syz-executor4 (5559) used greatest stack depth: 13632 bytes left

======================================================
WARNING: possible circular locking dependency detected
4.15.0+ #221 Not tainted
------------------------------------------------------
syz-executor4/5615 is trying to acquire lock:
 (sk_lock-AF_INET){+.+.}, at: [<00000000cf79e8f4>] lock_sock include/net/sock.h:1463 [inline]
 (sk_lock-AF_INET){+.+.}, at: [<00000000cf79e8f4>] do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646

but task is already holding lock:
 (rtnl_mutex){+.+.}, at: [<000000002c5f39ec>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (rtnl_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
       unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673
       clusterip_config_entry_put net/ipv4/netfilter/ipt_CLUSTERIP.c:114 [inline]
       clusterip_tg_destroy+0x389/0x6e0 net/ipv4/netfilter/ipt_CLUSTERIP.c:518
       cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:654
       __do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1089
       do_replace net/ipv4/netfilter/ip_tables.c:1145 [inline]
       do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1675
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
       ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1259
       tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       entry_SYSCALL_64_fastpath+0x29/0xa0

-> #1 (&xt[i].mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1041
       xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1088
       get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:989
       do_ipt_get_ctl+0x159/0xac0 net/ipv4/netfilter/ip_tables.c:1699
       nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
       nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
       ip_getsockopt+0x15c/0x220 net/ipv4/ip_sockglue.c:1571
       tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359
       sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2934
       SYSC_getsockopt net/socket.c:1880 [inline]
       SyS_getsockopt+0x178/0x340 net/socket.c:1862
       entry_SYSCALL_64_fastpath+0x29/0xa0

-> #0 (sk_lock-AF_INET){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       lock_sock_nested+0xc2/0x110 net/core/sock.c:2777
       lock_sock include/net/sock.h:1463 [inline]
       do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646
       ip_setsockopt+0x3a/0xa0 net/ipv4/ip_sockglue.c:1252
       udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2401
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       entry_SYSCALL_64_fastpath+0x29/0xa0

other info that might help us debug this:

Chain exists of:
  sk_lock-AF_INET --> &xt[i].mutex --> rtnl_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&xt[i].mutex);
                               lock(rtnl_mutex);
  lock(sk_lock-AF_INET);

 *** DEADLOCK ***

1 lock held by syz-executor4/5615:
 #0:  (rtnl_mutex){+.+.}, at: [<000000002c5f39ec>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

stack backtrace:
CPU: 0 PID: 5615 Comm: syz-executor4 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 lock_sock_nested+0xc2/0x110 net/core/sock.c:2777
 lock_sock include/net/sock.h:1463 [inline]
 do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646
 ip_setsockopt+0x3a/0xa0 net/ipv4/ip_sockglue.c:1252
 udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2401
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
 SYSC_setsockopt net/socket.c:1849 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1828
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007f57ce9adc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000000000030 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 0000000000000580 R08: 0000000000000018 R09: 0000000000000000
R10: 0000000020e8c000 R11: 0000000000000212 R12: 00000000006f74a0
R13: 00000000ffffffff R14: 00007f57ce9ae6d4 R15: 0000000000000000
netlink: 'syz-executor3': attribute type 11 has an invalid length.
netlink: 'syz-executor3': attribute type 11 has an invalid length.
syz-executor6 uses obsolete (PF_INET,SOCK_PACKET)
sit: non-ECT from 0.0.0.0 with TOS=0x7
device syz6 entered promiscuous mode
device syz6 left promiscuous mode
x_tables: ip_tables: .0 target: invalid size 8 (kernel) != (user) 3
x_tables: ip_tables: .0 target: invalid size 8 (kernel) != (user) 3
8021q: VLANs not supported on lo
8021q: VLANs not supported on lo
netlink: 'syz-executor2': attribute type 3 has an invalid length.
netlink: 'syz-executor2': attribute type 3 has an invalid length.
netlink: 'syz-executor7': attribute type 1 has an invalid length.
netlink: 'syz-executor7': attribute type 1 has an invalid length.
sock: process `syz-executor2' is using obsolete setsockopt SO_BSDCOMPAT
sock: process `syz-executor1' is using obsolete setsockopt SO_BSDCOMPAT
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=47119 sclass=netlink_xfrm_socket pig=6747 comm=syz-executor1
SNAT: multiple ranges no longer supported
Trying to set illegal importance in message
Trying to set illegal importance in message
netlink: 'syz-executor5': attribute type 10 has an invalid length.
netlink: 'syz-executor5': attribute type 10 has an invalid length.
kauditd_printk_skb: 15 callbacks suppressed
audit: type=1400 audit(1517911534.167:37): avc: denied { map } for pid=6941 comm="syz-executor7" path="socket:[17075]" dev="sockfs" ino=17075 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=rawip_socket permissive=1
xt_limit: Overflow, try lower: 0/0
audit: type=1400 audit(1517911534.328:38): avc: denied { accept } for pid=7001 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
audit: type=1400 audit(1517911534.387:39): avc: denied { shutdown } for pid=7026 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 'syz-executor0': attribute type 16 has an invalid length.
rdma_op 00000000eea3bf41 conn xmit_rdma (null)
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
audit: type=1400 audit(1517911535.422:40): avc: denied { getattr } for pid=7476 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517911535.558:41): avc: denied { read } for pid=7516 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517911535.588:42): avc: denied { setopt } for pid=7516 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
validate_nla: 1 callbacks suppressed
netlink: 'syz-executor0': attribute type 1 has an invalid length.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 'syz-executor0': attribute type 1 has an invalid length.
xt_TPROXY: Can be used only in combination with either -p tcp or -p udp
xt_TPROXY: Can be used only in combination with either -p tcp or -p udp
audit: type=1400 audit(1517911535.868:43): avc: denied { accept } for pid=7642 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
sctp: [Deprecated]: syz-executor4 (pid 7752) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor4 (pid 7752) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
netlink: 1228 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1400 audit(1517911536.337:44): avc: denied { create } for pid=7804 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1517911536.337:45): avc: denied { write } for pid=7804 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
ip_tunnel: non-ECT from 0.0.0.0 with TOS=0x3
ip_tunnel: non-ECT from 0.0.0.0 with TOS=0x3
netlink: 20 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor6'.
audit: type=1400 audit(1517911536.942:46): avc: denied { create } for pid=8047 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
openvswitch: netlink: Either Ethernet header or EtherType is required.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
openvswitch: netlink: Either Ethernet header or EtherType is required.
xt_CT: No such helper "snmp_trap"
xt_CT: No such helper "snmp_trap"
sctp: [Deprecated]: syz-executor3 (pid 8189) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor3 (pid 8199) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
netlink: 4120 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 'syz-executor7': attribute type 7 has an invalid length.
raw_sendmsg: syz-executor0 forgot to set AF_INET. Fix it!
netlink: 'syz-executor7': attribute type 7 has an invalid length.
dccp_close: ABORT with 242 bytes unread
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 8749 Comm: syz-executor4 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ip6t_do_table+0x132d/0x1a30 net/ipv6/netfilter/ip6_tables.c:355
RSP: 0018:ffff8801db406c20 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8801a957bb40 RCX: ffffffff84db22a1
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8801a957bc9e
RBP: ffff8801db406e68 R08: ffff8801db406f60 R09: 0000000000000000
R10: 00000000000000d0 R11: ffffffff86b423c0 R12: 0000000000000001
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8801a957bc10
FS:  00007f57ce9ae700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020fcffe4 CR3: 00000001c6891002 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip6table_security_hook+0x65/0x80 net/ipv6/netfilter/ip6table_security.c:45
 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
 nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
 nf_hook include/linux/netfilter.h:243 [inline]
 NF_HOOK include/linux/netfilter.h:286 [inline]
 ip6_input+0x35c/0x560 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:449 [inline]
 ip6_rcv_finish+0x297/0x8c0 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ipv6_rcv+0xf37/0x1fa0 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4547
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4612
 process_backlog+0x203/0x740 net/core/dev.c:5292
 napi_poll net/core/dev.c:5690 [inline]
 net_rx_action+0x792/0x1910 net/core/dev.c:5756
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1151
 do_softirq.part.19+0x14d/0x190 kernel/softirq.c:329
 do_softirq kernel/softirq.c:177 [inline]
 __local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
 ip6_finish_output2+0xba0/0x23a0 net/ipv6/ip6_output.c:121
 ip6_finish_output+0x698/0xaf0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x1eb/0x840 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip6_xmit+0xe1f/0x2260 net/ipv6/ip6_output.c:277
 sctp_v6_xmit+0x438/0x630 net/sctp/ipv6.c:225
 sctp_packet_transmit+0x225e/0x3750 net/sctp/output.c:638
 sctp_outq_flush+0xabb/0x4060 net/sctp/outqueue.c:911
 sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1210 [inline]
 sctp_do_sm+0x4e0/0x6ed0 net/sctp/sm_sideeffect.c:1181
 sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88
 sctp_sendmsg+0x13bd/0x35e0 net/sctp/socket.c:1985
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 SYSC_sendto+0x361/0x5c0 net/socket.c:1747
 SyS_sendto+0x40/0x50 net/socket.c:1715
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007f57ce9adc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000000000001 RSI: 0000000020cb3fff RDI: 0000000000000013
RBP: 000000000000058a R08: 0000000020fcffe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f7590
R13: 00000000ffffffff R14: 00007f57ce9ae6d4 R15: 0000000000000000
Code: 41 f6 87 83 00 00 00 04 75 37 e8 0f 83 95 fc 8b 85 14 fe ff ff 48 8b b5 50 fe ff ff 4c 8d 2c c6 44 8d 60 01 4c 89 e8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 26 03 00 00 4d 89 7d 00 44 89 a5 14 fe ff
RIP: ip6t_do_table+0x132d/0x1a30 net/ipv6/netfilter/ip6_tables.c:355 RSP: ffff8801db406c20
---[ end trace 5c057570353915c6 ]---