====================================================== [ INFO: possible circular locking dependency detected ] 4.4.174+ #17 Not tainted ------------------------------------------------------- syz-executor.4/22055 is trying to acquire lock: (&(&q->lock)->rlock){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x322/0x3b70 net/ipv4/ip_fragment.c:690 but task is already holding lock: (_xmit_NETROM){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] (_xmit_NETROM){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3306 [inline] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] __instance_destroy+0xc2/0x180 net/netfilter/nfnetlink_log.c:222 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket [] nfulnl_rcv_nl_event+0x177/0x200 net/netfilter/nfnetlink_log.c:780 [] notifier_call_chain+0xb9/0x1e0 kernel/notifier.c:93 [] __atomic_notifier_call_chain+0x87/0x150 kernel/notifier.c:183 [] atomic_notifier_call_chain+0x2e/0x40 kernel/notifier.c:193 [] netlink_release+0xe37/0x1590 net/netlink/af_netlink.c:760 [] __sock_release+0xd5/0x260 net/socket.c:592 [] sock_close+0x1b/0x30 net/socket.c:1050 [] __fput+0x246/0x710 fs/file_table.c:208 [] ____fput+0x16/0x20 fs/file_table.c:244 [] task_work_run+0x202/0x2b0 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x14a/0x170 arch/x86/entry/common.c:188 [] prepare_exit_to_usermode arch/x86/entry/common.c:221 [inline] [] syscall_return_slowpath arch/x86/entry/common.c:286 [inline] [] do_syscall_32_irqs_on arch/x86/entry/common.c:336 [inline] [] do_fast_syscall_32+0x7a9/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] ip_defrag+0x322/0x3b70 net/ipv4/ip_fragment.c:690 [] ip_check_defrag net/ipv4/ip_fragment.c:738 [inline] [] ip_check_defrag+0x3d6/0x5b0 net/ipv4/ip_fragment.c:705 [] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458 [] deliver_skb net/core/dev.c:1842 [inline] [] dev_queue_xmit_nit net/core/dev.c:1898 [inline] [] xmit_one net/core/dev.c:2777 [inline] [] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797 [] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165 [] __dev_xmit_skb net/core/dev.c:2979 [inline] [] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263 [] neigh_resolve_output+0x4a0/0x7a0 net/core/neighbour.c:1329 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635 [] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505 [] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842 [] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870 [] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183 [] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772 [] kernel_sendpage+0x95/0xf0 net/socket.c:3320 [] sock_sendpage+0x8b/0xc0 net/socket.c:793 [] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724 [] splice_from_pipe_feed fs/splice.c:776 [inline] [] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901 [] splice_from_pipe+0x108/0x170 fs/splice.c:936 [] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109 [] do_splice_from fs/splice.c:1128 [inline] [] do_splice fs/splice.c:1404 [inline] [] SYSC_splice fs/splice.c:1707 [inline] [] SyS_splice+0xd71/0x13a0 fs/splice.c:1690 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(_xmit_NETROM); lock(&(&q->lock)->rlock); lock(_xmit_NETROM); lock(&(&q->lock)->rlock); *** DEADLOCK *** 6 locks held by syz-executor.4/22055: #0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock_nested fs/pipe.c:65 [inline] #0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x63/0x80 fs/pipe.c:73 #1: (sk_lock-AF_INET){+.+.+.}, at: [] lock_sock include/net/sock.h:1497 [inline] #1: (sk_lock-AF_INET){+.+.+.}, at: [] udp_sendpage+0x132/0x410 net/ipv4/udp.c:1160 #2: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:193 #3: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1bb0 net/core/dev.c:3161 #4: (_xmit_NETROM){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] #4: (_xmit_NETROM){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3306 [inline] #4: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163 #5: (rcu_read_lock){......}, at: [] xmit_one net/core/dev.c:2776 [inline] #5: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xb3/0x11e0 net/core/dev.c:2797 stack backtrace: CPU: 0 PID: 22055 Comm: syz-executor.4 Not tainted 4.4.174+ #17 0000000000000000 dbb001933db19113 ffff8801934b6c40 ffffffff81aad1a1 ffffffff84057a80 ffff8801da734740 ffffffff83af0370 ffffffff83ad4e60 ffffffff83af0370 ffff8801934b6c90 ffffffff813abcda ffff8801934b6d70 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_circular_bug.cold+0x2f7/0x44e kernel/locking/lockdep.c:1226 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] ip_defrag+0x322/0x3b70 net/ipv4/ip_fragment.c:690 [] ip_check_defrag net/ipv4/ip_fragment.c:738 [inline] [] ip_check_defrag+0x3d6/0x5b0 net/ipv4/ip_fragment.c:705 [] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458 [] deliver_skb net/core/dev.c:1842 [inline] [] dev_queue_xmit_nit net/core/dev.c:1898 [inline] [] xmit_one net/core/dev.c:2777 [inline] [] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797 [] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165 [] __dev_xmit_skb net/core/dev.c:2979 [inline] [] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263 [] neigh_resolve_output+0x4a0/0x7a0 net/core/neighbour.c:1329 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635 [] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505 [] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842 [] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870 [] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183 [] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772 [] kernel_sendpage+0x95/0xf0 net/socket.c:3320 [] sock_sendpage+0x8b/0xc0 net/socket.c:793 [] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724 [] splice_from_pipe_feed fs/splice.c:776 [inline] [] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901 [] splice_from_pipe+0x108/0x170 fs/splice.c:936 [] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109 [] do_splice_from fs/splice.c:1128 [inline] [] do_splice fs/splice.c:1404 [inline] [] SYSC_splice fs/splice.c:1707 [inline] [] SyS_splice+0xd71/0x13a0 fs/splice.c:1690 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket binder: 22125:22127 ioctl c0046686 20000500 returned -22 audit: type=1400 audit(1566017761.449:151): avc: denied { mounton } for pid=22126 comm="syz-executor.1" path="/proc/709/attr/exec" dev="proc" ino=71797 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=file permissive=1 binder: 22098:22131 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 22098:22131 transaction failed 29189/-22, size 0-0 line 3014 binder: 22125:22127 transaction failed 29189/-22, size 0-0 line 3014 binder: 22125:22127 ioctl c0046686 20000500 returned -22 binder: 22125:22132 transaction failed 29189/-22, size 0-0 line 3014 binder: 22098:22113 unknown command 536872192 binder: 22098:22113 ioctl c0306201 20008fd0 returned -22 binder: 22098:22122 transaction failed 29189/-22, size 0-0 line 3014 binder: 22145:22146 ioctl c0046686 20000500 returned -22 binder: 22145:22146 transaction failed 29189/-22, size 0-0 line 3014 binder: 22150:22151 ioctl c0046686 20000500 returned -22 binder: 22150:22151 transaction failed 29189/-22, size 0-0 line 3014 binder: 22161:22163 ioctl c0046686 20000500 returned -22 binder: 22161:22163 transaction failed 29189/-22, size 0-0 line 3014 binder: 22164:22166 ioctl c0046686 20000500 returned -22 binder: 22164:22166 transaction failed 29189/-22, size 0-0 line 3014 binder: 22179:22181 ioctl c0046686 20000500 returned -22 binder: 22180:22182 ioctl c0046686 20000500 returned -22 binder: 22180:22182 transaction failed 29189/-22, size 0-0 line 3014 binder: 22179:22181 transaction failed 29189/-22, size 0-0 line 3014 binder: 22192:22193 ioctl c0046686 20000500 returned -22 binder: 22194:22195 ioctl c0046686 20000500 returned -22 binder: 22192:22193 transaction failed 29189/-22, size 0-0 line 3014 binder: 22194:22195 transaction failed 29189/-22, size 0-0 line 3014 binder: 22201:22204 ioctl c0046686 20000500 returned -22 binder: 22200:22206 ioctl c0046686 20000500 returned -22 binder: 22201:22204 transaction failed 29189/-22, size 0-0 line 3014 binder: 22200:22206 transaction failed 29189/-22, size 0-0 line 3014 binder: 22214:22216 ioctl c0046686 20000500 returned -22 binder: 22215:22217 ioctl c0046686 20000500 returned -22 binder: 22215:22217 transaction failed 29189/-22, size 0-0 line 3014 binder: 22214:22227 transaction failed 29189/-22, size 0-0 line 3014 binder: 22226:22228 ioctl c0046686 20000500 returned -22 binder: 22226:22228 transaction failed 29189/-22, size 0-0 line 3014 binder: 22233:22234 ioctl c0046686 20000500 returned -22 binder: 22233:22234 transaction failed 29189/-22, size 0-0 line 3014 binder: 22238:22239 ioctl c0046686 20000500 returned -22 binder: 22238:22239 transaction failed 29189/-22, size 0-0 line 3014 binder: 22245:22249 ioctl c0046686 20000500 returned -22 binder: 22247:22251 ioctl c0046686 20000500 returned -22 binder: 22247:22251 transaction failed 29189/-22, size 0-0 line 3014 binder: 22245:22249 transaction failed 29189/-22, size 0-0 line 3014 binder: 22258:22259 ioctl c0046686 20000500 returned -22 binder: 22258:22259 transaction failed 29189/-22, size 0-0 line 3014 binder: 22267:22268 ioctl c0046686 20000500 returned -22 binder: 22267:22268 transaction failed 29189/-22, size 0-0 line 3014 binder: 22276:22278 ioctl c0046686 20000500 returned -22 binder: 22276:22278 transaction failed 29189/-22, size 0-0 line 3014 binder: 22286:22289 ioctl c0046686 20000500 returned -22 binder: 22285:22292 ioctl c0046686 20000500 returned -22 binder: 22286:22289 transaction failed 29189/-22, size 0-0 line 3014 binder: 22285:22292 transaction failed 29189/-22, size 0-0 line 3014 binder: 22301:22303 ioctl c0046686 20000500 returned -22 binder: 22301:22303 transaction failed 29189/-22, size 0-0 line 3014 binder: 22307:22309 ioctl c0046686 20000500 returned -22 binder: 22307:22309 transaction failed 29189/-22, size 0-0 line 3014 binder: 22311:22312 ioctl c0046686 20000500 returned -22 binder: 22311:22312 transaction failed 29189/-22, size 0-0 line 3014 binder: 22314:22315 ioctl c0046686 20000500 returned -22 binder: 22314:22315 transaction failed 29189/-22, size 0-0 line 3014 binder: 22326:22330 ioctl c0046686 20000500 returned -22 binder: 22329:22334 ioctl c0046686 20000500 returned -22 binder: 22326:22330 transaction failed 29189/-22, size 0-0 line 3014 binder: 22329:22334 transaction failed 29189/-22, size 0-0 line 3014 binder: 22343:22345 ioctl c0046686 20000500 returned -22 binder: 22344:22346 ioctl c0046686 20000500 returned -22 binder: 22344:22346 transaction failed 29189/-22, size 0-0 line 3014 binder: 22343:22345 transaction failed 29189/-22, size 0-0 line 3014 binder: 22352:22353 ioctl c0046686 20000500 returned -22 binder: 22352:22353 transaction failed 29189/-22, size 0-0 line 3014 binder: 22355:22356 ioctl c0046686 20000500 returned -22 binder: 22355:22356 transaction failed 29189/-22, size 0-0 line 3014 binder: 22359:22360 ioctl c0046686 20000500 returned -22 binder: 22359:22360 transaction failed 29189/-22, size 0-0 line 3014 binder: 22364:22366 ioctl c0046686 20000500 returned -22 binder: 22362:22367 ioctl c0046686 20000500 returned -22 binder: 22364:22366 transaction failed 29189/-22, size 0-0 line 3014 binder: 22362:22367 transaction failed 29189/-22, size 0-0 line 3014 binder: 22375:22376 ioctl c0046686 20000500 returned -22 binder: 22375:22376 transaction failed 29189/-22, size 0-0 line 3014 binder: 22381:22382 ioctl c0046686 20000500 returned -22 binder: 22381:22382 transaction failed 29189/-22, size 0-0 line 3014 binder: 22383:22384 transaction failed 29189/-22, size 0-0 line 3014 binder: 22390:22393 ioctl c0046686 20000500 returned -22 binder: 22400:22402 ioctl c0046686 20000500 returned -22