netlink: 36 bytes leftover after parsing attributes in process `syz-executor4'.
======================================================
[ INFO: possible circular locking dependency detected ]
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=4835 sclass=netlink_xfrm_socket
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=4835 sclass=netlink_xfrm_socket
4.4.162+ #117 Not tainted
-------------------------------------------------------
syz-executor1/4461 is trying to acquire lock:
 (rtnl_mutex){+.+.+.}, at: [ 105.632436] audit: type=1400 audit(1540541235.673:13): avc: denied { setattr } for pid=4429 comm="syz-executor2" name="control" dev="tmpfs" ino=12901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tpm_device_t:s0 tclass=dir permissive=1
[] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70

but task is already holding lock:
 (sk_lock-AF_INET6){+.+.+.}, at: [] lock_sock include/net/sock.h:1493 [inline]
 (sk_lock-AF_INET6){+.+.+.}, at: [] do_ipv6_setsockopt.isra.4+0x252/0x2d50 net/ipv6/ipv6_sockglue.c:166

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

       [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [] lock_sock_nested+0xc6/0x120 net/core/sock.c:2459
       [] lock_sock include/net/sock.h:1493 [inline]
       [] do_ipv6_setsockopt.isra.4+0x1d2/0x2d50 net/ipv6/ipv6_sockglue.c:166
       [] ipv6_setsockopt+0x97/0x130 net/ipv6/ipv6_sockglue.c:904
       [] tcp_setsockopt+0x88/0xe0 net/ipv4/tcp.c:2643
       [] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2659
       [] SYSC_setsockopt net/socket.c:1780 [inline]
       [] SyS_setsockopt+0x166/0x260 net/socket.c:1759
       [] entry_SYSCALL_64_fastpath+0x1e/0x9a

       [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [] __lock_acquire+0x3e6c/0x5f10 kernel/locking/lockdep.c:3213
       [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [] mutex_lock_nested+0xbb/0x8d0 kernel/locking/mutex.c:621
       [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
       [] ipv6_sock_mc_close+0x10e/0x350 net/ipv6/mcast.c:288
       [] do_ipv6_setsockopt.isra.4+0xd07/0x2d50 net/ipv6/ipv6_sockglue.c:202
       [] ipv6_setsockopt+0x97/0x130 net/ipv6/ipv6_sockglue.c:904
       [] udpv6_setsockopt+0x4a/0x90 net/ipv6/udp.c:1436
       [] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2659
       [] SYSC_setsockopt net/socket.c:1780 [inline]
       [] SyS_setsockopt+0x166/0x260 net/socket.c:1759
       [] entry_SYSCALL_64_fastpath+0x1e/0x9a

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_INET6);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_INET6);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor1/4461:
 #0: (sk_lock-AF_INET6){+.+.+.}, at: [] lock_sock include/net/sock.h:1493 [inline]
 #0: (sk_lock-AF_INET6){+.+.+.}, at: [] do_ipv6_setsockopt.isra.4+0x252/0x2d50 net/ipv6/ipv6_sockglue.c:166

stack backtrace:
CPU: 0 PID: 4461 Comm: syz-executor1 Not tainted 4.4.162+ #117
 0000000000000000 5911eec383ab8f0d ffff8800a699f5a8 ffffffff81a994bd
 ffffffff83a85b10 ffffffff83ac48d0 ffffffff83a85b10 ffff8801d1ee67e8
 ffff8801d1ee5f00 ffff8800a699f5f0 ffffffff813a834a 0000000000000001
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_circular_bug.cold.34+0x2f7/0x432 kernel/locking/lockdep.c:1226
 [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [] __lock_acquire+0x3e6c/0x5f10 kernel/locking/lockdep.c:3213
 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_nested+0xbb/0x8d0 kernel/locking/mutex.c:621
 [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 [] ipv6_sock_mc_close+0x10e/0x350 net/ipv6/mcast.c:288
 [] do_ipv6_setsockopt.isra.4+0xd07/0x2d50 net/ipv6/ipv6_sockglue.c:202
 [] ipv6_setsockopt+0x97/0x130 net/ipv6/ipv6_sockglue.c:904
 [] udpv6_setsockopt+0x4a/0x90 net/ipv6/udp.c:1436
 [] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2659
 [] SYSC_setsockopt net/socket.c:1780 [inline]
 [] SyS_setsockopt+0x166/0x260 net/socket.c:1759
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a
audit: type=1400 audit(1540541236.283:14): avc: denied { relabelfrom } for pid=4429 comm="syz-executor2" name="control" dev="tmpfs" ino=12901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tpm_device_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1540541236.313:15): avc: denied { getattr } for pid=2115 comm="syz-executor2" path="/46/control" dev="tmpfs" ino=12901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tpm_device_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1540541236.363:16): avc: denied { read } for pid=2115 comm="syz-executor2" name="control" dev="tmpfs" ino=12901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tpm_device_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1540541236.403:17): avc: denied { open } for pid=2115 comm="syz-executor2" path="/46/control" dev="tmpfs" ino=12901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tpm_device_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1540541236.433:18): avc: denied { rmdir } for pid=2115 comm="syz-executor2" name="control" dev="tmpfs" ino=12901 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tpm_device_t:s0 tclass=dir permissive=1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=45 sclass=netlink_tcpdiag_socket
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=55681 sclass=netlink_xfrm_socket
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=55681 sclass=netlink_xfrm_socket
binder: binder_mmap: 4602 20ffd000-20fff000 bad vm_flags failed -1
binder: 4602:4605 got reply transaction with no transaction stack
binder: 4602:4605 transaction failed 29201/-71, size 32-32 line 2922
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=45 sclass=netlink_tcpdiag_socket
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4602:4605 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: binder_mmap: 4602 20ffd000-20fff000 bad vm_flags failed -1
binder: 4602:4616 ioctl 40046207 0 returned -16
binder: 4602:4618 got reply transaction with no transaction stack
binder: 4602:4618 transaction failed 29201/-71, size 32-32 line 2922
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=63651 sclass=netlink_xfrm_socket
syz-executor4 uses obsolete (PF_INET,SOCK_PACKET)
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=16741 sclass=netlink_xfrm_socket
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=16741 sclass=netlink_xfrm_socket
device lo entered promiscuous mode
audit: type=1400 audit(1540541240.313:19): avc: denied { write } for pid=4956 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
device lo left promiscuous mode
device lo entered promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1326 audit(1540541241.103:20): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5017 comm="syz-executor2" exe="/root/syz-executor2" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45a3ca code=0x0
audit: type=1326 audit(1540541241.903:21): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5017 comm="syz-executor2" exe="/root/syz-executor2" sig=31 arch=c000003e syscall=228 compat=0 ip=0x45a3ca code=0x0
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
capability: warning: `syz-executor0' uses 32-bit capabilities (legacy support in use)
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
rtc rtc0: __rtc_set_alarm: err=-22
netlink: 36 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1400 audit(1540541243.973:22): avc: denied { relabelto } for pid=5255 comm="syz-executor4" name="UNIX" dev="sockfs" ino=15532 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_unit_file_t:s0 tclass=unix_stream_socket permissive=1