====================================================== [ INFO: possible circular locking dependency detected ] 4.4.174+ #4 Not tainted ------------------------------------------------------- syz-executor.5/6919 is trying to acquire lock: (&(&q->lock)->rlock){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x322/0x3b70 net/ipv4/ip_fragment.c:690 but task is already holding lock: (_xmit_NETROM){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] (_xmit_NETROM){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3306 [inline] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] get_partial_node.isra.0+0x45/0x490 mm/slub.c:1727 [] get_partial mm/slub.c:1834 [inline] [] new_slab_objects mm/slub.c:2314 [inline] [] ___slab_alloc.constprop.0+0x1ca/0x3e0 mm/slub.c:2476 [] __slab_alloc.isra.0.constprop.0+0x50/0xa0 mm/slub.c:2518 [] slab_alloc_node mm/slub.c:2581 [inline] [] slab_alloc mm/slub.c:2623 [inline] [] __kmalloc_track_caller+0x23e/0x2e0 mm/slub.c:4153 [] kmemdup+0x27/0x60 mm/util.c:115 [] scm_fp_dup+0x5e/0x220 net/core/scm.c:339 [] unix_stream_read_generic+0xbfc/0x1fa0 net/unix/af_unix.c:2431 [] unix_stream_recvmsg+0xc3/0x100 net/unix/af_unix.c:2481 [] sock_recvmsg_nosec+0x75/0x90 net/socket.c:740 [] ___sys_recvmsg+0x257/0x530 net/socket.c:2129 [] __sys_recvmmsg+0x223/0x6f0 net/socket.c:2237 [] SYSC_recvmmsg net/socket.c:2311 [inline] [] SyS_recvmmsg+0x178/0x1a0 net/socket.c:2300 [] entry_SYSCALL_64_fastpath+0x1e/0x9a [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] ip_defrag+0x322/0x3b70 net/ipv4/ip_fragment.c:690 [] ip_check_defrag net/ipv4/ip_fragment.c:738 [inline] [] ip_check_defrag+0x3d6/0x5b0 net/ipv4/ip_fragment.c:705 [] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458 [] deliver_skb net/core/dev.c:1842 [inline] [] dev_queue_xmit_nit net/core/dev.c:1898 [inline] [] xmit_one net/core/dev.c:2777 [inline] [] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797 [] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165 [] __dev_xmit_skb net/core/dev.c:2979 [inline] [] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263 [] neigh_hh_output include/net/neighbour.h:486 [inline] [] dst_neigh_output include/net/dst.h:459 [inline] [] ip_finish_output2+0xbf2/0x1280 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635 [] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505 [] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842 [] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870 [] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183 [] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772 [] kernel_sendpage+0x95/0xf0 net/socket.c:3320 [] sock_sendpage+0x8b/0xc0 net/socket.c:793 [] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724 [] splice_from_pipe_feed fs/splice.c:776 [inline] [] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901 [] splice_from_pipe+0x108/0x170 fs/splice.c:936 [] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109 [] do_splice_from fs/splice.c:1128 [inline] [] do_splice fs/splice.c:1404 [inline] [] SYSC_splice fs/splice.c:1707 [inline] [] SyS_splice+0xd71/0x13a0 fs/splice.c:1690 [] entry_SYSCALL_64_fastpath+0x1e/0x9a other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(_xmit_NETROM); lock(&(&q->lock)->rlock); lock(_xmit_NETROM); lock(&(&q->lock)->rlock); *** DEADLOCK *** 6 locks held by syz-executor.5/6919: #0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock_nested fs/pipe.c:65 [inline] #0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x63/0x80 fs/pipe.c:73 #1: (sk_lock-AF_INET){+.+.+.}, at: [] lock_sock include/net/sock.h:1497 [inline] #1: (sk_lock-AF_INET){+.+.+.}, at: [] udp_sendpage+0x132/0x410 net/ipv4/udp.c:1160 #2: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:193 #3: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1bb0 net/core/dev.c:3161 #4: (_xmit_NETROM){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] #4: (_xmit_NETROM){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3306 [inline] #4: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163 #5: (rcu_read_lock){......}, at: [] xmit_one net/core/dev.c:2776 [inline] #5: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xb3/0x11e0 net/core/dev.c:2797 stack backtrace: CPU: 0 PID: 6919 Comm: syz-executor.5 Not tainted 4.4.174+ #4 0000000000000000 91177751d9bd5072 ffff8800b4cbed40 ffffffff81aad1a1 ffffffff84057a80 ffff8801d6ae5f00 ffffffff83aee000 ffffffff83ad5370 ffffffff83aee000 ffff8800b4cbed90 ffffffff813abcda ffff8800b4cbee70 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_circular_bug.cold+0x2f7/0x44e kernel/locking/lockdep.c:1226 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] ip_defrag+0x322/0x3b70 net/ipv4/ip_fragment.c:690 [] ip_check_defrag net/ipv4/ip_fragment.c:738 [inline] [] ip_check_defrag+0x3d6/0x5b0 net/ipv4/ip_fragment.c:705 [] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458 [] deliver_skb net/core/dev.c:1842 [inline] [] dev_queue_xmit_nit net/core/dev.c:1898 [inline] [] xmit_one net/core/dev.c:2777 [inline] [] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797 [] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165 [] __dev_xmit_skb net/core/dev.c:2979 [inline] [] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263 [] neigh_hh_output include/net/neighbour.h:486 [inline] [] dst_neigh_output include/net/dst.h:459 [inline] [] ip_finish_output2+0xbf2/0x1280 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635 [] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505 [] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842 [] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870 [] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183 [] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772 [] kernel_sendpage+0x95/0xf0 net/socket.c:3320 [] sock_sendpage+0x8b/0xc0 net/socket.c:793 [] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724 [] splice_from_pipe_feed fs/splice.c:776 [inline] [] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901 [] splice_from_pipe+0x108/0x170 fs/splice.c:936 [] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109 [] do_splice_from fs/splice.c:1128 [inline] [] do_splice fs/splice.c:1404 [inline] [] SYSC_splice fs/splice.c:1707 [inline] [] SyS_splice+0xd71/0x13a0 fs/splice.c:1690 [] entry_SYSCALL_64_fastpath+0x1e/0x9a