[....] Starting enhanced syslogd: rsyslogd[ 13.457083] audit: type=1400 audit(1541463555.684:4): avc: denied { syslog } for pid=1920 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 47.840575] [ 47.842344] ====================================================== [ 47.848632] [ INFO: possible circular locking dependency detected ] [ 47.855010] 4.4.162+ #8 Not tainted [ 47.858604] ------------------------------------------------------- [ 47.865025] syz-executor768/2085 is trying to acquire lock: [ 47.870712] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 47.879479] [ 47.879479] but task is already holding lock: [ 47.885418] (&(&q->lock)->rlock){+.-...}, at: [] ipv6_frag_rcv+0x5eb/0x4f80 [ 47.894615] [ 47.894615] which lock already depends on the new lock. [ 47.894615] [ 47.902900] [ 47.902900] the existing dependency chain (in reverse order) is: [ 47.910488] -> #1 (&(&q->lock)->rlock){+.-...}: [ 47.915787] [] lock_acquire+0x15e/0x450 [ 47.922027] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 47.928960] [] lock_timer_base+0xd5/0x170 [ 47.935456] [] mod_timer+0x1af/0x8f0 [ 47.941434] [] inet_frag_find+0x73e/0x9a0 [ 47.947847] [] ip_defrag+0x2f0/0x40c0 [ 47.954023] [] ip_check_defrag+0x3a7/0x710 [ 47.960531] [] packet_rcv_fanout+0x52a/0x5e0 [ 47.967205] [] dev_hard_start_xmit+0x650/0x11c0 [ 47.974137] [] sch_direct_xmit+0x2b8/0x6c0 [ 47.980672] [] __dev_queue_xmit+0xf95/0x1c30 [ 47.987471] [] dev_queue_xmit+0x17/0x20 [ 47.993722] [] neigh_resolve_output+0x600/0x780 [ 48.000658] [] ip_finish_output2+0x8f0/0x1100 [ 48.007533] [] ip_do_fragment+0x1870/0x1f60 [ 48.014122] [] ip_fragment.constprop.5+0x145/0x200 [ 48.021325] [] ip_finish_output+0x396/0xc00 [ 48.027907] [] ip_mc_output+0x237/0x980 [ 48.034142] [] ip_local_out+0x9b/0x180 [ 48.040291] [] ip_send_skb+0x3c/0xc0 [ 48.046270] [] udp_send_skb+0x503/0xc70 [ 48.052513] [] udp_sendmsg+0x16c9/0x1c70 [ 48.058834] [] inet_sendmsg+0x203/0x4d0 [ 48.065079] [] sock_sendmsg+0xbb/0x110 [ 48.071365] [] SyS_sendto+0x220/0x370 [ 48.077433] [] do_fast_syscall_32+0x31e/0xa80 [ 48.084194] [] sysenter_flags_fixed+0xd/0x1a [ 48.090867] -> #0 (_xmit_NETROM){+.-...}: [ 48.095642] [] __lock_acquire+0x3e6c/0x5f10 [ 48.102227] [] lock_acquire+0x15e/0x450 [ 48.108464] [] _raw_spin_lock+0x36/0x50 [ 48.114704] [] sch_direct_xmit+0x233/0x6c0 [ 48.121297] [] __dev_queue_xmit+0xf95/0x1c30 [ 48.128040] [] dev_queue_xmit+0x17/0x20 [ 48.134286] [] neigh_resolve_output+0x600/0x780 [ 48.141215] [] ip6_finish_output2+0xb94/0x1ca0 [ 48.148063] [] ip6_finish_output+0x2ee/0x750 [ 48.154739] [] ip6_output+0x1af/0x520 [ 48.160810] [] ndisc_send_skb+0x972/0x10e0 [ 48.167308] [] ndisc_send_ns+0x4fb/0x6f0 [ 48.173641] [] ndisc_solicit+0x2a0/0x420 [ 48.179963] [] neigh_probe+0xca/0x100 [ 48.186035] [] __neigh_event_send+0x2a0/0xc30 [ 48.192798] [] neigh_resolve_output+0x629/0x780 [ 48.199737] [] ip6_finish_output2+0xb94/0x1ca0 [ 48.206586] [] ip6_finish_output+0x2ee/0x750 [ 48.213263] [] ip6_output+0x1af/0x520 [ 48.219324] [] ip6_local_out+0x9b/0x180 [ 48.225575] [] ip6_send_skb+0xa1/0x340 [ 48.231727] [] ip6_push_pending_frames+0xb3/0xe0 [ 48.238743] [] icmpv6_push_pending_frames+0x335/0x530 [ 48.246194] [] icmp6_send+0x15f3/0x1b70 [ 48.252429] [] icmpv6_param_prob+0x29/0x40 [ 48.258929] [] ipv6_frag_rcv+0x3ba5/0x4f80 [ 48.265426] [] ip6_input_finish+0x57d/0x1510 [ 48.272097] [] ip6_input+0xf6/0x200 [ 48.277985] [] ip6_rcv_finish+0x14e/0x670 [ 48.284449] [] ipv6_defrag+0x33b/0x5c0 [ 48.290610] [] nf_iterate+0x182/0x210 [ 48.296680] [] nf_hook_slow+0x1b6/0x340 [ 48.302925] [] ipv6_rcv+0x1455/0x1d10 [ 48.308991] [] __netif_receive_skb_core+0x12c8/0x2820 [ 48.316445] [] __netif_receive_skb+0x5b/0x1c0 [ 48.323205] [] process_backlog+0x20a/0x670 [ 48.329705] [] net_rx_action+0x367/0xd50 [ 48.336028] [] __do_softirq+0x22c/0xa1a [ 48.342351] [] do_softirq_own_stack+0x1c/0x30 [ 48.349111] [] do_softirq.part.2+0x54/0x60 [ 48.355608] [] do_softirq+0x19/0x20 [ 48.361499] [] netif_rx_ni+0xec/0x3a0 [ 48.367569] [] tun_get_user+0xf3a/0x2690 [ 48.373940] [] tun_chr_write_iter+0xd5/0x190 [ 48.380618] [] do_iter_readv_writev+0x133/0x1d0 [ 48.387549] [] compat_do_readv_writev+0x337/0x6f0 [ 48.394864] [] compat_writev+0xe1/0x150 [ 48.401111] [] compat_SyS_writev+0xd8/0x1c0 [ 48.407694] [] do_fast_syscall_32+0x31e/0xa80 [ 48.414506] [] sysenter_flags_fixed+0xd/0x1a [ 48.421178] [ 48.421178] other info that might help us debug this: [ 48.421178] [ 48.429348] Possible unsafe locking scenario: [ 48.429348] [ 48.435383] CPU0 CPU1 [ 48.440019] ---- ---- [ 48.444728] lock(&(&q->lock)->rlock); [ 48.448917] lock(_xmit_NETROM); [ 48.455091] lock(&(&q->lock)->rlock); [ 48.461793] lock(_xmit_NETROM); [ 48.465455] [ 48.465455] *** DEADLOCK *** [ 48.465455] [ 48.471485] 10 locks held by syz-executor768/2085: [ 48.476380] #0: (rcu_read_lock){......}, at: [] process_backlog+0x1a6/0x670 [ 48.485802] #1: (rcu_read_lock){......}, at: [] nf_hook_slow+0x0/0x340 [ 48.494778] #2: (rcu_read_lock){......}, at: [] ip6_input_finish+0x0/0x1510 [ 48.504195] #3: (&(&q->lock)->rlock){+.-...}, at: [] ipv6_frag_rcv+0x5eb/0x4f80 [ 48.513957] #4: (slock-AF_INET6){+.....}, at: [] icmp6_send+0x7db/0x1b70 [ 48.523112] #5: (rcu_read_lock){......}, at: [] icmp6_send+0xf62/0x1b70 [ 48.532248] #6: (rcu_read_lock_bh){......}, at: [] ip6_finish_output2+0x1f9/0x1ca0 [ 48.542260] #7: (rcu_read_lock){......}, at: [] ndisc_send_skb+0x74d/0x10e0 [ 48.551664] #8: (rcu_read_lock_bh){......}, at: [] ip6_finish_output2+0x1f9/0x1ca0 [ 48.561695] #9: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30 [ 48.571631] [ 48.571631] stack backtrace: [ 48.576111] CPU: 0 PID: 2085 Comm: syz-executor768 Not tainted 4.4.162+ #8 [ 48.583092] 0000000000000000 423b854ea1ac4649 ffff8801db606138 ffffffff81aa50fd [ 48.591077] ffffffff83acbd40 ffffffff83acc5b0 ffffffff83acbd40 ffff8800b7b42120 [ 48.599058] ffff8800b7b417c0 ffff8801db606180 ffffffff813a834a 0000000000000004 [ 48.607038] Call Trace: [ 48.609590] [] dump_stack+0xc1/0x124 [ 48.615661] [] print_circular_bug.cold.34+0x2f7/0x432 [ 48.622479] [] __lock_acquire+0x3e6c/0x5f10 [ 48.628426] [] ? trace_hardirqs_on+0x10/0x10 [ 48.634460] [] ? skb_network_protocol+0xed/0x440 [ 48.640840] [] ? __lock_acquire+0x3531/0x5f10 [ 48.646955] [] ? __lock_acquire+0xa85/0x5f10 [ 48.652986] [] ? __dev_get_by_index+0x1a0/0x1a0 [ 48.659281] [] ? __skb_gso_segment+0x4b0/0x4b0 [ 48.665504] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 48.672227] [] lock_acquire+0x15e/0x450 [ 48.677826] [] ? sch_direct_xmit+0x233/0x6c0 [ 48.683859] [] _raw_spin_lock+0x36/0x50 [ 48.689461] [] ? sch_direct_xmit+0x233/0x6c0 [ 48.695489] [] sch_direct_xmit+0x233/0x6c0 [ 48.701348] [] ? dev_deactivate_queue.constprop.6+0x160/0x160 [ 48.708860] [] __dev_queue_xmit+0xf95/0x1c30 [ 48.714898] [] ? __dev_queue_xmit+0x1d7/0x1c30 [ 48.721101] [] ? trace_hardirqs_on+0x10/0x10 [ 48.727132] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 48.733074] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 48.739803] [] ? mark_held_locks+0xc7/0x130 [ 48.745752] [] ? memcpy+0x45/0x50 [ 48.750908] [] dev_queue_xmit+0x17/0x20 [ 48.756513] [] neigh_resolve_output+0x600/0x780 [ 48.762805] [] ? ip6_finish_output2+0xb94/0x1ca0 [ 48.769182] [] ip6_finish_output2+0xb94/0x1ca0 [ 48.775384] [] ? ip6_finish_output2+0x1f9/0x1ca0 [ 48.781760] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 48.788483] [] ? ip6_forward_finish+0x4a0/0x4a0 [ 48.794775] [] ? check_preemption_disabled+0x3b/0x170 [ 48.801586] [] ? ip6_mtu+0x217/0x340 [ 48.806923] [] ip6_finish_output+0x2ee/0x750 [ 48.812952] [] ip6_output+0x1af/0x520 [ 48.818373] [] ? ip6_finish_output+0x750/0x750 [ 48.824576] [] ? nf_iterate+0x210/0x210 [ 48.830173] [] ? ip6_fragment+0x3310/0x3310 [ 48.836115] [] ndisc_send_skb+0x972/0x10e0 [ 48.841978] [] ? ndisc_send_skb+0x74d/0x10e0 [ 48.848017] [] ? kasan_unpoison_shadow+0x35/0x50 [ 48.854397] [] ? ndisc_alloc_skb+0x330/0x330 [ 48.860429] [] ? kasan_unpoison_task_stack_below+0x1a/0x20 [ 48.867674] [] ? compat_ipv6_setsockopt+0x1d0/0x1d0 [ 48.874310] [] ? __kmalloc_reserve.isra.5+0xc0/0xc0 [ 48.880947] [] ? ip6_rcv_finish+0x14e/0x670 [ 48.886894] [] ? ndisc_fill_addr_option+0x19a/0x1f0 [ 48.893531] [] ndisc_send_ns+0x4fb/0x6f0 [ 48.899217] [] ? trace_hardirqs_on+0xd/0x10 [ 48.905161] [] ? ndisc_netdev_event+0x360/0x360 [ 48.911452] [] ? ipv6_chk_addr_and_flags+0x3a4/0x530 [ 48.918235] [] ? ipv6_chk_addr_and_flags+0x69/0x530 [ 48.924887] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 48.931784] [] ndisc_solicit+0x2a0/0x420 [ 48.937470] [] ? ndisc_send_ns+0x6f0/0x6f0 [ 48.943330] [] ? neigh_probe+0x6f/0x100 [ 48.948927] [] ? ndisc_send_ns+0x6f0/0x6f0 [ 48.954785] [] neigh_probe+0xca/0x100 [ 48.960210] [] __neigh_event_send+0x2a0/0xc30 [ 48.966452] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 48.972849] [] neigh_resolve_output+0x629/0x780 [ 48.979194] [] ip6_finish_output2+0xb94/0x1ca0 [ 48.985403] [] ? ip6_finish_output2+0x1f9/0x1ca0 [ 48.991826] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 48.998564] [] ? ip6_forward_finish+0x4a0/0x4a0 [ 49.004861] [] ? check_preemption_disabled+0x3b/0x170 [ 49.011684] [] ? ip6_mtu+0x217/0x340 [ 49.017024] [] ip6_finish_output+0x2ee/0x750 [ 49.023055] [] ip6_output+0x1af/0x520 [ 49.028475] [] ? ip6_finish_output+0x750/0x750 [ 49.034678] [] ? ip6_fragment+0x3310/0x3310 [ 49.040621] [] ? ip6_flush_pending_frames+0xb0/0xb0 [ 49.047258] [] ip6_local_out+0x9b/0x180 [ 49.052856] [] ip6_send_skb+0xa1/0x340 [ 49.058374] [] ip6_push_pending_frames+0xb3/0xe0 [ 49.064752] [] icmpv6_push_pending_frames+0x335/0x530 [ 49.071564] [] icmp6_send+0x15f3/0x1b70 [ 49.077163] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 49.083909] [] ? icmpv6_push_pending_frames+0x530/0x530 [ 49.090900] [] ? __lock_acquire+0x17e4/0x5f10 [ 49.097016] [] ? trace_hardirqs_on+0x10/0x10 [ 49.103138] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 49.109950] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 49.116676] [] ? mod_timer+0x433/0x8f0 [ 49.122191] [] ? inet_frag_find+0x27a/0x9a0 [ 49.128137] [] icmpv6_param_prob+0x29/0x40 [ 49.133996] [] ipv6_frag_rcv+0x3ba5/0x4f80 [ 49.139853] [] ? ipv6_frags_init_net+0x3a0/0x3a0 [ 49.146237] [] ? raw6_local_deliver+0x425/0x780 [ 49.152533] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 49.159262] [] ip6_input_finish+0x57d/0x1510 [ 49.165292] [] ? ip6_rcv_finish+0x670/0x670 [ 49.171360] [] ip6_input+0xf6/0x200 [ 49.176614] [] ? ipv6_rcv+0x1d10/0x1d10 [ 49.182209] [] ? ip6_rcv_finish+0x670/0x670 [ 49.188157] [] ip6_rcv_finish+0x14e/0x670 [ 49.193931] [] ipv6_defrag+0x33b/0x5c0 [ 49.199441] [] ? ip6_make_skb+0x400/0x400 [ 49.205258] [] ? nf_defrag_ipv6_enable+0x10/0x10 [ 49.211650] [] ? ip6_make_skb+0x400/0x400 [ 49.217422] [] ? trace_hardirqs_on+0x10/0x10 [ 49.223454] [] nf_iterate+0x182/0x210 [ 49.228883] [] nf_hook_slow+0x1b6/0x340 [ 49.234477] [] ? nf_iterate+0x210/0x210 [ 49.240073] [] ? nf_iterate+0x210/0x210 [ 49.245796] [] ? tun_sock_write_space+0xbe/0x1a0 [ 49.252183] [] ? sk_clone_lock+0xfd0/0xfd0 [ 49.258042] [] ipv6_rcv+0x1455/0x1d10 [ 49.263512] [] ? ipv6_rcv+0xf8/0x1d10 [ 49.268940] [] ? ip6_input_finish+0x1510/0x1510 [ 49.275233] [] ? ip6_make_skb+0x400/0x400 [ 49.281003] [] ? packet_rcv_fanout+0x170/0x5e0 [ 49.287214] [] ? ip6_input_finish+0x1510/0x1510 [ 49.293521] [] __netif_receive_skb_core+0x12c8/0x2820 [ 49.300338] [] ? dev_loopback_xmit+0x420/0x420 [ 49.306555] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 49.313368] [] ? _raw_spin_unlock_irqrestore+0x45/0x70 [ 49.320267] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 49.326991] [] __netif_receive_skb+0x5b/0x1c0 [ 49.333107] [] process_backlog+0x20a/0x670 [ 49.338971] [] ? process_backlog+0x1a6/0x670 [ 49.345003] [] net_rx_action+0x367/0xd50 [ 49.350688] [] ? net_rps_action_and_irq_enable.isra.29+0x170/0x170 [ 49.358630] [] ? check_preemption_disabled+0x3b/0x170 [ 49.365443] [] __do_softirq+0x22c/0xa1a [ 49.371041] [] do_softirq_own_stack+0x1c/0x30 [ 49.377152] [] do_softirq.part.2+0x54/0x60 [ 49.383745] [] do_softirq+0x19/0x20 [ 49.389000] [] netif_rx_ni+0xec/0x3a0 [ 49.394424] [] tun_get_user+0xf3a/0x2690 [ 49.400108] [] ? tun_free_netdev+0xb0/0xb0 [ 49.406188] [] ? trace_hardirqs_on+0x10/0x10 [ 49.412218] [] ? __might_fault+0x18e/0x1d0 [ 49.418074] [] ? __might_fault+0xe4/0x1d0 [ 49.423845] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 49.430571] [] ? check_preemption_disabled+0x3b/0x170 [ 49.437388] [] tun_chr_write_iter+0xd5/0x190 [ 49.443422] [] do_iter_readv_writev+0x133/0x1d0 [ 49.449994] [] ? tun_sendmsg+0x140/0x140 [ 49.455677] [] ? vfs_iter_read+0x270/0x270 [ 49.461534] [] ? rw_verify_area+0x100/0x2f0 [ 49.467475] [] ? tun_sendmsg+0x140/0x140 [ 49.473163] [] compat_do_readv_writev+0x337/0x6f0 [ 49.479630] [] ? vfs_writev+0xb0/0xb0 [ 49.485058] [] ? set_current_blocked+0x40/0x40 [ 49.491262] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 49.498074] [] ? do_signal+0x45d/0x1840 [ 49.503671] [] ? force_sig_info_fault.constprop.7+0xd0/0x110 [ 49.511092] [] ? setup_sigcontext+0x780/0x780 [ 49.517210] [] ? spurious_fault+0x370/0x370 [ 49.523157] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 49.529889] [] compat_writev+0xe1/0x150 [ 49.535485] [] compat_SyS_writev+0xd8/0x1c0 [ 49.541427] [] ? compat_SyS_preadv+0x50/0x50 [ 49.547818] [] ? do_fast_syscall_32+0xdb/0xa80 [ 49.554032] [] ? compat_SyS_preadv+0x50/0x50 [ 49.560072] [] do_fast_syscall_32+0x31e/0xa80 [ 49.566199] [] sysenter_flags_fixed+0xd/0x1a