ip_tables: iptables: counters copy to user failed while replacing table
======================================================
WARNING: possible circular locking dependency detected
4.14.264-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u4:59/10445 is trying to acquire lock:
 (&table[i].mutex){+.+.}, at: [<ffffffff85f039bd>] nf_tables_netdev_event+0x10d/0x4d0 net/netfilter/nf_tables_netdev.c:122

but task is already holding lock:
 (rtnl_mutex){+.+.}, at: [<ffffffff864b36a0>] ip6gre_exit_net+0x70/0x570 net/ipv6/ip6_gre.c:1207

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (rtnl_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
       tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
       cleanup_entry+0x1fd/0x2d0 net/ipv4/netfilter/ip_tables.c:666
       __do_replace+0x38d/0x570 net/ipv4/netfilter/ip_tables.c:1086
       do_replace net/ipv4/netfilter/ip_tables.c:1142 [inline]
       do_ipt_set_ctl+0x256/0x3a0 net/ipv4/netfilter/ip_tables.c:1676
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
       ip_setsockopt net/ipv4/ip_sockglue.c:1255 [inline]
       ip_setsockopt+0x94/0xb0 net/ipv4/ip_sockglue.c:1240
       tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2828
       SYSC_setsockopt net/socket.c:1865 [inline]
       SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&xt[i].mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       match_revfn+0x43/0x210 net/netfilter/x_tables.c:332
       xt_find_revision+0x8d/0x1d0 net/netfilter/x_tables.c:380
       nfnl_compat_get+0x1f7/0x870 net/netfilter/nft_compat.c:678
       nfnetlink_rcv_msg+0x9bb/0xc00 net/netfilter/nfnetlink.c:214
       netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2446
       nfnetlink_rcv+0x1ab/0x1da0 net/netfilter/nfnetlink.c:515
       netlink_unicast_kernel net/netlink/af_netlink.c:1294 [inline]
       netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1320
       netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1891
       sock_sendmsg_nosec net/socket.c:646 [inline]
       sock_sendmsg+0xb5/0x100 net/socket.c:656
       ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
       __sys_sendmsg+0xa3/0x120 net/socket.c:2096
       SYSC_sendmsg net/socket.c:2107 [inline]
       SyS_sendmsg+0x27/0x40 net/socket.c:2103
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&table[i].mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       nf_tables_netdev_event+0x10d/0x4d0 net/netfilter/nf_tables_netdev.c:122
       notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
       call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
       call_netdevice_notifiers net/core/dev.c:1683 [inline]
       rollback_registered_many+0x765/0xba0 net/core/dev.c:7211
       unregister_netdevice_many.part.0+0x18/0x2e0 net/core/dev.c:8293
       unregister_netdevice_many+0x36/0x50 net/core/dev.c:8292
       ip6gre_exit_net+0x41e/0x570 net/ipv6/ip6_gre.c:1209
       ops_exit_list+0xad/0x160 net/core/net_namespace.c:142
       cleanup_net+0x3b3/0x840 net/core/net_namespace.c:487
       process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
       worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
       kthread+0x30d/0x420 kernel/kthread.c:232
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

other info that might help us debug this:

Chain exists of:
  &table[i].mutex --> &xt[i].mutex --> rtnl_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&xt[i].mutex);
                               lock(rtnl_mutex);
  lock(&table[i].mutex);

 *** DEADLOCK ***

4 locks held by kworker/u4:59/10445:
 #0:  ("%s""netns"){+.+.}, at: [<ffffffff81364b80>] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
 #1:  (net_cleanup_work){+.+.}, at: [<ffffffff81364bb6>] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
 #2:  (net_mutex){+.+.}, at: [<ffffffff85c1dd80>] cleanup_net+0x110/0x840 net/core/net_namespace.c:453
 #3:  (rtnl_mutex){+.+.}, at: [<ffffffff864b36a0>] ip6gre_exit_net+0x70/0x570 net/ipv6/ip6_gre.c:1207

stack backtrace:
CPU: 1 PID: 10445 Comm: kworker/u4:59 Not tainted 4.14.264-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 nf_tables_netdev_event+0x10d/0x4d0 net/netfilter/nf_tables_netdev.c:122
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 call_netdevice_notifiers net/core/dev.c:1683 [inline]
 rollback_registered_many+0x765/0xba0 net/core/dev.c:7211
 unregister_netdevice_many.part.0+0x18/0x2e0 net/core/dev.c:8293
 unregister_netdevice_many+0x36/0x50 net/core/dev.c:8292
 ip6gre_exit_net+0x41e/0x570 net/ipv6/ip6_gre.c:1209
 ops_exit_list+0xad/0x160 net/core/net_namespace.c:142
 cleanup_net+0x3b3/0x840 net/core/net_namespace.c:487
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
ip_tables: iptables: counters copy to user failed while replacing table
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
print_req_error: I/O error, dev loop7, sector 64
print_req_error: I/O error, dev loop7, sector 256
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
print_req_error: I/O error, dev loop7, sector 512
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
UDF-fs: Scanning with blocksize 512 failed
print_req_error: I/O error, dev loop7, sector 64
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
print_req_error: I/O error, dev loop7, sector 512
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
print_req_error: I/O error, dev loop7, sector 1024
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
print_req_error: I/O error, dev loop7, sector 64
print_req_error: I/O error, dev loop7, sector 1024
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
print_req_error: I/O error, dev loop7, sector 2048
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 2048 failed
print_req_error: I/O error, dev loop7, sector 64
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: warning (device loop7): udf_fill_super: No partition found (1)
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop7): udf_fill_super: No partition found (1)
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: warning (device loop9): udf_fill_super: No partition found (1)
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
PM: Starting manual resume from disk
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
PM: Image not found (code -5)
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
PM: Starting manual resume from disk
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
PM: Image not found (code -5)
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: warning (device loop9): udf_fill_super: No partition found (1)
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: warning (device loop7): udf_fill_super: No partition found (1)
PM: Starting manual resume from disk
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
PM: Image not found (code -5)
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
PM: Starting manual resume from disk
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
PM: Image not found (code -5)
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=256, location=256
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: error (device loop9): udf_read_tagged: read failed, block=512, location=512
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: warning (device loop9): udf_load_vrs: No anchor found
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=256, location=256
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: error (device loop7): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop9): udf_fill_super: No partition found (1)
UDF-fs: warning (device loop7): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: warning (device loop7): udf_fill_super: No partition found (1)
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
======================================================
WARNING: the mand mount option is being deprecated and
         will be removed in v5.15!
======================================================
XFS (loop2): unknown mount option [logbufs=00000000000000000008].
XFS (loop2): unknown mount option [logbufs=00000000000000000008].
XFS (loop2): unknown mount option [logbufs=00000000000000000008].
ip6_tunnel: ip6gretap0 xmit: Local address not yet configured!
ip6_tunnel: ip6gretap0 xmit: Local address not yet configured!
ip6_tunnel: ip6gretap0 xmit: Local address not yet configured!
XFS (loop2): unknown mount option [logbufs=00000000000000000008].
ip6_tunnel: ip6gretap0 xmit: Local address not yet configured!
ip6_tunnel: ip6gretap0 xmit: Local address not yet configured!