Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.240' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.719469] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 29.728656] ip6_tables: ip6tables: counters copy to user failed while replacing table
[ 29.745112]
[ 29.746753] ======================================================
[ 29.753045] WARNING: possible circular locking dependency detected
[ 29.759337] 4.14.231-syzkaller #0 Not tainted
[ 29.763840] ------------------------------------------------------
[ 29.770130] syz-executor412/7978 is trying to acquire lock:
[ 29.775810]  (&table[i].mutex){+.+.}, at: [] nf_tables_netdev_event+0x10d/0x4d0
[ 29.784839]
[ 29.784839] but task is already holding lock:
[ 29.790795]  (rtnl_mutex){+.+.}, at: [] tun_chr_close+0x34/0x60
[ 29.798478]
[ 29.798478] which lock already depends on the new lock.
[ 29.798478]
[ 29.806767]
[ 29.806767] the existing dependency chain (in reverse order) is:
[ 29.814393]
[ 29.814393] -> #2 (rtnl_mutex){+.+.}:
[ 29.819693]        __mutex_lock+0xc4/0x1310
[ 29.824002]        unregister_netdevice_notifier+0x5e/0x2b0
[ 29.829696]        tee_tg_destroy+0x5c/0xb0
[ 29.834014]        cleanup_entry+0x232/0x310
[ 29.838410]        __do_replace+0x38d/0x580
[ 29.842710]        do_ip6t_set_ctl+0x256/0x3b0
[ 29.847279]        nf_setsockopt+0x5f/0xb0
[ 29.851491]        ipv6_setsockopt+0xc0/0x120
[ 29.855959]        udpv6_setsockopt+0x45/0x80
[ 29.860427]        SyS_setsockopt+0x110/0x1e0
[ 29.864909]        do_syscall_64+0x1d5/0x640
[ 29.869292]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.874972]
[ 29.874972] -> #1 (&xt[i].mutex){+.+.}:
[ 29.880410]        __mutex_lock+0xc4/0x1310
[ 29.884711]        match_revfn+0x43/0x210
[ 29.888828]        xt_find_revision+0x8d/0x1d0
[ 29.893405]        nfnl_compat_get+0x1f7/0x870
[ 29.897973]        nfnetlink_rcv_msg+0x9bb/0xc00
[ 29.902714]        netlink_rcv_skb+0x125/0x390
[ 29.907292]        nfnetlink_rcv+0x1ab/0x1da0
[ 29.911759]        netlink_unicast+0x437/0x610
[ 29.916312]        netlink_sendmsg+0x62e/0xb80
[ 29.920864]        sock_sendmsg+0xb5/0x100
[ 29.925069]        ___sys_sendmsg+0x6c8/0x800
[ 29.929554]        __sys_sendmsg+0xa3/0x120
[ 29.933846]        SyS_sendmsg+0x27/0x40
[ 29.937878]        do_syscall_64+0x1d5/0x640
[ 29.942257]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.947946]
[ 29.947946] -> #0 (&table[i].mutex){+.+.}:
[ 29.953656]        lock_acquire+0x170/0x3f0
[ 29.957959]        __mutex_lock+0xc4/0x1310
[ 29.962251]        nf_tables_netdev_event+0x10d/0x4d0
[ 29.967411]        notifier_call_chain+0x108/0x1a0
[ 29.972311]        rollback_registered_many+0x765/0xba0
[ 29.977643]        rollback_registered+0xca/0x170
[ 29.982456]        unregister_netdevice_queue+0x1b4/0x360
[ 29.987965]        __tun_detach+0xca2/0xf60
[ 29.992256]        tun_chr_close+0x41/0x60
[ 29.996477]        __fput+0x25f/0x7a0
[ 30.000259]        task_work_run+0x11f/0x190
[ 30.004648]        do_exit+0xa44/0x2850
[ 30.008592]        do_group_exit+0x100/0x2e0
[ 30.012972]        SyS_exit_group+0x19/0x20
[ 30.017263]        do_syscall_64+0x1d5/0x640
[ 30.021651]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.027330]
[ 30.027330] other info that might help us debug this:
[ 30.027330]
[ 30.035440] Chain exists of:
[ 30.035440]   &table[i].mutex --> &xt[i].mutex --> rtnl_mutex
[ 30.035440]
[ 30.045642]  Possible unsafe locking scenario:
[ 30.045642]
[ 30.051667]        CPU0                    CPU1
[ 30.056304]        ----                    ----
[ 30.060941]   lock(rtnl_mutex);
[ 30.064189]                                lock(&xt[i].mutex);
[ 30.070126]                                lock(rtnl_mutex);
[ 30.075892]   lock(&table[i].mutex);
[ 30.079576]
[ 30.079576]  *** DEADLOCK ***
[ 30.079576]
[ 30.085615] 1 lock held by syz-executor412/7978:
[ 30.090335]  #0:  (rtnl_mutex){+.+.}, at: [] tun_chr_close+0x34/0x60
[ 30.098367]
[ 30.098367] stack backtrace:
[ 30.102847] CPU: 1 PID: 7978 Comm: syz-executor412 Not tainted 4.14.231-syzkaller #0
[ 30.110697] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.120038] Call Trace:
[ 30.122614]  dump_stack+0x1b2/0x281
[ 30.126229]  print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 30.132001]  __lock_acquire+0x2e0e/0x3f20
[ 30.136122]  ? lock_downgrade+0x740/0x740
[ 30.140254]  ? unwind_next_frame+0xe54/0x17d0
[ 30.144719]  ? trace_hardirqs_on+0x10/0x10
[ 30.148927]  ? kernel_text_address+0xbd/0xf0
[ 30.153306]  ? __kernel_text_address+0x9/0x30
[ 30.157770]  ? unwind_get_return_address+0x51/0x90
[ 30.162698]  lock_acquire+0x170/0x3f0
[ 30.166472]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 30.171295]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 30.176118]  __mutex_lock+0xc4/0x1310
[ 30.179890]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 30.184703]  ? nf_tables_netdev_event+0x10d/0x4d0
[ 30.189516]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 30.194950]  ? trace_hardirqs_on+0x10/0x10
[ 30.199161]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 30.204148]  ? lock_downgrade+0x740/0x740
[ 30.208265]  nf_tables_netdev_event+0x10d/0x4d0
[ 30.212906]  ? mirred_device_event+0x12f/0x170
[ 30.217460]  ? nf_tables_netdev_init_net+0x140/0x140
[ 30.222541]  ? mirred_device_event+0x12f/0x170
[ 30.227094]  ? __local_bh_enable_ip+0xc1/0x170
[ 30.231646]  notifier_call_chain+0x108/0x1a0
[ 30.236028]  rollback_registered_many+0x765/0xba0
[ 30.240840]  ? netdev_state_change+0xf0/0xf0
[ 30.245221]  ? queue_delayed_work_on+0x114/0x1d0
[ 30.249947]  rollback_registered+0xca/0x170
[ 30.254239]  ? rollback_registered_many+0xba0/0xba0
[ 30.259236]  ? linkwatch_schedule_work+0xe5/0x110
[ 30.264049]  unregister_netdevice_queue+0x1b4/0x360
[ 30.269040]  __tun_detach+0xca2/0xf60
[ 30.272821]  ? tun_recvmsg+0x3b0/0x3b0
[ 30.276680]  tun_chr_close+0x41/0x60
[ 30.280364]  __fput+0x25f/0x7a0
[ 30.283628]  task_work_run+0x11f/0x190
[ 30.287487]  do_exit+0xa44/0x2850
[ 30.290912]  ? io_schedule_timeout+0x140/0x140
[ 30.295466]  ? mm_update_next_owner+0x5b0/0x5b0
[ 30.300278]  ? preempt_schedule_common+0x45/0xc0
[ 30.305007]  ? ___preempt_schedule+0x16/0x18
[ 30.309404]  do_group_exit+0x100/0x2e0
[ 30.313269]  SyS_exit_group+0x19/0x20
[ 30.317044]  ? do_group_exit+0x2e0/0x2e0
[ 30.321080]  do_syscall_64+0x1d5/0x640
[ 30.324945]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.330120] RIP: 0033:0x444a99
[ 30.333324] RSP: 002b:00007ffc946cf358 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 30.341003] RAX: ffffffffffffffda RBX: 00000000004cb390 RCX: 0000000000444a99
[ 30.348245] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 30.355512] RBP: 0000000000000000 R08: ffffffffffffffb8 R09: 0000000000000000
[ 30.362754] R10: 00007ffc946cf300 R11: 0000000000000246 R12: 00000000004cb390
[ 30.370050] R13: 00000000