============================================= [ INFO: possible recursive locking detected ] 4.9.148+ #3 Not tainted --------------------------------------------- syz-executor0/5021 is trying to acquire lock: (_xmit_TUNNEL6#2){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] (_xmit_TUNNEL6#2){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3570 [inline] (_xmit_TUNNEL6#2){+.-...}, at: [] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469 but task is already holding lock: (_xmit_TUNNEL6#2){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] (_xmit_TUNNEL6#2){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3570 [inline] (_xmit_TUNNEL6#2){+.-...}, at: [] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(_xmit_TUNNEL6#2); lock(_xmit_TUNNEL6#2); *** DEADLOCK *** input: syz1 as /devices/virtual/input/input37 May be due to missing lock nesting notation 6 locks held by syz-executor0/5021: #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:198 #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d4/0x1bd0 net/core/dev.c:3407 #2: (_xmit_TUNNEL6#2){+.-...}, at: [] spin_lock include/linux/spinlock.h:302 [inline] #2: (_xmit_TUNNEL6#2){+.-...}, at: [] __netif_tx_lock include/linux/netdevice.h:3570 [inline] #2: (_xmit_TUNNEL6#2){+.-...}, at: [] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469 #3: (slock-AF_INET){+.-...}, at: [] spin_trylock include/linux/spinlock.h:312 [inline] #3: (slock-AF_INET){+.-...}, at: [] icmp_xmit_lock net/ipv4/icmp.c:220 [inline] #3: (slock-AF_INET){+.-...}, at: [] icmp_send+0x484/0x1410 net/ipv4/icmp.c:655 #4: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:198 #5: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d4/0x1bd0 net/core/dev.c:3407 stack backtrace: CPU: 0 PID: 5021 Comm: syz-executor0 Not tainted 4.9.148+ #3 ffff8801732ee600 ffffffff81b456e1 ffffffff8424cd80 ffffffff83ccc510 ffffffff83ccc510 f5fec735e74a353d ffff88019f4f17c0 ffff8801732ee7a0 ffffffff81400f5c 0000000000000005 ffff88019f4f17c0 ffff8801732ee7c0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_deadlock_bug kernel/locking/lockdep.c:1727 [inline] [] check_deadlock kernel/locking/lockdep.c:1771 [inline] [] validate_chain kernel/locking/lockdep.c:2249 [inline] [] __lock_acquire.cold+0x384/0x734 kernel/locking/lockdep.c:3345 [] lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3756 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] __netif_tx_lock include/linux/netdevice.h:3570 [inline] [] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469 audit: type=1400 audit(2000000266.694:179): avc: denied { ioctl } for pid=5016 comm="syz-executor5" path="socket:[183630]" dev="sockfs" ino=183630 ioctlcmd=0x89a0 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506 [] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1365 [] dst_neigh_output include/net/dst.h:470 [inline] [] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:225 [] ip_finish_output+0x3c4/0xce0 net/ipv4/ip_output.c:313 [] NF_HOOK_COND include/linux/netfilter.h:246 [inline] [] ip_output+0x1ec/0x5b0 net/ipv4/ip_output.c:401 [] dst_output include/net/dst.h:507 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:124 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1489 [] ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1509 [] icmp_push_reply+0x39e/0x510 net/ipv4/icmp.c:381 [] icmp_send+0xacf/0x1410 net/ipv4/icmp.c:727 [] ipv4_link_failure+0x29/0x1d0 net/ipv4/route.c:1178 [] dst_link_failure include/net/dst.h:490 [inline] [] vti6_xmit net/ipv6/ip6_vti.c:521 [inline] [] vti6_tnl_xmit+0xb03/0x17e0 net/ipv6/ip6_vti.c:560 [] __netdev_start_xmit include/linux/netdevice.h:4069 [inline] [] netdev_start_xmit include/linux/netdevice.h:4078 [inline] [] xmit_one net/core/dev.c:2977 [inline] [] dev_hard_start_xmit+0x195/0x8b0 net/core/dev.c:2993 [] __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506 [] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1365 [] dst_neigh_output include/net/dst.h:470 [inline] [] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:225 [] ip_finish_output+0x3c4/0xce0 net/ipv4/ip_output.c:313 [] NF_HOOK_COND include/linux/netfilter.h:246 [inline] [] ip_output+0x1ec/0x5b0 net/ipv4/ip_output.c:401 [] dst_output include/net/dst.h:507 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:124 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1489 [] udp_send_skb+0x4fc/0xc60 net/ipv4/udp.c:833 [] udp_sendmsg+0x1634/0x1c60 net/ipv4/udp.c:1057 [] udpv6_sendmsg+0x12af/0x2430 net/ipv6/udp.c:1086 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:770 [] sock_sendmsg_nosec net/socket.c:648 [inline] [] sock_sendmsg+0xbe/0x110 net/socket.c:658 [] ___sys_sendmsg+0x387/0x8b0 net/socket.c:1982 [] __sys_sendmmsg+0x164/0x3d0 net/socket.c:2072 [] SYSC_sendmmsg net/socket.c:2103 [inline] [] SyS_sendmmsg+0x35/0x60 net/socket.c:2098 [] do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb audit: type=1400 audit(2000000267.448:180): avc: denied { write } for pid=5062 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1