INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.193' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 26.997572] [ 26.999333] ====================================================== [ 27.005625] [ INFO: possible circular locking dependency detected ] [ 27.012109] 4.4.153+ #91 Not tainted [ 27.015795] ------------------------------------------------------- [ 27.022174] syz-executor142/2257 is trying to acquire lock: [ 27.027858] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x31b/0x40c0 [ 27.036740] [ 27.036740] but task is already holding lock: [ 27.042751] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 27.051559] [ 27.051559] which lock already depends on the new lock. 
[ 27.051559] [ 27.059918] [ 27.059918] the existing dependency chain (in reverse order) is: [ 27.067517] -> #1 (_xmit_NETROM){+.-...}: [ 27.072356] [] lock_acquire+0x15e/0x450 [ 27.078603] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 27.085544] [] depot_save_stack+0x20b/0x5eb [ 27.092245] [] kasan_kmalloc.part.1+0xc9/0xf0 [ 27.099014] [] kasan_kmalloc+0xaf/0xc0 [ 27.105170] [] kasan_slab_alloc+0x12/0x20 [ 27.111581] [] kmem_cache_alloc+0xba/0x2a0 [ 27.118107] [] inet_getpeer+0x159d/0x1d70 [ 27.124650] [] icmp6_send+0x17b7/0x1b70 [ 27.130907] [] icmpv6_param_prob+0x29/0x40 [ 27.137409] [] ipv6_frag_rcv+0x3de6/0x4f80 [ 27.144038] [] ip6_input_finish+0x57d/0x1510 [ 27.150714] [] ip6_input+0xf6/0x200 [ 27.156617] [] ip6_rcv_finish+0x14e/0x670 [ 27.163032] [] ipv6_rcv+0x10b2/0x1d10 [ 27.169099] [] __netif_receive_skb_core+0x12c8/0x2820 [ 27.176558] [] __netif_receive_skb+0x5b/0x1c0 [ 27.183323] [] process_backlog+0x20a/0x670 [ 27.189827] [] net_rx_action+0x2ec/0xc50 [ 27.196163] [] __do_softirq+0x22c/0xa1a [ 27.202423] [] do_softirq_own_stack+0x1c/0x30 [ 27.209200] [] do_softirq.part.2+0x54/0x60 [ 27.215698] [] do_softirq+0x19/0x20 [ 27.221595] [] netif_rx_ni+0xec/0x3a0 [ 27.227696] [] tun_get_user+0xf3a/0x2690 [ 27.234020] [] tun_chr_write_iter+0xd5/0x190 [ 27.240697] [] do_iter_readv_writev+0x133/0x1d0 [ 27.247653] [] do_readv_writev+0x335/0x6f0 [ 27.254150] [] vfs_writev+0x7b/0xb0 [ 27.260130] [] SyS_writev+0xd9/0x250 [ 27.266120] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 27.273428] -> #0 (&(&q->lock)->rlock){+.-...}: [ 27.278747] [] __lock_acquire+0x3b6e/0x5ba0 [ 27.285332] [] lock_acquire+0x15e/0x450 [ 27.291574] [] _raw_spin_lock+0x36/0x50 [ 27.297810] [] ip_defrag+0x31b/0x40c0 [ 27.303954] [] ip_check_defrag+0x3a7/0x710 [ 27.310458] [] packet_rcv_fanout+0x52a/0x5e0 [ 27.317130] [] dev_hard_start_xmit+0x650/0x11c0 [ 27.324062] [] sch_direct_xmit+0x2b8/0x6c0 [ 27.330626] [] __dev_queue_xmit+0xf95/0x1c30 [ 27.337309] [] dev_queue_xmit+0x17/0x20 [ 27.343581] [] 
neigh_resolve_output+0x600/0x780 [ 27.350530] [] ip_finish_output2+0x8f0/0x1100 [ 27.357478] [] ip_do_fragment+0x1870/0x1f60 [ 27.364074] [] ip_fragment.constprop.5+0x145/0x200 [ 27.371292] [] ip_finish_output+0x396/0xc00 [ 27.377884] [] ip_mc_output+0x237/0x980 [ 27.384214] [] ip_local_out+0x9b/0x180 [ 27.390372] [] ip_send_skb+0x3c/0xc0 [ 27.396349] [] udp_send_skb+0x503/0xc70 [ 27.402591] [] udp_sendmsg+0x16c9/0x1c70 [ 27.408985] [] inet_sendmsg+0x203/0x4d0 [ 27.415229] [] sock_sendmsg+0xbb/0x110 [ 27.421560] [] SyS_sendto+0x220/0x370 [ 27.427642] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 27.434847] [ 27.434847] other info that might help us debug this: [ 27.434847] [ 27.442965] Possible unsafe locking scenario: [ 27.442965] [ 27.448992] CPU0 CPU1 [ 27.453625] ---- ---- [ 27.458259] lock(_xmit_NETROM); [ 27.461916] lock(&(&q->lock)->rlock); [ 27.468610] lock(_xmit_NETROM); [ 27.474784] lock(&(&q->lock)->rlock); [ 27.478957] [ 27.478957] *** DEADLOCK *** [ 27.478957] [ 27.484986] 4 locks held by syz-executor142/2257: [ 27.489803] #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1100 [ 27.499806] #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30 [ 27.509639] #2: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 27.518987] #3: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xa8/0x11c0 [ 27.528728] [ 27.528728] stack backtrace: [ 27.533271] CPU: 0 PID: 2257 Comm: syz-executor142 Not tainted 4.4.153+ #91 [ 27.540414] 0000000000000000 33381196c29a3fda ffff8800aef7ed88 ffffffff81a4510d [ 27.548415] ffffffff83ac5550 ffffffff83ac5c10 ffffffff83ac5550 ffff8800af04e838 [ 27.556416] ffff8800af04df00 ffff8800aef7edd0 ffffffff81391172 0000000000000003 [ 27.564397] Call Trace: [ 27.566967] [] dump_stack+0xc1/0x124 [ 27.572303] [] print_circular_bug.cold.34+0x2f7/0x432 [ 27.579116] [] __lock_acquire+0x3b6e/0x5ba0 [ 27.585058] [] ? trace_hardirqs_on+0x10/0x10 [ 27.591088] [] ? 
_raw_spin_unlock_irqrestore+0x5a/0x70 [ 27.597985] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 27.604795] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.611518] [] ? mod_timer+0x433/0x8f0 [ 27.617028] [] lock_acquire+0x15e/0x450 [ 27.622624] [] ? ip_defrag+0x31b/0x40c0 [ 27.628220] [] ? inet_frag_find+0x27a/0x9a0 [ 27.634164] [] _raw_spin_lock+0x36/0x50 [ 27.639760] [] ? ip_defrag+0x31b/0x40c0 [ 27.645357] [] ip_defrag+0x31b/0x40c0 [ 27.650781] [] ? trace_hardirqs_on+0x10/0x10 [ 27.656814] [] ? ipv4_frags_init_net+0x3a0/0x3a0 [ 27.663193] [] ip_check_defrag+0x3a7/0x710 [ 27.669112] [] ? ip_defrag+0x40c0/0x40c0 [ 27.674823] [] packet_rcv_fanout+0x52a/0x5e0 [ 27.680852] [] ? fanout_demux_rollover+0x4e0/0x4e0 [ 27.687418] [] dev_hard_start_xmit+0x650/0x11c0 [ 27.693714] [] ? dev_hard_start_xmit+0xa8/0x11c0 [ 27.700091] [] sch_direct_xmit+0x2b8/0x6c0 [ 27.705952] [] ? dev_deactivate_queue.constprop.6+0x160/0x160 [ 27.713458] [] __dev_queue_xmit+0xf95/0x1c30 [ 27.719486] [] ? __dev_queue_xmit+0x1d7/0x1c30 [ 27.725691] [] ? trace_hardirqs_on+0x10/0x10 [ 27.731766] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 27.737719] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.744473] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.751203] [] ? memcpy+0x45/0x50 [ 27.756301] [] dev_queue_xmit+0x17/0x20 [ 27.761899] [] neigh_resolve_output+0x600/0x780 [ 27.768188] [] ? ip_finish_output2+0x8f0/0x1100 [ 27.774477] [] ip_finish_output2+0x8f0/0x1100 [ 27.780593] [] ? ip_finish_output2+0x20b/0x1100 [ 27.786890] [] ? nf_ct_deliver_cached_events+0x335/0x560 [ 27.793967] [] ? nf_ct_deliver_cached_events+0x83/0x560 [ 27.800956] [] ? nf_conntrack_seqadj_fini+0x20/0x20 [ 27.807593] [] ? ip_send_check+0xb0/0xb0 [ 27.813277] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.820001] [] ip_do_fragment+0x1870/0x1f60 [ 27.825944] [] ? ip_send_check+0xb0/0xb0 [ 27.831678] [] ip_fragment.constprop.5+0x145/0x200 [ 27.838237] [] ip_finish_output+0x396/0xc00 [ 27.844243] [] ip_mc_output+0x237/0x980 [ 27.849855] [] ? 
ip_queue_xmit+0x1a80/0x1a80 [ 27.855895] [] ? ip_make_skb+0x116/0x210 [ 27.861843] [] ? ip_fragment.constprop.5+0x200/0x200 [ 27.868570] [] ? ip_flush_pending_frames+0x30/0x30 [ 27.875126] [] ip_local_out+0x9b/0x180 [ 27.880638] [] ip_send_skb+0x3c/0xc0 [ 27.885982] [] udp_send_skb+0x503/0xc70 [ 27.891582] [] udp_sendmsg+0x16c9/0x1c70 [ 27.897266] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 27.903383] [] ? udp_lib_unhash+0x630/0x630 [ 27.909332] [] ? trace_hardirqs_on+0x10/0x10 [ 27.915367] [] ? sock_has_perm+0x1c1/0x3f0 [ 27.921225] [] ? sock_has_perm+0x2a1/0x3f0 [ 27.927080] [] ? sock_has_perm+0x9f/0x3f0 [ 27.932853] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.939581] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 27.946308] [] ? check_preemption_disabled+0x3b/0x170 [ 27.953122] [] ? inet_sendmsg+0x143/0x4d0 [ 27.958897] [] inet_sendmsg+0x203/0x4d0 [ 27.964496] [] ? inet_sendmsg+0x73/0x4d0 [ 27.970397] [] ? inet_recvmsg+0x4c0/0x4c0 [ 27.976170] [] sock_sendmsg+0xbb/0x110 [ 27.981681] [] SyS_sendto+0x220/0x370 [ 27.987156] [] ? SyS_getpeername+0x2d0/0x2d0 [ 27.993355] [] ? _raw_spin_unlock+0x2c/0x50 [ 27.999359] [] ? handle_mm_fault+0x49a/0x2f30 [ 28.005490] [] ? inet_dgram_connect+0x11e/0x200 [ 28.011788] [] ? retint_user+0x18/0x3c [ 28.017304] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 28.024123] [] ? trace_hardirqs_on_thunk+0x17/0x19 [ 28.030678] [] entry_SYSCALL_64_fastpath+0x1e/0x9a