netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
======================================================
WARNING: possible circular locking dependency detected
4.14.281-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/13903 is trying to acquire lock:
 (&xt[i].mutex){+.+.}, at: [<ffffffff85f1bfae>] xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232

but task is already holding lock:
 (rtnl_mutex){+.+.}, at: [<ffffffff85c8859d>] rtnl_lock net/core/rtnetlink.c:72 [inline]
 (rtnl_mutex){+.+.}, at: [<ffffffff85c8859d>] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (rtnl_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       unregister_netdevice_notifier+0x5e/0x2b0 net/core/dev.c:1630
       tee_tg_destroy+0x5c/0xb0 net/netfilter/xt_TEE.c:123
       cleanup_entry+0x1fd/0x2d0 net/ipv4/netfilter/ip_tables.c:666
       __do_replace+0x38d/0x570 net/ipv4/netfilter/ip_tables.c:1086
       do_replace net/ipv4/netfilter/ip_tables.c:1142 [inline]
       do_ipt_set_ctl+0x256/0x3a0 net/ipv4/netfilter/ip_tables.c:1676
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
       ip_setsockopt net/ipv4/ip_sockglue.c:1255 [inline]
       ip_setsockopt+0x94/0xb0 net/ipv4/ip_sockglue.c:1240
       udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2455
       SYSC_setsockopt net/socket.c:1865 [inline]
       SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (&xt[i].mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232
       xt_request_find_target net/netfilter/x_tables.c:261 [inline]
       xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254
       ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45
       __tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168
       tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210
       tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691
       tcf_action_init+0x26d/0x400 net/sched/act_api.c:760
       tcf_action_add net/sched/act_api.c:1088 [inline]
       tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140
       rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322
       netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
       netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
       netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
       netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
       sock_sendmsg_nosec net/socket.c:646 [inline]
       sock_sendmsg+0xb5/0x100 net/socket.c:656
       sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610
       kernel_sendpage net/socket.c:3407 [inline]
       sock_sendpage+0xdf/0x140 net/socket.c:871
       pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451
       splice_from_pipe_feed fs/splice.c:502 [inline]
       __splice_from_pipe+0x326/0x7a0 fs/splice.c:626
       splice_from_pipe fs/splice.c:661 [inline]
       generic_splice_sendpage+0xc1/0x110 fs/splice.c:832
       do_splice_from fs/splice.c:851 [inline]
       do_splice fs/splice.c:1147 [inline]
       SYSC_splice fs/splice.c:1402 [inline]
       SyS_splice+0xd59/0x1380 fs/splice.c:1382
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&xt[i].mutex);
                               lock(rtnl_mutex);
  lock(&xt[i].mutex);

 *** DEADLOCK ***

2 locks held by syz-executor.3/13903:
 #0:  (&pipe->mutex/1){+.+.}, at: [<ffffffff81889ac8>] pipe_lock_nested fs/pipe.c:82 [inline]
 #0:  (&pipe->mutex/1){+.+.}, at: [<ffffffff81889ac8>] pipe_lock+0x58/0x70 fs/pipe.c:90
 #1:  (rtnl_mutex){+.+.}, at: [<ffffffff85c8859d>] rtnl_lock net/core/rtnetlink.c:72 [inline]
 #1:  (rtnl_mutex){+.+.}, at: [<ffffffff85c8859d>] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317

stack backtrace:
CPU: 0 PID: 13903 Comm: syz-executor.3 Not tainted 4.14.281-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 xt_find_target+0x3e/0x1e0 net/netfilter/x_tables.c:232
 xt_request_find_target net/netfilter/x_tables.c:261 [inline]
 xt_request_find_target+0x72/0xe0 net/netfilter/x_tables.c:254
 ipt_init_target+0xb9/0x250 net/sched/act_ipt.c:45
 __tcf_ipt_init+0x48d/0xc00 net/sched/act_ipt.c:168
 tcf_xt_init+0x43/0x50 net/sched/act_ipt.c:210
 tcf_action_init_1+0x51a/0x9e0 net/sched/act_api.c:691
 tcf_action_init+0x26d/0x400 net/sched/act_api.c:760
 tcf_action_add net/sched/act_api.c:1088 [inline]
 tc_ctl_action+0x2e3/0x510 net/sched/act_api.c:1140
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610
 kernel_sendpage net/socket.c:3407 [inline]
 sock_sendpage+0xdf/0x140 net/socket.c:871
 pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x326/0x7a0 fs/splice.c:626
 splice_from_pipe fs/splice.c:661 [inline]
 generic_splice_sendpage+0xc1/0x110 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0xd59/0x1380 fs/splice.c:1382
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fe21976d109
RSP: 002b:00007fe2180c1168 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fe219880030 RCX: 00007fe21976d109
RDX: 000000000000000c RSI: 0000000000000000 RDI: 0000000000000008
RBP: 00007fe2197c708d R08: 000000000004ffe0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff0df37e3f R14: 00007fe2180c1300 R15: 0000000000022000
EXT4-fs error (device loop1): ext4_quota_enable:5739: comm syz-executor.1: Bad quota inode # 3
EXT4-fs warning (device loop1): ext4_enable_quotas:5779: Failed to enable quota tracking (type=-1, err=-116). Please run e2fsck to fix.
FAT-fs (loop2): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
EXT4-fs (loop1): mount failed
SQUASHFS error: zstd decompression error: 2
SQUASHFS error: zstd decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x4ec
SQUASHFS error: Unable to read metadata cache entry [4ec]
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
MINIX-fs: bad superblock
SQUASHFS error: Unable to read inode 0x40126
EXT4-fs error (device loop1): ext4_quota_enable:5739: comm syz-executor.1: Bad quota inode # 3
EXT4-fs warning (device loop1): ext4_enable_quotas:5779: Failed to enable quota tracking (type=-1, err=-116). Please run e2fsck to fix.
SQUASHFS error: zstd decompression error: 2
SQUASHFS error: zstd decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x4ec
SQUASHFS error: Unable to read metadata cache entry [4ec]
SQUASHFS error: Unable to read inode 0x40126
EXT4-fs (loop1): mount failed
SQUASHFS error: zstd decompression error: 2
SQUASHFS error: zstd decompression failed, data probably corrupt
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
SQUASHFS error: squashfs_read_data failed to read block 0x4ec
SQUASHFS error: Unable to read metadata cache entry [4ec]
EXT4-fs error (device loop1): ext4_quota_enable:5739: comm syz-executor.1: Bad quota inode # 3
SQUASHFS error: Unable to read inode 0x40126
EXT4-fs warning (device loop1): ext4_enable_quotas:5779: Failed to enable quota tracking (type=-1, err=-116). Please run e2fsck to fix.
EXT4-fs (loop1): mount failed
SQUASHFS error: zstd decompression error: 2
SQUASHFS error: zstd decompression failed, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0x4ec
SQUASHFS error: Unable to read metadata cache entry [4ec]
SQUASHFS error: Unable to read inode 0x40126
9pnet: Insufficient options for proto=fd
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.3'.
Y�4��`Ҙ: renamed from lo
UBIFS error (pid: 14123): cannot open "(null)", error -22
overlayfs: fs on 'file0' does not support file handles, falling back to index=off.
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
Dev loop3: unable to read RDB block 1
 loop3: unable to read partition table
loop3: partition table beyond EOD, truncated
loop_reread_partitions: partition scan of loop3 () failed (rc=-5)
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
Trying to free block not in datazone
Trying to free block not in datazone
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
Trying to free block not in datazone
print_req_error: I/O error, dev loop2, sector 36028797018963960
NILFS (loop2): unable to read secondary superblock (blocksize = 1024)
NILFS (loop2): couldn't find nilfs on the device