possible deadlock in do_ip_getsockopt (2)


syzbot

Feb 9, 2018, 10:58:04 AM2/9/18
to syzkaller-upst...@googlegroups.com
Hello,

syzbot hit the following crash on net-next commit
617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +0000)
Merge tag 'usercopy-v4.16-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

So far this crash happened 3 times on
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.
CC: [da...@davemloft.net kuz...@ms2.inr.ac.ru linux-...@vger.kernel.org
net...@vger.kernel.org yosh...@linux-ipv6.org]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+785714...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.


======================================================
WARNING: possible circular locking dependency detected
4.15.0+ #221 Not tainted
------------------------------------------------------
syz-executor1/6283 is trying to acquire lock:
(sk_lock-AF_INET){+.+.}, at: [<0000000075c3d11e>] lock_sock include/net/sock.h:1463 [inline]
(sk_lock-AF_INET){+.+.}, at: [<0000000075c3d11e>] do_ip_getsockopt+0x1b3/0x2170 net/ipv4/ip_sockglue.c:1329

but task is already holding lock:
(rtnl_mutex){+.+.}, at: [<0000000058d7a825>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (rtnl_mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673
clusterip_config_entry_put net/ipv4/netfilter/ipt_CLUSTERIP.c:114 [inline]
clusterip_tg_destroy+0x389/0x6e0 net/ipv4/netfilter/ipt_CLUSTERIP.c:518
cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:654
__do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1089
do_replace net/ipv4/netfilter/ip_tables.c:1145 [inline]
do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1675
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1259
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
SYSC_setsockopt net/socket.c:1849 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1828
entry_SYSCALL_64_fastpath+0x29/0xa0

-> #1 (&xt[i].mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1041
xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1088
get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:989
do_ipt_get_ctl+0x159/0xac0 net/ipv4/netfilter/ip_tables.c:1699
nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
ip_getsockopt+0x15c/0x220 net/ipv4/ip_sockglue.c:1571
tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359
sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2934
SYSC_getsockopt net/socket.c:1880 [inline]
SyS_getsockopt+0x178/0x340 net/socket.c:1862
entry_SYSCALL_64_fastpath+0x29/0xa0

-> #0 (sk_lock-AF_INET){+.+.}:
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
lock_sock_nested+0xc2/0x110 net/core/sock.c:2777
lock_sock include/net/sock.h:1463 [inline]
do_ip_getsockopt+0x1b3/0x2170 net/ipv4/ip_sockglue.c:1329
ip_getsockopt+0x90/0x220 net/ipv4/ip_sockglue.c:1560
tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359
sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2934
SYSC_getsockopt net/socket.c:1880 [inline]
SyS_getsockopt+0x178/0x340 net/socket.c:1862
entry_SYSCALL_64_fastpath+0x29/0xa0

other info that might help us debug this:

Chain exists of:
sk_lock-AF_INET --> &xt[i].mutex --> rtnl_mutex

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&xt[i].mutex);
                               lock(rtnl_mutex);
  lock(sk_lock-AF_INET);

*** DEADLOCK ***

1 lock held by syz-executor1/6283:
#0: (rtnl_mutex){+.+.}, at: [<0000000058d7a825>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

stack backtrace:
CPU: 0 PID: 6283 Comm: syz-executor1 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
check_prev_add kernel/locking/lockdep.c:1863 [inline]
check_prevs_add kernel/locking/lockdep.c:1976 [inline]
validate_chain kernel/locking/lockdep.c:2417 [inline]
__lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
lock_sock_nested+0xc2/0x110 net/core/sock.c:2777
lock_sock include/net/sock.h:1463 [inline]
do_ip_getsockopt+0x1b3/0x2170 net/ipv4/ip_sockglue.c:1329
ip_getsockopt+0x90/0x220 net/ipv4/ip_sockglue.c:1560
tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359
sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2934
SYSC_getsockopt net/socket.c:1880 [inline]
SyS_getsockopt+0x178/0x340 net/socket.c:1862
entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fe19de99c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 000000000071bf58 RCX: 0000000000453299
RDX: 0000000000000029 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 000000000000052b R08: 0000000020a5b000 R09: 0000000000000000
R10: 0000000020296000 R11: 0000000000000212 R12: 00000000006f6ca8
R13: 00000000ffffffff R14: 00007fe19de9a6d4 R15: 0000000000000003


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
raw.log.txt
config.txt

Dmitry Vyukov

Feb 11, 2018, 3:38:52 AM2/11/18
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
#syz fix: netfilter: drop outermost socket lock in getsockopt()