====================================================== WARNING: possible circular locking dependency detected 4.14.232-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.5/21204 is trying to acquire lock: (&table[i].mutex){+.+.}, at: [] ip_set_nfnl_put+0x11a/0x310 net/netfilter/ipset/ip_set_core.c:732 but task is already holding lock: (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&xt[i].mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 match_revfn+0x43/0x210 net/netfilter/x_tables.c:332 xt_find_revision+0x8d/0x1d0 net/netfilter/x_tables.c:380 nfnl_compat_get+0x1f7/0x870 net/netfilter/nft_compat.c:678 nfnetlink_rcv_msg+0x9bb/0xc00 net/netfilter/nfnetlink.c:214 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433 nfnetlink_rcv+0x1ab/0x1da0 net/netfilter/nfnetlink.c:515 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313 netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062 __sys_sendmsg+0xa3/0x120 net/socket.c:2096 SYSC_sendmsg net/socket.c:2107 [inline] SyS_sendmsg+0x27/0x40 net/socket.c:2103 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb -> #0 (&table[i].mutex){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 ip_set_nfnl_put+0x11a/0x310 net/netfilter/ipset/ip_set_core.c:732 set_target_v1_destroy+0xd7/0x150 net/netfilter/xt_set.c:392 cleanup_entry+0x1fd/0x2d0 net/ipv4/netfilter/ip_tables.c:666 __do_replace+0x38d/0x570 net/ipv4/netfilter/ip_tables.c:1086 do_replace net/ipv4/netfilter/ip_tables.c:1142 [inline] do_ipt_set_ctl+0x256/0x3a0 net/ipv4/netfilter/ip_tables.c:1676 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115 ip_setsockopt net/ipv4/ip_sockglue.c:1255 [inline] ip_setsockopt+0x94/0xb0 net/ipv4/ip_sockglue.c:1240 udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2452 SYSC_setsockopt net/socket.c:1865 [inline] SyS_setsockopt+0x110/0x1e0 net/socket.c:1844 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&xt[i].mutex); lock(&table[i].mutex); lock(&xt[i].mutex); lock(&table[i].mutex); *** DEADLOCK *** 1 lock held by syz-executor.5/21204: #0: (&xt[i].mutex){+.+.}, at: [] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088 stack backtrace: CPU: 0 PID: 21204 Comm: syz-executor.5 Not tainted 4.14.232-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 ip_set_nfnl_put+0x11a/0x310 net/netfilter/ipset/ip_set_core.c:732 set_target_v1_destroy+0xd7/0x150 net/netfilter/xt_set.c:392 cleanup_entry+0x1fd/0x2d0 net/ipv4/netfilter/ip_tables.c:666 __do_replace+0x38d/0x570 net/ipv4/netfilter/ip_tables.c:1086 do_replace net/ipv4/netfilter/ip_tables.c:1142 [inline] do_ipt_set_ctl+0x256/0x3a0 net/ipv4/netfilter/ip_tables.c:1676 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115 ip_setsockopt net/ipv4/ip_sockglue.c:1255 [inline] ip_setsockopt+0x94/0xb0 net/ipv4/ip_sockglue.c:1240 udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2452 SYSC_setsockopt net/socket.c:1865 [inline] SyS_setsockopt+0x110/0x1e0 net/socket.c:1844 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x4665d9 RSP: 002b:00007f0e0e7ca188 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 000000000056c008 RCX: 00000000004665d9 RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00000000004bfcb9 R08: 0000000000000260 R09: 0000000000000000 R10: 0000000020000c40 R11: 0000000000000246 R12: 000000000056c008 R13: 00007ffec844df0f R14: 00007f0e0e7ca300 R15: 0000000000022000 ip_tables: iptables: counters copy to user failed while replacing table ip_tables: iptables: counters copy to user failed while replacing table ip_tables: iptables: counters copy to user failed while replacing table ip_tables: iptables: counters copy to user failed while replacing table input: syz0 as /devices/virtual/input/input28 input: syz0 as /devices/virtual/input/input29 input: syz0 as /devices/virtual/input/input30 netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'. input: syz0 as /devices/virtual/input/input32 PF_BRIDGE: RTM_SETLINK with unknown ifindex input: syz0 as /devices/virtual/input/input33 netlink: 16 bytes leftover after parsing attributes in process `syz-executor.5'. input: syz0 as /devices/virtual/input/input36 netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'. input: syz0 as /devices/virtual/input/input38 netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'. input: syz0 as /devices/virtual/input/input41 input: syz0 as /devices/virtual/input/input43 audit: type=1400 audit(1621216234.560:74): apparmor="DENIED" operation="change_hat" info="unconfined can not change_hat" error=-1 profile="unconfined" pid=21759 comm="syz-executor.1" netlink: 16 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.1'. AppArmor: change_hat: Invalid input, NULL hat and NULL magic input: syz0 as /devices/virtual/input/input46 input: syz0 as /devices/virtual/input/input47 nla_parse: 3 callbacks suppressed netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'. new mount options do not match the existing superblock, will be ignored new mount options do not match the existing superblock, will be ignored new mount options do not match the existing superblock, will be ignored new mount options do not match the existing superblock, will be ignored new mount options do not match the existing superblock, will be ignored audit: type=1326 audit(1621216238.480:75): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=22317 comm="syz-executor.3" exe="/root/syz-executor.3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4665d9 code=0x0 audit: type=1326 audit(1621216238.520:76): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=22317 comm="syz-executor.3" exe="/root/syz-executor.3" sig=31 arch=c000003e syscall=3 compat=0 ip=0x4193eb code=0x0