BUG: sleeping function called from invalid context at net/core/sock.c:2772 in_atomic(): 1, irqs_disabled(): 0, pid: 502, name: kworker/u4:4 5 locks held by kworker/u4:4/502: #0: ((wq_completion)"%s""netns"){+.+.}, at: [<000000007aff6592>] process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084 #1: (net_cleanup_work){+.+.}, at: [<00000000db1ce350>] process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088 #2: (net_sem){++++}, at: [<000000003feb1f24>] cleanup_net+0x23f/0xd20 net/core/net_namespace.c:494 #3: (net_mutex){+.+.}, at: [<00000000ddbf0f3e>] cleanup_net+0xa7d/0xd20 net/core/net_namespace.c:496 #4: (&(&srv->idr_lock)->rlock){+...}, at: [<00000000007b218a>] spin_lock_bh include/linux/spinlock.h:315 [inline] #4: (&(&srv->idr_lock)->rlock){+...}, at: [<00000000007b218a>] tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685 CPU: 0 PID: 502 Comm: kworker/u4:4 Not tainted 4.16.0-rc1+ #232 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128 __might_sleep+0x95/0x190 kernel/sched/core.c:6081 lock_sock_nested+0x37/0x110 net/core/sock.c:2772 lock_sock include/net/sock.h:1463 [inline] tipc_release+0x103/0xff0 net/tipc/socket.c:572 sock_release+0x8d/0x1e0 net/socket.c:594 tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696 tipc_exit_net+0x15/0x40 net/tipc/core.c:96 ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148 cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529 process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113 worker_thread+0x223/0x1990 kernel/workqueue.c:2247 kthread+0x33c/0x400 kernel/kthread.c:238 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429 syz-executor5 uses obsolete (PF_INET,SOCK_PACKET) xt_connbytes: Forcing CT accounting to be enabled sctp: [Deprecated]: syz-executor0 (pid 5492) Use of int in max_burst socket option deprecated. Use struct sctp_assoc_value instead sctp: [Deprecated]: syz-executor0 (pid 5492) Use of int in max_burst socket option deprecated. Use struct sctp_assoc_value instead syz-executor1 (5486) used greatest stack depth: 15824 bytes left netlink: 'syz-executor5': attribute type 21 has an invalid length. netlink: 'syz-executor5': attribute type 21 has an invalid length. netlink: 'syz-executor6': attribute type 1 has an invalid length. netlink: 'syz-executor6': attribute type 1 has an invalid length. netlink: 'syz-executor6': attribute type 1 has an invalid length. netlink: 'syz-executor6': attribute type 1 has an invalid length. Cannot find set identified by id 1 to match Cannot find set identified by id 1 to match xt_l2tp: v2 tid > 0xffff: 4294967295 xt_l2tp: v2 tid > 0xffff: 4294967295 xt_connbytes: Forcing CT accounting to be enabled kauditd_printk_skb: 14 callbacks suppressed audit: type=1400 audit(1519063559.487:36): avc: denied { setopt } for pid=6157 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 x_tables: ip6_tables: TPROXY target: used from hooks OUTPUT, but only usable from PREROUTING netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. audit: type=1400 audit(1519063559.625:37): avc: denied { bind } for pid=6196 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. audit: type=1400 audit(1519063559.856:38): avc: denied { getattr } for pid=6238 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 openvswitch: netlink: Flow actions attr not present in new flow. audit: type=1400 audit(1519063559.901:39): avc: denied { read } for pid=6238 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 openvswitch: netlink: Flow actions attr not present in new flow. xt_CT: You must specify a L4 protocol, and not use inversions on it. xt_CT: You must specify a L4 protocol, and not use inversions on it. netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'. xt_limit: Overflow, try lower: 2147483648/8 kernel msg: ebtables bug: please report to author: bad policy netlink: 20 bytes leftover after parsing attributes in process `syz-executor5'. xt_l2tp: wrong L2TP version: 0 xt_l2tp: wrong L2TP version: 0 audit: type=1400 audit(1519063561.567:40): avc: denied { name_connect } for pid=6720 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1 xt_CT: You must specify a L4 protocol, and not use inversions on it. ====================================================== WARNING: possible circular locking dependency detected xt_CT: You must specify a L4 protocol, and not use inversions on it. 4.16.0-rc1+ #232 Tainted: G W ------------------------------------------------------ syz-executor7/6732 is trying to acquire lock: (rtnl_mutex){+.+.}, at: [<00000000d9564b58>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 but task is already holding lock: (&xt[i].mutex){+.+.}, at: [<000000003d946be9>] xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1046 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&xt[i].mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1046 xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1093 get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:989 do_ip6t_get_ctl+0x159/0xaf0 net/ipv6/netfilter/ip6_tables.c:1710 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline] nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122 ipv6_getsockopt+0x1df/0x2e0 net/ipv6/ipv6_sockglue.c:1371 tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359 sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2938 SYSC_getsockopt net/socket.c:1881 [inline] SyS_getsockopt+0x178/0x340 net/socket.c:1863 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b -> #1 (sk_lock-AF_INET6){+.+.}: lock_sock_nested+0xc2/0x110 net/core/sock.c:2781 lock_sock include/net/sock.h:1463 [inline] do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167 ipv6_setsockopt+0xd7/0x130 net/ipv6/ipv6_sockglue.c:922 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2979 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1829 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b -> #0 (rtnl_mutex){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673 tee_tg_destroy+0x61/0xc0 net/netfilter/xt_TEE.c:123 cleanup_entry+0x242/0x380 net/ipv6/netfilter/ip6_tables.c:673 __do_replace+0x7ac/0xa70 net/ipv6/netfilter/ip6_tables.c:1108 do_replace net/ipv6/netfilter/ip6_tables.c:1164 [inline] do_ip6t_set_ctl+0x40f/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0x10b/0x130 net/ipv6/ipv6_sockglue.c:927 dccp_setsockopt+0x85/0xd0 net/dccp/proto.c:576 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2979 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1829 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b other info that might help us debug this: Chain exists of: rtnl_mutex --> sk_lock-AF_INET6 --> &xt[i].mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&xt[i].mutex); lock(sk_lock-AF_INET6); lock(&xt[i].mutex); lock(rtnl_mutex); *** DEADLOCK *** 1 lock held by syz-executor7/6732: #0: (&xt[i].mutex){+.+.}, at: [<000000003d946be9>] xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1046 stack backtrace: CPU: 0 PID: 6732 Comm: syz-executor7 Tainted: G W 4.16.0-rc1+ #232 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223 check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1976 [inline] validate_chain kernel/locking/lockdep.c:2417 [inline] __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673 tee_tg_destroy+0x61/0xc0 net/netfilter/xt_TEE.c:123 cleanup_entry+0x242/0x380 net/ipv6/netfilter/ip6_tables.c:673 __do_replace+0x7ac/0xa70 net/ipv6/netfilter/ip6_tables.c:1108 do_replace net/ipv6/netfilter/ip6_tables.c:1164 [inline] do_ip6t_set_ctl+0x40f/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0x10b/0x130 net/ipv6/ipv6_sockglue.c:927 dccp_setsockopt+0x85/0xd0 net/dccp/proto.c:576 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2979 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1829 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x453d69 RSP: 002b:00007f7c9fa67c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007f7c9fa686d4 RCX: 0000000000453d69 RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013 RBP: 000000000072bf58 R08: 00000000000005b8 R09: 0000000000000000 R10: 000000002001d000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004d5 R14: 00000000006f7498 R15: 0000000000000001 xt_connbytes: Forcing CT accounting to be enabled device syz6 entered promiscuous mode device bridge0 entered promiscuous mode device bridge0 left promiscuous mode device bridge0 entered promiscuous mode device bridge0 left promiscuous mode kernel msg: ebtables bug: please report to author: bad policy kernel msg: ebtables bug: please report to author: bad policy xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables IPVS: length: 24 != 8 IPVS: length: 24 != 8 BUG: sleeping function called from invalid context at mm/slab.h:420 in_atomic(): 1, irqs_disabled(): 0, pid: 7100, name: syz-executor2 INFO: lockdep is turned off. CPU: 1 PID: 7100 Comm: syz-executor2 Tainted: G W 4.16.0-rc1+ #232 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128 __might_sleep+0x95/0x190 kernel/sched/core.c:6081 slab_pre_alloc_hook mm/slab.h:420 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc_trace+0x299/0x740 mm/slab.c:3605 kmalloc include/linux/slab.h:512 [inline] kzalloc include/linux/slab.h:701 [inline] rds_loop_conn_alloc+0xc8/0x380 net/rds/loop.c:126 __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227 rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309 rds_sendmsg+0xe63/0x2550 net/rds/send.c:1153 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xca/0x110 net/socket.c:639 SYSC_sendto+0x361/0x5c0 net/socket.c:1748 SyS_sendto+0x40/0x50 net/socket.c:1716 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x453d69 RSP: 002b:00007f9ba1099c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f9ba109a6d4 RCX: 0000000000453d69 RDX: 0000000000000000 RSI: 0000000020fc2000 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 000000002069affb R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004b9 R14: 00000000006f71f8 R15: 0000000000000000 Cannot find set identified by id 934 to match ipt_REJECT: TCP_RESET invalid for non-tcp ipt_REJECT: TCP_RESET invalid for non-tcp IPVS: length: 24 != 8 xt_connbytes: Forcing CT accounting to be enabled IPVS: length: 24 != 8 audit: type=1400 audit(1519063563.936:41): avc: denied { name_bind } for pid=7210 comm="syz-executor3" src=20012 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1 audit: type=1400 audit(1519063563.937:42): avc: denied { node_bind } for pid=7210 comm="syz-executor3" saddr=::1 src=20012 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket permissive=1 Cannot find set identified by id 6 to match IPv4: Oversized IP packet from 127.0.0.1 audit: type=1400 audit(1519063564.174:43): avc: denied { ioctl } for pid=7290 comm="syz-executor1" path="socket:[18367]" dev="sockfs" ino=18367 ioctlcmd=0x89a1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1 audit: type=1400 audit(1519063564.241:44): avc: denied { accept } for pid=7290 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1 validate_nla: 2 callbacks suppressed netlink: 'syz-executor4': attribute type 33 has an invalid length. netlink: 'syz-executor4': attribute type 33 has an invalid length. audit: type=1400 audit(1519063564.445:45): avc: denied { getopt } for pid=7370 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 xt_l2tp: v2 sid > 0xffff: 268435456 device bridge0 entered promiscuous mode xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables device bridge0 left promiscuous mode device bridge0 entered promiscuous mode device bridge0 left promiscuous mode Dead loop on virtual device ip6_vti0, fix it urgently! xt_CT: You must specify a L4 protocol, and not use inversions on it. device lo entered promiscuous mode xt_CT: You must specify a L4 protocol, and not use inversions on it. device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables do_dccp_setsockopt: sockopt(CHANGE_L/R) is deprecated: fix your app do_dccp_setsockopt: sockopt(CHANGE_L/R) is deprecated: fix your app sock: sock_set_timeout: `syz-executor7' (pid 7675) tries to set negative timeout sock: sock_set_timeout: `syz-executor7' (pid 7675) tries to set negative timeout netlink: 'syz-executor4': attribute type 1 has an invalid length. netlink: 'syz-executor4': attribute type 1 has an invalid length. netlink: 'syz-executor4': attribute type 1 has an invalid length. netlink: 'syz-executor4': attribute type 1 has an invalid length. syz5: FDB only supports static addresses syz5: FDB only supports static addresses SELinux: unrecognized netlink message: protocol=9 nlmsg_type=24 sclass=netlink_audit_socket pig=7890 comm=syz-executor5 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=24 sclass=netlink_audit_socket pig=7898 comm=syz-executor5 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=36 sclass=netlink_tcpdiag_socket pig=7904 comm=syz-executor4 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=36 sclass=netlink_tcpdiag_socket pig=7904 comm=syz-executor4 device syz2 entered promiscuous mode