=============================
WARNING: suspicious RCU usage
4.15.0-rc9+ #215 Not tainted
-----------------------------
./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
3 locks held by syz-executor5/23358:
 #0: (&mm->mmap_sem){++++}, at: [<0000000038bef826>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1359
 #1: (rcu_callback){....}, at: [<00000000edc603a9>] __rcu_reclaim kernel/rcu/rcu.h:185 [inline]
 #1: (rcu_callback){....}, at: [<00000000edc603a9>] rcu_do_batch kernel/rcu/tree.c:2758 [inline]
 #1: (rcu_callback){....}, at: [<00000000edc603a9>] invoke_rcu_callbacks kernel/rcu/tree.c:3012 [inline]
 #1: (rcu_callback){....}, at: [<00000000edc603a9>] __rcu_process_callbacks kernel/rcu/tree.c:2979 [inline]
 #1: (rcu_callback){....}, at: [<00000000edc603a9>] rcu_process_callbacks+0xe57/0x17f0 kernel/rcu/tree.c:2996
 #2: (rcu_read_lock){....}, at: [<000000006fe82a05>] __is_insn_slot_addr+0x0/0x330 kernel/kprobes.c:207

stack backtrace:
CPU: 0 PID: 23358 Comm: syz-executor5 Not tainted 4.15.0-rc9+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
 rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline]
 ___might_sleep+0x385/0x470 kernel/sched/core.c:6025
 clear_huge_page+0xa5/0x730 mm/memory.c:4577
 __do_huge_pmd_anonymous_page mm/huge_memory.c:570 [inline]
 do_huge_pmd_anonymous_page+0x59c/0x1b00 mm/huge_memory.c:728
 create_huge_pmd mm/memory.c:3834 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4038
 handle_mm_fault+0x334/0x8d0 mm/memory.c:4104
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1430
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1505
 page_fault+0x4c/0x60 arch/x86/entry/entry_64.S:1260
RIP: 0033:0x43a6e1
RSP: 002b:0000000000a2f498 EFLAGS: 00010202
RAX: 00000000202bf000 RBX: 000000000071ca20 RCX: 0000000000007973
RDX: 000000000000000a RSI: 0000000000720c70 RDI: 00000000202bf000
RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000a2f460 R11: 0000000000000000 R12: 0000000000000003
R13: fffffffffffffffe R14: 000000000071ca20 R15: ffffffffffffffff

================================
WARNING: inconsistent lock state
4.15.0-rc9+ #215 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor2/4167 [HC0[0]:SC1[1]:HE1:SE0] takes:
 (&(&est->lock)->rlock){+.?.}, at: [<00000000c3eac52a>] spin_lock include/linux/spinlock.h:310 [inline]
 (&(&est->lock)->rlock){+.?.}, at: [<00000000c3eac52a>] est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
{SOFTIRQ-ON-W} state was registered at:
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
 gen_new_estimator+0x317/0x770 net/core/gen_estimator.c:162
 xt_rateest_tg_checkentry+0x487/0xaa0 net/netfilter/xt_RATEEST.c:135
 xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
 check_target net/ipv4/netfilter/ip_tables.c:518 [inline]
 find_check_entry.isra.8+0x8c8/0xcb0 net/ipv4/netfilter/ip_tables.c:559
 translate_table+0xed1/0x1610 net/ipv4/netfilter/ip_tables.c:730
 do_replace net/ipv4/netfilter/ip_tables.c:1146 [inline]
 do_ipt_set_ctl+0x370/0x5f0 net/ipv4/netfilter/ip_tables.c:1680
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1260
 sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4141
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
 SYSC_setsockopt net/socket.c:1849 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1828
 entry_SYSCALL_64_fastpath+0x29/0xa0
irq event stamp: 2050750
hardirqs last enabled at (2050750): [<0000000006aac2f6>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last enabled at (2050750): [<0000000006aac2f6>] _raw_spin_unlock_irq+0x27/0x70 kernel/locking/spinlock.c:192
hardirqs last disabled at (2050749): [<00000000d9f154af>] __raw_spin_lock_irq include/linux/spinlock_api_smp.h:126 [inline]
hardirqs last disabled at (2050749): [<00000000d9f154af>] _raw_spin_lock_irq+0x3c/0x80 kernel/locking/spinlock.c:160
softirqs last enabled at (2050738): [<00000000d862b50d>] lock_sock_nested+0x91/0x110 net/core/sock.c:2775
softirqs last disabled at (2050747): [<000000005388a69f>] invoke_softirq kernel/softirq.c:365 [inline]
softirqs last disabled at (2050747): [<000000005388a69f>] irq_exit+0x1cc/0x200 kernel/softirq.c:405

other info that might help us debug this:
Possible unsafe locking scenario:

 CPU0
 ----
 lock(&(&est->lock)->rlock);
 lock(&(&est->lock)->rlock);

*** DEADLOCK ***

3 locks held by syz-executor2/4167:
 #0: (sk_lock-AF_INET){+.+.}, at: [<000000004b50d6fa>] lock_sock include/net/sock.h:1463 [inline]
 #0: (sk_lock-AF_INET){+.+.}, at: [<000000004b50d6fa>] ip_getsockopt+0x143/0x220 net/ipv4/ip_sockglue.c:1576
 #1: (&xt[i].mutex){+.+.}, at: [<00000000d1470512>] xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1036
 #2: ((&est->timer)){+.-.}, at: [<00000000f58e96d8>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
 #2: ((&est->timer)){+.-.}, at: [<00000000f58e96d8>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1308

stack backtrace:
CPU: 1 PID: 4167 Comm: syz-executor2 Not tainted 4.15.0-rc9+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_usage_bug+0x377/0x38c kernel/locking/lockdep.c:2537
 valid_state kernel/locking/lockdep.c:2550 [inline]
 mark_lock_irq kernel/locking/lockdep.c:2744 [inline]
 mark_lock+0xf61/0x1430 kernel/locking/lockdep.c:3142
 mark_irqflags kernel/locking/lockdep.c:3020 [inline]
 __lock_acquire+0x173a/0x3e00 kernel/locking/lockdep.c:3383
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
 est_timer+0x97/0x7c0 net/core/gen_estimator.c:85
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1318
 expire_timers kernel/time/timer.c:1355 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1658
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1684
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:937
RIP: 0010:rol32 include/linux/bitops.h:102 [inline]
RIP: 0010:jhash2 include/linux/jhash.h:128 [inline]
RIP: 0010:hash_stack lib/stackdepot.c:161 [inline]
RIP: 0010:depot_save_stack+0x66/0x490 lib/stackdepot.c:217
RSP: 0018:ffff8801b260f6d0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff11
RAX: 0000000007093e86 RBX: 00000000ca9bad4e RCX: 0000000000000014
RDX: ffff8801b260f758 RSI: 00000000014080c0 RDI: ffff8801b260f728
RBP: ffff8801b260f718 R08: 0000000000000000 R09: 1ffff100364c1ea4
R10: 000000003926ec8c R11: 00000000cb6241ad R12: 000000000000000d
R13: 00000000014080c0 R14: ffff8801b3ef24c8 R15: ffff8801b260f740
 save_stack+0xa3/0xd0 mm/kasan/kasan.c:453
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3672 [inline]
 __kmalloc_node+0x47/0x70 mm/slab.c:3679
 kmalloc_node include/linux/slab.h:541 [inline]
 __vmalloc_area_node mm/vmalloc.c:1686 [inline]
 __vmalloc_node_range+0x1a1/0x650 mm/vmalloc.c:1759
 __vmalloc_node mm/vmalloc.c:1804 [inline]
 __vmalloc_node_flags mm/vmalloc.c:1818 [inline]
 vzalloc+0x45/0x50 mm/vmalloc.c:1857
 alloc_counters.isra.11+0x9a/0x7d0 net/ipv4/netfilter/ip_tables.c:813
 copy_entries_to_user net/ipv4/netfilter/ip_tables.c:835 [inline]
 get_entries net/ipv4/netfilter/ip_tables.c:1035 [inline]
 do_ipt_get_ctl+0x63b/0xac0 net/ipv4/netfilter/ip_tables.c:1708
 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
 nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
 ip_getsockopt+0x15c/0x220 net/ipv4/ip_sockglue.c:1577
 tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3353
 sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2937
 SYSC_getsockopt net/socket.c:1880 [inline]
 SyS_getsockopt+0x178/0x340 net/socket.c:1862
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x455d6a
RSP: 002b:0000000000a2f598 EFLAGS: 00000216 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00000000006f9cd0 RCX: 0000000000455d6a
RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 00000000006f9cd0 R08: 0000000000a2f5bc R09: 0000000000004000
R10: 0000000000a2f620 R11: 0000000000000216 R12: 0000000000000013
R13: 00000000006fb968 R14: 0000000000019d17 R15: 0000000000000001
RDS: rds_bind could not find a transport for 224.0.0.1, load rds_tcp or rds_rdma?
sctp: [Deprecated]: syz-executor0 (pid 23555) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor0 (pid 23555) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 'syz-executor4': attribute type 11 has an invalid length.
netlink: 'syz-executor4': attribute type 11 has an invalid length.
sctp: [Deprecated]: syz-executor5 (pid 24061) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor5 (pid 24072) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
Cannot find add_set index 29783 as target
Cannot find add_set index 29783 as target
IPv4: Oversized IP packet from 127.0.0.1
netlink: 'syz-executor0': attribute type 10 has an invalid length.
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 24283 Comm: syz-executor6 Not tainted 4.15.0-rc9+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3368 [inline]
 __do_kmalloc mm/slab.c:3706 [inline]
 __kmalloc+0x63/0x760 mm/slab.c:3717
 kmalloc include/linux/slab.h:504 [inline]
 sock_kmalloc+0x112/0x190 net/core/sock.c:1989
 af_alg_alloc_areq+0x74/0x2f0 crypto/af_alg.c:1096
 _aead_recvmsg crypto/algif_aead.c:158 [inline]
 aead_recvmsg+0x42c/0x1cf0 crypto/algif_aead.c:335
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0xc9/0x110 net/socket.c:810
 ___sys_recvmsg+0x2a4/0x640 net/socket.c:2205
 __sys_recvmsg+0xe2/0x210 net/socket.c:2250
 SYSC_recvmsg net/socket.c:2262 [inline]
 SyS_recvmsg+0x2d/0x50 net/socket.c:2257
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fcec24c4c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007fcec24c4aa0 RCX: 0000000000453299
RDX: 0000000000000000 RSI: 00000000206e3000 RDI: 0000000000000014
RBP: 00007fcec24c4a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b8096
R13: 00007fcec24c4bc8 R14: 00000000004b8096 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 24302 Comm: syz-executor6 Not tainted 4.15.0-rc9+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3368 [inline]
 __do_kmalloc mm/slab.c:3706 [inline]
 __kmalloc+0x63/0x760 mm/slab.c:3717
 kmalloc include/linux/slab.h:504 [inline]
 sock_kmalloc+0x112/0x190 net/core/sock.c:1989
 _aead_recvmsg crypto/algif_aead.c:259 [inline]
 aead_recvmsg+0x103b/0x1cf0 crypto/algif_aead.c:335
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0xc9/0x110 net/socket.c:810
 ___sys_recvmsg+0x2a4/0x640 net/socket.c:2205
 __sys_recvmsg+0xe2/0x210 net/socket.c:2250
 SYSC_recvmsg net/socket.c:2262 [inline]
 SyS_recvmsg+0x2d/0x50 net/socket.c:2257
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fcec24c4c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007fcec24c4aa0 RCX: 0000000000453299
RDX: 0000000000000000 RSI: 00000000206e3000 RDI: 0000000000000014
RBP: 00007fcec24c4a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b8096
R13: 00007fcec24c4bc8 R14: 00000000004b8096 R15: 0000000000000000
xt_TCPMSS: Only works on TCP SYN packets
sctp: [Deprecated]: syz-executor5 (pid 24320) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
xt_TCPMSS: Only works on TCP SYN packets
sctp: [Deprecated]: syz-executor5 (pid 24320) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
netlink: 12 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
device syz2 entered promiscuous mode
device syz2 left promiscuous mode
atomic_op 00000000f9ef3e22 conn xmit_atomic (null)
sctp: [Deprecated]: syz-executor1 (pid 24649) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor1 (pid 24662) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
netlink: 'syz-executor4': attribute type 1 has an invalid length.
PF_BRIDGE: br_mdb_parse() with non-bridge
can: request_module (can-proto-0) failed.
can: request_module (can-proto-0) failed.
dccp_close: ABORT with 214 bytes unread
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=26437 sclass=netlink_route_socket pig=24933 comm=syz-executor4
device bridge0 entered promiscuous mode
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
device bridge0 left promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=26437 sclass=netlink_route_socket pig=24942 comm=syz-executor4
audit: type=1400 audit(1517263703.501:74): avc: denied { map } for pid=24966 comm="syz-executor3" path="socket:[45305]" dev="sockfs" ino=45305 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=packet_socket permissive=1
netlink: 'syz-executor2': attribute type 33 has an invalid length.
A link change request failed with some changes committed already. Interface syz2 may have been left with an inconsistent configuration, please check.
netlink: 'syz-executor2': attribute type 33 has an invalid length.
IPv4: Oversized IP packet from 172.20.5.15
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
audit: type=1400 audit(1517263704.206:75): avc: denied { shutdown } for pid=25204 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
sctp: [Deprecated]: syz-executor5 (pid 25267) Use of int in max_burst socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor5 (pid 25267) Use of int in max_burst socket option.
Use struct sctp_assoc_value instead
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=25360 comm=syz-executor7
ieee80211 phy14: Selected rate control algorithm 'minstrel_ht'
sctp: [Deprecated]: syz-executor1 (pid 25359) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=25371 comm=syz-executor7
ieee80211 phy15: Selected rate control algorithm 'minstrel_ht'
sctp: [Deprecated]: syz-executor1 (pid 25380) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
ipt_CLUSTERIP: ipt_CLUSTERIP is deprecated and it will removed soon, use xt_cluster instead
ipt_CLUSTERIP: ipt_CLUSTERIP is deprecated and it will removed soon, use xt_cluster instead
sctp: [Deprecated]: syz-executor4 (pid 25599) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor4 (pid 25599) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
device syz7 left promiscuous mode
xt_l2tp: missing protocol rule (udp|l2tpip)
xt_l2tp: missing protocol rule (udp|l2tpip)
audit: type=1400 audit(1517263706.548:76): avc: denied { map } for pid=26063 comm="syz-executor0" path="socket:[47150]" dev="sockfs" ino=47150 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
nla_parse: 6 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=57722 sclass=netlink_route_socket pig=26198 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=28 sclass=netlink_tcpdiag_socket pig=26207 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=28 sclass=netlink_tcpdiag_socket pig=26210 comm=syz-executor1