[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.758138] audit: type=1400 audit(1519153758.186:6): avc: denied { map } for pid=4098 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 18.793916] sshd (4096) used greatest stack depth: 16736 bytes left
Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[ 25.121626] audit: type=1400 audit(1519153764.549:7): avc: denied { map } for pid=4112 comm="syzkaller328896" path="/root/syzkaller328896244" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.155480] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 25.372812] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 25.699253]
[ 25.700893] =====================================
[ 25.705701] WARNING: bad unlock balance detected!
[ 25.710513] 4.16.0-rc2+ #234 Not tainted
[ 25.714539] -------------------------------------
[ 25.719348] syzkaller328896/4113 is trying to release lock (rcu_read_lock_bh) at:
[ 25.726952] [] hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 25.733938] but there are no more locks to release!
[ 25.738930]
[ 25.738930] other info that might help us debug this:
[ 25.745565] 5 locks held by syzkaller328896/4113:
[ 25.750371]  #0:  (&xt[i].mutex){+.+.}, at: [<00000000e25f8766>] xt_find_table_lock+0x273/0x3e0
[ 25.759191]  #1:  (&mm->mmap_sem){++++}, at: [<00000000ddbf9e55>] __do_page_fault+0x32d/0xc90
[ 25.767833]  #2:  ((&idev->mc_ifc_timer)){+.-.}, at: [<00000000a3fd7105>] call_timer_fn+0x1c6/0x820
[ 25.777002]  #3:  (rcu_read_lock){....}, at: [<000000002c1e31d6>] mld_sendpack+0x180/0xe70
[ 25.785391]  #4:  (rcu_read_lock){....}, at: [<000000002489df61>] nf_hook.constprop.37+0x0/0x830
[ 25.794289]
[ 25.794289] stack backtrace:
[ 25.798753] CPU: 1 PID: 4113 Comm: syzkaller328896 Not tainted 4.16.0-rc2+ #234
[ 25.806165] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 25.815520] Call Trace:
[ 25.818071]
[ 25.820197]  dump_stack+0x194/0x257
[ 25.823793]  ? arch_local_irq_restore+0x53/0x53
[ 25.828433]  ? hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 25.833852]  print_unlock_imbalance_bug+0x12f/0x140
[ 25.838844]  lock_release+0x6fe/0xa40
[ 25.842620]  ? hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 25.848048]  ? lock_downgrade+0x980/0x980
[ 25.852177]  ? lock_release+0xa40/0xa40
[ 25.856129]  ? __raw_spin_lock_init+0x1c/0x100
[ 25.860682]  ? do_raw_spin_trylock+0x190/0x190
[ 25.865239]  hashlimit_mt_common.isra.10+0x1c08/0x2610
[ 25.870494]  ? lock_downgrade+0x980/0x980
[ 25.874625]  ? dsthash_find+0x5b0/0x5b0
[ 25.878570]  ? __lock_acquire+0x664/0x3e00
[ 25.882773]  ? is_bpf_text_address+0x7b/0x120
[ 25.887237]  ? lock_downgrade+0x95a/0x980
[ 25.891361]  ? rcutorture_record_progress+0x10/0x10
[ 25.896350]  ? __kernel_text_address+0xd/0x40
[ 25.900813]  ? unwind_get_return_address+0x61/0xa0
[ 25.905711]  hashlimit_mt+0x78/0x90
[ 25.909307]  ? hashlimit_mt+0x78/0x90
[ 25.913076]  ip6t_do_table+0x98d/0x1a30
[ 25.917029]  ? kmem_cache_alloc_trace+0x136/0x740
[ 25.921857]  ? mld_sendpack+0x617/0xe70
[ 25.925805]  ? ip6t_error+0x60/0x60
[ 25.929428]  ? sock_common_setsockopt+0x95/0xd0
[ 25.934071]  ? check_noncircular+0x20/0x20
[ 25.938281]  ? lock_acquire+0x1d5/0x580
[ 25.942232]  ? lock_acquire+0x1d5/0x580
[ 25.946188]  ? igmp6_mcf_seq_next+0x660/0x660
[ 25.950657]  ? lock_release+0xa40/0xa40
[ 25.954604]  ip6table_raw_hook+0x65/0x80
[ 25.958639]  nf_hook_slow+0xba/0x1a0
[ 25.962326]  nf_hook.constprop.37+0x3f6/0x830
[ 25.966791]  ? igmp6_mcf_seq_next+0x660/0x660
[ 25.971260]  ? trace_hardirqs_on+0xd/0x10
[ 25.975386]  ? __local_bh_enable_ip+0x121/0x230
[ 25.980038]  ? _raw_spin_unlock_bh+0x30/0x40
[ 25.984422]  ? rt6_uncached_list_add+0x1b7/0x240
[ 25.989148]  ? rt6_fill_node+0x18b0/0x18b0
[ 25.993352]  ? icmp6_dst_alloc+0x475/0x660
[ 25.997562]  ? ip6_mc_leave_src+0x1d0/0x1d0
[ 26.001856]  ? icmpv6_flow_init+0x1f6/0x270
[ 26.006154]  mld_sendpack+0x6c2/0xe70
[ 26.009949]  ? nf_hook.constprop.37+0x830/0x830
[ 26.014598]  ? mark_held_locks+0xaf/0x100
[ 26.018721]  ? trace_hardirqs_on+0xd/0x10
[ 26.022841]  ? __local_bh_enable_ip+0x121/0x230
[ 26.027481]  mld_ifc_timer_expire+0x3d9/0x770
[ 26.031958]  call_timer_fn+0x228/0x820
[ 26.035820]  ? mld_dad_timer_expire+0x100/0x100
[ 26.040466]  ? process_timeout+0x40/0x40
[ 26.044508]  ? __run_timers+0x7e3/0xb70
[ 26.048455]  ? lock_downgrade+0x980/0x980
[ 26.052572]  ? debug_object_deactivate+0x364/0x560
[ 26.057467]  ? lock_release+0xa40/0xa40
[ 26.061420]  ? mark_held_locks+0xaf/0x100
[ 26.065542]  ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 26.070531]  ? mld_dad_timer_expire+0x100/0x100
[ 26.075170]  ? mld_dad_timer_expire+0x100/0x100
[ 26.079816]  __run_timers+0x7ee/0xb70
[ 26.083595]  ? trigger_dyntick_cpu.isra.29+0x150/0x150
[ 26.088844]  ? timerqueue_add+0x1e9/0x280
[ 26.092961]  ? check_noncircular+0x20/0x20
[ 26.097163]  ? enqueue_hrtimer+0x177/0x4b0
[ 26.101366]  ? lock_release+0xa40/0xa40
[ 26.105310]  ? retrigger_next_event+0x1e0/0x1e0
[ 26.109947]  ? print_irqtrace_events+0x270/0x270
[ 26.114670]  ? check_noncircular+0x20/0x20
[ 26.118872]  ? clockevents_program_event+0x163/0x2e0
[ 26.123947]  ? lock_downgrade+0x980/0x980
[ 26.128066]  ? __lock_is_held+0xb6/0x140
[ 26.132097]  run_timer_softirq+0x4c/0x70
[ 26.136128]  __do_softirq+0x2d7/0xb85
[ 26.139899]  ? ktime_get+0x26f/0x3a0
[ 26.143582]  ? __irqentry_text_end+0x1f8ad4/0x1f8ad4
[ 26.148653]  ? check_noncircular+0x20/0x20
[ 26.152857]  ? native_apic_msr_write+0x5c/0x80
[ 26.157405]  ? lapic_next_event+0x54/0x80
[ 26.161519]  ? clockevents_program_event+0x108/0x2e0
[ 26.166591]  ? tick_program_event+0x83/0x100
[ 26.170967]  ? __lock_is_held+0xb6/0x140
[ 26.174999]  irq_exit+0x1cc/0x200
[ 26.178428]  smp_apic_timer_interrupt+0x16b/0x700
[ 26.183235]  ? smp_reschedule_interrupt+0xe6/0x650
[ 26.188135]  ? smp_call_function_single_interrupt+0x640/0x640
[ 26.193987]  ? _raw_spin_lock+0x32/0x40
[ 26.197930]  ? _raw_spin_unlock+0x22/0x30
[ 26.202047]  ? handle_edge_irq+0x2b4/0x7c0
[ 26.206249]  ? task_prio+0x50/0x50
[ 26.209761]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.214572]  apic_timer_interrupt+0x8e/0xa0
[ 26.218866]
[ 26.221074] RIP: 0010:clear_page_erms+0x7/0x10
[ 26.225621] RSP: 0018:ffff8801bd7e7058 EFLAGS: 00010246 ORIG_RAX: ffffffffffffff12
[ 26.233294] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000040
[ 26.240531] RDX: ffff8801b6262180 RSI: 0000160000000000 RDI: ffff8801c9905fc0
[ 26.247767] RBP: ffff8801bd7e70a8 R08: 000000000002fc50 R09: 0000000000000000
[ 26.255005] R10: ffffffffffffffe8 R11: 0000000000000000 R12: ffffea0007260000
[ 26.262250] R13: 0000000000000092 R14: 0000000000000049 R15: 0000000000000105
[ 26.269501]  ? clear_huge_page+0x112/0x730
[ 26.273705]  ? __raw_spin_lock_init+0x2d/0x100
[ 26.278256]  do_huge_pmd_anonymous_page+0x599/0x1b00
[ 26.283329]  ? __thp_get_unmapped_area+0x130/0x130
[ 26.288230]  ? __lock_acquire+0x664/0x3e00
[ 26.292431]  ? __lock_acquire+0x664/0x3e00
[ 26.296634]  ? kernel_text_address+0x102/0x140
[ 26.301186]  ? __is_insn_slot_addr+0x1fc/0x330
[ 26.305737]  ? lock_downgrade+0x980/0x980
[ 26.309918]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 26.315076]  ? modules_open+0xa0/0xa0
[ 26.318846]  ? trace_raw_output_xdp_redirect_map_err+0x440/0x440
[ 26.324968]  ? is_bpf_text_address+0x7b/0x120
[ 26.329436]  ? lock_downgrade+0x980/0x980
[ 26.333567]  ? lock_release+0xa40/0xa40
[ 26.337514]  ? __free_insn_slot+0x5c0/0x5c0
[ 26.341812]  ? rcutorture_record_progress+0x10/0x10
[ 26.346802]  ? is_bpf_text_address+0xa4/0x120
[ 26.351278]  ? kernel_text_address+0x102/0x140
[ 26.355841]  __handle_mm_fault+0x1a0c/0x3ce0
[ 26.360227]  ? __pmd_alloc+0x4e0/0x4e0
[ 26.364086]  ? check_noncircular+0x20/0x20
[ 26.368293]  ? print_lockdep_cache.isra.32+0x109/0x109
[ 26.373544]  ? find_held_lock+0x35/0x1d0
[ 26.377582]  ? handle_mm_fault+0x270/0x970
[ 26.381791]  ? lock_downgrade+0x980/0x980
[ 26.385926]  handle_mm_fault+0x35c/0x970
[ 26.389972]  ? __handle_mm_fault+0x3ce0/0x3ce0
[ 26.394531]  ? vmacache_find+0x5f/0x280
[ 26.398474]  ? find_vma+0x30/0x150
[ 26.401987]  __do_page_fault+0x5c9/0xc90
[ 26.406028]  ? mm_fault_error+0x2c0/0x2c0
[ 26.410151]  ? kfree+0xd9/0x260
[ 26.413415]  ? xt_free_table_info+0x110/0x170
[ 26.417882]  ? __do_replace+0x810/0xa70
[ 26.421825]  ? check_noncircular+0x20/0x20
[ 26.426034]  ? rawv6_setsockopt+0x4a/0xf0
[ 26.430150]  ? sock_common_setsockopt+0x95/0xd0
[ 26.434789]  do_page_fault+0xee/0x730
[ 26.438564]  ? __do_page_fault+0xc90/0xc90
[ 26.442768]  ? find_held_lock+0x35/0x1d0
[ 26.446801]  ? __might_fault+0x110/0x1d0
[ 26.450834]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.455648]  page_fault+0x62/0x90
[ 26.459070] RIP: 0010:copy_user_generic_unrolled+0x89/0xc0
[ 26.464656] RSP: 0018:ffff8801bd7e79b8 EFLAGS: 00010206
[ 26.469988] RAX: fffff52000303206 RBX: 0000000000000030 RCX: 0000000000000006
[ 26.477228] RDX: 0000000000000000 RSI: ffffc90001819000 RDI: 0000000020849fd0
[ 26.484469] RBP: ffff8801bd7e79e8 R08: 0000000000000000 R09: fffff52000303206
[ 26.491708] R10: 0000000000000006 R11: fffff52000303205 R12: 0000000020849fd0
[ 26.498946] R13: ffffc90001819000 R14: 00007ffffffff000 R15: 000000002084a000
[ 26.506193]  ? _copy_to_user+0x9b/0xc0
[ 26.510055]  __do_replace+0x840/0xa70
[ 26.513827]  ? compat_table_info+0x4a0/0x4a0
[ 26.518213]  ? kasan_check_write+0x14/0x20
[ 26.522419]  ? _copy_from_user+0x99/0x110
[ 26.526550]  do_ip6t_set_ctl+0x40f/0x5f0
[ 26.530593]  ? translate_compat_table+0x1c50/0x1c50
[ 26.535580]  ? mutex_unlock+0xd/0x10
[ 26.539264]  ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 26.544508]  nf_setsockopt+0x67/0xc0
[ 26.548190]  ipv6_setsockopt+0x10b/0x130
[ 26.552219]  rawv6_setsockopt+0x4a/0xf0
[ 26.556163]  sock_common_setsockopt+0x95/0xd0
[ 26.560630]  SyS_setsockopt+0x189/0x360
[ 26.564575]  ? SyS_recv+0x40/0x40
[ 26.568000]  ? mm_fault_error+0x2c0/0x2c0
[ 26.572120]  ? move_addr_to_kernel+0x60/0x60
[ 26.576496]  ? do_syscall_64+0xb6/0x940
[ 26.580447]  ? SyS_recv+0x40/0x40
[ 26.583868]  do_syscall_64+0x280/0x940
[ 26.587724]  ? __do_page_fault+0xc90/0xc90
[ 26.591926]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 26.596658]  ? syscall_return_slowpath+0x550/0x550
[ 26.601557]  ? syscall_return_slowpath+0x2ac/0x550
[ 26.606452]  ? prepare_exit_to_usermode+0x350/0x350
[ 26.611440]  ? retint_user+0x18/0x18
[ 26.615121]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 26.619938]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.625092] RIP: 0033:0x44c939
[ 26.628253] RSP: 002b:00007ffe2c1258b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 26.635937] RAX: ffffffffffffffda RBX: 0000000000000068 RCX: 000000000044c939
[ 26.643177] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000004
[ 26.650414] RBP: 00000000004aea