====================================================== WARNING: possible circular locking dependency detected 4.15.0+ #291 Not tainted ------------------------------------------------------ syz-executor2/5372 is trying to acquire lock: (sk_lock-AF_INET){+.+.}, at: [<00000000ea1613db>] lock_sock include/net/sock.h:1461 [inline] (sk_lock-AF_INET){+.+.}, at: [<00000000ea1613db>] do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646 but task is already holding lock: (rtnl_mutex){+.+.}, at: [<00000000b219fc9d>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (rtnl_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 register_netdevice_notifier+0xad/0x860 net/core/dev.c:1607 tee_tg_check+0x1a0/0x280 net/netfilter/xt_TEE.c:106 xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845 check_target net/ipv4/netfilter/ip_tables.c:513 [inline] find_check_entry.isra.8+0x8c8/0xcb0 net/ipv4/netfilter/ip_tables.c:554 translate_table+0xed1/0x1610 net/ipv4/netfilter/ip_tables.c:725 do_replace net/ipv4/netfilter/ip_tables.c:1141 [inline] do_ipt_set_ctl+0x370/0x5f0 net/ipv4/netfilter/ip_tables.c:1675 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1260 sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4104 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 entry_SYSCALL_64_fastpath+0x29/0xa0 -> #0 (sk_lock-AF_INET){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 lock_sock_nested+0xc2/0x110 net/core/sock.c:2780 lock_sock include/net/sock.h:1461 [inline] do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1252 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 entry_SYSCALL_64_fastpath+0x29/0xa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(rtnl_mutex); lock(sk_lock-AF_INET); lock(rtnl_mutex); lock(sk_lock-AF_INET); *** DEADLOCK *** 1 lock held by syz-executor2/5372: #0: (rtnl_mutex){+.+.}, at: [<00000000b219fc9d>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 stack backtrace: CPU: 0 PID: 5372 Comm: syz-executor2 Not tainted 4.15.0+ #291 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223 check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1976 [inline] validate_chain kernel/locking/lockdep.c:2417 [inline] __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 lock_sock_nested+0xc2/0x110 net/core/sock.c:2780 lock_sock include/net/sock.h:1461 [inline] do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1252 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 entry_SYSCALL_64_fastpath+0x29/0xa0 RIP: 0033:0x453299 RSP: 002b:00007fcab34f2c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299 RDX: 000000000000002a RSI: 0000000000000000 RDI: 0000000000000013 RBP: 00000000000005d0 R08: 0000000000000090 R09: 0000000000000000 R10: 000000002009ff70 R11: 0000000000000212 R12: 00000000006f7c20 R13: 00000000ffffffff R14: 00007fcab34f36d4 R15: 0000000000000000 xt_TPROXY: Can be used only in combination with either -p tcp or -p udp netlink: 132 bytes leftover after parsing attributes in process `syz-executor5'. xt_TPROXY: Can be used only in combination with either -p tcp or -p udp netlink: 132 bytes leftover after parsing attributes in process `syz-executor5'. sctp: [Deprecated]: syz-executor2 (pid 5408) Use of int in max_burst socket option. Use struct sctp_assoc_value instead netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. sctp: [Deprecated]: syz-executor2 (pid 5411) Use of int in max_burst socket option. Use struct sctp_assoc_value instead netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. kauditd_printk_skb: 2 callbacks suppressed audit: type=1326 audit(1517535829.365:21): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517535829.365:22): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517535829.367:23): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=257 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517535829.367:24): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517535829.369:25): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=51 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517535829.369:26): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517535829.370:27): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=16 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517535829.370:28): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517535829.371:29): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=9 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517535829.373:30): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5423 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 capability: warning: `syz-executor2' uses 32-bit capabilities (legacy support in use) netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. capability: warning: `syz-executor4' uses deprecated v2 capabilities in a way that may be insecure netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. IPVS: set_ctl: invalid protocol: 13703 39.52.93.236:60696 Ɓtpm`x/.HݼބDBC+ IPVS: set_ctl: invalid protocol: 13703 39.52.93.236:60696 Ɓtpm`x/.HݼބDBC+ syz-executor2 uses obsolete (PF_INET,SOCK_PACKET) device syz2 entered promiscuous mode device syz2 left promiscuous mode device syz2 entered promiscuous mode netlink: 'syz-executor6': attribute type 1 has an invalid length. device eql entered promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode TCP: request_sock_TCPv6: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. kauditd_printk_skb: 34 callbacks suppressed audit: type=1400 audit(1517535834.404:65): avc: denied { map } for pid=6085 comm="syz-executor2" path="/proc/226/net/pfkey" dev="proc" ino=4026533061 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 0 PID: 6207 Comm: syz-executor1 Not tainted 4.15.0+ #291 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:418 [inline] slab_alloc_node mm/slab.c:3285 [inline] kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3628 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:983 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1180 [inline] netlink_sendmsg+0xa86/0xe60 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 sock_write_iter+0x31a/0x5d0 net/socket.c:909 call_write_iter include/linux/fs.h:1781 [inline] new_sync_write fs/read_write.c:469 [inline] __vfs_write+0x684/0x970 fs/read_write.c:482 vfs_write+0x189/0x510 fs/read_write.c:544 SYSC_write fs/read_write.c:589 [inline] SyS_write+0xef/0x220 fs/read_write.c:581 entry_SYSCALL_64_fastpath+0x29/0xa0 RIP: 0033:0x453299 RSP: 002b:00007f5357bdac58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f5357bdaaa0 RCX: 0000000000453299 RDX: 00000000000000fc RSI: 0000000020c7b000 RDI: 0000000000000013 RBP: 00007f5357bdaa90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b8096 R13: 00007f5357bdabc8 R14: 00000000004b8096 R15: 0000000000000000 nla_parse: 10 callbacks suppressed netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. audit: type=1400 audit(1517535835.981:66): avc: denied { map } for pid=6302 comm="syz-executor0" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=17509 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file permissive=1 netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. audit: type=1400 audit(1517535836.614:67): avc: denied { prog_run } for pid=6358 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor1'. SELinux: unrecognized netlink message: protocol=6 nlmsg_type=40 sclass=netlink_xfrm_socket pig=6411 comm=syz-executor4 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 6437 Comm: syz-executor5 Not tainted 4.15.0+ #291 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:418 [inline] slab_alloc mm/slab.c:3364 [inline] kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3604 kmalloc include/linux/slab.h:499 [inline] kzalloc include/linux/slab.h:688 [inline] kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:296 [inline] kvm_irqfd+0x16c/0x1d70 arch/x86/kvm/../../../virt/kvm/eventfd.c:572 kvm_vm_ioctl+0x109b/0x1c60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3001 vfs_ioctl fs/ioctl.c:46 [inline] do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692 entry_SYSCALL_64_fastpath+0x29/0xa0 RIP: 0033:0x453299 RSP: 002b:00007f472908ac58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299 RDX: 0000000020ae9000 RSI: 000000004020ae76 RDI: 0000000000000014 RBP: 0000000000000231 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2538 R13: 0000000000000016 R14: 000000000071bf00 R15: ffffffffffffffff xt_CT: You must specify a L4 protocol, and not use inversions on it. audit: type=1400 audit(1517535837.462:68): avc: denied { map } for pid=6478 comm="syz-executor6" path="/dev/binder6" dev="devtmpfs" ino=9129 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 audit: type=1400 audit(1517535837.465:69): avc: denied { set_context_mgr } for pid=6478 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder: 6478:6483 got transaction with invalid offset (0, min 0 max 0) or object. audit: type=1400 audit(1517535837.528:70): avc: denied { call } for pid=6478 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 sctp: [Deprecated]: syz-executor0 (pid 6479) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead xt_CT: You must specify a L4 protocol, and not use inversions on it. sctp: [Deprecated]: syz-executor0 (pid 6489) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead binder: 6478:6504 got transaction with invalid offsets size, 286 binder: 6478:6504 transaction failed 29201/-22, size 0-286 line 2939 binder_alloc: binder_alloc_mmap_handler: 6478 20265000-20279000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 6478:6504 ioctl 40046207 0 returned -16 binder_alloc: 6478: binder_alloc_buf, no vma binder: 6478:6504 transaction failed 29189/-3, size 0-8 line 2903 binder_alloc: 6478: binder_alloc_buf, no vma binder: 6478:6513 transaction failed 29189/-3, size 0-286 line 2903 binder: 6478:6483 transaction failed 29201/-22, size 0-8 line 2966 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: undelivered TRANSACTION_ERROR: 29201 binder: undelivered TRANSACTION_ERROR: 29189 PPPIOCDETACH file->f_count=2 audit: type=1400 audit(1517535838.305:71): avc: denied { ipc_lock } for pid=6740 comm="syz-executor6" capability=14 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1792 sclass=netlink_route_socket pig=6785 comm=syz-executor1 netlink: 'syz-executor4': attribute type 1 has an invalid length. netlink: 'syz-executor4': attribute type 1 has an invalid length. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1792 sclass=netlink_route_socket pig=6802 comm=syz-executor1 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0