[ ok ] Starting enhanced syslogd: rsyslogd[ 12.965206] audit: type=1400 audit(1540640219.116:4): avc: denied { syslog } for pid=1926 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 . [ ok ] Starting periodic command scheduler: cron. Starting mcstransd: [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.37' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 39.244161] [ 39.245836] ====================================================== [ 39.252129] [ INFO: possible circular locking dependency detected ] [ 39.258510] 4.4.162+ #7 Not tainted [ 39.262250] ------------------------------------------------------- [ 39.268630] syz-executor119/2085 is trying to acquire lock: [ 39.274311] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x31b/0x40c0 [ 39.283201] [ 39.283201] but task is already holding lock: [ 39.289162] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 39.297965] [ 39.297965] which lock already depends on the new lock. 
[ 39.297965] [ 39.306255] [ 39.306255] the existing dependency chain (in reverse order) is: [ 39.313851] -> #1 (_xmit_NETROM){+.-...}: [ 39.318631] [] lock_acquire+0x15e/0x450 [ 39.324875] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 39.331815] [] depot_save_stack+0x20b/0x5eb [ 39.338416] [] kasan_kmalloc.part.1+0xc9/0xf0 [ 39.345196] [] kasan_kmalloc+0xaf/0xc0 [ 39.351354] [] kasan_slab_alloc+0x12/0x20 [ 39.357769] [] kmem_cache_alloc+0xdc/0x2c0 [ 39.364277] [] inet_getpeer+0x159d/0x1d70 [ 39.370697] [] icmp6_send+0x17b7/0x1b70 [ 39.376957] [] icmpv6_param_prob+0x29/0x40 [ 39.383471] [] ipv6_frag_rcv+0x3ba5/0x4f80 [ 39.389989] [] ip6_input_finish+0x57d/0x1510 [ 39.396674] [] ip6_input+0xf6/0x200 [ 39.402570] [] ip6_rcv_finish+0x14e/0x670 [ 39.408991] [] ipv6_defrag+0x33b/0x5c0 [ 39.415170] [] nf_iterate+0x182/0x210 [ 39.421243] [] nf_hook_slow+0x1b6/0x340 [ 39.427491] [] ipv6_rcv+0x1455/0x1d10 [ 39.433578] [] __netif_receive_skb_core+0x12c8/0x2820 [ 39.441206] [] __netif_receive_skb+0x5b/0x1c0 [ 39.447970] [] process_backlog+0x20a/0x670 [ 39.454481] [] net_rx_action+0x367/0xd50 [ 39.460808] [] __do_softirq+0x22c/0xa1a [ 39.467072] [] irq_exit+0x10d/0x140 [ 39.472972] [] do_IRQ+0x10d/0x1c0 [ 39.479024] [] ret_from_intr+0x0/0x20 [ 39.485461] [] netif_rx_internal+0x15b/0x700 [ 39.492580] [] netif_rx_ni+0xa5/0x3a0 [ 39.498833] [] tun_get_user+0xf3a/0x2690 [ 39.505591] [] tun_chr_write_iter+0xd5/0x190 [ 39.512939] [] do_iter_readv_writev+0x133/0x1d0 [ 39.520055] [] compat_do_readv_writev+0x337/0x6f0 [ 39.527386] [] compat_writev+0xe1/0x150 [ 39.533967] [] compat_SyS_writev+0xd8/0x1c0 [ 39.540663] [] do_fast_syscall_32+0x31e/0xa80 [ 39.547539] [] sysenter_flags_fixed+0xd/0x1a [ 39.554239] -> #0 (&(&q->lock)->rlock){+.-...}: [ 39.559558] [] __lock_acquire+0x3e6c/0x5f10 [ 39.566382] [] lock_acquire+0x15e/0x450 [ 39.572732] [] _raw_spin_lock+0x36/0x50 [ 39.578988] [] ip_defrag+0x31b/0x40c0 [ 39.585216] [] ip_check_defrag+0x3a7/0x710 [ 39.591848] [] packet_rcv_fanout+0x52a/0x5e0 [ 
39.598660] [] dev_hard_start_xmit+0x650/0x11c0 [ 39.605599] [] sch_direct_xmit+0x2b8/0x6c0 [ 39.612195] [] __dev_queue_xmit+0xf95/0x1c30 [ 39.619023] [] dev_queue_xmit+0x17/0x20 [ 39.625265] [] neigh_resolve_output+0x600/0x780 [ 39.633141] [] ip_finish_output2+0x8f0/0x1100 [ 39.640032] [] ip_do_fragment+0x1870/0x1f60 [ 39.646697] [] ip_fragment.constprop.5+0x145/0x200 [ 39.653895] [] ip_finish_output+0x396/0xc00 [ 39.660485] [] ip_mc_output+0x237/0x980 [ 39.666797] [] ip_local_out+0x9b/0x180 [ 39.673144] [] ip_send_skb+0x3c/0xc0 [ 39.679142] [] udp_send_skb+0x503/0xc70 [ 39.685441] [] udp_sendmsg+0x16c9/0x1c70 [ 39.692005] [] inet_sendmsg+0x203/0x4d0 [ 39.698250] [] sock_sendmsg+0xbb/0x110 [ 39.704597] [] SyS_sendto+0x220/0x370 [ 39.710670] [] do_fast_syscall_32+0x31e/0xa80 [ 39.717449] [] sysenter_flags_fixed+0xd/0x1a [ 39.724142] [ 39.724142] other info that might help us debug this: [ 39.724142] [ 39.732261] Possible unsafe locking scenario: [ 39.732261] [ 39.738304] CPU0 CPU1 [ 39.742958] ---- ---- [ 39.747621] lock(_xmit_NETROM); [ 39.751313] lock(&(&q->lock)->rlock); [ 39.758035] lock(_xmit_NETROM); [ 39.764222] lock(&(&q->lock)->rlock); [ 39.768424] [ 39.768424] *** DEADLOCK *** [ 39.768424] [ 39.774457] 4 locks held by syz-executor119/2085: [ 39.779271] #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1100 [ 39.789233] #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30 [ 39.799101] #2: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 39.808437] #3: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xa8/0x11c0 [ 39.818222] [ 39.818222] stack backtrace: [ 39.822708] CPU: 1 PID: 2085 Comm: syz-executor119 Not tainted 4.4.162+ #7 [ 39.829999] 0000000000000000 58a7002b0ad2e19a ffff8801d3f86d18 ffffffff81a994bd [ 39.838391] ffffffff83acb680 ffffffff83acbd40 ffffffff83acb680 ffff8801d5df38b8 [ 39.846730] ffff8801d5df2f80 ffff8801d3f86d60 ffffffff813a834a 0000000000000003 [ 39.854751] Call Trace: [ 39.857320] [] 
dump_stack+0xc1/0x124 [ 39.862667] [] print_circular_bug.cold.34+0x2f7/0x432 [ 39.869498] [] __lock_acquire+0x3e6c/0x5f10 [ 39.875562] [] ? trace_hardirqs_on+0x10/0x10 [ 39.881601] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 39.888525] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 39.895345] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 39.902076] [] ? mod_timer+0x433/0x8f0 [ 39.907597] [] lock_acquire+0x15e/0x450 [ 39.913207] [] ? ip_defrag+0x31b/0x40c0 [ 39.918810] [] ? inet_frag_find+0x27a/0x9a0 [ 39.924766] [] _raw_spin_lock+0x36/0x50 [ 39.930368] [] ? ip_defrag+0x31b/0x40c0 [ 39.935978] [] ip_defrag+0x31b/0x40c0 [ 39.941407] [] ? trace_hardirqs_on+0x10/0x10 [ 39.947444] [] ? ipv4_frags_init_net+0x3a0/0x3a0 [ 39.953833] [] ip_check_defrag+0x3a7/0x710 [ 39.959705] [] ? ip_defrag+0x40c0/0x40c0 [ 39.965540] [] packet_rcv_fanout+0x52a/0x5e0 [ 39.971689] [] ? fanout_demux_rollover+0x4e0/0x4e0 [ 39.978247] [] dev_hard_start_xmit+0x650/0x11c0 [ 39.984561] [] ? dev_hard_start_xmit+0xa8/0x11c0 [ 39.990945] [] sch_direct_xmit+0x2b8/0x6c0 [ 39.996806] [] ? dev_deactivate_queue.constprop.6+0x160/0x160 [ 40.004343] [] __dev_queue_xmit+0xf95/0x1c30 [ 40.010379] [] ? __dev_queue_xmit+0x1d7/0x1c30 [ 40.016590] [] ? trace_hardirqs_on+0x10/0x10 [ 40.022645] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 40.028598] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 40.035865] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 40.043176] [] ? memcpy+0x45/0x50 [ 40.048270] [] dev_queue_xmit+0x17/0x20 [ 40.054692] [] neigh_resolve_output+0x600/0x780 [ 40.061398] [] ? ip_finish_output2+0x8f0/0x1100 [ 40.067888] [] ip_finish_output2+0x8f0/0x1100 [ 40.074013] [] ? ip_finish_output2+0x20b/0x1100 [ 40.080538] [] ? nf_ct_deliver_cached_events+0x335/0x560 [ 40.087846] [] ? nf_ct_deliver_cached_events+0x83/0x560 [ 40.095248] [] ? nf_conntrack_seqadj_fini+0x20/0x20 [ 40.102077] [] ? ip_send_check+0xb0/0xb0 [ 40.107867] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 40.114702] [] ? 
ip_options_fragment+0x1ac/0x280 [ 40.121423] [] ip_do_fragment+0x1870/0x1f60 [ 40.127803] [] ? ip_send_check+0xb0/0xb0 [ 40.133524] [] ip_fragment.constprop.5+0x145/0x200 [ 40.140105] [] ip_finish_output+0x396/0xc00 [ 40.146062] [] ip_mc_output+0x237/0x980 [ 40.151680] [] ? ip_queue_xmit+0x1a80/0x1a80 [ 40.157716] [] ? ip_make_skb+0x116/0x210 [ 40.163404] [] ? ip_fragment.constprop.5+0x200/0x200 [ 40.170136] [] ? ip_flush_pending_frames+0x30/0x30 [ 40.176693] [] ip_local_out+0x9b/0x180 [ 40.182212] [] ip_send_skb+0x3c/0xc0 [ 40.187554] [] udp_send_skb+0x503/0xc70 [ 40.193156] [] udp_sendmsg+0x16c9/0x1c70 [ 40.198853] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 40.204983] [] ? udp_lib_unhash+0x630/0x630 [ 40.210935] [] ? trace_hardirqs_on+0x10/0x10 [ 40.217144] [] ? sock_has_perm+0x1c1/0x3f0 [ 40.223019] [] ? sock_has_perm+0x2a1/0x3f0 [ 40.228880] [] ? sock_has_perm+0x9f/0x3f0 [ 40.234678] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 40.241416] [] ? check_preemption_disabled+0x3b/0x170 [ 40.248233] [] ? inet_sendmsg+0x143/0x4d0 [ 40.254013] [] inet_sendmsg+0x203/0x4d0 [ 40.259615] [] ? inet_sendmsg+0x73/0x4d0 [ 40.265305] [] ? inet_recvmsg+0x4c0/0x4c0 [ 40.271097] [] sock_sendmsg+0xbb/0x110 [ 40.276616] [] SyS_sendto+0x220/0x370 [ 40.282059] [] ? SyS_getpeername+0x2d0/0x2d0 [ 40.288115] [] ? _raw_spin_unlock+0x2c/0x50 [ 40.294070] [] ? handle_mm_fault+0x49a/0x2f30 [ 40.300190] [] ? SyS_accept+0x30/0x30 [ 40.305626] [] ? get_unused_fd_flags+0xd0/0xd0 [ 40.311841] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 40.318571] [] ? __do_page_fault+0x2b6/0x7e0 [ 40.324627] [] ? do_fast_syscall_32+0xdb/0xa80 [ 40.330843] [] ? SyS_getpeername+0x2d0/0x2d0 [ 40.336880] [] do_fast_syscall_32+0x31e/0xa80 [ 40.343019] [] sysenter_flags_fixed+0xd/0x1a