netlink: 72 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'. ====================================================== WARNING: possible circular locking dependency detected 4.14.291-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.3/13574 is trying to acquire lock: (&xt[i].mutex){+.+.}, at: [] xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232 but task is already holding lock: (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline] (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (rtnl_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630 tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123 cleanup_entry+0x1fd/0x2d0 net/ipv4/netfilter/ip_tables.c:666 __do_replace+0x38d/0x570 net/ipv4/netfilter/ip_tables.c:1086 do_replace net/ipv4/netfilter/ip_tables.c:1142 [inline] do_ipt_set_ctl+0x256/0x3a0 net/ipv4/netfilter/ip_tables.c:1676 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115 ip_setsockopt net/ipv4/ip_sockglue.c:1255 [inline] ip_setsockopt+0x94/0xb0 net/ipv4/ip_sockglue.c:1240 tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2830 SYSC_setsockopt net/socket.c:1865 [inline] SyS_setsockopt+0x110/0x1e0 net/socket.c:1844 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb -> #0 (&xt[i].mutex){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232 xt_request_find_target net/netfilter/x_tables.c:261 [inline] xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254 ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45 __tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168 tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210 tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691 tcf_action_init+0x26d/0x400 net/sched/act_api.c:760 tcf_action_add net/sched/act_api.c:1088 [inline] tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610 kernel_sendpage net/socket.c:3407 [inline] sock_sendpage+0xdf/0x140 net/socket.c:871 pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x326/0x7a0 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] generic_splice_sendpage+0xc1/0x110 fs/splice.c:832 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1145 [inline] SYSC_splice fs/splice.c:1400 [inline] SyS_splice+0xd59/0x1380 fs/splice.c:1380 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(rtnl_mutex); lock(&xt[i].mutex); lock(rtnl_mutex); lock(&xt[i].mutex); *** DEADLOCK *** 2 locks held by syz-executor.3/13574: #0: (&pipe->mutex/1){+.+.}, at: [] pipe_lock_nested fs/pipe.c:82 [inline] #0: (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70 fs/pipe.c:90 #1: (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline] #1: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317 stack backtrace: CPU: 1 PID: 13574 Comm: syz-executor.3 Not tainted 4.14.291-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232 xt_request_find_target net/netfilter/x_tables.c:261 [inline] xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254 ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45 __tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168 tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210 tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691 tcf_action_init+0x26d/0x400 net/sched/act_api.c:760 tcf_action_add net/sched/act_api.c:1088 [inline] tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610 kernel_sendpage net/socket.c:3407 [inline] sock_sendpage+0xdf/0x140 net/socket.c:871 pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x326/0x7a0 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] generic_splice_sendpage+0xc1/0x110 fs/splice.c:832 do_splice_from fs/splice.c:851 [inline] do_splice fs/splice.c:1145 [inline] SYSC_splice fs/splice.c:1400 [inline] SyS_splice+0xd59/0x1380 fs/splice.c:1380 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7fc2df7ee279 RSP: 002b:00007fc2de142168 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 00007fc2df901050 RCX: 00007fc2df7ee279 RDX: 0000000000000007 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00007fc2df8482e9 R08: 000000000004ffe0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffd88e98df R14: 00007fc2de142300 R15: 0000000000022000 netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 96 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 96 bytes leftover after parsing attributes in process `syz-executor.5'. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. netlink: 96 bytes leftover after parsing attributes in process `syz-executor.5'. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. netlink: 96 bytes leftover after parsing attributes in process `syz-executor.5'. base_sock_release(ffff8880507041c0) sk=ffff8880916a0e40 kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.