EXT4-fs error (device loop2): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 100 vs 41 free clusters
ip6_tables: ip6tables: counters copy to user failed while replacing table
======================================================
WARNING: possible circular locking dependency detected
4.14.302-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/8012 is trying to acquire lock:
 (rtnl_mutex){+.+.}, at: [<ffffffff85c3018e>] unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630

but task is already holding lock:
 (&xt[i].mutex){+.+.}, at: [<ffffffff85f20938>] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&xt[i].mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       match_revfn+0x43/0x210 net/netfilter/x_tables.c:332
       xt_find_revision+0x8d/0x1d0 net/netfilter/x_tables.c:380
       nfnl_compat_get+0x1f7/0x870 net/netfilter/nft_compat.c:678
       nfnetlink_rcv_msg+0x9bb/0xc00 net/netfilter/nfnetlink.c:214
       netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
       nfnetlink_rcv+0x1ab/0x1da0 net/netfilter/nfnetlink.c:515
       netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
       netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
       netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
       sock_sendmsg_nosec net/socket.c:646 [inline]
       sock_sendmsg+0xb5/0x100 net/socket.c:656
       ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
       __sys_sendmsg+0xa3/0x120 net/socket.c:2096
       SYSC_sendmsg net/socket.c:2107 [inline]
       SyS_sendmsg+0x27/0x40 net/socket.c:2103
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #1 (&table[i].mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       nf_tables_netdev_event+0x10d/0x4d0 net/netfilter/nf_tables_netdev.c:122
       notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
       call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
       call_netdevice_notifiers net/core/dev.c:1683 [inline]
       rollback_registered_many+0x765/0xbb0 net/core/dev.c:7211
       rollback_registered+0xca/0x170 net/core/dev.c:7253
       unregister_netdevice_queue+0x1b4/0x360 net/core/dev.c:8274
       unregister_netdevice include/linux/netdevice.h:2444 [inline]
       __tun_detach+0xca2/0xf60 drivers/net/tun.c:584
       tun_detach drivers/net/tun.c:594 [inline]
       tun_chr_close+0x41/0x60 drivers/net/tun.c:2732
       __fput+0x25f/0x7a0 fs/file_table.c:210
       task_work_run+0x11f/0x190 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:191 [inline]
       exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
       prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
       do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (rtnl_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
       tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
       cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:685
       __do_replace+0x38d/0x580 net/ipv4/netfilter/arp_tables.c:930
       do_replace net/ipv6/netfilter/ip6_tables.c:1162 [inline]
       do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1688
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
       ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:944
       tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2831
       SYSC_setsockopt net/socket.c:1865 [inline]
       SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
  rtnl_mutex --> &table[i].mutex --> &xt[i].mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&xt[i].mutex);
                               lock(&table[i].mutex);
                               lock(&xt[i].mutex);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.5/8012:
 #0:  (&xt[i].mutex){+.+.}, at: [<ffffffff85f20938>] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088

stack backtrace:
CPU: 1 PID: 8012 Comm: syz-executor.5 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
 tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
 cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:685
 __do_replace+0x38d/0x580 net/ipv4/netfilter/arp_tables.c:930
 do_replace net/ipv6/netfilter/ip6_tables.c:1162 [inline]
 do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1688
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:944
 tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2831
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7fb0d0a4671a
RSP: 002b:00007ffcd561d158 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000029 RCX: 00007fb0d0a4671a
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 00007ffcd561d180 R08: 00000000000003b8 R09: ffffffffff000000
R10: 00007fb0d0b3cbc0 R11: 0000000000000202 R12: 00007ffcd561d1e0
R13: 0000000000000003 R14: 00007ffcd561d17c R15: 00007fb0d0b3cb60
EXT4-fs (loop2): 1 orphan inode deleted
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
ip6_tables: ip6tables: counters copy to user failed while replacing table
ip6_tables: ip6tables: counters copy to user failed while replacing table
ip6_tables: ip6tables: counters copy to user failed while replacing table
hfs: part requires an argument
hfs: unable to parse mount options
EXT4-fs error (device loop2): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 100 vs 41 free clusters
EXT4-fs (loop2): 1 orphan inode deleted
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
print_req_error: I/O error, dev loop1, sector 0
hfs: part requires an argument
hfs: unable to parse mount options
print_req_error: I/O error, dev loop1, sector 0
hfs: part requires an argument
hfs: unable to parse mount options
syz-executor.2 uses obsolete (PF_INET,SOCK_PACKET)
hfs: part requires an argument
device syzkaller1 entered promiscuous mode
hfs: unable to parse mount options
device syzkaller1 entered promiscuous mode
XFS (loop1): Mounting V4 Filesystem
XFS (loop1): Ending clean mount
syz-executor.1 (11062) used greatest stack depth: 23936 bytes left
XFS (loop1): Unmounting Filesystem
device syzkaller1 entered promiscuous mode
kauditd_printk_skb: 24 callbacks suppressed
audit: type=1800 audit(1672839993.939:23): pid=11142 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="file0" dev="sda1" ino=14056 res=0
device syzkaller1 entered promiscuous mode
audit: type=1800 audit(1672839994.839:24): pid=11205 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="file0" dev="sda1" ino=14056 res=0
audit: type=1800 audit(1672839995.719:25): pid=11232 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=14118 res=0
audit: type=1804 audit(1672839995.759:26): pid=11232 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir2764048908/syzkaller.RMxvfo/41/file0" dev="sda1" ino=14118 res=1
audit: type=1800 audit(1672839995.929:27): pid=11281 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=14108 res=0
audit: type=1800 audit(1672839995.959:28): pid=11280 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="file0" dev="sda1" ino=14114 res=0
audit: type=1800 audit(1672839995.959:29): pid=11276 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=14115 res=0
audit: type=1804 audit(1672839995.969:30): pid=11280 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir2058417172/syzkaller.8BYYEN/62/file0" dev="sda1" ino=14114 res=1
audit: type=1804 audit(1672839995.979:32): pid=11301 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir2764048908/syzkaller.RMxvfo/42/file0" dev="sda1" ino=14108 res=1
audit: type=1804 audit(1672839995.979:31): pid=11276 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir2946159062/syzkaller.xah4hf/47/file0" dev="sda1" ino=14115 res=1
device lo entered promiscuous mode
======================================================
WARNING: the mand mount option is being deprecated and
         will be removed in v5.15!
======================================================
Y�4��`Ҙ: renamed from lo
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
new mount options do not match the existing superblock, will be ignored
device lo entered promiscuous mode
device lo entered promiscuous mode
Y�4��`Ҙ: renamed from lo
Y�4��`Ҙ: renamed from lo
device lo entered promiscuous mode
Y�4��`Ҙ: renamed from lo
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
new mount options do not match the existing superblock, will be ignored
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs error (device loop4): ext4_validate_block_bitmap:405: comm syz-executor.4: bg 0: block 2: invalid block bitmap
new mount options do not match the existing superblock, will be ignored
kauditd_printk_skb: 12 callbacks suppressed
audit: type=1800 audit(1672839999.720:45): pid=11622 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=14104 res=0
device veth0_vlan left promiscuous mode
print_req_error: I/O error, dev loop5, sector 0
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)