[....] Starting enhanced syslogd: rsyslogd[ 12.228810] audit: type=1400 audit(1538949676.342:4): avc: denied { syslog } for pid=1905 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts. net.ipv6.conf.syz_tun.accept_dad = 0 net.ipv6.conf.syz_tun.router_solicitations = 0 executing program syzkaller login: [ 29.835900] [ 29.837546] ====================================================== [ 29.843834] [ INFO: possible circular locking dependency detected ] [ 29.850210] 4.4.159+ #108 Not tainted [ 29.853978] ------------------------------------------------------- [ 29.860352] syz-executor219/2058 is trying to acquire lock: [ 29.866031] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x31b/0x40c0 [ 29.874917] [ 29.874917] but task is already holding lock: [ 29.880857] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 29.889628] [ 29.889628] which lock already depends on the new lock. [ 29.889628] [ 29.897915] [ 29.897915] the existing dependency chain (in reverse order) is: [ 29.905504] -> #1 (_xmit_NETROM){+.-...}: [ 29.910282] [] lock_acquire+0x15e/0x450 [ 29.916523] [] _raw_spin_lock_irqsave+0x4e/0x70 [ 29.923457] [] depot_save_stack+0x20b/0x5eb [ 29.930050] [] kasan_kmalloc.part.1+0xc9/0xf0 [ 29.936811] [] kasan_kmalloc+0xaf/0xc0 [ 29.942962] [] kasan_slab_alloc+0x12/0x20 [ 29.949372] [] kmem_cache_alloc+0xdc/0x2c0 [ 29.955872] [] inet_getpeer+0x159d/0x1d70 [ 29.962282] [] icmp6_send+0x17b7/0x1b70 [ 29.968522] [] icmpv6_param_prob+0x29/0x40 [ 29.975018] [] ipv6_frag_rcv+0x3de6/0x4f80 [ 29.981516] [] ip6_input_finish+0x57d/0x1510 [ 29.988267] [] ip6_input+0xf6/0x200 [ 29.994242] [] ip6_rcv_finish+0x14e/0x670 [ 30.000661] [] ipv6_rcv+0x10b2/0x1d10 [ 30.006727] [] __netif_receive_skb_core+0x12c8/0x2820 [ 30.014188] [] __netif_receive_skb+0x5b/0x1c0 [ 30.020950] [] process_backlog+0x20a/0x670 [ 30.027453] [] net_rx_action+0x367/0xd50 [ 30.033792] [] __do_softirq+0x22c/0xa1a [ 30.040036] [] do_softirq_own_stack+0x1c/0x30 [ 30.046799] [] do_softirq.part.2+0x54/0x60 [ 30.053408] [] do_softirq+0x19/0x20 [ 30.059306] [] netif_rx_ni+0xec/0x3a0 [ 30.065372] [] tun_get_user+0xf3a/0x2690 [ 30.071697] [] tun_chr_write_iter+0xd5/0x190 [ 30.078374] [] do_iter_readv_writev+0x133/0x1d0 [ 30.085485] [] do_readv_writev+0x335/0x6f0 [ 30.092276] [] vfs_writev+0x7b/0xb0 [ 30.098284] [] SyS_writev+0xd9/0x250 [ 30.104266] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 30.111472] -> #0 (&(&q->lock)->rlock){+.-...}: [ 30.117021] [] __lock_acquire+0x3e6c/0x5f10 [ 30.123614] [] lock_acquire+0x15e/0x450 [ 30.129856] [] _raw_spin_lock+0x36/0x50 [ 30.136103] [] ip_defrag+0x31b/0x40c0 [ 30.142173] [] ip_check_defrag+0x3a7/0x710 [ 30.148669] [] packet_rcv_fanout+0x52a/0x5e0 [ 30.155339] [] dev_hard_start_xmit+0x650/0x11c0 [ 30.162273] [] sch_direct_xmit+0x2b8/0x6c0 [ 30.168767] [] __dev_queue_xmit+0xf95/0x1c30 [ 30.175444] [] dev_queue_xmit+0x17/0x20 [ 30.181683] [] neigh_resolve_output+0x600/0x780 [ 30.188615] [] ip_finish_output2+0x8f0/0x1100 [ 30.195374] [] ip_do_fragment+0x1870/0x1f60 [ 30.201960] [] ip_fragment.constprop.5+0x145/0x200 [ 30.209157] [] ip_finish_output+0x396/0xc00 [ 30.215743] [] ip_mc_output+0x237/0x980 [ 30.221981] [] ip_local_out+0x9b/0x180 [ 30.228136] [] ip_send_skb+0x3c/0xc0 [ 30.234230] [] udp_send_skb+0x503/0xc70 [ 30.240527] [] udp_sendmsg+0x16c9/0x1c70 [ 30.246939] [] inet_sendmsg+0x203/0x4d0 [ 30.253219] [] sock_sendmsg+0xbb/0x110 [ 30.259377] [] SyS_sendto+0x220/0x370 [ 30.265450] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 30.272726] [ 30.272726] other info that might help us debug this: [ 30.272726] [ 30.280984] Possible unsafe locking scenario: [ 30.280984] [ 30.287018] CPU0 CPU1 [ 30.291665] ---- ---- [ 30.296315] lock(_xmit_NETROM); [ 30.299999] lock(&(&q->lock)->rlock); [ 30.306710] lock(_xmit_NETROM); [ 30.312895] lock(&(&q->lock)->rlock); [ 30.317088] [ 30.317088] *** DEADLOCK *** [ 30.317088] [ 30.323126] 4 locks held by syz-executor219/2058: [ 30.327938] #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1100 [ 30.337977] #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c30 [ 30.347882] #2: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x233/0x6c0 [ 30.357217] #3: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xa8/0x11c0 [ 30.367230] [ 30.367230] stack backtrace: [ 30.371712] CPU: 0 PID: 2058 Comm: syz-executor219 Not tainted 4.4.159+ #108 [ 30.378878] 0000000000000000 b0673b4782c8c101 ffff8800b6b46d88 ffffffff81a994bd [ 30.386874] ffffffff83accc70 ffffffff83acc5b0 ffffffff83accc70 ffff8800b820e838 [ 30.394868] ffff8800b820df00 ffff8800b6b46dd0 ffffffff813a84ea 0000000000000003 [ 30.402882] Call Trace: [ 30.405524] [] dump_stack+0xc1/0x124 [ 30.410878] [] print_circular_bug.cold.34+0x2f7/0x432 [ 30.417698] [] __lock_acquire+0x3e6c/0x5f10 [ 30.423646] [] ? trace_hardirqs_on+0x10/0x10 [ 30.429687] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 30.436587] [] ? trace_hardirqs_on_caller+0x266/0x590 [ 30.443402] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 30.450126] [] ? mod_timer+0x433/0x8f0 [ 30.455634] [] lock_acquire+0x15e/0x450 [ 30.461232] [] ? ip_defrag+0x31b/0x40c0 [ 30.466828] [] ? inet_frag_find+0x27a/0x9a0 [ 30.472773] [] _raw_spin_lock+0x36/0x50 [ 30.478384] [] ? ip_defrag+0x31b/0x40c0 [ 30.484001] [] ip_defrag+0x31b/0x40c0 [ 30.489430] [] ? trace_hardirqs_on+0x10/0x10 [ 30.495475] [] ? ipv4_frags_init_net+0x3a0/0x3a0 [ 30.501856] [] ip_check_defrag+0x3a7/0x710 [ 30.507714] [] ? ip_defrag+0x40c0/0x40c0 [ 30.513404] [] packet_rcv_fanout+0x52a/0x5e0 [ 30.519467] [] ? fanout_demux_rollover+0x4e0/0x4e0 [ 30.526031] [] dev_hard_start_xmit+0x650/0x11c0 [ 30.532400] [] ? dev_hard_start_xmit+0xa8/0x11c0 [ 30.538796] [] sch_direct_xmit+0x2b8/0x6c0 [ 30.544653] [] ? dev_deactivate_queue.constprop.6+0x160/0x160 [ 30.552166] [] __dev_queue_xmit+0xf95/0x1c30 [ 30.558200] [] ? __dev_queue_xmit+0x1d7/0x1c30 [ 30.564572] [] ? trace_hardirqs_on+0x10/0x10 [ 30.570618] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 30.576574] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 30.583303] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 30.590031] [] ? memcpy+0x45/0x50 [ 30.595104] [] dev_queue_xmit+0x17/0x20 [ 30.600701] [] neigh_resolve_output+0x600/0x780 [ 30.606996] [] ? ip_finish_output2+0x8f0/0x1100 [ 30.613285] [] ip_finish_output2+0x8f0/0x1100 [ 30.619400] [] ? ip_finish_output2+0x20b/0x1100 [ 30.625692] [] ? nf_ct_deliver_cached_events+0x335/0x560 [ 30.632761] [] ? nf_ct_deliver_cached_events+0x83/0x560 [ 30.639746] [] ? nf_conntrack_seqadj_fini+0x20/0x20 [ 30.646554] [] ? ip_send_check+0xb0/0xb0 [ 30.652265] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 30.658998] [] ip_do_fragment+0x1870/0x1f60 [ 30.664945] [] ? ip_send_check+0xb0/0xb0 [ 30.670691] [] ip_fragment.constprop.5+0x145/0x200 [ 30.677283] [] ip_finish_output+0x396/0xc00 [ 30.683339] [] ip_mc_output+0x237/0x980 [ 30.689128] [] ? ip_queue_xmit+0x1a80/0x1a80 [ 30.695182] [] ? ip_make_skb+0x116/0x210 [ 30.700874] [] ? ip_fragment.constprop.5+0x200/0x200 [ 30.707636] [] ? ip_flush_pending_frames+0x30/0x30 [ 30.714200] [] ip_local_out+0x9b/0x180 [ 30.719732] [] ip_send_skb+0x3c/0xc0 [ 30.725073] [] udp_send_skb+0x503/0xc70 [ 30.730766] [] udp_sendmsg+0x16c9/0x1c70 [ 30.737279] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 30.743409] [] ? udp_lib_unhash+0x630/0x630 [ 30.749382] [] ? trace_hardirqs_on+0x10/0x10 [ 30.755534] [] ? sock_has_perm+0x1c1/0x3f0 [ 30.761399] [] ? sock_has_perm+0x2a1/0x3f0 [ 30.767260] [] ? sock_has_perm+0x9f/0x3f0 [ 30.773037] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 30.779765] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 30.786491] [] ? check_preemption_disabled+0x3b/0x170 [ 30.793305] [] ? inet_sendmsg+0x143/0x4d0 [ 30.799149] [] inet_sendmsg+0x203/0x4d0 [ 30.804766] [] ? inet_sendmsg+0x73/0x4d0 [ 30.810490] [] ? inet_recvmsg+0x4c0/0x4c0 [ 30.816277] [] sock_sendmsg+0xbb/0x110 [ 30.821793] [] SyS_sendto+0x220/0x370 [ 30.827227] [] ? SyS_getpeername+0x2d0/0x2d0 [ 30.833265] [] ? _raw_spin_unlock+0x2c/0x50 [ 30.839216] [] ? handle_mm_fault+0x49a/0x2f30 [ 30.845335] [] ? inet_dgram_connect+0x11e/0x200 [ 30.851640] [] ? retint_user+0x18/0x3c [ 30.857164] [] ? trace_hardirqs_on_caller+0x38b/0x590 [ 30.863990] [] ? trace_hardirqs_on_thunk+0x17/0x19 [ 30.870550] [] entry_SYSCALL_64_fastpath+0x1e/0x9a