INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.47' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 36.871850] [ 36.873503] ====================================================== [ 36.879789] [ INFO: possible circular locking dependency detected ] [ 36.886162] 4.4.153+ #27 Not tainted [ 36.889842] ------------------------------------------------------- [ 36.896217] syz-executor814/2263 is trying to acquire lock: [ 36.901898] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x31b/0x40c0 [ 36.910770] [ 36.910770] but task is already holding lock: [ 36.916720] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 36.925499] [ 36.925499] which lock already depends on the new lock. [ 36.925499] [ 36.933818] [ 36.933818] the existing dependency chain (in reverse order) is: [ 36.941543] -> #1 (_xmit_NETROM){+.-...}: [ 36.946314] [] lock_acquire+0x15e/0x450 [ 36.952567] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 36.959502] [] depot_save_stack+0x20b/0x5eb [ 36.966094] [] kasan_kmalloc.part.1+0xc9/0xf0 [ 36.972849] [] kasan_kmalloc+0xaf/0xc0 [ 36.979016] [] kasan_slab_alloc+0x12/0x20 [ 36.985452] [] kmem_cache_alloc+0xba/0x2a0 [ 36.991962] [] inet_getpeer+0x159d/0x1d70 [ 36.998372] [] icmp6_send+0x17b7/0x1b70 [ 37.004633] [] icmpv6_param_prob+0x29/0x40 [ 37.011162] [] ipv6_frag_rcv+0x3de6/0x4f80 [ 37.017667] [] ip6_input_finish+0x57d/0x1510 [ 37.024338] [] ip6_input+0xf6/0x200 [ 37.030235] [] ip6_rcv_finish+0x14e/0x670 [ 37.036642] [] ipv6_rcv+0x10b2/0x1d10 [ 37.042733] [] __netif_receive_skb_core+0x12c8/0x2820 [ 37.050198] [] __netif_receive_skb+0x5b/0x1c0 [ 37.056957] [] process_backlog+0x20a/0x670 [ 37.063453] [] net_rx_action+0x2ec/0xc50 [ 37.069790] [] __do_softirq+0x22c/0xa1a [ 37.076027] [] do_softirq_own_stack+0x1c/0x30 [ 37.082819] [] do_softirq.part.2+0x54/0x60 [ 37.089321] [] do_softirq+0x19/0x20 [ 37.095208] [] netif_rx_ni+0xec/0x3a0 [ 37.101266] [] tun_get_user+0xf3a/0x2690 [ 37.107591] [] tun_chr_write_iter+0xd5/0x190 [ 37.114258] [] do_iter_readv_writev+0x133/0x1d0 [ 37.121204] [] compat_do_readv_writev+0x337/0x6f0 [ 37.128340] [] compat_writev+0xe1/0x150 [ 37.134577] [] compat_SyS_writev+0xd8/0x1c0 [ 37.141181] [] do_fast_syscall_32+0x31e/0x8b0 [ 37.147961] [] sysenter_flags_fixed+0xd/0x1a [ 37.154636] -> #0 (&(&q->lock)->rlock){+.-...}: [ 37.159923] [] __lock_acquire+0x3b6e/0x5ba0 [ 37.166508] [] lock_acquire+0x15e/0x450 [ 37.172760] [] _raw_spin_lock+0x36/0x50 [ 37.178995] [] ip_defrag+0x31b/0x40c0 [ 37.185055] [] ip_check_defrag+0x3a7/0x710 [ 37.191548] [] packet_rcv_fanout+0x52a/0x5e0 [ 37.198216] [] dev_hard_start_xmit+0x650/0x11c0 [ 37.205158] [] sch_direct_xmit+0x2b8/0x6c0 [ 37.211656] [] __dev_queue_xmit+0xf95/0x1c30 [ 37.218343] [] dev_queue_xmit+0x17/0x20 [ 37.224587] [] neigh_resolve_output+0x600/0x780 [ 37.231556] [] ip_finish_output2+0x8f0/0x1100 [ 37.238313] [] ip_do_fragment+0x1870/0x1f60 [ 37.244895] [] ip_fragment.constprop.5+0x145/0x200 [ 37.252089] [] ip_finish_output+0x396/0xc00 [ 37.258676] [] ip_mc_output+0x237/0x980 [ 37.264940] [] ip_local_out+0x9b/0x180 [ 37.271098] [] ip_send_skb+0x3c/0xc0 [ 37.277099] [] udp_send_skb+0x503/0xc70 [ 37.283338] [] udp_sendmsg+0x16c9/0x1c70 [ 37.289657] [] inet_sendmsg+0x203/0x4d0 [ 37.295894] [] sock_sendmsg+0xbb/0x110 [ 37.302041] [] SyS_sendto+0x220/0x370 [ 37.308101] [] do_fast_syscall_32+0x31e/0x8b0 [ 37.314881] [] sysenter_flags_fixed+0xd/0x1a [ 37.321558] [ 37.321558] other info that might help us debug this: [ 37.321558] [ 37.329861] Possible unsafe locking scenario: [ 37.329861] [ 37.335891] CPU0 CPU1 [ 37.340543] ---- ---- [ 37.345180] lock(_xmit_NETROM); [ 37.348865] lock(&(&q->lock)->rlock); [ 37.355594] lock(_xmit_NETROM); [ 37.361764] lock(&(&q->lock)->rlock); [ 37.365984] [ 37.365984] *** DEADLOCK *** [ 37.365984] [ 37.372016] 4 locks held by syz-executor814/2263: [ 37.376828] #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1100 [ 37.386754] #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30 [ 37.396650] #2: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 37.405989] #3: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xa8/0x11c0 [ 37.415761] [ 37.415761] stack backtrace: [ 37.420232] CPU: 1 PID: 2263 Comm: syz-executor814 Not tainted 4.4.153+ #27 [ 37.427303] 0000000000000000 e3b96697ee6d0a75 ffff8800b97e6d18 ffffffff81a4510d [ 37.435308] ffffffff83ac5c10 ffffffff83ac62d0 ffffffff83ac5c10 ffff8801cbb98938 [ 37.443295] ffff8801cbb98000 ffff8800b97e6d60 ffffffff81391172 0000000000000003 [ 37.451292] Call Trace: [ 37.453855] [] dump_stack+0xc1/0x124 [ 37.459193] [] print_circular_bug.cold.34+0x2f7/0x432 [ 37.466028] [] __lock_acquire+0x3b6e/0x5ba0 [ 37.471975] [] ? trace_hardirqs_on+0x10/0x10 [ 37.478009] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 37.484910] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 37.491736] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.498465] [] ? mod_timer+0x433/0x8f0 [ 37.503989] [] lock_acquire+0x15e/0x450 [ 37.509588] [] ? ip_defrag+0x31b/0x40c0 [ 37.515198] [] ? inet_frag_find+0x27a/0x9a0 [ 37.521159] [] _raw_spin_lock+0x36/0x50 [ 37.526768] [] ? ip_defrag+0x31b/0x40c0 [ 37.532368] [] ip_defrag+0x31b/0x40c0 [ 37.537818] [] ? trace_hardirqs_on+0x10/0x10 [ 37.543978] [] ? ipv4_frags_init_net+0x3a0/0x3a0 [ 37.550357] [] ip_check_defrag+0x3a7/0x710 [ 37.556225] [] ? ip_defrag+0x40c0/0x40c0 [ 37.561924] [] packet_rcv_fanout+0x52a/0x5e0 [ 37.567955] [] ? fanout_demux_rollover+0x4e0/0x4e0 [ 37.574507] [] dev_hard_start_xmit+0x650/0x11c0 [ 37.580798] [] ? dev_hard_start_xmit+0xa8/0x11c0 [ 37.587177] [] sch_direct_xmit+0x2b8/0x6c0 [ 37.593074] [] ? dev_deactivate_queue.constprop.6+0x160/0x160 [ 37.600580] [] __dev_queue_xmit+0xf95/0x1c30 [ 37.606613] [] ? __dev_queue_xmit+0x1d7/0x1c30 [ 37.612816] [] ? trace_hardirqs_on+0x10/0x10 [ 37.618847] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 37.624791] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.631514] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.638268] [] ? memcpy+0x45/0x50 [ 37.643342] [] dev_queue_xmit+0x17/0x20 [ 37.648937] [] neigh_resolve_output+0x600/0x780 [ 37.655248] [] ? ip_finish_output2+0x8f0/0x1100 [ 37.661539] [] ip_finish_output2+0x8f0/0x1100 [ 37.667655] [] ? ip_finish_output2+0x20b/0x1100 [ 37.673950] [] ? nf_ct_deliver_cached_events+0x335/0x560 [ 37.681023] [] ? nf_ct_deliver_cached_events+0x83/0x560 [ 37.688009] [] ? nf_conntrack_seqadj_fini+0x20/0x20 [ 37.694649] [] ? ip_send_check+0xb0/0xb0 [ 37.700336] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.707063] [] ? ip_options_fragment+0x1ac/0x280 [ 37.713447] [] ip_do_fragment+0x1870/0x1f60 [ 37.719393] [] ? ip_send_check+0xb0/0xb0 [ 37.725080] [] ip_fragment.constprop.5+0x145/0x200 [ 37.731630] [] ip_finish_output+0x396/0xc00 [ 37.737572] [] ip_mc_output+0x237/0x980 [ 37.743171] [] ? ip_queue_xmit+0x1a80/0x1a80 [ 37.749225] [] ? ip_make_skb+0x116/0x210 [ 37.754911] [] ? ip_fragment.constprop.5+0x200/0x200 [ 37.761635] [] ? ip_flush_pending_frames+0x30/0x30 [ 37.768214] [] ip_local_out+0x9b/0x180 [ 37.773723] [] ip_send_skb+0x3c/0xc0 [ 37.779069] [] udp_send_skb+0x503/0xc70 [ 37.784687] [] udp_sendmsg+0x16c9/0x1c70 [ 37.790373] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 37.796499] [] ? udp_lib_unhash+0x630/0x630 [ 37.802449] [] ? trace_hardirqs_on+0x10/0x10 [ 37.808480] [] ? sock_has_perm+0x1c1/0x3f0 [ 37.814336] [] ? sock_has_perm+0x2a1/0x3f0 [ 37.820191] [] ? sock_has_perm+0x9f/0x3f0 [ 37.825970] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.832784] [] ? check_preemption_disabled+0x3b/0x170 [ 37.839613] [] ? inet_sendmsg+0x143/0x4d0 [ 37.845411] [] inet_sendmsg+0x203/0x4d0 [ 37.851012] [] ? inet_sendmsg+0x73/0x4d0 [ 37.856697] [] ? inet_recvmsg+0x4c0/0x4c0 [ 37.862471] [] sock_sendmsg+0xbb/0x110 [ 37.867983] [] SyS_sendto+0x220/0x370 [ 37.873403] [] ? SyS_getpeername+0x2d0/0x2d0 [ 37.879439] [] ? _raw_spin_unlock+0x2c/0x50 [ 37.885397] [] ? handle_mm_fault+0x49a/0x2f30 [ 37.891512] [] ? SyS_accept+0x30/0x30 [ 37.896934] [] ? get_unused_fd_flags+0xd0/0xd0 [ 37.903139] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 37.909866] [] ? __do_page_fault+0x2b6/0x7e0 [ 37.915899] [] ? do_fast_syscall_32+0xdb/0x8b0 [ 37.922189] [] ? SyS_getpeername+0x2d0/0x2d0 [ 37.928226] [] do_fast_syscall_32+0x31e/0x8b0 [ 37.934548] [] sysenter_flags_fixed+0xd/0x1a