audit: type=1400 audit(1548475224.915:2833): avc: denied { read } for pid=25551 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1548475225.075:2834): avc: denied { create } for pid=25551 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 ====================================================== [ INFO: possible circular locking dependency detected ] 4.4.171+ #12 Not tainted ------------------------------------------------------- syz-executor5/25553 is trying to acquire lock: (&(&q->lock)->rlock){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x32a/0x3dd0 net/ipv4/ip_fragment.c:680 but task is already holding lock: (_xmit_NETROM){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] (_xmit_NETROM){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3306 [inline] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (_xmit_NETROM){+.-...}: [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_interruptible_nested+0xd2/0xce0 kernel/locking/mutex.c:650 [] unix_stream_sendpage+0x2f0/0x9e0 net/unix/af_unix.c:1978 [] kernel_sendpage+0x95/0xf0 net/socket.c:3320 [] sock_sendpage+0x8b/0xc0 net/socket.c:793 [] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724 [] splice_from_pipe_feed fs/splice.c:776 [inline] [] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901 [] splice_from_pipe+0x108/0x170 fs/splice.c:936 [] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109 [] do_splice_from fs/splice.c:1128 [inline] [] do_splice fs/splice.c:1404 [inline] [] SYSC_splice fs/splice.c:1707 [inline] [] SyS_splice+0xd71/0x13a0 fs/splice.c:1690 [] entry_SYSCALL_64_fastpath+0x1e/0x9a -> #0 (&(&q->lock)->rlock){+.-...}: [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] ip_defrag+0x32a/0x3dd0 net/ipv4/ip_fragment.c:680 [] ip_check_defrag net/ipv4/ip_fragment.c:728 [inline] [] ip_check_defrag+0x3d6/0x740 net/ipv4/ip_fragment.c:695 [] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458 [] deliver_skb net/core/dev.c:1842 [inline] [] dev_queue_xmit_nit net/core/dev.c:1898 [inline] [] xmit_one net/core/dev.c:2777 [inline] [] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797 [] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165 [] __dev_xmit_skb net/core/dev.c:2979 [inline] [] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263 [] neigh_hh_output include/net/neighbour.h:486 [inline] [] dst_neigh_output include/net/dst.h:459 [inline] [] ip_finish_output2+0xbf2/0x1280 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635 [] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505 [] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842 [] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870 [] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183 [] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772 [] kernel_sendpage+0x95/0xf0 net/socket.c:3320 [] sock_sendpage+0x8b/0xc0 net/socket.c:793 [] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724 [] splice_from_pipe_feed fs/splice.c:776 [inline] [] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901 [] splice_from_pipe+0x108/0x170 fs/splice.c:936 [] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109 [] do_splice_from fs/splice.c:1128 [inline] [] do_splice fs/splice.c:1404 [inline] [] SYSC_splice fs/splice.c:1707 [inline] [] SyS_splice+0xd71/0x13a0 fs/splice.c:1690 [] entry_SYSCALL_64_fastpath+0x1e/0x9a other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(_xmit_NETROM); lock(&(&q->lock)->rlock); lock(_xmit_NETROM); lock(&(&q->lock)->rlock); *** DEADLOCK *** 6 locks held by syz-executor5/25553: #0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock_nested fs/pipe.c:65 [inline] #0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x63/0x80 fs/pipe.c:73 #1: (sk_lock-AF_INET){+.+.+.}, at: [] lock_sock include/net/sock.h:1497 [inline] #1: (sk_lock-AF_INET){+.+.+.}, at: [] udp_sendpage+0x132/0x410 net/ipv4/udp.c:1160 #2: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:193 #3: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1bb0 net/core/dev.c:3161 #4: (_xmit_NETROM){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] #4: (_xmit_NETROM){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3306 [inline] #4: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163 #5: (rcu_read_lock){......}, at: [] xmit_one net/core/dev.c:2776 [inline] #5: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xb3/0x11e0 net/core/dev.c:2797 stack backtrace: CPU: 0 PID: 25553 Comm: syz-executor5 Not tainted 4.4.171+ #12 0000000000000000 ad643d487c62a031 ffff8800838c6d70 ffffffff81aacd31 ffffffff84057a80 ffff8801a5898000 ffffffff83af37c0 ffffffff83ad5520 ffffffff83af37c0 ffff8800838c6dc0 ffffffff813abad4 ffff8800838c6ea0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_circular_bug.cold+0x2f7/0x44e kernel/locking/lockdep.c:1226 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] ip_defrag+0x32a/0x3dd0 net/ipv4/ip_fragment.c:680 [] ip_check_defrag net/ipv4/ip_fragment.c:728 [inline] [] ip_check_defrag+0x3d6/0x740 net/ipv4/ip_fragment.c:695 [] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458 [] deliver_skb net/core/dev.c:1842 [inline] [] dev_queue_xmit_nit net/core/dev.c:1898 [inline] [] xmit_one net/core/dev.c:2777 [inline] [] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797 [] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165 [] __dev_xmit_skb net/core/dev.c:2979 [inline] [] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263 [] neigh_hh_output include/net/neighbour.h:486 [inline] [] dst_neigh_output include/net/dst.h:459 [inline] [] ip_finish_output2+0xbf2/0x1280 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635 [] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505 [] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842 [] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870 [] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183 [] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772 [] kernel_sendpage+0x95/0xf0 net/socket.c:3320 [] sock_sendpage+0x8b/0xc0 net/socket.c:793 [] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724 [] splice_from_pipe_feed fs/splice.c:776 [inline] [] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901 [] splice_from_pipe+0x108/0x170 fs/splice.c:936 [] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109 [] do_splice_from fs/splice.c:1128 [inline] [] do_splice fs/splice.c:1404 [inline] [] SYSC_splice fs/splice.c:1707 [inline] [] SyS_splice+0xd71/0x13a0 fs/splice.c:1690 [] entry_SYSCALL_64_fastpath+0x1e/0x9a audit: type=1400 audit(1548475229.285:2835): avc: denied { create } for pid=25648 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1548475229.385:2836): avc: denied { create } for pid=25648 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1