EXT4-fs error (device loop1): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 50 vs 25 free clusters
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.
======================================================
WARNING: possible circular locking dependency detected
4.14.284-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.4/15570 is trying to acquire lock:
(&xt[i].mutex){+.+.}, at: [<ffffffff85f1cfde>] xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232
but task is already holding lock:
(rtnl_mutex){+.+.}, at: [<ffffffff85c8959d>] rtnl_lock net/core/rtnetlink.c:72 [inline]
(rtnl_mutex){+.+.}, at: [<ffffffff85c8959d>] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (rtnl_mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
cleanup_entry+0x1fd/0x2d0 net/ipv4/netfilter/ip_tables.c:666
__do_replace+0x38d/0x570 net/ipv4/netfilter/ip_tables.c:1086
do_replace net/ipv4/netfilter/ip_tables.c:1142 [inline]
do_ipt_set_ctl+0x256/0x3a0 net/ipv4/netfilter/ip_tables.c:1676
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
ip_setsockopt net/ipv4/ip_sockglue.c:1255 [inline]
ip_setsockopt+0x94/0xb0 net/ipv4/ip_sockglue.c:1240
tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2830
SYSC_setsockopt net/socket.c:1865 [inline]
SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
-> #0 (&xt[i].mutex){+.+.}:
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232
xt_request_find_target net/netfilter/x_tables.c:261 [inline]
xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254
ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45
__tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168
tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210
tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691
tcf_action_init+0x26d/0x400 net/sched/act_api.c:760
tcf_action_add net/sched/act_api.c:1088 [inline]
tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610
kernel_sendpage net/socket.c:3407 [inline]
sock_sendpage+0xdf/0x140 net/socket.c:871
pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x326/0x7a0 fs/splice.c:626
splice_from_pipe fs/splice.c:661 [inline]
generic_splice_sendpage+0xc1/0x110 fs/splice.c:832
do_splice_from fs/splice.c:851 [inline]
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xd59/0x1380 fs/splice.c:1382
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&xt[i].mutex);
                               lock(rtnl_mutex);
  lock(&xt[i].mutex);
*** DEADLOCK ***
2 locks held by syz-executor.4/15570:
#0: (&pipe->mutex/1){+.+.}, at: [<ffffffff8188a238>] pipe_lock_nested fs/pipe.c:82 [inline]
#0: (&pipe->mutex/1){+.+.}, at: [<ffffffff8188a238>] pipe_lock+0x58/0x70 fs/pipe.c:90
#1: (rtnl_mutex){+.+.}, at: [<ffffffff85c8959d>] rtnl_lock net/core/rtnetlink.c:72 [inline]
#1: (rtnl_mutex){+.+.}, at: [<ffffffff85c8959d>] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317
stack backtrace:
CPU: 0 PID: 15570 Comm: syz-executor.4 Not tainted 4.14.284-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
check_prev_add kernel/locking/lockdep.c:1905 [inline]
check_prevs_add kernel/locking/lockdep.c:2022 [inline]
validate_chain kernel/locking/lockdep.c:2464 [inline]
__lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232
xt_request_find_target net/netfilter/x_tables.c:261 [inline]
xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254
ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45
__tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168
tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210
tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691
tcf_action_init+0x26d/0x400 net/sched/act_api.c:760
tcf_action_add net/sched/act_api.c:1088 [inline]
tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610
kernel_sendpage net/socket.c:3407 [inline]
sock_sendpage+0xdf/0x140 net/socket.c:871
pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x326/0x7a0 fs/splice.c:626
splice_from_pipe fs/splice.c:661 [inline]
generic_splice_sendpage+0xc1/0x110 fs/splice.c:832
do_splice_from fs/splice.c:851 [inline]
do_splice fs/splice.c:1147 [inline]
SYSC_splice fs/splice.c:1402 [inline]
SyS_splice+0xd59/0x1380 fs/splice.c:1382
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f5316ed6109
RSP: 002b:00007f531582a168 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f5316fe9030 RCX: 00007f5316ed6109
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f5316f3005d R08: 000000000004ffe0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc8b77c40f R14: 00007f531582a300 R15: 0000000000022000
x_tables: ip_tables: .0 target: invalid size 8 (kernel) != (user) 6
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
VFS: could not find a valid V7 on loop4.
EXT4-fs error (device loop1): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 50 vs 25 free clusters
VFS: could not find a valid V7 on loop4.
VFS: could not find a valid V7 on loop2.
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs error (device loop1): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 50 vs 25 free clusters
VFS: could not find a valid V7 on loop4.
VFS: could not find a valid V7 on loop5.
VFS: could not find a valid V7 on loop2.
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
VFS: could not find a valid V7 on loop4.
EXT4-fs error (device loop1): ext4_mb_generate_buddy:754: group 0, block bitmap and bg descriptor inconsistent: 50 vs 25 free clusters
VFS: could not find a valid V7 on loop2.
VFS: could not find a valid V7 on loop5.
VFS: could not find a valid V7 on loop4.
VFS: could not find a valid V7 on loop2.
VFS: could not find a valid V7 on loop5.
VFS: could not find a valid V7 on loop1.
VFS: could not find a valid V7 on loop4.
VFS: could not find a valid V7 on loop2.
VFS: could not find a valid V7 on loop1.
VFS: could not find a valid V7 on loop4.
VFS: could not find a valid V7 on loop2.
VFS: could not find a valid V7 on loop1.
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
audit: type=1800 audit(1655451132.796:38): pid=16095 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="bus" dev="loop0" ino=22 res=0
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
hpfs: Bad magic ... probably not HPFS
hpfs: Bad magic ... probably not HPFS
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
hpfs: Bad magic ... probably not HPFS
hpfs: Bad magic ... probably not HPFS
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
audit: type=1800 audit(1655451133.846:39): pid=16165 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="bus" dev="loop0" ino=23 res=0
audit: type=1800 audit(1655451133.896:40): pid=16170 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="loop4" ino=24 res=0
audit: type=1800 audit(1655451134.066:41): pid=16187 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="loop1" ino=25 res=0
audit: type=1800 audit(1655451134.946:42): pid=16235 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="bus" dev="loop0" ino=26 res=0
audit: type=1800 audit(1655451134.976:43): pid=16238 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="loop4" ino=27 res=0
audit: type=1800 audit(1655451135.046:44): pid=16256 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="loop1" ino=28 res=0
block nbd5: shutting down sockets
block nbd5: shutting down sockets
block nbd5: shutting down sockets
audit: type=1800 audit(1655451136.007:45): pid=16297 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.0" name="bus" dev="loop0" ino=29 res=0
block nbd5: shutting down sockets
audit: type=1800 audit(1655451136.027:46): pid=16305 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.1" name="bus" dev="loop1" ino=30 res=0
audit: type=1800 audit(1655451136.067:47): pid=16307 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="loop4" ino=31 res=0