audit: type=1400 audit(1573715825.345:146): avc: denied { create } for pid=8448 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0

======================================================
[ INFO: possible circular locking dependency detected ]
4.4.174+ #17 Not tainted
-------------------------------------------------------
syz-executor.4/8472 is trying to acquire lock:
(&(&q->lock)->rlock){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline]
(&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x322/0x3b70 net/ipv4/ip_fragment.c:690

but task is already holding lock:
(_xmit_NETROM){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline]
(_xmit_NETROM){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
(_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:
[] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:112 [inline]
[] _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159
[] buffered_rmqueue mm/page_alloc.c:2315 [inline]
[] get_page_from_freelist+0xeb3/0x1d00 mm/page_alloc.c:2661
[] __alloc_pages_nodemask+0x288/0x14b0 mm/page_alloc.c:3303
[] __alloc_pages include/linux/gfp.h:415 [inline]
[] __alloc_pages_node include/linux/gfp.h:428 [inline]
[] alloc_slab_page mm/slub.c:1436 [inline]
[] allocate_slab mm/slub.c:1469 [inline]
[] new_slab+0x8e/0x380 mm/slub.c:1549
[] new_slab_objects mm/slub.c:2319 [inline]
[] ___slab_alloc.constprop.0+0x323/0x3e0 mm/slub.c:2476
[] __slab_alloc.isra.0.constprop.0+0x50/0xa0 mm/slub.c:2518
[] slab_alloc_node mm/slub.c:2581 [inline]
[] slab_alloc mm/slub.c:2623 [inline]
[] kmem_cache_alloc+0x214/0x2c0 mm/slub.c:2628
[] kmem_cache_zalloc include/linux/slab.h:610 [inline]
[] key_alloc+0x375/0xf10 security/keys/key.c:275
[] construct_alloc_key security/keys/request_key.c:379 [inline]
[] construct_key_and_link security/keys/request_key.c:479 [inline]
[] request_key_and_link+0x4de/0xad0 security/keys/request_key.c:594
[] SYSC_request_key security/keys/keyctl.c:213 [inline]
[] SyS_request_key+0x189/0x2f0 security/keys/keyctl.c:158
[] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
[] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
[] sysenter_flags_fixed+0xd/0x1a

[] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[] validate_chain kernel/locking/lockdep.c:2144 [inline]
[] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
[] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
[] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151
[] spin_lock include/linux/spinlock.h:302 [inline]
[] ip_defrag+0x322/0x3b70 net/ipv4/ip_fragment.c:690
[] ip_check_defrag net/ipv4/ip_fragment.c:738 [inline]
[] ip_check_defrag+0x3d6/0x5b0 net/ipv4/ip_fragment.c:705
[] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
[] deliver_skb net/core/dev.c:1842 [inline]
[] dev_queue_xmit_nit net/core/dev.c:1898 [inline]
[] xmit_one net/core/dev.c:2777 [inline]
[] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797
[] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165
[] __dev_xmit_skb net/core/dev.c:2979 [inline]
[] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197
[] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
[] neigh_hh_output include/net/neighbour.h:486 [inline]
[] dst_neigh_output include/net/dst.h:459 [inline]
[] ip_finish_output2+0xbf2/0x1280 net/ipv4/ip_output.c:213
[] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635
[] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505
[] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286
[] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
[] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347
[] dst_output include/net/dst.h:498 [inline]
[] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119
[] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453
[] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842
[] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870
[] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183
[] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772
[] kernel_sendpage+0x95/0xf0 net/socket.c:3320
[] sock_sendpage+0x8b/0xc0 net/socket.c:793
[] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724
[] splice_from_pipe_feed fs/splice.c:776 [inline]
[] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901
[] splice_from_pipe+0x108/0x170 fs/splice.c:936
[] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109
[] do_splice_from fs/splice.c:1128 [inline]
[] do_splice fs/splice.c:1404 [inline]
[] SYSC_splice fs/splice.c:1707 [inline]
[] SyS_splice+0xd71/0x13a0 fs/splice.c:1690
[] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
[] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
[] sysenter_flags_fixed+0xd/0x1a

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(_xmit_NETROM);
                               lock(&(&q->lock)->rlock);
                               lock(_xmit_NETROM);
  lock(&(&q->lock)->rlock);

*** DEADLOCK ***

6 locks held by syz-executor.4/8472:
#0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock_nested fs/pipe.c:65 [inline]
#0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x63/0x80 fs/pipe.c:73
#1: (sk_lock-AF_INET){+.+.+.}, at: [] lock_sock include/net/sock.h:1497 [inline]
#1: (sk_lock-AF_INET){+.+.+.}, at: [] udp_sendpage+0x132/0x410 net/ipv4/udp.c:1160
#2: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:193
#3: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1bb0 net/core/dev.c:3161
#4: (_xmit_NETROM){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline]
#4: (_xmit_NETROM){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
#4: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163
#5: (rcu_read_lock){......}, at: [] xmit_one net/core/dev.c:2776 [inline]
#5: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xb3/0x11e0 net/core/dev.c:2797

stack backtrace:
CPU: 0 PID: 8472 Comm: syz-executor.4 Not tainted 4.4.174+ #17
0000000000000000[ 186.178104] audit: type=1400 audit(1573715826.055:147): avc: denied { create } for pid=8446 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=0
4fea9ec4c7855e59 ffff8800b26decd0 ffffffff81aad1a1
ffffffff84057a80 ffff8800a5918000 ffffffff83ae9fe0 ffffffff83ad4e60
ffffffff83ae9fe0 ffff8800b26ded20 ffffffff813abcda ffff8800b26dee00
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[] print_circular_bug.cold+0x2f7/0x44e kernel/locking/lockdep.c:1226
[] check_prev_add kernel/locking/lockdep.c:1853 [inline]
[] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
[] validate_chain kernel/locking/lockdep.c:2144 [inline]
[] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
audit: type=1400 audit(1573715826.135:148): avc: denied { create } for pid=8477 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715826.135:149): avc: denied { create } for pid=8477 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
[] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
[] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
[] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151
[] spin_lock include/linux/spinlock.h:302 [inline]
[] ip_defrag+0x322/0x3b70 net/ipv4/ip_fragment.c:690
audit: type=1400 audit(1573715826.255:150): avc: denied { create } for pid=8481 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
[] ip_check_defrag net/ipv4/ip_fragment.c:738 [inline]
[] ip_check_defrag+0x3d6/0x5b0 net/ipv4/ip_fragment.c:705
[] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
[] deliver_skb net/core/dev.c:1842 [inline]
[] dev_queue_xmit_nit net/core/dev.c:1898 [inline]
[] xmit_one net/core/dev.c:2777 [inline]
[] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797
[] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165
[] __dev_xmit_skb net/core/dev.c:2979 [inline]
[] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197
[] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
[] neigh_hh_output include/net/neighbour.h:486 [inline]
[] dst_neigh_output include/net/dst.h:459 [inline]
[] ip_finish_output2+0xbf2/0x1280 net/ipv4/ip_output.c:213
[] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635
[] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505
[] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286
[] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
[] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347
[] dst_output include/net/dst.h:498 [inline]
[] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119
[] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453
[] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842
[] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870
[] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183
[] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772
[] kernel_sendpage+0x95/0xf0 net/socket.c:3320
[] sock_sendpage+0x8b/0xc0 net/socket.c:793
[] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724
[] splice_from_pipe_feed fs/splice.c:776 [inline]
[] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901
[] splice_from_pipe+0x108/0x170 fs/splice.c:936
[] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109
[] do_splice_from fs/splice.c:1128 [inline]
[] do_splice fs/splice.c:1404 [inline]
[] SYSC_splice fs/splice.c:1707 [inline]
[] SyS_splice+0xd71/0x13a0 fs/splice.c:1690
[] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
[] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
[] sysenter_flags_fixed+0xd/0x1a
audit: type=1400 audit(1573715826.775:151): avc: denied { create } for pid=8477 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715826.815:152): avc: denied { create } for pid=8477 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715826.975:153): avc: denied { create } for pid=8502 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
binder: 8567:8568 ioctl 40046207 0 returned -13
binder: 8567:8568 ERROR: BC_REGISTER_LOOPER called without request
binder: 8567:8573 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder: 8567:8568 ioctl 40046207 0 returned -13
binder: 8567:8573 ERROR: BC_REGISTER_LOOPER called without request
binder: 8567:8632 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder: 8636:8651 unknown command 0
binder: 8636:8651 ioctl c0306201 200000c0 returned -22
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000A: hidraw1: HID v0.00 Device [syz0] on sy
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: unknown main item tag 0x0
hid-generic 0000:0004:FFFFFFFD.000B: hidraw2: HID v0.00 Device [syz0] on sy
audit_printk_skb: 96 callbacks suppressed
audit: type=1400 audit(1573715830.605:186): avc: denied { create } for pid=8743 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715830.685:187): avc: denied { create } for pid=8743 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715831.155:188): avc: denied { create } for pid=8753 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715831.155:189): avc: denied { create } for pid=8749 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715831.155:190): avc: denied { create } for pid=8749 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715831.155:191): avc: denied { create } for pid=8749 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715831.155:192): avc: denied { create } for pid=8749 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715831.285:193): avc: denied { create } for pid=8750 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715831.285:194): avc: denied { create } for pid=8761 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1573715831.285:195): avc: denied { create } for pid=8761 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=40531 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=40531 sclass=netlink_route_socket
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.