36.329062] [] ip_finish_output+0x396/0xc00 [ 36.335138] [] ip_mc_output+0x237/0x980 [ 36.340754] [] ? ip_queue_xmit+0x1a80/0x1a80 [ 36.346801] [] ? ip_make_skb+0x116/0x210 [ 36.352616] [] ? ip_fragment.constprop.5+0x200/0x200 [ 36.359373] [] ? ip_flush_pending_frames+0x30/0x30 [ 36.366064] [] ip_local_out+0x9b/0x180 [ 36.371594] [] ip_send_skb+0x3c/0xc0 [ 36.376952] [] udp_send_skb+0x503/0xc70 [ 36.382568] [] udp_sendmsg+0x16c9/0x1c70 [ 36.388267] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 36.394397] [] ? udp_lib_unhash+0x630/0x630 [ 36.400466] [] ? trace_hardirqs_on+0x10/0x10 [ 36.406604] [] ? sock_has_perm+0x1c1/0x3f0 [ 36.412488] [] ? sock_has_perm+0x2a1/0x3f0 [ 36.418619] [] ? sock_has_perm+0x9f/0x3f0 [ 36.424514] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.431335] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 36.438195] [] ? check_preemption_disabled+0x3b/0x170 [ 36.445282] [] ? inet_sendmsg+0x143/0x4d0 [ 36.451427] [] inet_sendmsg+0x203/0x4d0 [ 36.457038] [] ? inet_sendmsg+0x73/0x4d0 [ 36.462796] [] ? inet_recvmsg+0x4c0/0x4c0 [ 36.468576] [] sock_sendmsg+0xbb/0x110 [ 36.474097] [] SyS_sendto+0x220/0x370 [ 36.479529] [] ? SyS_getpeername+0x2d0/0x2d0 [ 36.485571] [] ? _raw_spin_unlock+0x2c/0x50 [ 36.491710] [] ? handle_mm_fault+0x49a/0x2f30 [ 36.498038] [] ? inet_dgram_connect+0x11e/0x200 [ 36.504341] [] ? retint_user+0x18/0x3c [ 36.509861] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 36.517017] [] ? trace_hardirqs_on_thunk+0x17/0x19 [ 36.523738] [] entry_SYSCALL_64_fastpath+0x1e/0x9a