======================================================
WARNING: possible circular locking dependency detected
4.16.0-rc1+ #314 Not tainted
------------------------------------------------------
syz-executor0/6250 is trying to acquire lock:
 (sk_lock-AF_INET){+.+.}, at: [<000000004e822e54>] lock_sock include/net/sock.h:1463 [inline]
 (sk_lock-AF_INET){+.+.}, at: [<000000004e822e54>] do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646

but task is already holding lock:
 (rtnl_mutex){+.+.}, at: [<00000000d2185e02>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (rtnl_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
       unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673
       tee_tg_destroy+0x61/0xc0 net/netfilter/xt_TEE.c:123
       cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:654
       __do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1089
       do_replace net/ipv4/netfilter/ip_tables.c:1145 [inline]
       do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1675
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
       ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1259
       udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2401
       ipv6_setsockopt+0xa0/0x130 net/ipv6/ipv6_sockglue.c:917
       tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&xt[i].mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1046
       xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1093
       get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:989
       do_arpt_get_ctl+0x2a9/0xa00 net/ipv4/netfilter/arp_tables.c:1481
       nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
       nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
       ip_getsockopt+0x15c/0x220 net/ipv4/ip_sockglue.c:1571
       tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359
       sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2934
       SYSC_getsockopt net/socket.c:1880 [inline]
       SyS_getsockopt+0x178/0x340 net/socket.c:1862
       do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (sk_lock-AF_INET){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       lock_sock_nested+0xc2/0x110 net/core/sock.c:2777
       lock_sock include/net/sock.h:1463 [inline]
       do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646
       ip_setsockopt+0x3a/0xa0 net/ipv4/ip_sockglue.c:1252
       raw_setsockopt+0xb7/0xd0 net/ipv4/raw.c:870
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Chain exists of:
  sk_lock-AF_INET --> &xt[i].mutex --> rtnl_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&xt[i].mutex);
                               lock(rtnl_mutex);
  lock(sk_lock-AF_INET);

 *** DEADLOCK ***

1 lock held by syz-executor0/6250:
 #0: (rtnl_mutex){+.+.}, at: [<00000000d2185e02>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

stack backtrace:
CPU: 1 PID: 6250 Comm: syz-executor0 Not tainted 4.16.0-rc1+ #314
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 lock_sock_nested+0xc2/0x110 net/core/sock.c:2777
 lock_sock include/net/sock.h:1463 [inline]
 do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646
 ip_setsockopt+0x3a/0xa0 net/ipv4/ip_sockglue.c:1252
 raw_setsockopt+0xb7/0xd0 net/ipv4/raw.c:870
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
 SYSC_setsockopt net/socket.c:1849 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1828
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453a59
RSP: 002b:00007f9729627c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f97296286d4 RCX: 0000000000453a59
RDX: 0000000000000029 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 000000000071bf58 R08: 000000000000002c R09: 0000000000000000
R10: 0000000020a36000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000524 R14: 00000000006f7c00 R15: 0000000000000001
device lo entered promiscuous mode
QAT: Invalid ioctl
device lo left promiscuous mode
QAT: Invalid ioctl
audit: type=1400 audit(1518787909.370:46): avc: denied { map } for pid=6277 comm="syz-executor6" path=2F6D656D66643A64657620202864656C6574656429 dev="tmpfs" ino=16305 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1
bpf: check failed: parse error
xt_connbytes: Forcing CT accounting to be enabled
QAT: Invalid ioctl
audit: type=1400 audit(1518787910.006:47): avc: denied { ioctl } for pid=6488 comm="syz-executor1" path="socket:[17625]" dev="sockfs" ino=17625 ioctlcmd=0x5411 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1518787910.088:48): avc: denied { getopt } for pid=6507 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1518787910.237:49): avc: denied { ioctl } for pid=6540 comm="syz-executor5" path="socket:[17786]" dev="sockfs" ino=17786 ioctlcmd=0x8981 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
xt_HL: invalid or unknown mode 3
xt_HL: invalid or unknown mode 3
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
Cannot find del_set index 0 as target
QAT: Invalid ioctl
QAT: Invalid ioctl
capability: warning: `syz-executor3' uses deprecated v2 capabilities in a way that may be insecure
netlink: 'syz-executor6': attribute type 1 has an invalid length.
netlink: 'syz-executor6': attribute type 1 has an invalid length.
x_tables: ip6_tables: TCPOPTSTRIP target: only valid in mangle table, not security
device syz7 entered promiscuous mode
x_tables: ip6_tables: TCPOPTSTRIP target: only valid in mangle table, not security
device syz7 left promiscuous mode
IPVS: Scheduler module ip_vs_ÿÿÿÿÿm¸`x.©JݼÁÞ„ÞDBíCÿ°+òˆÿÿ not found
IPVS: Scheduler module ip_vs_ÿÿÿÿÿm¸`x.©JݼÁÞ„ÞDBíCÿ°+òˆÿÿ not found
ipt_REJECT: ECHOREPLY no longer supported.
ipt_REJECT: ECHOREPLY no longer supported.
netlink: 'syz-executor1': attribute type 3 has an invalid length.
netlink: 'syz-executor1': attribute type 3 has an invalid length.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7321:7331 ioctl 40046207 0 returned -16
ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
QAT: Invalid ioctl
QAT: Invalid ioctl
syz-executor1 (7443) used greatest stack depth: 15712 bytes left
audit: type=1400 audit(1518787913.163:50): avc: denied { map } for pid=7468 comm="syz-executor1" path="/dev/usbmon0" dev="devtmpfs" ino=9139 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1518787913.172:51): avc: denied { map } for pid=7474 comm="syz-executor5" path="/dev/snd/pcmC0D0c" dev="devtmpfs" ino=1173 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1518787913.892:52): avc: denied { setopt } for pid=7557 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
openvswitch: netlink: ufid size 20 bytes exceeds the range (1, 16)
openvswitch: netlink: ufid size 20 bytes exceeds the range (1, 16)
QAT: Invalid ioctl
ptrace attach of "/root/syz-executor5"[4106] was attempted by "/root/syz-executor5"[7763]
ptrace attach of "/root/syz-executor5"[4106] was attempted by "/root/syz-executor5"[7778]
audit: type=1400 audit(1518787914.778:53): avc: denied { transfer } for pid=7793 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 7793:7801 BC_ACQUIRE_DONE node 9 has no pending acquire request
binder_alloc: binder_alloc_mmap_handler: 7793 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7793:7822 ioctl 40046207 0 returned -16
binder_alloc: 7793: binder_alloc_buf, no vma
binder: 7793:7822 transaction failed 29189/-3, size 80-16 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7793:7801 transaction 10 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 10, target dead
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters.
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
binder: 8177:8189 transaction failed 29189/-22, size 0-0 line 2842
sctp: [Deprecated]: syz-executor0 (pid 8186) Use of int in max_burst socket option. Use struct sctp_assoc_value instead
binder: 8177:8189 transaction failed 29189/-22, size 0-0 line 2842
sctp: [Deprecated]: syz-executor0 (pid 8212) Use of int in max_burst socket option. Use struct sctp_assoc_value instead
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
x_tables: ip6_tables: mh match: only valid for protocol 135
device eql entered promiscuous mode
can: request_module (can-proto-5) failed.
mip6: mip6_rthdr_init_state: state's mode is not 2: 0
can: request_module (can-proto-5) failed.
mip6: mip6_rthdr_init_state: state's mode is not 2: 0
--map-set only usable from mangle table
kvm [8432]: vcpu0, guest rIP: 0xfff0 Hyper-V unhandled rdmsr: 0x40000074
kvm [8432]: vcpu0, guest rIP: 0xfff0 Hyper-V unhandled rdmsr: 0x40000074
--map-set only usable from mangle table
device syz0 entered promiscuous mode
device syz0 left promiscuous mode
xt_connbytes: Forcing CT accounting to be enabled
audit: type=1400 audit(1518787917.484:54): avc: denied { setattr } for pid=8578 comm="syz-executor7" name="map_files" dev="proc" ino=22767 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
audit: type=1400 audit(1518787917.704:55): avc: denied { net_admin } for pid=4100 comm="syz-executor7" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518787917.719:56): avc: denied { map } for pid=8637 comm="syz-executor1" path="socket:[24097]" dev="sockfs" ino=24097 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1518787917.774:57): avc: denied { net_admin } for pid=4097 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518787917.827:58): avc: denied { dac_read_search } for pid=8649 comm="syz-executor3" capability=2 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518787917.853:59): avc: denied { dac_override } for pid=8649 comm="syz-executor3" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
IPv4: Oversized IP packet from 127.0.0.1
netlink: 216 bytes leftover after parsing attributes in process `syz-executor0'.
IPv4: Oversized IP packet from 127.0.0.1
netlink: 216 bytes leftover after parsing attributes in process `syz-executor0'.
rfkill: input handler disabled
rfkill: input handler enabled
xt_limit: Overflow, try lower: 0/0
xt_limit: Overflow, try lower: 0/0
l2tp_core: tunl 59: sockfd_lookup(fd=0) returned -88
kauditd_printk_skb: 7 callbacks suppressed
audit: type=1400 audit(1518787918.458:67): avc: denied { map } for pid=8859 comm="syz-executor7" path="/dev/sg0" dev="devtmpfs" ino=9132 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1