Warning: Permanently added '10.128.10.44' (ECDSA) to the list of known hosts.
syzkaller login: [ 34.187113] audit: type=1400 audit(1574924186.526:5): avc: denied { create } for pid=2075 comm="syz-executor795" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 34.211598] audit: type=1400 audit(1574924186.556:6): avc: denied { write } for pid=2075 comm="syz-executor795" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
executing program
[ 34.243156] audit: type=1400 audit(1574924186.586:7): avc: denied { read } for pid=2075 comm="syz-executor795" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 34.355379]
[ 34.357151] ======================================================
[ 34.363445] [ INFO: possible circular locking dependency detected ]
[ 34.369871] 4.4.174+ #4 Not tainted
[ 34.373581] -------------------------------------------------------
[ 34.380117] syz-executor795/2079 is trying to acquire lock:
[ 34.385812] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x238/0x700
[ 34.394717]
[ 34.394717] but task is already holding lock:
[ 34.400669] (&(&q->lock)->rlock){+.-...}, at: [] ipv6_frag_rcv+0x6cc/0x51e0
[ 34.409921]
[ 34.409921] which lock already depends on the new lock.
[ 34.409921]
[ 34.418217]
[ 34.418217] the existing dependency chain (in reverse order) is:
[ 34.425824] -> #1 (&(&q->lock)->rlock){+.-...}:
[ 34.431654] [] lock_acquire+0x15e/0x450
[ 34.437908] [] _raw_spin_lock_irqsave+0x50/0x70
[ 34.444852] [] depot_save_stack+0x20c/0x5f0
[ 34.451522] [] kasan_kmalloc.part.0+0xc6/0xf0
[ 34.458530] [] kasan_kmalloc+0xb7/0xd0
[ 34.464707] [] kasan_slab_alloc+0xf/0x20
[ 34.471060] [] kmem_cache_alloc+0xdc/0x2c0
[ 34.477579] [] inet_getpeer+0x1525/0x1ce0
[ 34.484063] [] ip4_frag_init+0x2a2/0x310
[ 34.490411] [] inet_frag_create+0x1ac/0x14e0
[ 34.497123] [] inet_frag_find+0x64d/0x880
[ 34.503549] [] ip_defrag+0x2fb/0x3b70
[ 34.509620] [] ip_check_defrag+0x3d6/0x5b0
[ 34.516219] [] packet_rcv_fanout+0x51e/0x5f0
[ 34.522904] [] dev_hard_start_xmit+0x654/0x11e0
[ 34.529845] [] sch_direct_xmit+0x2b6/0x700
[ 34.536348] [] __dev_queue_xmit+0xd24/0x1bb0
[ 34.543021] [] dev_queue_xmit+0x18/0x20
[ 34.549264] [] neigh_resolve_output+0x4a0/0x7a0
[ 34.556201] [] ip_finish_output2+0x6a2/0x1280
[ 34.562962] [] ip_do_fragment+0x187c/0x1f70
[ 34.569553] [] ip_fragment.constprop.0+0x14b/0x200
[ 34.576754] [] ip_finish_output+0x3b9/0xc60
[ 34.583348] [] ip_mc_output+0x251/0xae0
[ 34.589591] [] ip_local_out+0x9c/0x180
[ 34.595748] [] ip_send_skb+0x3e/0xc0
[ 34.601728] [] udp_send_skb+0x4fd/0xc70
[ 34.608002] [] udp_push_pending_frames+0x4e/0xe0
[ 34.615075] [] udp_sendpage+0x2ae/0x410
[ 34.621356] [] inet_sendpage+0x223/0x520
[ 34.627692] [] kernel_sendpage+0x95/0xf0
[ 34.634053] [] sock_sendpage+0x8b/0xc0
[ 34.640230] [] pipe_to_sendpage+0x28d/0x3d0
[ 34.646820] [] __splice_from_pipe+0x37e/0x7a0
[ 34.653589] [] splice_from_pipe+0x108/0x170
[ 34.660176] [] generic_splice_sendpage+0x3c/0x50
[ 34.667225] [] SyS_splice+0xd71/0x13a0
[ 34.673413] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 34.680628] -> #0 (_xmit_NETROM){+.-...}:
[ 34.685424] [] __lock_acquire+0x37d6/0x4f50
[ 34.692027] [] lock_acquire+0x15e/0x450
[ 34.698278] [] _raw_spin_lock+0x38/0x50
[ 34.704521] [] sch_direct_xmit+0x238/0x700
[ 34.711038] [] __dev_queue_xmit+0xd24/0x1bb0
[ 34.717716] [] dev_queue_xmit+0x18/0x20
[ 34.723969] [] neigh_resolve_output+0x4a0/0x7a0
[ 34.730999] [] ip6_finish_output2+0x9c7/0x1dc0
[ 34.737888] [] ip6_finish_output+0x2f3/0x750
[ 34.744577] [] ip6_output+0x1b4/0x520
[ 34.750766] [] ndisc_send_skb+0x98d/0x1110
[ 34.757295] [] ndisc_send_ns+0x4bf/0x6b0
[ 34.763625] [] ndisc_solicit+0x2b2/0x440
[ 34.769988] [] neigh_probe+0xc8/0x100
[ 34.776069] [] __neigh_event_send+0x2ab/0xc50
[ 34.782830] [] neigh_resolve_output+0x5ec/0x7a0
[ 34.789776] [] ip6_finish_output2+0x9c7/0x1dc0
[ 34.796626] [] ip6_finish_output+0x2f3/0x750
[ 34.803299] [] ip6_output+0x1b4/0x520
[ 34.809383] [] ip6_local_out+0x9c/0x180
[ 34.815644] [] ip6_send_skb+0xa2/0x340
[ 34.821794] [] ip6_push_pending_frames+0xbb/0xe0
[ 34.828813] [] icmpv6_push_pending_frames+0x336/0x530
[ 34.836276] [] icmp6_send+0x1506/0x1b40
[ 34.842515] [] icmpv6_param_prob+0x29/0x40
[ 34.849277] [] ipv6_frag_rcv+0x3ce5/0x51e0
[ 34.855779] [] ip6_input_finish+0x57d/0x14f0
[ 34.862462] [] ip6_input+0xf8/0x1f0
[ 34.868354] [] ip6_rcv_finish+0x14d/0x670
[ 34.874777] [] ipv6_rcv+0xfc1/0x1a20
[ 34.880762] [] __netif_receive_skb_core+0x1300/0x2950
[ 34.888217] [] __netif_receive_skb+0x58/0x1c0
[ 34.894975] [] process_backlog+0x200/0x630
[ 34.901488] [] net_rx_action+0x367/0xd30
[ 34.907817] [] __do_softirq+0x226/0xa3f
[ 34.914065] [] do_softirq_own_stack+0x1c/0x30
[ 34.920837] [] do_softirq.part.0+0x54/0x60
[ 34.927348] [] do_softirq+0x18/0x20
[ 34.933247] [] netif_rx_ni+0xeb/0x3b0
[ 34.939312] [] tun_get_user+0xdbf/0x2640
[ 34.945637] [] tun_chr_write_iter+0xda/0x190
[ 34.952307] [] do_iter_readv_writev+0x141/0x1e0
[ 34.959241] [] do_readv_writev+0x387/0x6e0
[ 34.966086] [] vfs_writev+0x7d/0xb0
[ 34.971983] [] SyS_writev+0xdc/0x260
[ 34.977968] [] entry_SYSCALL_64_fastpath+0x1e/0x9a
[ 34.985163]
[ 34.985163] other info that might help us debug this:
[ 34.985163]
[ 34.993279] Possible unsafe locking scenario:
[ 34.993279]
[ 34.999308]        CPU0                    CPU1
[ 35.003947]        ----                    ----
[ 35.008591]   lock(&(&q->lock)->rlock);
[ 35.012782]                                lock(_xmit_NETROM);
[ 35.018974]                                lock(&(&q->lock)->rlock);
[ 35.025679]   lock(_xmit_NETROM);
[ 35.029350]
[ 35.029350] *** DEADLOCK ***
[ 35.029350]
[ 35.035384] 9 locks held by syz-executor795/2079:
[ 35.040196] #0: (rcu_read_lock){......}, at: [] process_backlog+0x19c/0x630
[ 35.049668] #1: (rcu_read_lock){......}, at: [] ip6_input_finish+0x0/0x14f0
[ 35.059102] #2: (&(&q->lock)->rlock){+.-...}, at: [] ipv6_frag_rcv+0x6cc/0x51e0
[ 35.068867] #3: (slock-AF_INET6){+.....}, at: [] icmp6_send+0x7bd/0x1b40
[ 35.078036] #4: (rcu_read_lock){......}, at: [] icmp6_send+0xf44/0x1b40
[ 35.087107] #5: (rcu_read_lock_bh){......}, at: [] ip6_finish_output2+0x1e1/0x1dc0
[ 35.097161] #6: (rcu_read_lock){......}, at: [] ndisc_send_skb+0x779/0x1110
[ 35.106583] #7: (rcu_read_lock_bh){......}, at: [] ip6_finish_output2+0x1e1/0x1dc0
[ 35.116712] #8: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1bb0
[ 35.116713]
[ 35.116713] stack backtrace:
[ 35.116726] CPU: 1 PID: 2079 Comm: syz-executor795 Not tainted 4.4.174+ #4
[ 35.116734] 0000000000000000 c27725336b879830 ffff8801db7064e0 ffffffff81aad1a1
[ 35.116740] ffffffff84057a80 ffff8801d4d5c740 ffffffff83ad40e0 ffffffff83ad47a0
[ 35.116750] ffffffff83ad40e0 ffff8801db706530 ffffffff813abcda ffff8801db706610
[ 35.116751] Call Trace:
[ 35.116763] [] dump_stack+0xc1/0x120
[ 35.116772] [] print_circular_bug.cold+0x2f7/0x44e
[ 35.116780] [] __lock_acquire+0x37d6/0x4f50
[ 35.116786] [] ? check_usage+0x14e/0x5a0
[ 35.116792] [] ? trace_hardirqs_on+0x10/0x10
[ 35.116799] [] ? __lock_acquire+0x2c79/0x4f50
[ 35.116805] [] ? __dev_get_by_index+0x130/0x130
[ 35.116812] [] ? __skb_gso_segment+0x4c0/0x4c0
[ 35.116821] [] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 35.116827] [] lock_acquire+0x15e/0x450
[ 35.116834] [] ? sch_direct_xmit+0x238/0x700
[ 35.116842] [] _raw_spin_lock+0x38/0x50
[ 35.116848] [] ? sch_direct_xmit+0x238/0x700
[ 35.116854] [] sch_direc