====================================================== WARNING: possible circular locking dependency detected 4.14.284-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.4/12345 is trying to acquire lock: (&xt[i].mutex){+.+.}, at: [] xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232 but task is already holding lock: (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline] (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: audit: type=1800 audit(1656059506.379:9): pid=12354 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=14199 res=0 -> #1 (rtnl_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630 tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123 cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:685 __do_replace+0x38d/0x580 net/ipv6/netfilter/ip6_tables.c:1106 do_replace net/ipv6/netfilter/ip6_tables.c:1162 [inline] do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1688 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:937 tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2830 SYSC_setsockopt net/socket.c:1865 [inline] SyS_setsockopt+0x110/0x1e0 net/socket.c:1844 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb -> #0 (&xt[i].mutex){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232 xt_request_find_target net/netfilter/x_tables.c:261 [inline] xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254 ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45 __tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168 tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210 tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691 tcf_action_init+0x26d/0x400 net/sched/act_api.c:760 tcf_action_add net/sched/act_api.c:1088 [inline] tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610 kernel_sendpage net/socket.c:3407 [inline] sock_sendpage+0xdf/0x140 net/socket.c:871 pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x326/0x7a0 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] generic_splice_sendpage+0xc1/0x110 fs/splice.c:832 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1147 [inline] SYSC_splice fs/splice.c:1402 [inline] SyS_splice+0xd59/0x1380 fs/splice.c:1382 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(rtnl_mutex); lock(&xt[i].mutex); lock(rtnl_mutex); lock(&xt[i].mutex); *** DEADLOCK *** 2 locks held by syz-executor.4/12345: #0: (&pipe->mutex/1){+.+.}, at: [] pipe_lock_nested fs/pipe.c:82 [inline] #0: (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70 fs/pipe.c:90 #1: (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline] #1: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317 stack backtrace: CPU: 0 PID: 12345 Comm: syz-executor.4 Not tainted 4.14.284-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232 xt_request_find_target net/netfilter/x_tables.c:261 [inline] xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254 ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45 __tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168 tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210 tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691 tcf_action_init+0x26d/0x400 net/sched/act_api.c:760 tcf_action_add net/sched/act_api.c:1088 [inline] tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610 kernel_sendpage net/socket.c:3407 [inline] sock_sendpage+0xdf/0x140 net/socket.c:871 pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x326/0x7a0 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] generic_splice_sendpage+0xc1/0x110 fs/splice.c:832 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1147 [inline] SYSC_splice fs/splice.c:1402 [inline] SyS_splice+0xd59/0x1380 fs/splice.c:1382 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7f57ae3ee109 RSP: 002b:00007f57acd42168 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 00007f57ae501030 RCX: 00007f57ae3ee109 RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f57ae44805d R08: 000000000004ffe0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe60670c4f R14: 00007f57acd42300 R15: 0000000000022000 audit: type=1800 audit(1656059507.189:10): pid=12368 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="SYSV00000000" dev="hugetlbfs" ino=0 res=0 audit: type=1800 audit(1656059507.269:11): pid=12382 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=0 res=0 netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'. audit: type=1800 audit(1656059507.309:12): pid=12385 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="SYSV00000000" dev="hugetlbfs" ino=32768 res=0 audit: type=1800 audit(1656059507.459:13): pid=12402 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="SYSV00000000" dev="hugetlbfs" ino=65537 res=0 audit: type=1800 audit(1656059507.479:14): pid=12397 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.1" name="SYSV00000000" dev="hugetlbfs" ino=32768 res=0 audit: type=1800 audit(1656059508.149:15): pid=12427 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="SYSV00000000" dev="hugetlbfs" ino=98306 res=0 netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'. 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd 9pnet: Insufficient options for proto=fd netlink: 12 bytes leftover after parsing attributes in process `syz-executor.2'.