======================================================
WARNING: possible circular locking dependency detected
4.15.0+ #220 Not tainted
------------------------------------------------------
syz-executor0/5831 is trying to acquire lock:
 (&xt[i].mutex){+.+.}, at: [<000000005cf157ea>] xt_find_target+0x44/0x1e0 net/netfilter/x_tables.c:229

but task is already holding lock:
 (sk_lock-AF_INET6){+.+.}, at: [<000000006f1078e6>] lock_sock include/net/sock.h:1461 [inline]
 (sk_lock-AF_INET6){+.+.}, at: [<000000006f1078e6>] ipv6_setsockopt+0xff/0x150 net/ipv6/ipv6_sockglue.c:927

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (sk_lock-AF_INET6){+.+.}:
       lock_sock_nested+0xc2/0x110 net/core/sock.c:2780
       lock_sock include/net/sock.h:1461 [inline]
       do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
       ipv6_setsockopt+0xd7/0x150 net/ipv6/ipv6_sockglue.c:922
       sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4104
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       entry_SYSCALL_64_fastpath+0x29/0xa0

-> #1 (rtnl_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
       unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673
       tee_tg_destroy+0x61/0xc0 net/netfilter/xt_TEE.c:123
       cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:654
       __do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1089
       do_replace net/ipv4/netfilter/ip_tables.c:1145 [inline]
       do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1675
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
       ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1260
       tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       entry_SYSCALL_64_fastpath+0x29/0xa0

-> #0 (&xt[i].mutex){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       xt_find_target+0x44/0x1e0 net/netfilter/x_tables.c:229
       xt_request_find_target+0x2c/0xb0 net/netfilter/x_tables.c:255
       find_check_entry.isra.7+0x669/0xcf0 net/ipv6/netfilter/ip6_tables.c:567
       translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:744
       do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
       do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
       ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
       udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       entry_SYSCALL_64_fastpath+0x29/0xa0

other info that might help us debug this:

Chain exists of:
  &xt[i].mutex --> rtnl_mutex --> sk_lock-AF_INET6

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_INET6);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_INET6);
  lock(&xt[i].mutex);

 *** DEADLOCK ***

1 lock held by syz-executor0/5831:
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000006f1078e6>] lock_sock include/net/sock.h:1461 [inline]
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000006f1078e6>] ipv6_setsockopt+0xff/0x150 net/ipv6/ipv6_sockglue.c:927

stack backtrace:
CPU: 1 PID: 5831 Comm: syz-executor0 Not tainted 4.15.0+ #220
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 xt_find_target+0x44/0x1e0 net/netfilter/x_tables.c:229
 xt_request_find_target+0x2c/0xb0 net/netfilter/x_tables.c:255
 find_check_entry.isra.7+0x669/0xcf0 net/ipv6/netfilter/ip6_tables.c:567
 translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:744
 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
 do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
 udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
 SYSC_setsockopt net/socket.c:1849 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1828
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007f04f00f7c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013
RBP: 00000000000005c5 R08: 00000000000004e8 R09: 0000000000000000
R10: 000000002000f000 R11: 0000000000000212 R12: 00000000006f7b18
R13: 00000000ffffffff R14: 00007f04f00f86d4 R15: 0000000000000000
xt_SECMARK: target only valid in the 'mangle' or 'security' tables, not 'raw'.
netlink: 'syz-executor3': attribute type 15 has an invalid length.
netlink: 'syz-executor5': attribute type 21 has an invalid length.
netlink: 'syz-executor5': attribute type 21 has an invalid length.
netlink: 'syz-executor3': attribute type 15 has an invalid length.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 'syz-executor1': attribute type 1 has an invalid length.
netlink: 'syz-executor1': attribute type 1 has an invalid length.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
sock: sock_set_timeout: `syz-executor3' (pid 6162) tries to set negative timeout
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
kauditd_printk_skb: 14 callbacks suppressed
audit: type=1400 audit(1517509411.428:36): avc: denied { name_connect } for pid=6512 comm="syz-executor3" dest=20014 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
sctp: [Deprecated]: syz-executor5 (pid 6536) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor5 (pid 6554) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sock: process `syz-executor1' is using obsolete getsockopt SO_BSDCOMPAT
xt_addrtype: both incoming and outgoing interface limitation cannot be selected
dccp_invalid_packet: pskb_may_pull failed
dccp_invalid_packet: pskb_may_pull failed
xt_addrtype: both incoming and outgoing interface limitation cannot be selected
audit: type=1400 audit(1517509411.905:37): avc: denied { read } for pid=6646 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'.
audit: type=1400 audit(1517509411.937:38): avc: denied { ioctl } for pid=6646 comm="syz-executor6" path="socket:[16464]" dev="sockfs" ino=16464 ioctlcmd=0x8933 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
Cannot find add_set index 0 as target
Cannot find add_set index 0 as target
--map-set only usable from mangle table
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 6798 Comm: syz-executor4 Not tainted 4.15.0+ #220
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3364 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3538
 anon_vma_chain_alloc mm/rmap.c:128 [inline]
 __anon_vma_prepare+0xbc/0x6b0 mm/rmap.c:182
 anon_vma_prepare include/linux/rmap.h:153 [inline]
 do_huge_pmd_anonymous_page+0x1124/0x1b00 mm/huge_memory.c:678
 create_huge_pmd mm/memory.c:3860 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4064
 handle_mm_fault+0x38f/0x930 mm/memory.c:4130
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1426
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1501
 page_fault+0x4c/0x60 arch/x86/entry/entry_64.S:1261
RIP: 0033:0x400ec1
RSP: 002b:00007f476a91ab70 EFLAGS: 00010202
RAX: ffffffffffffffff RBX: 000000000000006e RCX: 0000000000000000
RDX: 0000000020000000 RSI: 000000000000006e RDI: 0000000020010b82
RBP: 0000000020010b82 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000006e R11: 0000000000000000 R12: 000000000000006e
R13: 0000000000000013 R14: 00007f476a91b6d4 R15: ffffffffffffffff
oom_reaper: reaped process 6798 (syz-executor4), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
audit: type=1400 audit(1517509412.833:39): avc: denied { setopt } for pid=6880 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket permissive=1
xt_TCPMSS: Only works on TCP SYN packets
xt_TCPMSS: Only works on TCP SYN packets
audit: type=1400 audit(1517509412.857:40): avc: denied { getopt } for pid=6880 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket permissive=1
sctp: [Deprecated]: syz-executor7 (pid 6933) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
sctp: [Deprecated]: syz-executor7 (pid 6948) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
device syz5 entered promiscuous mode
device syz5 left promiscuous mode
validate_nla: 6 callbacks suppressed
netlink: 'syz-executor0': attribute type 1 has an invalid length.
netlink: 'syz-executor0': attribute type 1 has an invalid length.
dccp_v4_rcv: dropped packet with invalid checksum
dccp_v4_rcv: dropped packet with invalid checksum
raw_sendmsg: syz-executor7 forgot to set AF_INET. Fix it!
xt_socket: unknown flags 0xec
xt_socket: unknown flags 0xec
IPVS: length: 760 != 24
IPVS: length: 760 != 24
netlink: 'syz-executor5': attribute type 21 has an invalid length.
netlink: 'syz-executor5': attribute type 5 has an invalid length.
netlink: 'syz-executor5': attribute type 21 has an invalid length.
netlink: 'syz-executor5': attribute type 5 has an invalid length.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=1792 sclass=netlink_xfrm_socket pig=7499 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=1792 sclass=netlink_xfrm_socket pig=7511 comm=syz-executor0
IPv4: Oversized IP packet from 127.0.0.1
netlink: 'syz-executor3': attribute type 3 has an invalid length.
netlink: 'syz-executor3': attribute type 3 has an invalid length.
audit: type=1400 audit(1517509414.917:41): avc: denied { map } for pid=7683 comm="syz-executor7" path="socket:[17209]" dev="sockfs" ino=17209 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=1
can: request_module (can-proto-6) failed.
can: request_module (can-proto-6) failed.
audit: type=1400 audit(1517509415.251:42): avc: denied { create } for pid=7808 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
audit: type=1400 audit(1517509415.252:43): avc: denied { ioctl } for pid=7808 comm="syz-executor7" path="socket:[17298]" dev="sockfs" ino=17298 ioctlcmd=0x8946 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
bridge: RTM_NEWNEIGH with invalid state 0x0
bridge: RTM_NEWNEIGH with invalid state 0x0
ieee80211 phy4: Selected rate control algorithm 'minstrel_ht'
audit: type=1400 audit(1517509415.919:44): avc: denied { getopt } for pid=8024 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 'syz-executor2': attribute type 21 has an invalid length.
netlink: 'syz-executor2': attribute type 21 has an invalid length.
audit: type=1400 audit(1517509416.537:45): avc: denied { create } for pid=8220 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
audit: type=1400 audit(1517509416.685:46): avc: denied { getopt } for pid=8264 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=2806 sclass=netlink_tcpdiag_socket pig=8269 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=2806 sclass=netlink_tcpdiag_socket pig=8280 comm=syz-executor5
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
audit: type=1400 audit(1517509416.951:47): avc: denied { read } for pid=8346 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket permissive=1
Trying to set illegal importance in message
sctp: [Deprecated]: syz-executor6 (pid 8420) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor6 (pid 8420) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
audit: type=1400 audit(1517509417.163:48): avc: denied { net_bind_service } for pid=8423 comm="syz-executor0" capability=10 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517509417.335:49): avc: denied { write } for pid=8475 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1517509417.335:50): avc: denied { bind } for pid=8475 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
sctp: [Deprecated]: syz-executor2 (pid 8533) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
netlink: 17 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 17 bytes leftover after parsing attributes in process `syz-executor6'.
ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
sctp: [Deprecated]: syz-executor2 (pid 8533) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
audit: type=1400 audit(1517509417.925:51): avc: denied { bind } for pid=8664 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
audit: type=1400 audit(1517509417.944:52): avc: denied { accept } for pid=8664 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20014. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20014. Sending cookies. Check SNMP counters.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20014. Sending cookies. Check SNMP counters.
audit: type=1400 audit(1517509418.491:53): avc: denied { bind } for pid=8846 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
audit: type=1400 audit(1517509418.523:54): avc: denied { getattr } for pid=8846 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23 sclass=netlink_route_socket pig=8932 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23 sclass=netlink_route_socket pig=8939 comm=syz-executor2