netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
======================================================
WARNING: possible circular locking dependency detected
4.14.281-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/13903 is trying to acquire lock:
 (&xt[i].mutex){+.+.}, at: [] xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232

but task is already holding lock:
 (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline]
 (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (rtnl_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
       tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
       cleanup_entry+0x1fd/0x2d0 net/ipv4/netfilter/ip_tables.c:666
       __do_replace+0x38d/0x570 net/ipv4/netfilter/ip_tables.c:1086
       do_replace net/ipv4/netfilter/ip_tables.c:1142 [inline]
       do_ipt_set_ctl+0x256/0x3a0 net/ipv4/netfilter/ip_tables.c:1676
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
       ip_setsockopt net/ipv4/ip_sockglue.c:1255 [inline]
       ip_setsockopt+0x94/0xb0 net/ipv4/ip_sockglue.c:1240
       udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2455
       SYSC_setsockopt net/socket.c:1865 [inline]
       SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&xt[i].mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232
       xt_request_find_target net/netfilter/x_tables.c:261 [inline]
       xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254
       ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45
       __tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168
       tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210
       tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691
       tcf_action_init+0x26d/0x400 net/sched/act_api.c:760
       tcf_action_add net/sched/act_api.c:1088 [inline]
       tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140
       rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322
       netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
       netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
       netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
       netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
       sock_sendmsg_nosec net/socket.c:646 [inline]
       sock_sendmsg+0xb5/0x100 net/socket.c:656
       sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610
       kernel_sendpage net/socket.c:3407 [inline]
       sock_sendpage+0xdf/0x140 net/socket.c:871
       pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451
       splice_from_pipe_feed fs/splice.c:502 [inline]
       __splice_from_pipe+0x326/0x7a0 fs/splice.c:626
       splice_from_pipe fs/splice.c:661 [inline]
       generic_splice_sendpage+0xc1/0x110 fs/splice.c:832
       do_splice_from fs/splice.c:851 [inline]
       do_splice fs/splice.c:1147 [inline]
       SYSC_splice fs/splice.c:1402 [inline]
       SyS_splice+0xd59/0x1380 fs/splice.c:1382
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&xt[i].mutex);
                               lock(rtnl_mutex);
  lock(&xt[i].mutex);

 *** DEADLOCK ***

2 locks held by syz-executor.3/13903:
 #0:  (&pipe->mutex/1){+.+.}, at: [] pipe_lock_nested fs/pipe.c:82 [inline]
 #0:  (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70 fs/pipe.c:90
 #1:  (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline]
 #1:  (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317

stack backtrace:
CPU: 0 PID: 13903 Comm: syz-executor.3 Not tainted 4.14.281-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232
 xt_request_find_target net/netfilter/x_tables.c:261 [inline]
 xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254
 ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45
 __tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168
 tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210
 tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691
 tcf_action_init+0x26d/0x400 net/sched/act_api.c:760
 tcf_action_add net/sched/act_api.c:1088 [inline]
 tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610
 kernel_sendpage net/socket.c:3407 [inline]
 sock_sendpage+0xdf/0x140 net/socket.c:871
 pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x326/0x7a0 fs/splice.c:626
 splice_from_pipe fs/splice.c:661 [inline]
 generic_splice_sendpage+0xc1/0x110 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0xd59/0x1380 fs/splice.c:1382
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fe21976d109
RSP: 002b:00007fe2180c1168 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fe219880030 RCX: 00007fe21976d109
RDX: 000000000000000c RSI: 0000000000000000 RDI: 0000000000000008
RBP: 00007fe2197c708d R08: 000000000004ffe0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff0df37e3f R14: 00007fe2180c1300 R15: 0000000000022000
EXT4-fs error (device loop1): ext4_quota_enable:5739: comm syz-executor.1: Bad quota inode # 3
EXT4-fs warning (device loop1): ext4_enable_quotas:5779: Failed to enable quota tracking (type=-1, err=-116). Please run e2fsck to fix.
FAT-fs (loop2): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
EXT4-fs (loop1): mount failed
SQUASHFS error: zstd decompression error: 2
SQUASHFS error: zstd decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x4ec
SQUASHFS error: Unable to read metadata cache entry [4ec]
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
MINIX-fs: bad superblock
SQUASHFS error: Unable to read inode 0x40126
EXT4-fs error (device loop1): ext4_quota_enable:5739: comm syz-executor.1: Bad quota inode # 3
EXT4-fs warning (device loop1): ext4_enable_quotas:5779: Failed to enable quota tracking (type=-1, err=-116). Please run e2fsck to fix.
SQUASHFS error: zstd decompression error: 2
SQUASHFS error: zstd decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x4ec
SQUASHFS error: Unable to read metadata cache entry [4ec]
SQUASHFS error: Unable to read inode 0x40126
EXT4-fs (loop1): mount failed
SQUASHFS error: zstd decompression error: 2
SQUASHFS error: zstd decompression failed, data probably corrupt
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
SQUASHFS error: squashfs_read_data failed to read block 0x4ec
SQUASHFS error: Unable to read metadata cache entry [4ec]
EXT4-fs error (device loop1): ext4_quota_enable:5739: comm syz-executor.1: Bad quota inode # 3
SQUASHFS error: Unable to read inode 0x40126
EXT4-fs warning (device loop1): ext4_enable_quotas:5779: Failed to enable quota tracking (type=-1, err=-116). Please run e2fsck to fix.
EXT4-fs (loop1): mount failed
SQUASHFS error: zstd decompression error: 2
SQUASHFS error: zstd decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x4ec
SQUASHFS error: Unable to read metadata cache entry [4ec]
SQUASHFS error: Unable to read inode 0x40126
9pnet: Insufficient options for proto=fd
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
Y4`Ҙ: renamed from lo
UBIFS error (pid: 14123): cannot open "(null)", error -22
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
Dev loop3: unable to read RDB block 1
 loop3: unable to read partition table
loop3: partition table beyond EOD, truncated
loop_reread_partitions: partition scan of loop3 () failed (rc=-5)
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
Trying to free block not in datazone
Trying to free block not in datazone
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
print_req_error: I/O error, dev loop2, sector 36028797018963960
NILFS (loop2): unable to read secondary superblock (blocksize = 1024)
NILFS (loop2): couldn't find nilfs on the device