audit: type=1400 audit(1548475224.915:2833): avc:  denied  { read } for  pid=25551 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1548475225.075:2834): avc:  denied  { create } for  pid=25551 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
======================================================
[ INFO: possible circular locking dependency detected ]
4.4.171+ #12 Not tainted
-------------------------------------------------------
syz-executor5/25553 is trying to acquire lock:
 (&(&q->lock)->rlock){+.-...}, at: [<ffffffff823b9c1a>] spin_lock include/linux/spinlock.h:302 [inline]
 (&(&q->lock)->rlock){+.-...}, at: [<ffffffff823b9c1a>] ip_defrag+0x32a/0x3dd0 net/ipv4/ip_fragment.c:680

but task is already holding lock:
 (_xmit_NETROM){+.-...}, at: [<ffffffff822b1208>] spin_lock include/linux/spinlock.h:302 [inline]
 (_xmit_NETROM){+.-...}, at: [<ffffffff822b1208>] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
 (_xmit_NETROM){+.-...}, at: [<ffffffff822b1208>] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (_xmit_NETROM){+.-...}:
       [<ffffffff81205d5e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [<ffffffff8270dc72>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8270dc72>] mutex_lock_interruptible_nested+0xd2/0xce0 kernel/locking/mutex.c:650
       [<ffffffff825917e0>] unix_stream_sendpage+0x2f0/0x9e0 net/unix/af_unix.c:1978
       [<ffffffff821d79b5>] kernel_sendpage+0x95/0xf0 net/socket.c:3320
       [<ffffffff821d7a9b>] sock_sendpage+0x8b/0xc0 net/socket.c:793
       [<ffffffff81530afd>] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724
       [<ffffffff8153374e>] splice_from_pipe_feed fs/splice.c:776 [inline]
       [<ffffffff8153374e>] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901
       [<ffffffff815367c8>] splice_from_pipe+0x108/0x170 fs/splice.c:936
       [<ffffffff8153686c>] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109
       [<ffffffff81537911>] do_splice_from fs/splice.c:1128 [inline]
       [<ffffffff81537911>] do_splice fs/splice.c:1404 [inline]
       [<ffffffff81537911>] SYSC_splice fs/splice.c:1707 [inline]
       [<ffffffff81537911>] SyS_splice+0xd71/0x13a0 fs/splice.c:1690
       [<ffffffff82717fe1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

-> #0 (&(&q->lock)->rlock){+.-...}:
       [<ffffffff81202b76>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [<ffffffff81202b76>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [<ffffffff81202b76>] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [<ffffffff81202b76>] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
       [<ffffffff81205d5e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [<ffffffff827170f8>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
       [<ffffffff827170f8>] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151
       [<ffffffff823b9c1a>] spin_lock include/linux/spinlock.h:302 [inline]
       [<ffffffff823b9c1a>] ip_defrag+0x32a/0x3dd0 net/ipv4/ip_fragment.c:680
       [<ffffffff823bda96>] ip_check_defrag net/ipv4/ip_fragment.c:728 [inline]
       [<ffffffff823bda96>] ip_check_defrag+0x3d6/0x740 net/ipv4/ip_fragment.c:695
       [<ffffffff826df20e>] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
       [<ffffffff822441e8>] deliver_skb net/core/dev.c:1842 [inline]
       [<ffffffff822441e8>] dev_queue_xmit_nit net/core/dev.c:1898 [inline]
       [<ffffffff822441e8>] xmit_one net/core/dev.c:2777 [inline]
       [<ffffffff822441e8>] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797
       [<ffffffff822b1286>] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165
       [<ffffffff82246154>] __dev_xmit_skb net/core/dev.c:2979 [inline]
       [<ffffffff82246154>] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197
       [<ffffffff82246ff8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
       [<ffffffff823c56a2>] neigh_hh_output include/net/neighbour.h:486 [inline]
       [<ffffffff823c56a2>] dst_neigh_output include/net/dst.h:459 [inline]
       [<ffffffff823c56a2>] ip_finish_output2+0xbf2/0x1280 net/ipv4/ip_output.c:213
       [<ffffffff823c7d9c>] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635
       [<ffffffff823cbabb>] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505
       [<ffffffff823cbf29>] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286
       [<ffffffff823cf731>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
       [<ffffffff823cf731>] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347
       [<ffffffff823ccf5c>] dst_output include/net/dst.h:498 [inline]
       [<ffffffff823ccf5c>] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119
       [<ffffffff823d2d4e>] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453
       [<ffffffff82478bcd>] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842
       [<ffffffff8247938e>] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870
       [<ffffffff8248062e>] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183
       [<ffffffff824aa093>] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772
       [<ffffffff821d79b5>] kernel_sendpage+0x95/0xf0 net/socket.c:3320
       [<ffffffff821d7a9b>] sock_sendpage+0x8b/0xc0 net/socket.c:793
       [<ffffffff81530afd>] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724
       [<ffffffff8153374e>] splice_from_pipe_feed fs/splice.c:776 [inline]
       [<ffffffff8153374e>] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901
       [<ffffffff815367c8>] splice_from_pipe+0x108/0x170 fs/splice.c:936
       [<ffffffff8153686c>] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109
       [<ffffffff81537911>] do_splice_from fs/splice.c:1128 [inline]
       [<ffffffff81537911>] do_splice fs/splice.c:1404 [inline]
       [<ffffffff81537911>] SYSC_splice fs/splice.c:1707 [inline]
       [<ffffffff81537911>] SyS_splice+0xd71/0x13a0 fs/splice.c:1690
       [<ffffffff82717fe1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(_xmit_NETROM);
                               lock(&(&q->lock)->rlock);
                               lock(_xmit_NETROM);
  lock(&(&q->lock)->rlock);

 *** DEADLOCK ***

6 locks held by syz-executor5/25553:
 #0:  (&pipe->mutex/1){+.+.+.}, at: [<ffffffff814af493>] pipe_lock_nested fs/pipe.c:65 [inline]
 #0:  (&pipe->mutex/1){+.+.+.}, at: [<ffffffff814af493>] pipe_lock+0x63/0x80 fs/pipe.c:73
 #1:  (sk_lock-AF_INET){+.+.+.}, at: [<ffffffff824804b2>] lock_sock include/net/sock.h:1497 [inline]
 #1:  (sk_lock-AF_INET){+.+.+.}, at: [<ffffffff824804b2>] udp_sendpage+0x132/0x410 net/ipv4/udp.c:1160
 #2:  (rcu_read_lock_bh){......}, at: [<ffffffff823c4cbb>] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:193
 #3:  (rcu_read_lock_bh){......}, at: [<ffffffff82245607>] __dev_queue_xmit+0x1d7/0x1bb0 net/core/dev.c:3161
 #4:  (_xmit_NETROM){+.-...}, at: [<ffffffff822b1208>] spin_lock include/linux/spinlock.h:302 [inline]
 #4:  (_xmit_NETROM){+.-...}, at: [<ffffffff822b1208>] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
 #4:  (_xmit_NETROM){+.-...}, at: [<ffffffff822b1208>] sch_direct_xmit+0x238/0x700 net/sched/sch_generic.c:163
 #5:  (rcu_read_lock){......}, at: [<ffffffff82244013>] xmit_one net/core/dev.c:2776 [inline]
 #5:  (rcu_read_lock){......}, at: [<ffffffff82244013>] dev_hard_start_xmit+0xb3/0x11e0 net/core/dev.c:2797

stack backtrace:
CPU: 0 PID: 25553 Comm: syz-executor5 Not tainted 4.4.171+ #12
 0000000000000000 ad643d487c62a031 ffff8800838c6d70 ffffffff81aacd31
 ffffffff84057a80 ffff8801a5898000 ffffffff83af37c0 ffffffff83ad5520
 ffffffff83af37c0 ffff8800838c6dc0 ffffffff813abad4 ffff8800838c6ea0
Call Trace:
 [<ffffffff81aacd31>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aacd31>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff813abad4>] print_circular_bug.cold+0x2f7/0x44e kernel/locking/lockdep.c:1226
 [<ffffffff81202b76>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [<ffffffff81202b76>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [<ffffffff81202b76>] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [<ffffffff81202b76>] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
 [<ffffffff81205d5e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [<ffffffff827170f8>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
 [<ffffffff827170f8>] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151
 [<ffffffff823b9c1a>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff823b9c1a>] ip_defrag+0x32a/0x3dd0 net/ipv4/ip_fragment.c:680
 [<ffffffff823bda96>] ip_check_defrag net/ipv4/ip_fragment.c:728 [inline]
 [<ffffffff823bda96>] ip_check_defrag+0x3d6/0x740 net/ipv4/ip_fragment.c:695
 [<ffffffff826df20e>] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
 [<ffffffff822441e8>] deliver_skb net/core/dev.c:1842 [inline]
 [<ffffffff822441e8>] dev_queue_xmit_nit net/core/dev.c:1898 [inline]
 [<ffffffff822441e8>] xmit_one net/core/dev.c:2777 [inline]
 [<ffffffff822441e8>] dev_hard_start_xmit+0x288/0x11e0 net/core/dev.c:2797
 [<ffffffff822b1286>] sch_direct_xmit+0x2b6/0x700 net/sched/sch_generic.c:165
 [<ffffffff82246154>] __dev_xmit_skb net/core/dev.c:2979 [inline]
 [<ffffffff82246154>] __dev_queue_xmit+0xd24/0x1bb0 net/core/dev.c:3197
 [<ffffffff82246ff8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
 [<ffffffff823c56a2>] neigh_hh_output include/net/neighbour.h:486 [inline]
 [<ffffffff823c56a2>] dst_neigh_output include/net/dst.h:459 [inline]
 [<ffffffff823c56a2>] ip_finish_output2+0xbf2/0x1280 net/ipv4/ip_output.c:213
 [<ffffffff823c7d9c>] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635
 [<ffffffff823cbabb>] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505
 [<ffffffff823cbf29>] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286
 [<ffffffff823cf731>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff823cf731>] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347
 [<ffffffff823ccf5c>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff823ccf5c>] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119
 [<ffffffff823d2d4e>] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453
 [<ffffffff82478bcd>] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842
 [<ffffffff8247938e>] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870
 [<ffffffff8248062e>] udp_sendpage+0x2ae/0x410 net/ipv4/udp.c:1183
 [<ffffffff824aa093>] inet_sendpage+0x223/0x520 net/ipv4/af_inet.c:772
 [<ffffffff821d79b5>] kernel_sendpage+0x95/0xf0 net/socket.c:3320
 [<ffffffff821d7a9b>] sock_sendpage+0x8b/0xc0 net/socket.c:793
 [<ffffffff81530afd>] pipe_to_sendpage+0x28d/0x3d0 fs/splice.c:724
 [<ffffffff8153374e>] splice_from_pipe_feed fs/splice.c:776 [inline]
 [<ffffffff8153374e>] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901
 [<ffffffff815367c8>] splice_from_pipe+0x108/0x170 fs/splice.c:936
 [<ffffffff8153686c>] generic_splice_sendpage+0x3c/0x50 fs/splice.c:1109
 [<ffffffff81537911>] do_splice_from fs/splice.c:1128 [inline]
 [<ffffffff81537911>] do_splice fs/splice.c:1404 [inline]
 [<ffffffff81537911>] SYSC_splice fs/splice.c:1707 [inline]
 [<ffffffff81537911>] SyS_splice+0xd71/0x13a0 fs/splice.c:1690
 [<ffffffff82717fe1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
audit: type=1400 audit(1548475229.285:2835): avc:  denied  { create } for  pid=25648 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1548475229.385:2836): avc:  denied  { create } for  pid=25648 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1