EXT4-fs error (device loop2): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 100 vs 41 free clusters
ip6_tables: ip6tables: counters copy to user failed while replacing table
======================================================
WARNING: possible circular locking dependency detected
4.14.302-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/8012 is trying to acquire lock:
 (rtnl_mutex){+.+.}, at: [] unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630

but task is already holding lock:
 (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&xt[i].mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       match_revfn+0x43/0x210 net/netfilter/x_tables.c:332
       xt_find_revision+0x8d/0x1d0 net/netfilter/x_tables.c:380
       nfnl_compat_get+0x1f7/0x870 net/netfilter/nft_compat.c:678
       nfnetlink_rcv_msg+0x9bb/0xc00 net/netfilter/nfnetlink.c:214
       netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
       nfnetlink_rcv+0x1ab/0x1da0 net/netfilter/nfnetlink.c:515
       netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
       netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
       netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
       sock_sendmsg_nosec net/socket.c:646 [inline]
       sock_sendmsg+0xb5/0x100 net/socket.c:656
       ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
       __sys_sendmsg+0xa3/0x120 net/socket.c:2096
       SYSC_sendmsg net/socket.c:2107 [inline]
       SyS_sendmsg+0x27/0x40 net/socket.c:2103
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #1 (&table[i].mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       nf_tables_netdev_event+0x10d/0x4d0 net/netfilter/nf_tables_netdev.c:122
       notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
       call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
       call_netdevice_notifiers net/core/dev.c:1683 [inline]
       rollback_registered_many+0x765/0xbb0 net/core/dev.c:7211
       rollback_registered+0xca/0x170 net/core/dev.c:7253
       unregister_netdevice_queue+0x1b4/0x360 net/core/dev.c:8274
       unregister_netdevice include/linux/netdevice.h:2444 [inline]
       __tun_detach+0xca2/0xf60 drivers/net/tun.c:584
       tun_detach drivers/net/tun.c:594 [inline]
       tun_chr_close+0x41/0x60 drivers/net/tun.c:2732
       __fput+0x25f/0x7a0 fs/file_table.c:210
       task_work_run+0x11f/0x190 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:191 [inline]
       exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
       prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
       do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (rtnl_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
       tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
       cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:685
       __do_replace+0x38d/0x580 net/ipv4/netfilter/arp_tables.c:930
       do_replace net/ipv6/netfilter/ip6_tables.c:1162 [inline]
       do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1688
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
       ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:944
       tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2831
       SYSC_setsockopt net/socket.c:1865 [inline]
       SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
  rtnl_mutex --> &table[i].mutex --> &xt[i].mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&xt[i].mutex);
                               lock(&table[i].mutex);
                               lock(&xt[i].mutex);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.5/8012:
 #0: (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088

stack backtrace:
CPU: 1 PID: 8012 Comm: syz-executor.5 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
 tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
 cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:685
 __do_replace+0x38d/0x580 net/ipv4/netfilter/arp_tables.c:930
 do_replace net/ipv6/netfilter/ip6_tables.c:1162 [inline]
 do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1688
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:944
 tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2831
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7fb0d0a4671a
RSP: 002b:00007ffcd561d158 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000029 RCX: 00007fb0d0a4671a
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 00007ffcd561d180 R08: 00000000000003b8 R09: ffffffffff000000
R10: 00007fb0d0b3cbc0 R11: 0000000000000202 R12: 00007ffcd561d1e0
R13: 0000000000000003 R14: 00007ffcd561d17c R15: 00007fb0d0b3cb60
EXT4-fs (loop2): 1 orphan inode deleted
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
ip6_tables: ip6tables: counters copy to user failed while replacing table
ip6_tables: ip6tables: counters copy to user failed while replacing table
ip6_tables: ip6tables: counters copy to user failed while replacing table
hfs: part requires an argument
hfs: unable to parse mount options
EXT4-fs error (device loop2): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 100 vs 41 free clusters
EXT4-fs (loop2): 1 orphan inode deleted
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
print_req_error: I/O error, dev loop1, sector 0
hfs: part requires an argument
hfs: unable to parse mount options
print_req_error: I/O error, dev loop1, sector 0
hfs: part requires an argument
hfs: unable to parse mount options
syz-executor.2 uses obsolete (PF_INET,SOCK_PACKET)
hfs: part requires an argument
device syzkaller1 entered promiscuous mode
hfs: unable to parse mount options
device syzkaller1 entered promiscuous mode
XFS (loop1): Mounting V4 Filesystem
XFS (loop1): Ending clean mount
syz-executor.1 (11062) used greatest stack depth: 23936 bytes left
XFS (loop1): Unmounting Filesystem
device syzkaller1 entered promiscuous mode
kauditd_printk_skb: 24 callbacks suppressed
audit: type=1800 audit(1672839993.939:23): pid=11142 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="file0" dev="sda1" ino=14056 res=0
device syzkaller1 entered promiscuous mode
audit: type=1800 audit(1672839994.839:24): pid=11205 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="file0" dev="sda1" ino=14056 res=0
audit: type=1800 audit(1672839995.719:25): pid=11232 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=14118 res=0
audit: type=1804 audit(1672839995.759:26): pid=11232 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir2764048908/syzkaller.RMxvfo/41/file0" dev="sda1" ino=14118 res=1
audit: type=1800 audit(1672839995.929:27): pid=11281 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=14108 res=0
audit: type=1800 audit(1672839995.959:28): pid=11280 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="file0" dev="sda1" ino=14114 res=0
audit: type=1800 audit(1672839995.959:29): pid=11276 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=14115 res=0
audit: type=1804 audit(1672839995.969:30): pid=11280 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir2058417172/syzkaller.8BYYEN/62/file0" dev="sda1" ino=14114 res=1
audit: type=1804 audit(1672839995.979:32): pid=11301 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir2764048908/syzkaller.RMxvfo/42/file0" dev="sda1" ino=14108 res=1
audit: type=1804 audit(1672839995.979:31): pid=11276 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir2946159062/syzkaller.xah4hf/47/file0" dev="sda1" ino=14115 res=1
device lo entered promiscuous mode
======================================================
WARNING: the mand mount option is being deprecated and will be removed in v5.15!
======================================================
Y4`Ҙ: renamed from lo
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
new mount options do not match the existing superblock, will be ignored
device lo entered promiscuous mode
device lo entered promiscuous mode
Y4`Ҙ: renamed from lo
Y4`Ҙ: renamed from lo
device lo entered promiscuous mode
Y4`Ҙ: renamed from lo
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
new mount options do not match the existing superblock, will be ignored
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs error (device loop4): ext4_validate_block_bitmap:405: comm syz-executor.4: bg 0: block 2: invalid block bitmap
new mount options do not match the existing superblock, will be ignored
kauditd_printk_skb: 12 callbacks suppressed
audit: type=1800 audit(1672839999.720:45): pid=11622 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=14104 res=0
device veth0_vlan left promiscuous mode
print_req_error: I/O error, dev loop5, sector 0
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)