======================================================
WARNING: possible circular locking dependency detected
4.14.302-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/11093 is trying to acquire lock:
 (&xt[i].mutex){+.+.}, at: [] match_revfn+0x43/0x210 net/netfilter/x_tables.c:332

but task is already holding lock:
 (&table[i].mutex){+.+.}, at: [] nfnl_lock net/netfilter/nfnetlink.c:61 [inline]
 (&table[i].mutex){+.+.}, at: [] nfnetlink_rcv_msg+0x726/0xc00 net/netfilter/nfnetlink.c:209

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&table[i].mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       nf_tables_netdev_event+0x10d/0x4d0 net/netfilter/nf_tables_netdev.c:122
       notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
       call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
       call_netdevice_notifiers net/core/dev.c:1683 [inline]
       rollback_registered_many+0x765/0xbb0 net/core/dev.c:7211
       unregister_netdevice_many.part.0+0x18/0x2e0 net/core/dev.c:8293
       unregister_netdevice_many+0x36/0x50 net/core/dev.c:8292
       ip6gre_exit_net+0x41e/0x570 net/ipv6/ip6_gre.c:1209
       ops_exit_list+0xad/0x160 net/core/net_namespace.c:142
       cleanup_net+0x3b3/0x840 net/core/net_namespace.c:487
       process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:406

-> #1 (rtnl_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
       tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
       cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:685
       __do_replace+0x38d/0x580 net/ipv4/netfilter/arp_tables.c:930
       do_replace net/ipv6/netfilter/ip6_tables.c:1162 [inline]
       do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1688
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
       ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:944
       tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2831
       SYSC_setsockopt net/socket.c:1865 [inline]
       SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (&xt[i].mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       match_revfn+0x43/0x210 net/netfilter/x_tables.c:332
       xt_find_revision+0x8d/0x1d0 net/netfilter/x_tables.c:380
       nfnl_compat_get+0x1f7/0x870 net/netfilter/nft_compat.c:678
       nfnetlink_rcv_msg+0x9bb/0xc00 net/netfilter/nfnetlink.c:214
       netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
       nfnetlink_rcv+0x1ab/0x1da0 net/netfilter/nfnetlink.c:515
       netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
       netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
       netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
       sock_sendmsg_nosec net/socket.c:646 [inline]
       sock_sendmsg+0xb5/0x100 net/socket.c:656
       ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
       __sys_sendmsg+0xa3/0x120 net/socket.c:2096
       SYSC_sendmsg net/socket.c:2107 [inline]
       SyS_sendmsg+0x27/0x40 net/socket.c:2103
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
  &xt[i].mutex --> rtnl_mutex --> &table[i].mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&table[i].mutex);
                               lock(rtnl_mutex);
                               lock(&table[i].mutex);
  lock(&xt[i].mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.0/11093:
 #0: (&table[i].mutex){+.+.}, at: [] nfnl_lock net/netfilter/nfnetlink.c:61 [inline]
 #0: (&table[i].mutex){+.+.}, at: [] nfnetlink_rcv_msg+0x726/0xc00 net/netfilter/nfnetlink.c:209

stack backtrace:
CPU: 0 PID: 11093 Comm: syz-executor.0 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 match_revfn+0x43/0x210 net/netfilter/x_tables.c:332
 xt_find_revision+0x8d/0x1d0 net/netfilter/x_tables.c:380
 nfnl_compat_get+0x1f7/0x870 net/netfilter/nft_compat.c:678
 nfnetlink_rcv_msg+0x9bb/0xc00 net/netfilter/nfnetlink.c:214
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
 nfnetlink_rcv+0x1ab/0x1da0 net/netfilter/nfnetlink.c:515
 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f38868f50a9
RSP: 002b:00007f3884e67168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f3886a14f80 RCX: 00007f38868f50a9
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00007f3886950ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcf6f2e9ef R14: 00007f3884e67300 R15: 0000000000022000
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): trying to use backup root at mount time
BTRFS info (device loop1): disabling tree log
BTRFS info (device loop1): enabling auto defrag
BTRFS info (device loop1): using free space tree
BTRFS info (device loop1): has skinny extents
BTRFS warning (device loop1): get dev_stats failed, device not found
overlayfs: unrecognized mount option "loW÷òdirú.:file0" or missing value
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): trying to use backup root at mount time
BTRFS info (device loop1): disabling tree log
BTRFS info (device loop1): enabling auto defrag
BTRFS info (device loop1): using free space tree
BTRFS info (device loop1): has skinny extents
BTRFS warning (device loop1): get dev_stats failed, device not found
overlayfs: unrecognized mount option "loW÷òdirú.:file0" or missing value
NILFS (loop5): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): trying to use backup root at mount time
BTRFS info (device loop1): disabling tree log
BTRFS info (device loop1): enabling auto defrag
BTRFS info (device loop1): using free space tree
BTRFS info (device loop1): has skinny extents
BTRFS warning (device loop1): get dev_stats failed, device not found
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
BTRFS info (device loop1): allowing degraded mounts
BTRFS info (device loop1): trying to use backup root at mount time
BTRFS info (device loop1): disabling tree log
BTRFS info (device loop1): enabling auto defrag
BTRFS info (device loop1): using free space tree
BTRFS info (device loop1): has skinny extents
BTRFS warning (device loop1): get dev_stats failed, device not found
overlayfs: unrecognized mount option "loW÷òdirú.:file0" or missing value
bridge0: port 4(team0) entered blocking state
bridge0: port 4(team0) entered disabled state
overlayfs: unrecognized mount option "loW÷òdirú.:file0" or missing value
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
bridge0: port 4(team0) entered blocking state
bridge0: port 4(team0) entered forwarding state
XFS (loop5): Mounting V4 Filesystem
XFS (loop5): Ending clean mount
attempt to access beyond end of device
loop5: rw=4096, want=2972161268572422215, limit=65536
XFS (loop5): Unmounting Filesystem
XFS (loop5): Mounting V4 Filesystem
XFS (loop5): Ending clean mount
attempt to access beyond end of device
loop5: rw=4096, want=2972161268572422215, limit=65536
XFS (loop5): Unmounting Filesystem
device macvtap0 entered promiscuous mode
device macvtap0 left promiscuous mode
device macvtap0 entered promiscuous mode
device macvtap0 left promiscuous mode
device macvtap0 entered promiscuous mode
device macvtap0 left promiscuous mode
XFS (loop5): Mounting V4 Filesystem
XFS (loop5): Ending clean mount
attempt to access beyond end of device
loop5: rw=4096, want=2972161268572422215, limit=65536
XFS (loop5): Unmounting Filesystem
device macvtap0 entered promiscuous mode
device macvtap0 left promiscuous mode
mmap: syz-executor.3 (11590) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
audit: type=1800 audit(1672772417.670:57): pid=11589 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop2" ino=18 res=0
NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
audit: type=1800 audit(1672772417.690:58): pid=11589 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop2" ino=18 res=0
XFS (loop5): Mounting V4 Filesystem
XFS (loop5): Ending clean mount
attempt to access beyond end of device
loop5: rw=4096, want=2972161268572422215, limit=65536
XFS (loop5): Unmounting Filesystem
syz-executor.0 uses obsolete (PF_INET,SOCK_PACKET)
NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
audit: type=1800 audit(1672772418.160:59): pid=11632 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop2" ino=18 res=0
audit: type=1800 audit(1672772418.190:60): pid=11632 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop2" ino=18 res=0
EXT4-fs error (device loop5): ext4_orphan_get:1265: comm syz-executor.5: bad orphan inode 34020
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
f2fs_msg: 62 callbacks suppressed
F2FS-fs (loop0): Wrong CP boundary, start(512) end(1536) blocks(1536)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): Unrecognized mount option "whint_mode=fs-based" or missing value
F2FS-fs (loop0): Wrong CP boundary, start(512) end(1536) blocks(1536)
F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop0): Unrecognized mount option "whint_mode=fs-based" or missing value
audit: type=1800 audit(1672772418.930:61): pid=11700 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop2" ino=18 res=0
NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
EXT4-fs error (device loop4): ext4_orphan_get:1265: comm syz-executor.4: bad orphan inode 34020
audit: type=1800 audit(1672772418.930:62): pid=11700 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop2" ino=18 res=0
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs error (device loop5): ext4_orphan_get:1265: comm syz-executor.5: bad orphan inode 34020
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
NILFS (loop2): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
audit: type=1800 audit(1672772419.810:63): pid=11768 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop2" ino=18 res=0
audit: type=1800 audit(1672772419.810:64): pid=11768 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="loop2" ino=18 res=0
EXT4-fs error (device loop4): ext4_orphan_get:1265: comm syz-executor.4: bad orphan inode 34020
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs error (device loop5): ext4_orphan_get:1265: comm syz-executor.5: bad orphan inode 34020
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
NILFS (loop3): invalid segment: Checksum error in segment payload
NILFS (loop3): trying rollback from an earlier position
NILFS (loop3): recovery complete
NILFS (loop3): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
EXT4-fs error (device loop5): ext4_orphan_get:1265: comm syz-executor.5: bad orphan inode 34020
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs error (device loop4): ext4_orphan_get:1265: comm syz-executor.4: bad orphan inode 34020
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue