overlayfs: unrecognized mount option "\ystem_u:object_r:auditd_initrc_exec_t:s0 unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 00000000000000000000" or missing value
======================================================
WARNING: possible circular locking dependency detected
4.14.171-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/16630 is trying to acquire lock:
 (rtnl_mutex){+.+.}, at: [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:72

but task is already holding lock:
FAT-fs (loop2): bogus number of reserved sectors
 (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x3c/0x3d0 net/netfilter/x_tables.c:1092

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:
FAT-fs (loop2): Can't find a valid FAT filesystem

-> #2 (&xt[i].mutex){+.+.}:
       lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xe8/0x1470 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       xt_find_revision+0x82/0x200 net/netfilter/x_tables.c:373
       nfnl_compat_get+0x229/0x950 net/netfilter/nft_compat.c:678
       nfnetlink_rcv_msg+0xa08/0xc00 net/netfilter/nfnetlink.c:214
       netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
       nfnetlink_rcv+0x1ab/0x1650 net/netfilter/nfnetlink.c:515
       netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
       netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
       netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
       sock_sendmsg_nosec net/socket.c:646 [inline]
       sock_sendmsg+0xce/0x110 net/socket.c:656
       ___sys_sendmsg+0x70a/0x840 net/socket.c:2062
       __sys_sendmsg+0xb9/0x140 net/socket.c:2096
       SYSC_sendmsg net/socket.c:2107 [inline]
       SyS_sendmsg+0x2d/0x50 net/socket.c:2103
       do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&table[i].mutex){+.+.}:
       lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xe8/0x1470 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       nfnl_lock+0x24/0x30 net/netfilter/nfnetlink.c:61
       nf_tables_netdev_event+0x13f/0x580 net/netfilter/nf_tables_netdev.c:122
       notifier_call_chain+0x111/0x1b0 kernel/notifier.c:93
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
       call_netdevice_notifiers_info+0x56/0x70 net/core/dev.c:1671
       call_netdevice_notifiers net/core/dev.c:1687 [inline]
       rollback_registered_many+0x70d/0xb60 net/core/dev.c:7205
       rollback_registered+0xdd/0x180 net/core/dev.c:7247
       unregister_netdevice_queue net/core/dev.c:8259 [inline]
       unregister_netdevice_queue+0x1ae/0x230 net/core/dev.c:8252
       unregister_netdevice include/linux/netdevice.h:2442 [inline]
       __tun_detach+0xa8c/0xce0 drivers/net/tun.c:576
       tun_detach drivers/net/tun.c:586 [inline]
       tun_chr_close+0x46/0x60 drivers/net/tun.c:2660
       __fput+0x275/0x7a0 fs/file_table.c:210
       ____fput+0x16/0x20 fs/file_table.c:244
       task_work_run+0x114/0x190 kernel/task_work.c:113
       get_signal+0x18a8/0x1cd0 kernel/signal.c:2229
       do_signal+0x86/0x19a0 arch/x86/kernel/signal.c:814
       exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:160
       prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
       do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (rtnl_mutex){+.+.}:
       check_prev_add kernel/locking/lockdep.c:1901 [inline]
       check_prevs_add kernel/locking/lockdep.c:2018 [inline]
       validate_chain kernel/locking/lockdep.c:2460 [inline]
       __lock_acquire+0x2cb3/0x4620 kernel/locking/lockdep.c:3487
       lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xe8/0x1470 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       rtnl_lock+0x17/0x20 net/core/rtnetlink.c:72
       unregister_netdevice_notifier+0x5f/0x2c0 net/core/dev.c:1634
       tee_tg_destroy+0x61/0xc0 net/netfilter/xt_TEE.c:123
       cleanup_entry+0x1a6/0x260 net/ipv6/netfilter/ip6_tables.c:684
       __do_replace+0x3c5/0x5c0 net/ipv6/netfilter/ip6_tables.c:1105
       do_replace net/ipv6/netfilter/ip6_tables.c:1161 [inline]
       do_ip6t_set_ctl+0x296/0x3f4 net/ipv6/netfilter/ip6_tables.c:1685
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
       ipv6_setsockopt net/ipv6/ipv6_sockglue.c:930 [inline]
       ipv6_setsockopt+0x105/0x130 net/ipv6/ipv6_sockglue.c:914
       tcp_setsockopt net/ipv4/tcp.c:2826 [inline]
       tcp_setsockopt+0x84/0xd0 net/ipv4/tcp.c:2820
       sock_common_setsockopt+0x94/0xd0 net/core/sock.c:2968
       SYSC_setsockopt net/socket.c:1865 [inline]
       SyS_setsockopt+0x13c/0x210 net/socket.c:1844
       do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Chain exists of:
  rtnl_mutex --> &table[i].mutex --> &xt[i].mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&xt[i].mutex);
                               lock(&table[i].mutex);
                               lock(&xt[i].mutex);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.2/16630:
 #0: (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x3c/0x3d0 net/netfilter/x_tables.c:1092

stack backtrace:
CPU: 0 PID: 16630 Comm: syz-executor.2 Not tainted 4.14.171-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 print_circular_bug.isra.0.cold+0x1cc/0x28f kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2cb3/0x4620 kernel/locking/lockdep.c:3487
 lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xe8/0x1470 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:72
 unregister_netdevice_notifier+0x5f/0x2c0 net/core/dev.c:1634
 tee_tg_destroy+0x61/0xc0 net/netfilter/xt_TEE.c:123
 cleanup_entry+0x1a6/0x260 net/ipv6/netfilter/ip6_tables.c:684
 __do_replace+0x3c5/0x5c0 net/ipv6/netfilter/ip6_tables.c:1105
 do_replace net/ipv6/netfilter/ip6_tables.c:1161 [inline]
 do_ip6t_set_ctl+0x296/0x3f4 net/ipv6/netfilter/ip6_tables.c:1685
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt net/ipv6/ipv6_sockglue.c:930 [inline]
 ipv6_setsockopt+0x105/0x130 net/ipv6/ipv6_sockglue.c:914
 tcp_setsockopt net/ipv4/tcp.c:2826 [inline]
 tcp_setsockopt+0x84/0xd0 net/ipv4/tcp.c:2820
 sock_common_setsockopt+0x94/0xd0 net/core/sock.c:2968
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x13c/0x210 net/socket.c:1844
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c6b9
RSP: 002b:00007f41e2564c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f41e25656d4 RCX: 000000000045c6b9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000006
RBP: 000000000076c060 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020000900 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000a09 R14: 00000000004d59b0 R15: 000000000076c06c
ip6_tables: ip6tables: counters copy to user failed while replacing table
overlayfs: unrecognized mount option "\ystem_u:object_r:auditd_initrc_exec_t:s0 unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 00000000000000000000" or missing value
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
device sit23 entered promiscuous mode
FAT-fs (loop2): Unrecognized mount option "tzIn('ex" or missing value
Bearer rejected, not supported in standalone mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
device sit24 entered promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
FAT-fs (loop2): Unrecognized mount option "tzIn('ex" or missing value
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.1'.
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=25600 sclass=netlink_route_socket pig=16725 comm=syz-executor.0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=25600 sclass=netlink_route_socket pig=16733 comm=syz-executor.0
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1792 sclass=netlink_route_socket pig=16771 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65324 sclass=netlink_route_socket pig=16771 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1792 sclass=netlink_route_socket pig=16776 comm=syz-executor.1
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
device sit25 entered promiscuous mode
device sit26 entered promiscuous mode
device sit27 entered promiscuous mode
device sit28 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=16812 comm=syz-executor.0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=16856 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=16870 comm=syz-executor.1
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
FAT-fs (loop2): Unrecognized mount option "" or missing value
FAT-fs (loop2): Unrecognized mount option "00000000000000000005" or missing value
nla_parse: 7 callbacks suppressed
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.1'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=10111 sclass=netlink_route_socket pig=16996 comm=syz-executor.0
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=10111 sclass=netlink_route_socket pig=16996 comm=syz-executor.0
FAT-fs (loop2): Unrecognized mount option "00000000000000000005" or missing value
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.1'.
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.5'.
device sit25 entered promiscuous mode
device sit26 entered promiscuous mode
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.1'.
device sit27 entered promiscuous mode
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.5'.
FAT-fs (loop2): Unrecognized mount option "tY+" or missing value
device sit28 entered promiscuous mode
device sit29 entered promiscuous mode
FAT-fs (loop2): Unrecognized mount option "tzy e=" or missing value
FAT-fs (loop2): Unrecognized mount option "tzy e=" or missing value
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=17124 comm=syz-executor.1
device sit30 entered promiscuous mode
device sit31 entered promiscuous mode
FAT-fs (loop2): bogus number of reserved sectors
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=17140 comm=syz-executor.1
FAT-fs (loop2): Can't find a valid FAT filesystem
device sit32 entered promiscuous mode
device sit33 entered promiscuous mode
device sit34 entered promiscuous mode
device sit35 entered promiscuous mode
device sit36 entered promiscuous mode
device sit37 entered promiscuous mode
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
FAT-fs (loop2): Unrecognized mount option "tz=UCC" or missing value
FAT-fs (loop2): Unrecognized mount option "tz=UCC" or missing value
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy2: hwaddr 02:00:00:00:02:00 registered
ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
ieee80211 phy3: hwaddr 02:00:00:00:03:00 registered
FAT-fs (loop2): bogus number of reserved sectors
FAT-fs (loop2): Can't find a valid FAT filesystem
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=29928 sclass=netlink_route_socket pig=17332 comm=syz-executor.5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=17339 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=29928 sclass=netlink_route_socket pig=17332 comm=syz-executor.5