====================================================== WARNING: possible circular locking dependency detected 4.16.0-rc1+ #315 Not tainted ------------------------------------------------------ syz-executor2/5572 is trying to acquire lock: (sk_lock-AF_INET6){+.+.}, at: [<00000000561b838f>] lock_sock include/net/sock.h:1463 [inline] (sk_lock-AF_INET6){+.+.}, at: [<00000000561b838f>] do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167 but task is already holding lock: (rtnl_mutex){+.+.}, at: [<00000000fad5da93>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (rtnl_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673 tee_tg_destroy+0x61/0xc0 net/netfilter/xt_TEE.c:123 cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:654 __do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1089 do_replace net/ipv4/netfilter/ip_tables.c:1145 [inline] do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1675 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1259 raw_setsockopt+0xb7/0xd0 net/ipv4/raw.c:870 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #1 (&xt[i].mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1046 xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1093 get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:989 do_ip6t_get_ctl+0x159/0xaf0 net/ipv6/netfilter/ip6_tables.c:1710 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline] nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122 ipv6_getsockopt+0x1df/0x2e0 net/ipv6/ipv6_sockglue.c:1371 tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359 sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2934 SYSC_getsockopt net/socket.c:1880 [inline] SyS_getsockopt+0x178/0x340 net/socket.c:1862 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #0 (sk_lock-AF_INET6){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 lock_sock_nested+0xc2/0x110 net/core/sock.c:2777 lock_sock include/net/sock.h:1463 [inline] do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167 ipv6_setsockopt+0xd7/0x130 net/ipv6/ipv6_sockglue.c:922 sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4104 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 other info that might help us debug this: Chain exists of: sk_lock-AF_INET6 --> &xt[i].mutex --> rtnl_mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(rtnl_mutex); lock(&xt[i].mutex); lock(rtnl_mutex); lock(sk_lock-AF_INET6); *** DEADLOCK *** 1 lock held by syz-executor2/5572: #0: (rtnl_mutex){+.+.}, at: [<00000000fad5da93>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 stack backtrace: CPU: 0 PID: 5572 Comm: syz-executor2 Not tainted 4.16.0-rc1+ #315 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223 check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1976 [inline] validate_chain kernel/locking/lockdep.c:2417 [inline] __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 lock_sock_nested+0xc2/0x110 net/core/sock.c:2777 lock_sock include/net/sock.h:1463 [inline] do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167 ipv6_setsockopt+0xd7/0x130 net/ipv6/ipv6_sockglue.c:922 sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4104 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453a59 RSP: 002b:00007ff9b9b6ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007ff9b9b6b6d4 RCX: 0000000000453a59 RDX: 000000000000002a RSI: 0000000000000029 RDI: 0000000000000013 RBP: 000000000071bea0 R08: 0000000000000088 R09: 0000000000000000 R10: 0000000020058000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004fb R14: 00000000006f7828 R15: 0000000000000000 audit: type=1400 audit(1518805400.557:31): avc: denied { getrlimit } for pid=5591 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=1 audit: type=1326 audit(1518805400.586:32): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5615 comm="syz-executor1" exe="/root/syz-executor1" sig=9 arch=c000003e syscall=202 compat=0 ip=0x453a59 code=0x0 audit: type=1400 audit(1518805400.601:33): avc: denied { create } for pid=5610 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl syz-executor1 uses obsolete (PF_INET,SOCK_PACKET) mmap: syz-executor2 (5959) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt. Cannot find set identified by id 5 to match Cannot find set identified by id 5 to match xt_connbytes: Forcing CT accounting to be enabled QAT: Invalid ioctl QAT: Invalid ioctl ieee80211 phy2: Selected rate control algorithm 'minstrel_ht' netlink: 'syz-executor0': attribute type 21 has an invalid length. ieee80211 phy3: Selected rate control algorithm 'minstrel_ht' netlink: 'syz-executor0': attribute type 21 has an invalid length. ieee80211 phy4: Selected rate control algorithm 'minstrel_ht' rpcbind: RPC call returned error 22 rpcbind: RPC call returned error 22 do_dccp_setsockopt: sockopt(CHANGE_L/R) is deprecated: fix your app xt_addrtype: ipv6 does not support BROADCAST matching xt_addrtype: ipv6 does not support BROADCAST matching xt_connbytes: Forcing CT accounting to be enabled BUG: sleeping function called from invalid context at mm/slab.h:420 in_atomic(): 1, irqs_disabled(): 0, pid: 6989, name: syz-executor6 INFO: lockdep is turned off. CPU: 1 PID: 6989 Comm: syz-executor6 Not tainted 4.16.0-rc1+ #315 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6133 __might_sleep+0x95/0x190 kernel/sched/core.c:6086 slab_pre_alloc_hook mm/slab.h:420 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc+0x2a2/0x760 mm/slab.c:3539 rds_tcp_conn_alloc+0xa7/0x4e0 net/rds/tcp.c:296 __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227 rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309 rds_sendmsg+0xda3/0x2390 net/rds/send.c:1126 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046 __sys_sendmsg+0xe5/0x210 net/socket.c:2080 SYSC_sendmsg net/socket.c:2091 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2087 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453a59 RSP: 002b:00007f70f8cbcc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f70f8cbd6d4 RCX: 0000000000453a59 RDX: 0000000000000000 RSI: 00000000201c3000 RDI: 0000000000000013 RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004b5 R14: 00000000006f7198 R15: 0000000000000000 atomic_op 00000000aee6e8c8 conn xmit_atomic (null) atomic_op 000000008d7be3dd conn xmit_atomic (null) netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 1 PID: 7291 Comm: syz-executor7 Tainted: G W 4.16.0-rc1+ #315 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc_node mm/slab.c:3286 [inline] kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3629 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:983 [inline] nlmsg_new include/net/netlink.h:511 [inline] mr6_netlink_event+0xd1/0x190 net/ipv6/ip6mr.c:2450 ip6mr_mfc_add net/ipv6/ip6mr.c:1493 [inline] ip6_mroute_setsockopt+0x24f4/0x35b0 net/ipv6/ip6mr.c:1743 do_ipv6_setsockopt.isra.8+0x2f0/0x39d0 net/ipv6/ipv6_sockglue.c:163 ipv6_setsockopt+0xd7/0x130 net/ipv6/ipv6_sockglue.c:922 rawv6_setsockopt+0x4a/0xf0 net/ipv6/raw.c:1060 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453a59 RSP: 002b:00007fc45db31c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007fc45db326d4 RCX: 0000000000453a59 RDX: 00000000000000cc RSI: 0000000000000029 RDI: 0000000000000013 RBP: 000000000071bea0 R08: 000000000000005c R09: 0000000000000000 R10: 0000000020f07000 R11: 0000000000000246 R12: 0000000000000014 R13: 00000000000004fe R14: 00000000006f7870 R15: 0000000000000000 TCP: request_sock_TCP: Possible SYN flooding on port 20018. Sending cookies. Check SNMP counters. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 7768 Comm: syz-executor3 Tainted: G W 4.16.0-rc1+ #315 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc_node mm/slab.c:3286 [inline] kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3629 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:983 [inline] alloc_skb_with_frags+0x10d/0x750 net/core/skbuff.c:5190 sock_alloc_send_pskb+0x787/0x9b0 net/core/sock.c:2085 sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2102 __ip6_append_data.isra.44+0x1c38/0x3390 net/ipv6/ip6_output.c:1409 ip6_make_skb+0x386/0x5e0 net/ipv6/ip6_output.c:1757 udpv6_sendmsg+0x27fc/0x3400 net/ipv6/udp.c:1310 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 SYSC_sendto+0x361/0x5c0 net/socket.c:1747 SyS_sendto+0x40/0x50 net/socket.c:1715 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453a59 RSP: 002b:00007f1025bf5c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f1025bf66d4 RCX: 0000000000453a59 RDX: 0000000000000000 RSI: 0000000020b26000 RDI: 0000000000000013 RBP: 000000000071bea0 R08: 0000000020fabfe4 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014 R13: 00000000000004ba R14: 00000000006f7210 R15: 0000000000000000 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 7809 Comm: syz-executor2 Tainted: G W 4.16.0-rc1+ #315 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3539 kmem_cache_zalloc include/linux/slab.h:691 [inline] ebitmap_cpy+0xce/0x260 security/selinux/ss/ebitmap.c:60 mls_context_cpy security/selinux/ss/context.h:51 [inline] mls_compute_sid+0x555/0x930 security/selinux/ss/mls.c:556 security_compute_sid+0x8df/0x18f0 security/selinux/ss/services.c:1725 security_transition_sid+0x75/0x90 security/selinux/ss/services.c:1764 socket_sockcreate_sid security/selinux/hooks.c:4335 [inline] selinux_socket_create+0x3cf/0x740 security/selinux/hooks.c:4368 security_socket_create+0x83/0xc0 security/security.c:1338 __sock_create+0xf7/0x850 net/socket.c:1240 sock_create net/socket.c:1325 [inline] SYSC_socket net/socket.c:1355 [inline] SyS_socket+0xeb/0x1d0 net/socket.c:1335 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453a59 RSP: 002b:00007ff9b9b6ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 RAX: ffffffffffffffda RBX: 00007ff9b9b6b6d4 RCX: 0000000000453a59 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000013 R13: 00000000000005cb R14: 00000000006f8ba8 R15: 0000000000000000 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 7832 Comm: syz-executor2 Tainted: G W 4.16.0-rc1+ #315 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3539 kmem_cache_zalloc include/linux/slab.h:691 [inline] ebitmap_cpy+0xce/0x260 security/selinux/ss/ebitmap.c:60 mls_context_cpy security/selinux/ss/context.h:51 [inline] mls_compute_sid+0x555/0x930 security/selinux/ss/mls.c:556 security_compute_sid+0x8df/0x18f0 security/selinux/ss/services.c:1725 security_transition_sid+0x75/0x90 security/selinux/ss/services.c:1764 socket_sockcreate_sid security/selinux/hooks.c:4335 [inline] selinux_socket_create+0x3cf/0x740 security/selinux/hooks.c:4368 security_socket_create+0x83/0xc0 security/security.c:1338 __sock_create+0xf7/0x850 net/socket.c:1240 sock_create net/socket.c:1325 [inline] SYSC_socket net/socket.c:1355 [inline] SyS_socket+0xeb/0x1d0 net/socket.c:1335 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453a59 RSP: 002b:00007ff9b9b6ac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 RAX: ffffffffffffffda RBX: 00007ff9b9b6b6d4 RCX: 0000000000453a59 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000013 R13: 00000000000005cb R14: 00000000006f8ba8 R15: 0000000000000001