[....] Starting enhanced syslogd: rsyslogd[ 12.918487] audit: type=1400 audit(1541463478.102:4): avc: denied { syslog } for pid=1917 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 36.242085] [ 36.243729] ====================================================== [ 36.250014] [ INFO: possible circular locking dependency detected ] [ 36.256390] 4.4.162+ #118 Not tainted [ 36.260158] ------------------------------------------------------- [ 36.266533] syz-executor383/2076 is trying to acquire lock: [ 36.272213] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 36.281015] [ 36.281015] but task is already holding lock: [ 36.286959] (&(&q->lock)->rlock){+.-...}, at: [] ipv6_frag_rcv+0x5eb/0x4f80 [ 36.296162] [ 36.296162] which lock already depends on the new lock. [ 36.296162] [ 36.304451] [ 36.304451] the existing dependency chain (in reverse order) is: [ 36.312064] -> #1 (&(&q->lock)->rlock){+.-...}: [ 36.317403] [] lock_acquire+0x15e/0x450 [ 36.323646] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 36.330598] [] lock_timer_base+0xd5/0x170 [ 36.337016] [] mod_timer+0x1af/0x8f0 [ 36.342992] [] inet_frag_find+0x73e/0x9a0 [ 36.349406] [] ip_defrag+0x2f0/0x40c0 [ 36.355474] [] ip_check_defrag+0x3a7/0x710 [ 36.361974] [] packet_rcv_fanout+0x52a/0x5e0 [ 36.368648] [] dev_hard_start_xmit+0x650/0x11c0 [ 36.375583] [] sch_direct_xmit+0x2b8/0x6c0 [ 36.382090] [] __dev_queue_xmit+0xf95/0x1c30 [ 36.389290] [] dev_queue_xmit+0x17/0x20 [ 36.395529] [] neigh_resolve_output+0x600/0x780 [ 36.402466] [] ip_finish_output2+0x8f0/0x1100 [ 36.409230] [] ip_do_fragment+0x1870/0x1f60 [ 36.415835] [] ip_fragment.constprop.5+0x145/0x200 [ 36.423042] [] ip_finish_output+0x396/0xc00 [ 36.429629] [] ip_mc_output+0x237/0x980 [ 36.435872] [] ip_local_out+0x9b/0x180 [ 36.442036] [] ip_send_skb+0x3c/0xc0 [ 36.448019] [] udp_send_skb+0x503/0xc70 [ 36.454256] [] udp_sendmsg+0x16c9/0x1c70 [ 36.460581] [] inet_sendmsg+0x203/0x4d0 [ 36.466824] [] sock_sendmsg+0xbb/0x110 [ 36.473013] [] SyS_sendto+0x220/0x370 [ 36.479094] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 36.486294] -> #0 (_xmit_NETROM){+.-...}: [ 36.491064] [] __lock_acquire+0x3e6c/0x5f10 [ 36.497664] [] lock_acquire+0x15e/0x450 [ 36.503913] [] _raw_spin_lock+0x36/0x50 [ 36.510164] [] sch_direct_xmit+0x233/0x6c0 [ 36.516660] [] __dev_queue_xmit+0xf95/0x1c30 [ 36.523348] [] dev_queue_xmit+0x17/0x20 [ 36.529589] [] neigh_resolve_output+0x600/0x780 [ 36.536536] [] ip6_finish_output2+0xb94/0x1ca0 [ 36.543383] [] ip6_finish_output+0x2ee/0x750 [ 36.550054] [] ip6_output+0x1af/0x520 [ 36.556122] [] ndisc_send_skb+0x972/0x10e0 [ 36.562640] [] ndisc_send_ns+0x4fb/0x6f0 [ 36.568967] [] ndisc_solicit+0x2a0/0x420 [ 36.575309] [] neigh_probe+0xca/0x100 [ 36.581376] [] __neigh_event_send+0x2a0/0xc30 [ 36.588134] [] neigh_resolve_output+0x629/0x780 [ 36.595066] [] ip6_finish_output2+0xb94/0x1ca0 [ 36.601914] [] ip6_finish_output+0x2ee/0x750 [ 36.608598] [] ip6_output+0x1af/0x520 [ 36.614664] [] ip6_local_out+0x9b/0x180 [ 36.620917] [] ip6_send_skb+0xa1/0x340 [ 36.627085] [] ip6_push_pending_frames+0xb3/0xe0 [ 36.634109] [] icmpv6_push_pending_frames+0x335/0x530 [ 36.641563] [] icmp6_send+0x15f3/0x1b70 [ 36.647816] [] icmpv6_param_prob+0x29/0x40 [ 36.654333] [] ipv6_frag_rcv+0x3ba5/0x4f80 [ 36.660835] [] ip6_input_finish+0x57d/0x1510 [ 36.667519] [] ip6_input+0xf6/0x200 [ 36.673413] [] ip6_rcv_finish+0x14e/0x670 [ 36.679828] [] ipv6_defrag+0x33b/0x5c0 [ 36.686009] [] nf_iterate+0x182/0x210 [ 36.692082] [] nf_hook_slow+0x1b6/0x340 [ 36.698319] [] ipv6_rcv+0x1455/0x1d10 [ 36.704390] [] __netif_receive_skb_core+0x12c8/0x2820 [ 36.711852] [] __netif_receive_skb+0x5b/0x1c0 [ 36.718627] [] process_backlog+0x20a/0x670 [ 36.725128] [] net_rx_action+0x367/0xd50 [ 36.731455] [] __do_softirq+0x22c/0xa1a [ 36.737694] [] do_softirq_own_stack+0x1c/0x30 [ 36.744463] [] do_softirq.part.2+0x54/0x60 [ 36.750966] [] do_softirq+0x19/0x20 [ 36.756864] [] netif_rx_ni+0xec/0x3a0 [ 36.762929] [] tun_get_user+0xf3a/0x2690 [ 36.769259] [] tun_chr_write_iter+0xd5/0x190 [ 36.775934] [] do_iter_readv_writev+0x133/0x1d0 [ 36.782874] [] do_readv_writev+0x335/0x6f0 [ 36.789391] [] vfs_writev+0x7b/0xb0 [ 36.795296] [] SyS_writev+0xd9/0x250 [ 36.801275] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 36.808483] [ 36.808483] other info that might help us debug this: [ 36.808483] [ 36.816717] Possible unsafe locking scenario: [ 36.816717] [ 36.822750] CPU0 CPU1 [ 36.827394] ---- ---- [ 36.832031] lock(&(&q->lock)->rlock); [ 36.836213] lock(_xmit_NETROM); [ 36.842389] lock(&(&q->lock)->rlock); [ 36.849099] lock(_xmit_NETROM); [ 36.852761] [ 36.852761] *** DEADLOCK *** [ 36.852761] [ 36.858793] 10 locks held by syz-executor383/2076: [ 36.863689] #0: (rcu_read_lock){......}, at: [] process_backlog+0x1a6/0x670 [ 36.873130] #1: (rcu_read_lock){......}, at: [] nf_hook_slow+0x0/0x340 [ 36.882124] #2: (rcu_read_lock){......}, at: [] ip6_input_finish+0x0/0x1510 [ 36.891577] #3: (&(&q->lock)->rlock){+.-...}, at: [] ipv6_frag_rcv+0x5eb/0x4f80 [ 36.901349] #4: (slock-AF_INET6){+.....}, at: [] icmp6_send+0x7db/0x1b70 [ 36.910538] #5: (rcu_read_lock){......}, at: [] icmp6_send+0xf62/0x1b70 [ 36.919620] #6: (rcu_read_lock_bh){......}, at: [] ip6_finish_output2+0x1f9/0x1ca0 [ 36.929653] #7: (rcu_read_lock){......}, at: [] ndisc_send_skb+0x74d/0x10e0 [ 36.939105] #8: (rcu_read_lock_bh){......}, at: [] ip6_finish_output2+0x1f9/0x1ca0 [ 36.949146] #9: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30 [ 36.959024] [ 36.959024] stack backtrace: [ 36.963498] CPU: 0 PID: 2076 Comm: syz-executor383 Not tainted 4.4.162+ #118 [ 36.970654] 0000000000000000 54da61ae131a217e ffff8801db606138 ffffffff81aa50fd [ 36.978634] ffffffff83acb9e0 ffffffff83acc250 ffffffff83acb9e0 ffff8800b8200960 [ 36.986634] ffff8800b8200000 ffff8801db606180 ffffffff813a834a 0000000000000004 [ 36.994614] Call Trace: [ 36.997169] [] dump_stack+0xc1/0x124 [ 37.003247] [] print_circular_bug.cold.34+0x2f7/0x432 [ 37.010077] [] __lock_acquire+0x3e6c/0x5f10 [ 37.016038] [] ? trace_hardirqs_on+0x10/0x10 [ 37.022076] [] ? skb_network_protocol+0xed/0x440 [ 37.028468] [] ? __lock_acquire+0x3531/0x5f10 [ 37.034590] [] ? __lock_acquire+0xa85/0x5f10 [ 37.040639] [] ? __dev_get_by_index+0x1a0/0x1a0 [ 37.046934] [] ? __skb_gso_segment+0x4b0/0x4b0 [ 37.053164] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.059893] [] lock_acquire+0x15e/0x450 [ 37.065494] [] ? sch_direct_xmit+0x233/0x6c0 [ 37.071535] [] _raw_spin_lock+0x36/0x50 [ 37.077142] [] ? sch_direct_xmit+0x233/0x6c0 [ 37.083202] [] sch_direct_xmit+0x233/0x6c0 [ 37.089063] [] ? dev_deactivate_queue.constprop.6+0x160/0x160 [ 37.096583] [] __dev_queue_xmit+0xf95/0x1c30 [ 37.102621] [] ? __dev_queue_xmit+0x1d7/0x1c30 [ 37.108829] [] ? trace_hardirqs_on+0x10/0x10 [ 37.114876] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 37.120824] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.127557] [] ? mark_held_locks+0xc7/0x130 [ 37.133510] [] ? memcpy+0x45/0x50 [ 37.138604] [] dev_queue_xmit+0x17/0x20 [ 37.144208] [] neigh_resolve_output+0x600/0x780 [ 37.150514] [] ? ip6_finish_output2+0xb94/0x1ca0 [ 37.156904] [] ip6_finish_output2+0xb94/0x1ca0 [ 37.163112] [] ? ip6_finish_output2+0x1f9/0x1ca0 [ 37.169501] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.176240] [] ? ip6_forward_finish+0x4a0/0x4a0 [ 37.182543] [] ? check_preemption_disabled+0x3b/0x170 [ 37.189386] [] ? ip6_mtu+0x217/0x340 [ 37.194731] [] ip6_finish_output+0x2ee/0x750 [ 37.200766] [] ip6_output+0x1af/0x520 [ 37.206193] [] ? ip6_finish_output+0x750/0x750 [ 37.212402] [] ? nf_iterate+0x210/0x210 [ 37.218003] [] ? ip6_fragment+0x3310/0x3310 [ 37.223949] [] ndisc_send_skb+0x972/0x10e0 [ 37.229807] [] ? ndisc_send_skb+0x74d/0x10e0 [ 37.235842] [] ? kasan_unpoison_shadow+0x35/0x50 [ 37.242512] [] ? ndisc_alloc_skb+0x330/0x330 [ 37.248545] [] ? kasan_unpoison_task_stack_below+0x1a/0x20 [ 37.255794] [] ? compat_ipv6_setsockopt+0x1d0/0x1d0 [ 37.262434] [] ? __kmalloc_reserve.isra.5+0xc0/0xc0 [ 37.269882] [] ? ip6_rcv_finish+0x14e/0x670 [ 37.275830] [] ? ndisc_fill_addr_option+0x19a/0x1f0 [ 37.282495] [] ndisc_send_ns+0x4fb/0x6f0 [ 37.288193] [] ? trace_hardirqs_on+0xd/0x10 [ 37.294143] [] ? ndisc_netdev_event+0x360/0x360 [ 37.300439] [] ? ipv6_chk_addr_and_flags+0x3a4/0x530 [ 37.307170] [] ? ipv6_chk_addr_and_flags+0x69/0x530 [ 37.313856] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 37.320872] [] ndisc_solicit+0x2a0/0x420 [ 37.326575] [] ? ndisc_send_ns+0x6f0/0x6f0 [ 37.332433] [] ? neigh_probe+0x6f/0x100 [ 37.338035] [] ? ndisc_send_ns+0x6f0/0x6f0 [ 37.343898] [] neigh_probe+0xca/0x100 [ 37.349327] [] __neigh_event_send+0x2a0/0xc30 [ 37.355449] [] ? __local_bh_enable_ip+0x6a/0xd0 [ 37.361745] [] neigh_resolve_output+0x629/0x780 [ 37.368038] [] ip6_finish_output2+0xb94/0x1ca0 [ 37.374672] [] ? ip6_finish_output2+0x1f9/0x1ca0 [ 37.381069] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.387806] [] ? ip6_forward_finish+0x4a0/0x4a0 [ 37.394102] [] ? check_preemption_disabled+0x3b/0x170 [ 37.400918] [] ? ip6_mtu+0x217/0x340 [ 37.406267] [] ip6_finish_output+0x2ee/0x750 [ 37.412303] [] ip6_output+0x1af/0x520 [ 37.417727] [] ? ip6_finish_output+0x750/0x750 [ 37.424107] [] ? ip6_fragment+0x3310/0x3310 [ 37.430063] [] ? ip6_flush_pending_frames+0xb0/0xb0 [ 37.436707] [] ip6_local_out+0x9b/0x180 [ 37.442304] [] ip6_send_skb+0xa1/0x340 [ 37.447817] [] ip6_push_pending_frames+0xb3/0xe0 [ 37.454213] [] icmpv6_push_pending_frames+0x335/0x530 [ 37.461040] [] icmp6_send+0x15f3/0x1b70 [ 37.466638] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.473367] [] ? icmpv6_push_pending_frames+0x530/0x530 [ 37.480882] [] ? __lock_acquire+0x17e4/0x5f10 [ 37.487000] [] ? trace_hardirqs_on+0x10/0x10 [ 37.493034] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 37.499873] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.506692] [] ? mod_timer+0x433/0x8f0 [ 37.512209] [] ? inet_frag_find+0x27a/0x9a0 [ 37.518155] [] icmpv6_param_prob+0x29/0x40 [ 37.524016] [] ipv6_frag_rcv+0x3ba5/0x4f80 [ 37.529879] [] ? ipv6_frags_init_net+0x3a0/0x3a0 [ 37.536259] [] ? raw6_local_deliver+0x425/0x780 [ 37.542571] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.549325] [] ip6_input_finish+0x57d/0x1510 [ 37.555366] [] ? ip6_rcv_finish+0x670/0x670 [ 37.561313] [] ip6_input+0xf6/0x200 [ 37.566582] [] ? ipv6_rcv+0x1d10/0x1d10 [ 37.572182] [] ? ip6_rcv_finish+0x670/0x670 [ 37.578127] [] ip6_rcv_finish+0x14e/0x670 [ 37.584012] [] ipv6_defrag+0x33b/0x5c0 [ 37.589541] [] ? ip6_make_skb+0x400/0x400 [ 37.595326] [] ? nf_defrag_ipv6_enable+0x10/0x10 [ 37.601718] [] ? ip6_make_skb+0x400/0x400 [ 37.607496] [] ? trace_hardirqs_on+0x10/0x10 [ 37.613533] [] nf_iterate+0x182/0x210 [ 37.618972] [] nf_hook_slow+0x1b6/0x340 [ 37.624585] [] ? nf_iterate+0x210/0x210 [ 37.630191] [] ? nf_iterate+0x210/0x210 [ 37.635789] [] ? tun_sock_write_space+0xbe/0x1a0 [ 37.642170] [] ? sk_clone_lock+0xfd0/0xfd0 [ 37.648028] [] ipv6_rcv+0x1455/0x1d10 [ 37.653453] [] ? ipv6_rcv+0xf8/0x1d10 [ 37.658878] [] ? ip6_input_finish+0x1510/0x1510 [ 37.665181] [] ? ip6_make_skb+0x400/0x400 [ 37.670956] [] ? packet_rcv_fanout+0x170/0x5e0 [ 37.677281] [] ? ip6_input_finish+0x1510/0x1510 [ 37.683594] [] __netif_receive_skb_core+0x12c8/0x2820 [ 37.690411] [] ? dev_loopback_xmit+0x420/0x420 [ 37.696618] [] ? search_binary_handler+0x14f/0x6f0 [ 37.703174] [] ? SyS_execve+0x42/0x50 [ 37.708612] [] ? stub_execve+0x5/0x5 [ 37.713952] [] ? _raw_spin_unlock_irqrestore+0x45/0x70 [ 37.720862] [] ? free_object+0x115/0x2a0 [ 37.726550] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.733279] [] __netif_receive_skb+0x5b/0x1c0 [ 37.739410] [] process_backlog+0x20a/0x670 [ 37.745270] [] ? process_backlog+0x1a6/0x670 [ 37.751306] [] net_rx_action+0x367/0xd50 [ 37.756995] [] ? net_rps_action_and_irq_enable.isra.29+0x170/0x170 [ 37.764943] [] ? check_preemption_disabled+0x3b/0x170 [ 37.771778] [] __do_softirq+0x22c/0xa1a [ 37.777391] [] do_softirq_own_stack+0x1c/0x30 [ 37.783506] [] do_softirq.part.2+0x54/0x60 [ 37.790103] [] do_softirq+0x19/0x20 [ 37.795369] [] netif_rx_ni+0xec/0x3a0 [ 37.800809] [] tun_get_user+0xf3a/0x2690 [ 37.806500] [] ? tun_free_netdev+0xb0/0xb0 [ 37.812460] [] ? trace_hardirqs_on+0x10/0x10 [ 37.818493] [] ? trace_hardirqs_on+0x10/0x10 [ 37.824540] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.831272] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.838004] [] ? check_preemption_disabled+0x3b/0x170 [ 37.844843] [] tun_chr_write_iter+0xd5/0x190 [ 37.850892] [] do_iter_readv_writev+0x133/0x1d0 [ 37.857189] [] ? tun_sendmsg+0x140/0x140 [ 37.862880] [] ? vfs_iter_read+0x270/0x270 [ 37.868739] [] ? rw_verify_area+0x100/0x2f0 [ 37.874687] [] ? tun_sendmsg+0x140/0x140 [ 37.880375] [] do_readv_writev+0x335/0x6f0 [ 37.886240] [] ? vfs_write+0x4e0/0x4e0 [ 37.891752] [] ? do_signal+0x45d/0x1840 [ 37.897349] [] ? setup_sigcontext+0x780/0x780 [ 37.903477] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.910209] [] vfs_writev+0x7b/0xb0 [ 37.915462] [] SyS_writev+0xd9/0x250 [ 37.920799] [] ? SyS_readv+0x250/0x250 [ 37.926314] [] ? trace_hardirqs_on_thunk+0x17/0x19 [ 37.932874] [] entry_SYSCALL_64_fastpath+0x1e/0x9a