EXT4-fs error (device loop2): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 100 vs 41 free clusters
ip6_tables: ip6tables: counters copy to user failed while replacing table
======================================================
WARNING: possible circular locking dependency detected
4.14.302-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/8012 is trying to acquire lock:
(rtnl_mutex){+.+.}, at: [<ffffffff85c3018e>] unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
but task is already holding lock:
(&xt[i].mutex){+.+.}, at: [<ffffffff85f20938>] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&xt[i].mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
match_revfn+0x43/0x210 net/netfilter/x_tables.c:332
xt_find_revision+0x8d/0x1d0 net/netfilter/x_tables.c:380
nfnl_compat_get+0x1f7/0x870 net/netfilter/nft_compat.c:678
nfnetlink_rcv_msg+0x9bb/0xc00 net/netfilter/nfnetlink.c:214
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
nfnetlink_rcv+0x1ab/0x1da0 net/netfilter/nfnetlink.c:515
netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
-> #1 (&table[i].mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
nf_tables_netdev_event+0x10d/0x4d0 net/netfilter/nf_tables_netdev.c:122
notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
call_netdevice_notifiers net/core/dev.c:1683 [inline]
rollback_registered_many+0x765/0xbb0 net/core/dev.c:7211
rollback_registered+0xca/0x170 net/core/dev.c:7253
unregister_netdevice_queue+0x1b4/0x360 net/core/dev.c:8274
unregister_netdevice include/linux/netdevice.h:2444 [inline]
__tun_detach+0xca2/0xf60 drivers/net/tun.c:584
tun_detach drivers/net/tun.c:594 [inline]
tun_chr_close+0x41/0x60 drivers/net/tun.c:2732
__fput+0x25f/0x7a0 fs/file_table.c:210
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
-> #0 (rtnl_mutex){+.+.}:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:685
__do_replace+0x38d/0x580 net/ipv4/netfilter/arp_tables.c:930
do_replace net/ipv6/netfilter/ip6_tables.c:1162 [inline]
do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1688
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:944
tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2831
SYSC_setsockopt net/socket.c:1865 [inline]
SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
other info that might help us debug this:
Chain exists of:
rtnl_mutex --> &table[i].mutex --> &xt[i].mutex
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&xt[i].mutex);
lock(&table[i].mutex);
lock(&xt[i].mutex);
lock(rtnl_mutex);
*** DEADLOCK ***
1 lock held by syz-executor.5/8012:
#0: (&xt[i].mutex){+.+.}, at: [<ffffffff85f20938>] xt_find_table_lock+0x38/0x3d0 net/netfilter/x_tables.c:1088
stack backtrace:
CPU: 1 PID: 8012 Comm: syz-executor.5 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1905 [inline]
check_prevs_add kernel/locking/lockdep.c:2022 [inline]
validate_chain kernel/locking/lockdep.c:2464 [inline]
__lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
cleanup_entry+0x232/0x310 net/ipv6/netfilter/ip6_tables.c:685
__do_replace+0x38d/0x580 net/ipv4/netfilter/arp_tables.c:930
do_replace net/ipv6/netfilter/ip6_tables.c:1162 [inline]
do_ip6t_set_ctl+0x256/0x3b0 net/ipv6/netfilter/ip6_tables.c:1688
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
ipv6_setsockopt+0xc0/0x120 net/ipv6/ipv6_sockglue.c:944
tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2831
SYSC_setsockopt net/socket.c:1865 [inline]
SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7fb0d0a4671a
RSP: 002b:00007ffcd561d158 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000029 RCX: 00007fb0d0a4671a
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 00007ffcd561d180 R08: 00000000000003b8 R09: ffffffffff000000
R10: 00007fb0d0b3cbc0 R11: 0000000000000202 R12: 00007ffcd561d1e0
R13: 0000000000000003 R14: 00007ffcd561d17c R15: 00007fb0d0b3cb60
EXT4-fs (loop2): 1 orphan inode deleted
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
ip6_tables: ip6tables: counters copy to user failed while replacing table
ip6_tables: ip6tables: counters copy to user failed while replacing table
ip6_tables: ip6tables: counters copy to user failed while replacing table
hfs: part requires an argument
hfs: unable to parse mount options
EXT4-fs error (device loop2): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 100 vs 41 free clusters
EXT4-fs (loop2): 1 orphan inode deleted
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
print_req_error: I/O error, dev loop1, sector 0
hfs: part requires an argument
hfs: unable to parse mount options
print_req_error: I/O error, dev loop1, sector 0
hfs: part requires an argument
hfs: unable to parse mount options
syz-executor.2 uses obsolete (PF_INET,SOCK_PACKET)
hfs: part requires an argument
device syzkaller1 entered promiscuous mode
hfs: unable to parse mount options
device syzkaller1 entered promiscuous mode
XFS (loop1): Mounting V4 Filesystem
XFS (loop1): Ending clean mount
syz-executor.1 (11062) used greatest stack depth: 23936 bytes left
XFS (loop1): Unmounting Filesystem
device syzkaller1 entered promiscuous mode
kauditd_printk_skb: 24 callbacks suppressed
audit: type=1800 audit(1672839993.939:23): pid=11142 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="file0" dev="sda1" ino=14056 res=0
device syzkaller1 entered promiscuous mode
audit: type=1800 audit(1672839994.839:24): pid=11205 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="file0" dev="sda1" ino=14056 res=0
audit: type=1800 audit(1672839995.719:25): pid=11232 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=14118 res=0
audit: type=1804 audit(1672839995.759:26): pid=11232 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir2764048908/syzkaller.RMxvfo/41/file0" dev="sda1" ino=14118 res=1
audit: type=1800 audit(1672839995.929:27): pid=11281 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="file0" dev="sda1" ino=14108 res=0
audit: type=1800 audit(1672839995.959:28): pid=11280 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="file0" dev="sda1" ino=14114 res=0
audit: type=1800 audit(1672839995.959:29): pid=11276 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="file0" dev="sda1" ino=14115 res=0
audit: type=1804 audit(1672839995.969:30): pid=11280 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir2058417172/syzkaller.8BYYEN/62/file0" dev="sda1" ino=14114 res=1
audit: type=1804 audit(1672839995.979:32): pid=11301 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.2" name="/root/syzkaller-testdir2764048908/syzkaller.RMxvfo/42/file0" dev="sda1" ino=14108 res=1
audit: type=1804 audit(1672839995.979:31): pid=11276 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir2946159062/syzkaller.xah4hf/47/file0" dev="sda1" ino=14115 res=1
device lo entered promiscuous mode
======================================================
WARNING: the mand mount option is being deprecated and
will be removed in v5.15!
======================================================
Y�4��`Ҙ: renamed from lo
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: warning (device loop2): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
new mount options do not match the existing superblock, will be ignored
device lo entered promiscuous mode
device lo entered promiscuous mode
Y�4��`Ҙ: renamed from lo
Y�4��`Ҙ: renamed from lo
device lo entered promiscuous mode
Y�4��`Ҙ: renamed from lo
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
new mount options do not match the existing superblock, will be ignored
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs error (device loop4): ext4_validate_block_bitmap:405: comm syz-executor.4: bg 0: block 2: invalid block bitmap
new mount options do not match the existing superblock, will be ignored
kauditd_printk_skb: 12 callbacks suppressed
audit: type=1800 audit(1672839999.720:45): pid=11622 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="file0" dev="sda1" ino=14104 res=0
device veth0_vlan left promiscuous mode
print_req_error: I/O error, dev loop5, sector 0
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)