ip6_tunnel:  xmit: Local address not yet configured!
netlink: 54 bytes leftover after parsing attributes in process `syz-executor.3'.

======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #1 Not tainted
-------------------------------------------------------
syz-executor.0/15378 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.+.}, at: [] lock_trace+0x44/0xc0 fs/proc/base.c:431

but task is already holding lock:
 (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x12d0 fs/seq_file.c:178

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&p->lock){+.+.+.}:
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       seq_read+0xdd/0x12d0 fs/seq_file.c:178
       proc_reg_read+0xfd/0x180 fs/proc/inode.c:203
       do_loop_readv_writev.part.1+0xd5/0x280 fs/read_write.c:718
       do_loop_readv_writev fs/read_write.c:707 [inline]
       do_readv_writev+0x56e/0x7b0 fs/read_write.c:873
       vfs_readv+0x84/0xc0 fs/read_write.c:897
       kernel_readv fs/splice.c:363 [inline]
       default_file_splice_read+0x451/0x7f0 fs/splice.c:435
       do_splice_to+0x10c/0x170 fs/splice.c:899
       do_splice fs/splice.c:1192 [inline]
       SYSC_splice fs/splice.c:1416 [inline]
       SyS_splice+0x10d2/0x14d0 fs/splice.c:1399
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

-> #1 (&pipe->mutex/1){+.+.+.}:
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       __pipe_lock fs/pipe.c:87 [inline]
       fifo_open+0x15c/0x9e0 fs/pipe.c:921
       do_dentry_open+0x3ef/0xc90 fs/open.c:766
       vfs_open+0x11c/0x210 fs/open.c:879
       do_last fs/namei.c:3410 [inline]
       path_openat+0x542/0x2790 fs/namei.c:3534
       do_filp_open+0x197/0x270 fs/namei.c:3568
       do_open_execat+0x10f/0x640 fs/exec.c:844
       do_execveat_common.isra.14+0x687/0x1ed0 fs/exec.c:1723
       do_execve fs/exec.c:1829 [inline]
       SYSC_execve fs/exec.c:1910 [inline]
       SyS_execve+0x42/0x50 fs/exec.c:1905
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

-> #0 (&sig->cred_guard_mutex){+.+.+.}:
       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_killable_nested+0xcc/0x9f0 kernel/locking/mutex.c:641
       lock_trace+0x44/0xc0 fs/proc/base.c:431
       proc_pid_syscall+0xa9/0x260 fs/proc/base.c:663
       proc_single_show+0xfd/0x170 fs/proc/base.c:785
       seq_read+0x4b6/0x12d0 fs/seq_file.c:240
       do_loop_readv_writev.part.1+0xd5/0x280 fs/read_write.c:718
       do_loop_readv_writev fs/read_write.c:707 [inline]
       do_readv_writev+0x56e/0x7b0 fs/read_write.c:873
       vfs_readv+0x84/0xc0 fs/read_write.c:897
       kernel_readv fs/splice.c:363 [inline]
       default_file_splice_read+0x451/0x7f0 fs/splice.c:435
       do_splice_to+0x10c/0x170 fs/splice.c:899
       splice_direct_to_actor+0x23f/0x7e0 fs/splice.c:971
       do_splice_direct+0x1a3/0x270 fs/splice.c:1080
       do_sendfile+0x4f0/0xc30 fs/read_write.c:1393
       SYSC_sendfile64 fs/read_write.c:1454 [inline]
       SyS_sendfile64+0x144/0x160 fs/read_write.c:1440
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

Chain exists of:
  &sig->cred_guard_mutex --> &pipe->mutex/1 --> &p->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&p->lock);
                               lock(&pipe->mutex/1);
                               lock(&p->lock);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

2 locks held by syz-executor.0/15378:
 #0:  (sb_writers#7){.+.+.+}, at: [] file_start_write include/linux/fs.h:2640 [inline]
 #0:  (sb_writers#7){.+.+.+}, at: [] do_sendfile+0xa80/0xc30 fs/read_write.c:1392
 #1:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x12d0 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 15378 Comm: syz-executor.0 Not tainted 4.9.141+ #1
 ffff8801cd736e38 ffffffff81b42e79 ffffffff83caa0e0 ffffffff83ca4e30
 ffffffff83ca2fd0 ffff8801cbffa0b8 ffff8801cbff97c0 ffff8801cd736e80
 ffffffff813fee40 0000000000000002 00000000cbffa098 0000000000000002
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
 [] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_killable_nested+0xcc/0x9f0 kernel/locking/mutex.c:641
 [] lock_trace+0x44/0xc0 fs/proc/base.c:431
 [] proc_pid_syscall+0xa9/0x260 fs/proc/base.c:663
 [] proc_single_show+0xfd/0x170 fs/proc/base.c:785
 [] seq_read+0x4b6/0x12d0 fs/seq_file.c:240
 [] do_loop_readv_writev.part.1+0xd5/0x280 fs/read_write.c:718
 [] do_loop_readv_writev fs/read_write.c:707 [inline]
 [] do_readv_writev+0x56e/0x7b0 fs/read_write.c:873
 [] vfs_readv+0x84/0xc0 fs/read_write.c:897
 [] kernel_readv fs/splice.c:363 [inline]
 [] default_file_splice_read+0x451/0x7f0 fs/splice.c:435
 [] do_splice_to+0x10c/0x170 fs/splice.c:899
 [] splice_direct_to_actor+0x23f/0x7e0 fs/splice.c:971
 [] do_splice_direct+0x1a3/0x270 fs/splice.c:1080
 [] do_sendfile+0x4f0/0xc30 fs/read_write.c:1393
 [] SYSC_sendfile64 fs/read_write.c:1454 [inline]
 [] SyS_sendfile64+0x144/0x160 fs/read_write.c:1440
 [] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
netlink: 32 bytes leftover after parsing attributes in process `syz-executor.5'.
ip6_tunnel:  xmit: Local address not yet configured!
audit: type=1400 audit(1574600284.615:182): avc: denied { create } for pid=15418 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_scsitransport_socket permissive=1
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
IPv6: ADDRCONF(NETDEV_CHANGE): ip_vti0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): ip_vti0: link becomes ready
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
IPv6: ADDRCONF(NETDEV_CHANGE): ip_vti0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): ip_vti0: link becomes ready
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
device lo entered promiscuous mode
device ip_vti0 entered promiscuous mode
device ip6_vti0 entered promiscuous mode
device sit0 entered promiscuous mode
device ip6tnl0 entered promiscuous mode
device syz_tun entered promiscuous mode
device sit1 entered promiscuous mode
device vlan0 entered promiscuous mode
device vti0 entered promiscuous mode
device sit2 entered promiscuous mode
device vti1 entered promiscuous mode
device vti2 entered promiscuous mode
device vti3 entered promiscuous mode
device vti4 entered promiscuous mode
device sit3 entered promiscuous mode
device sit4 entered promiscuous mode
device sit5 entered promiscuous mode
device sit6 entered promiscuous mode
device sit7 entered promiscuous mode
device vti5 entered promiscuous mode
device sit8 entered promiscuous mode
device sit9 entered promiscuous mode
device sit10 entered promiscuous mode
device sit11 entered promiscuous mode
device vti6 entered promiscuous mode
device sit12 entered promiscuous mode
device sit13 entered promiscuous mode
device sit14 entered promiscuous mode
device sit15 entered promiscuous mode
device sit16 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): ip_vti0: link becomes ready
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
ip6_tunnel:  xmit: Local address not yet configured!
audit: type=1400 audit(1574600288.805:183): avc: denied { getopt } for pid=15582 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): ip_vti0: link becomes ready
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
input: syz1 as /devices/virtual/input/input54
device lo left promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
qtaguid: iface_stat: create(lo): no inet dev
input: syz1 as /devices/virtual/input/input55
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo entered promiscuous mode
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
binder: 15664:15666 got transaction with invalid offset (274877906944, min 0 max 88) or object.
binder: 15664:15666 transaction failed 29201/-22, size 88-24 line 3199
ip6_tunnel:  xmit: Local address not yet configured!
binder: 15664:15666 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 15664:15666 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15664:15680 got transaction with invalid offset (274877906944, min 0 max 88) or object.
binder: 15664:15680 transaction failed 29201/-22, size 88-24 line 3199
audit: type=1400 audit(1574600291.145:184): avc: denied { transfer } for pid=15664 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 15664:15680 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 15664:15680 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 15664:15666 got transaction with invalid offset (0, min 24 max 88) or object.
binder: 15664:15666 transaction failed 29201/-22, size 88-24 line 3199
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
tc_dump_action: action bad kind
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
ip6_tunnel:  xmit: Local address not yet configured!
tc_dump_action: action bad kind
input: syz0 as /devices/virtual/input/input56
selinux_nlmsg_perm: 2712 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=43595 sclass=netlink_route_socket pig=15809 comm=syz-executor.4
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=15852 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=15852 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=15852 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=15852 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=15852 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=15852 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=15852 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=15852 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=15852 comm=syz-executor.1