ip6_tables: ip6tables: counters copy to user failed while replacing table ====================================================== WARNING: possible circular locking dependency detected 4.14.232-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.0/7981 is trying to acquire lock: (&table[i].mutex){+.+.}, at: [] ip_set_nfnl_put+0x11a/0x310 net/netfilter/ipset/ip_set_core.c:732 but task is already holding lock: (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&xt[i].mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 match_revfn+0x43/0x210 net/netfilter/x_tables.c:332 xt_find_revision+0x8d/0x1d0 net/netfilter/x_tables.c:380 nfnl_compat_get+0x1f7/0x870 net/netfilter/nft_compat.c:678 nfnetlink_rcv_msg+0x9bb/0xc00 net/netfilter/nfnetlink.c:214 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433 nfnetlink_rcv+0x1ab/0x1da0 net/netfilter/nfnetlink.c:515 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313 netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062 __sys_sendmsg+0xa3/0x120 net/socket.c:2096 SYSC_sendmsg net/socket.c:2107 [inline] SyS_sendmsg+0x27/0x40 net/socket.c:2103 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb -> #0 (&table[i].mutex){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 ip_set_nfnl_put+0x11a/0x310 net/netfilter/ipset/ip_set_core.c:732 set_target_v1_destroy+0x100/0x150 net/netfilter/xt_set.c:394 cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:684 __do_replace+0x38d/0x580 net/ipv6/netfilter/ip6_tables.c:1105 do_replace net/ipv6/netfilter/ip6_tables.c:1161 [inline] do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1687 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:937 tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2828 SYSC_setsockopt net/socket.c:1865 [inline] SyS_setsockopt+0x110/0x1e0 net/socket.c:1844 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&xt[i].mutex); lock(&table[i].mutex); lock(&xt[i].mutex); lock(&table[i].mutex); *** DEADLOCK *** 1 lock held by syz-executor.0/7981: #0: (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088 stack backtrace: CPU: 1 PID: 7981 Comm: syz-executor.0 Not tainted 4.14.232-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 ip_set_nfnl_put+0x11a/0x310 net/netfilter/ipset/ip_set_core.c:732 set_target_v1_destroy+0x100/0x150 net/netfilter/xt_set.c:394 cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:684 __do_replace+0x38d/0x580 net/ipv6/netfilter/ip6_tables.c:1105 do_replace net/ipv6/netfilter/ip6_tables.c:1161 [inline] do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1687 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:937 tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2828 SYSC_setsockopt net/socket.c:1865 [inline] SyS_setsockopt+0x110/0x1e0 net/socket.c:1844 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x467c1a RSP: 002b:00007ffc4642c688 EFLAGS: 00000202 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000029 RCX: 0000000000467c1a RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003 RBP: 00007ffc4642c6b0 R08: 00000000000003b8 R09: 0079746972756365 R10: 00000000005446a0 R11: 0000000000000202 R12: 00007ffc4642c710 R13: 0000000000000003 R14: 00007ffc4642c6ac R15: 0000000000544640 xt_hashlimit: max too large, truncated to 1048576 x_tables: ip6_tables: mh match: only valid for protocol 135 nla_parse: 1 callbacks suppressed netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'. --map-set only usable from mangle table netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 32 bytes leftover after parsing attributes in process `syz-executor.5'. --map-set only usable from mangle table audit: type=1326 audit(1621393048.328:124): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=28848 comm="syz-executor.4" exe="/root/syz-executor.4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4665d9 code=0xffff0000 --map-set only usable from mangle table A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check. --map-set only usable from mangle table audit: type=1326 audit(1621393049.108:125): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=28848 comm="syz-executor.4" exe="/root/syz-executor.4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4665d9 code=0xffff0000 A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check. audit: type=1326 audit(1621393049.608:126): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=28976 comm="syz-executor.4" exe="/root/syz-executor.4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4665d9 code=0x0 print_req_error: I/O error, dev loop4, sector 0 audit: type=1800 audit(1621393050.978:127): pid=29241 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="file0" dev="sda1" ino=15269 res=0 audit: type=1800 audit(1621393051.431:128): pid=29327 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=13872 res=0 audit: type=1800 audit(1621393052.301:129): pid=29371 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=14194 res=0 netlink: 416 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 168 bytes leftover after parsing attributes in process `syz-executor.5'. audit: type=1800 audit(1621393053.041:130): pid=29457 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=14417 res=0 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. audit: type=1800 audit(1621393053.041:131): pid=29457 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=14417 res=0 tmpfs: No value for mount option 'h?' netlink: 416 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 168 bytes leftover after parsing attributes in process `syz-executor.5'. tmpfs: No value for mount option 'h?' netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 4588 bytes leftover after parsing attributes in process `syz-executor.0'. tmpfs: No value for mount option 'h?' netlink: 416 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 168 bytes leftover after parsing attributes in process `syz-executor.5'. tmpfs: No value for mount option 'h?' netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. IPVS: ftp: loaded support on port[0] = 21 IPVS: ftp: loaded support on port[0] = 21