=====================================
WARNING: bad unlock balance detected!
4.16.0-rc2+ #323 Not tainted
-------------------------------------
syz-executor4/6369 is trying to release lock (rcu_read_lock_bh) at:
[] rcu_read_unlock_bh include/linux/rcupdate.h:722 [inline]
[] hashlimit_mt_common.isra.10+0x1beb/0x2610 net/netfilter/xt_hashlimit.c:777
but there are no more locks to release!

other info that might help us debug this:
3 locks held by syz-executor4/6369:
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000003cbee5c6>] lock_sock include/net/sock.h:1463 [inline]
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000003cbee5c6>] sctp_sendmsg+0xc1e/0x35e0 net/sctp/socket.c:1723
 #1: (rcu_read_lock){....}, at: [<00000000ad94a69e>] sctp_v6_xmit+0x2e5/0x630 net/sctp/ipv6.c:222
 #2: (rcu_read_lock){....}, at: [<0000000077b4b96b>] ip6_autoflowlabel net/ipv6/ip6_output.c:291 [inline]
 #2: (rcu_read_lock){....}, at: [<0000000077b4b96b>] ip6_xmit+0xe9d/0x2260 net/ipv6/ip6_output.c:249

stack backtrace:
CPU: 0 PID: 6369 Comm: syz-executor4 Not tainted 4.16.0-rc2+ #323
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3484
 __lock_release kernel/locking/lockdep.c:3691 [inline]
 lock_release+0x6fe/0xa40 kernel/locking/lockdep.c:3939
 rcu_lock_release include/linux/rcupdate.h:249 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:724 [inline]
 hashlimit_mt_common.isra.10+0x1c08/0x2610 net/netfilter/xt_hashlimit.c:777
 hashlimit_mt+0x78/0x90 net/netfilter/xt_hashlimit.c:846
 ip6t_do_table+0x98d/0x1a30 net/ipv6/netfilter/ip6_tables.c:319
 ip6table_filter_hook+0x65/0x80 net/ipv6/netfilter/ip6table_filter.c:41
 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
 nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
 nf_hook include/linux/netfilter.h:243 [inline]
 NF_HOOK include/linux/netfilter.h:286 [inline]
 ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277
 sctp_v6_xmit+0x438/0x630 net/sctp/ipv6.c:225
 sctp_packet_transmit+0x225e/0x3750 net/sctp/output.c:638
 sctp_outq_flush+0xabb/0x4060 net/sctp/outqueue.c:911
 sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1210 [inline]
 sctp_do_sm+0x4e0/0x6ed0 net/sctp/sm_sideeffect.c:1181
 sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88
 sctp_sendmsg+0x13bd/0x35e0 net/sctp/socket.c:1985
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 SYSC_sendto+0x361/0x5c0 net/socket.c:1747
 SyS_sendto+0x40/0x50 net/socket.c:1715
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453da9
RSP: 002b:00007fecf74f0c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fecf74f16d4 RCX: 0000000000453da9
RDX: 0000000000000001 RSI: 0000000020000000 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000020000640 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004ba R14: 00000000006f7210 R15: 0000000000000000
device bridge0 entered promiscuous mode
device bridge0 left promiscuous mode
device syz3 entered promiscuous mode
device syz3 left promiscuous mode
device syz3 entered promiscuous mode
device syz3 left promiscuous mode
kauditd_printk_skb: 20 callbacks suppressed
audit: type=1400 audit(1519221360.523:42): avc: denied { map } for pid=6542 comm="syz-executor1" path="/dev/sg0" dev="devtmpfs" ino=104 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
irq bypass consumer (token 0000000038ade277) registration fails: -16
audit: type=1400 audit(1519221360.676:43): avc: denied { name_connect } for pid=6603 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
xt_connbytes: Forcing CT accounting to be enabled
x_tables: ip6_tables: eui64 match: used from hooks INPUT/FORWARD/OUTPUT, but only valid from PREROUTING/INPUT/FORWARD
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55771 sclass=netlink_route_socket pig=6664 comm=syz-executor6
x_tables: ip6_tables: eui64 match: used from hooks INPUT/FORWARD/OUTPUT, but only valid from PREROUTING/INPUT/FORWARD
audit: type=1400 audit(1519221361.055:44): avc: denied { read } for pid=6726 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
xt_dscp: dscp 7f out of range
xt_dscp: dscp 7f out of range
xt_addrtype: input interface limitation not valid in POSTROUTING and OUTPUT
xt_addrtype: input interface limitation not valid in POSTROUTING and OUTPUT
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
device eql entered promiscuous mode
QAT: Invalid ioctl
QAT: Invalid ioctl
audit: type=1400 audit(1519221361.938:45): avc: denied { set_context_mgr } for pid=7034 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables
binder: BINDER_SET_CONTEXT_MGR already set
syz-executor0 uses obsolete (PF_INET,SOCK_PACKET)
binder: 7034:7048 ioctl 40046207 0 returned -16
binder: 7059:7067 got reply transaction with no transaction stack
binder: 7059:7067 transaction failed 29201/-71, size 0-8 line 2757
capability: warning: `syz-executor4' uses deprecated v2 capabilities in a way that may be insecure
binder: 7059:7060 BC_CLEAR_DEATH_NOTIFICATION invalid ref 1
binder_alloc: binder_alloc_mmap_handler: 7059 20265000-20279000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7059:7067 ioctl 40046207 0 returned -16
binder: 7059:7060 got reply transaction with no transaction stack
binder: 7059:7067 BC_CLEAR_DEATH_NOTIFICATION invalid ref 1
binder: 7059:7060 transaction failed 29201/-71, size 0-8 line 2757
audit: type=1400 audit(1519221362.166:46): avc: denied { dyntransition } for pid=7099 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0,c1 tclass=process permissive=1
dccp_invalid_packet: P.Data Offset(66) too large
--map-set only usable from mangle table
audit: type=1400 audit(1519221362.753:47): avc: denied { map } for pid=7310 comm="syz-executor2" path="/72/file0/bus" dev="ramfs" ino=19904 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1
--map-set only usable from mangle table
audit: type=1400 audit(1519221362.843:48): avc: denied { name_bind } for pid=7328 comm="syz-executor0" src=20000 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
audit: type=1400 audit(1519221362.843:49): avc: denied { node_bind } for pid=7328 comm="syz-executor0" saddr=::1 src=20000 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket permissive=1
audit: type=1400 audit(1519221363.544:50): avc: denied { write } for pid=7417 comm="syz-executor5" name="net" dev="proc" ino=20054 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
audit: type=1400 audit(1519221363.544:51): avc: denied { add_name } for pid=7417 comm="syz-executor5" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 29 bytes leftover after parsing attributes in process `syz-executor2'.
QAT: Invalid ioctl
QAT: Invalid ioctl
x_tables: ip_tables: l2tp match: used from hooks POSTROUTING, but only valid from PREROUTING/INPUT/FORWARD/OUTPUT
kernel msg: ebtables bug: please report to author: Couldn't copy entries from userspace
x_tables: ip_tables: l2tp match: used from hooks POSTROUTING, but only valid from PREROUTING/INPUT/FORWARD/OUTPUT
kernel msg: ebtables bug: please report to author: Couldn't copy entries from userspace
x_tables: ip6_tables: REDIRECT target: used from hooks PREROUTING/INPUT/OUTPUT/POSTROUTING, but only usable from PREROUTING/OUTPUT
x_tables: ip6_tables: REDIRECT target: used from hooks PREROUTING/INPUT/OUTPUT/POSTROUTING, but only usable from PREROUTING/OUTPUT
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7617 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7617 comm=syz-executor7
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
Cannot find add_set index 0 as target
Cannot find add_set index 0 as target
Cannot find add_set index 0 as target
Cannot find add_set index 0 as target
mmap: syz-executor2 (7955): VmData 3985408 exceed data ulimit 0. Update limits or use boot option ignore_rlimit_data.
QAT: Invalid ioctl
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8000:8009 ioctl 40046207 0 returned -16
QAT: Invalid ioctl
device eql entered promiscuous mode
kernel msg: ebtables bug: please report to author: Total nentries is wrong
kauditd_printk_skb: 4 callbacks suppressed
audit: type=1400 audit(1519221365.765:56): avc: denied { relabelto } for pid=8204 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=packet permissive=1
kernel msg: ebtables bug: please report to author: Total nentries is wrong
binder: 8382:8394 ioctl 4c80 ffffffffffffffff returned -22
audit: type=1400 audit(1519221366.443:57): avc: denied { getopt } for pid=8382 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 8382:8404 ioctl 4c80 ffffffffffffffff returned -22
Cannot find set identified by id 0 to match
x_tables: ip6_tables: icmp6 match: only valid for protocol 58
Cannot find set identified by id 0 to match
audit: type=1400 audit(1519221366.660:58): avc: denied { map } for pid=8461 comm="syz-executor6" path="socket:[23458]" dev="sockfs" ino=23458 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=packet_socket permissive=1
audit: type=1400 audit(1519221366.951:59): avc: denied { validate_trans } for pid=8539 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
rdma_op 0000000057009b21 conn xmit_rdma (null)
rdma_op 0000000069081b8f conn xmit_rdma (null)
kernel msg: ebtables bug: please report to author: Valid hook without chain
audit: type=1400 audit(1519221367.396:60): avc: denied { getattr } for pid=8693 comm="syz-executor6" name="NETLINK" dev="sockfs" ino=24852 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
NFS: bad mount option value specified: v2ä
QAT: Invalid ioctl
QAT: Invalid ioctl
x_tables: ip6_tables: DNPT target: used from hooks PREROUTING/INPUT/FORWARD/OUTPUT/POSTROUTING, but only usable from PREROUTING/OUTPUT
QAT: Invalid ioctl
binder_alloc: 8879: binder_alloc_buf failed to map page at 20265000 in userspace
audit: type=1400 audit(1519221367.927:61): avc: denied { call } for pid=8879 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 8879:8892 transaction failed 29201/-12, size 0-0 line 2957
QAT: Invalid ioctl
x_tables: ip6_tables: DNPT target: used from hooks PREROUTING/INPUT/FORWARD/OUTPUT/POSTROUTING, but only usable from PREROUTING/OUTPUT
audit: type=1400 audit(1519221367.960:62): avc: denied { map_create } for pid=8882 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1519221367.961:63): avc: denied { dac_override } for pid=8882 comm="syz-executor6" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519221367.966:64): avc: denied { net_admin } for pid=4190 comm="syz-executor2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519221367.980:65): avc: denied { prog_load } for pid=8882 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 8879: binder_alloc_buf, no vma
binder: 8879:8906 transaction failed 29189/-3, size 0-0 line 2957
binder: 8879:8902 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
xt_CONNSECMARK: target only valid in the 'mangle' or 'security' tables, not 'filter'.
xt_CONNSECMARK: target only valid in the 'mangle' or 'security' tables, not 'filter'.
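The lockdep report above says the task released rcu_read_lock_bh while holding sk_lock-AF_INET6 and two rcu_read_lock sections, but no rcu_read_lock_bh: lockdep tracks lock classes separately, so a held rcu_read_lock does not satisfy an rcu_read_unlock_bh(). The C model below is an added example, not kernel code and not the xt_hashlimit source (the real error path at net/netfilter/xt_hashlimit.c:777 is not reproduced here). It keeps the same per-task held-lock stack lockdep uses and shows how a match function whose error path unlocks and then falls into a common exit that unlocks again produces exactly this diagnostic, beside the balanced shape that does not. The lock-class names and the three outer locks come from the report; match_buggy, match_fixed and the lookup_fails flag are hypothetical.

```c
/*
 * Added illustration, not kernel code: a minimal model of the held-lock
 * bookkeeping behind lockdep's "bad unlock balance detected" warning.
 * The match bodies are a generic shape of the mistake, not xt_hashlimit.
 */
#include <stdio.h>
#include <string.h>

enum lock_class { SK_LOCK, RCU_READ_LOCK, RCU_READ_LOCK_BH, NR_CLASSES };

static const char *const class_name[NR_CLASSES] = {
	"sk_lock", "rcu_read_lock", "rcu_read_lock_bh",
};

#define MAX_HELD 8

/* Per-task state: stack of held lock classes (lockdep's held_locks)
 * plus a count of imbalance reports emitted for this task. */
struct task {
	enum lock_class held[MAX_HELD];
	int depth;
	int imbalance_reports;
};

static void lock_acquire(struct task *t, enum lock_class c)
{
	if (t->depth < MAX_HELD)
		t->held[t->depth++] = c;
}

/* Model of __lock_release(): drop the most recent held entry of this
 * class. If no entry of that class exists, report the imbalance rather
 * than corrupting the stack; other classes held do not count. */
static int lock_release(struct task *t, enum lock_class c)
{
	for (int i = t->depth - 1; i >= 0; i--) {
		if (t->held[i] != c)
			continue;
		memmove(&t->held[i], &t->held[i + 1],
			(size_t)(t->depth - i - 1) * sizeof(t->held[0]));
		t->depth--;
		return 0;
	}
	t->imbalance_reports++;
	fprintf(stderr, "WARNING: bad unlock balance: releasing %s, "
		"but it is not held (%d other locks held)\n",
		class_name[c], t->depth);
	return -1;
}

/* Buggy shape (hypothetical): the error path releases the read lock and
 * then jumps to a common exit that releases it again. Only the error
 * path is unbalanced, which is why a fuzzer rather than normal traffic
 * tends to surface it. */
static int match_buggy(struct task *t, int lookup_fails)
{
	int matched = 1;

	lock_acquire(t, RCU_READ_LOCK_BH);
	if (lookup_fails) {
		lock_release(t, RCU_READ_LOCK_BH);
		matched = 0;
		goto out;	/* bug: "out" unlocks a second time */
	}
out:
	lock_release(t, RCU_READ_LOCK_BH);
	return matched;
}

/* Fixed shape: exactly one release per path; the error path returns
 * without touching the common exit. */
static int match_fixed(struct task *t, int lookup_fails)
{
	lock_acquire(t, RCU_READ_LOCK_BH);
	if (lookup_fails) {
		lock_release(t, RCU_READ_LOCK_BH);
		return 0;
	}
	lock_release(t, RCU_READ_LOCK_BH);
	return 1;
}

/* Run one packet through a match with the report's caller context held
 * (sk_lock, rcu_read_lock from sctp_v6_xmit, rcu_read_lock from
 * ip6_xmit). Returns the number of imbalance reports, or -1 if the match
 * disturbed the three outer locks. */
static int run_packet(int (*match)(struct task *, int), int lookup_fails)
{
	struct task t = { 0 };

	lock_acquire(&t, SK_LOCK);
	lock_acquire(&t, RCU_READ_LOCK);
	lock_acquire(&t, RCU_READ_LOCK);
	match(&t, lookup_fails);
	return t.depth == 3 ? t.imbalance_reports : -1;
}

int main(void)
{
	printf("buggy, lookup ok:    %d report(s)\n", run_packet(match_buggy, 0));
	printf("buggy, lookup fails: %d report(s)\n", run_packet(match_buggy, 1));
	printf("fixed, lookup fails: %d report(s)\n", run_packet(match_fixed, 1));
	return 0;
}
```

The model only counts the imbalance; in a real kernel the extra rcu_read_unlock_bh() also performs an unbalanced local_bh_enable(), so softirqs can run where the caller believed them disabled, and the RCU read-side section the caller relies on ends early. That is why a lockdep unlock-balance warning in a netfilter match is worth treating as a correctness bug and not merely as noise.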