device syz2 left promiscuous mode
================================
WARNING: inconsistent lock state
4.15.0-rc9+ #283 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor4/13618 [HC0[0]:SC1[1]:HE1:SE0] takes:
 (&(&est->lock)->rlock){+.?.}, at: [<00000000a5ac9069>] spin_lock include/linux/spinlock.h:310 [inline]
 (&(&est->lock)->rlock){+.?.}, at: [<00000000a5ac9069>] est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
  _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
  spin_lock include/linux/spinlock.h:310 [inline]
  est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
  gen_new_estimator+0x317/0x770 net/core/gen_estimator.c:162
  xt_rateest_tg_checkentry+0x487/0xaa0 net/netfilter/xt_RATEEST.c:135
  xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
  check_target net/ipv4/netfilter/ip_tables.c:518 [inline]
  find_check_entry.isra.8+0x8c8/0xcb0 net/ipv4/netfilter/ip_tables.c:559
  translate_table+0xed1/0x1610 net/ipv4/netfilter/ip_tables.c:730
  do_replace net/ipv4/netfilter/ip_tables.c:1148 [inline]
  do_ipt_set_ctl+0x370/0x5f0 net/ipv4/netfilter/ip_tables.c:1682
  nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
  nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
  ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1256
  sctp_setsockopt+0x2a0/0x5de0 net/sctp/socket.c:4074
  sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2968
  SYSC_setsockopt net/socket.c:1831 [inline]
  SyS_setsockopt+0x189/0x360 net/socket.c:1810
  entry_SYSCALL_64_fastpath+0x29/0xa0
irq event stamp: 1798
hardirqs last  enabled at (1798): [<00000000466cab1f>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last  enabled at (1798): [<00000000466cab1f>] _raw_spin_unlock_irq+0x27/0x70 kernel/locking/spinlock.c:192
hardirqs last disabled at (1797): [<00000000a314568f>] __raw_spin_lock_irq include/linux/spinlock_api_smp.h:126 [inline]
hardirqs last disabled at (1797): [<00000000a314568f>] _raw_spin_lock_irq+0x3c/0x80 kernel/locking/spinlock.c:160
softirqs last  enabled at (1544): [<000000007d8a5970>] __do_softirq+0x7a0/0xb85 kernel/softirq.c:311
softirqs last disabled at (1795): [<0000000095297c29>] invoke_softirq kernel/softirq.c:365 [inline]
softirqs last disabled at (1795): [<0000000095297c29>] irq_exit+0x1cc/0x200 kernel/softirq.c:405

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&est->lock)->rlock);
  <Interrupt>
    lock(&(&est->lock)->rlock);

 *** DEADLOCK ***

2 locks held by syz-executor4/13618:
 #0:  (&mm->mmap_sem){++++}, at: [<00000000ffcd802b>] do_mprotect_pkey+0x17e/0x900 mm/mprotect.c:420
 #1:  ((&est->timer)){+.-.}, at: [<00000000f32f9d71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
 #1:  ((&est->timer)){+.-.}, at: [<00000000f32f9d71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1308

stack backtrace:
CPU: 0 PID: 13618 Comm: syz-executor4 Not tainted 4.15.0-rc9+ #283
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_usage_bug+0x377/0x38c kernel/locking/lockdep.c:2537
 valid_state kernel/locking/lockdep.c:2550 [inline]
 mark_lock_irq kernel/locking/lockdep.c:2744 [inline]
 mark_lock+0xf61/0x1430 kernel/locking/lockdep.c:3142
 mark_irqflags kernel/locking/lockdep.c:3020 [inline]
 __lock_acquire+0x173a/0x3e00 kernel/locking/lockdep.c:3383
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
 est_timer+0x97/0x7c0 net/core/gen_estimator.c:85
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1318
 expire_timers kernel/time/timer.c:1355 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1658
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1684
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:937
 </IRQ>
RIP: 0010:memcmp+0xae/0x160 lib/string.c:861
RSP: 0018:ffff8801c36ef870 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff11
RAX: 00000000000000de RBX: ffff8801c36ef930 RCX: 0000000000000000
RDX: ffff8801c36ef970 RSI: ffff8801d21db8f0 RDI: 0000000000000000
RBP: ffff8801c36ef898 R08: 0000000000000000 R09: 1ffff100386ddedf
R10: 0000000015c88f6a R11: 000000001e8ada51 R12: dffffc0000000000
R13: 0000000000000058 R14: ffff8801d21db8c0 R15: ffff8801c36ef918
 find_stack lib/stackdepot.c:176 [inline]
 depot_save_stack+0x12c/0x490 lib/stackdepot.c:225
 save_stack+0xa3/0xd0 mm/kasan/kasan.c:453
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
 anon_vma_chain_alloc mm/rmap.c:128 [inline]
 anon_vma_clone+0x139/0x700 mm/rmap.c:268
 __split_vma+0x2f7/0x7b0 mm/mmap.c:2584
 split_vma+0x8f/0xc0 mm/mmap.c:2627
 mprotect_fixup+0x3f5/0x640 mm/mprotect.c:354
 do_mprotect_pkey+0x57d/0x900 mm/mprotect.c:492
 SYSC_mprotect mm/mprotect.c:517 [inline]
 SyS_mprotect+0x2a/0x40 mm/mprotect.c:514
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453397
RSP: 002b:0000000000a2f2c8 EFLAGS: 00000246 ORIG_RAX: 000000000000000a
RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 0000000000453397
RDX: 0000000000000000 RSI: 0000000000001000 RDI: 00007efc8ce10000
RBP: 0000000000a2f3b0 R08: 00000000006fd280 R09: 00000000006fd280
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000a2f3c0
R13: 00007efc8ce30700 R14: 0000000000000026 R15: 0000000000000002
device eql entered promiscuous mode
kvm [13720]: vcpu0, guest rIP: 0xfff0 Hyper-V uhandled wrmsr: 0x40000020 data 0x9
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 13794 20000000-20002000 already mapped failed -16
device eql entered promiscuous mode
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
kauditd_printk_skb: 55 callbacks suppressed
audit: type=1400 audit(1517128469.508:1786): avc:  denied  { setgid } for  pid=14063 comm="syz-executor3" capability=6  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables
irq bypass consumer (token 000000007fe0503a) registration fails: -16
irq bypass consumer (token 00000000e45883da) registration fails: -16
irq bypass consumer (token 00000000e24ca640) registration fails: -16
irq bypass consumer (token 00000000f975ef95) registration fails: -16
irq bypass consumer (token 00000000cac61bd3) registration fails: -16
l2tp_core: tunl 59: sockfd_lookup(fd=0) returned -88
l2tp_core: tunl 59: sockfd_lookup(fd=0) returned -88
l2tp_core: tunl 59: sockfd_lookup(fd=0) returned -88
l2tp_core: tunl 59: sockfd_lookup(fd=0) returned -88
l2tp_core: tunl 59: sockfd_lookup(fd=0) returned -88
audit: type=1400 audit(1517128472.982:1787): avc:  denied  { map } for  pid=14828 comm="syz-executor0" path="/dev/loop0" dev="devtmpfs" ino=107504 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=file permissive=1
audit: type=1326 audit(1517128473.203:1788): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14897 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128473.240:1789): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14897 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=257 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128473.240:1790): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14897 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128473.240:1791): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14897 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128473.242:1792): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14897 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=162 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128473.266:1793): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14897 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128473.266:1794): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14897 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128473.270:1795): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14897 comm="syz-executor3" exe="/root/syz-executor3" sig=0 arch=c000003e syscall=288 compat=0 ip=0x453299 code=0x7ffc0000
netlink: 'syz-executor3': attribute type 16 has an invalid length.
netlink: 'syz-executor3': attribute type 16 has an invalid length.
kauditd_printk_skb: 101 callbacks suppressed
audit: type=1326 audit(1517128475.147:1897): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128475.198:1898): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=119 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128475.199:1899): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128475.199:1900): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128475.201:1901): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=9 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128475.201:1902): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128475.201:1903): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128475.201:1904): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=317 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128475.226:1905): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517128475.226:1906): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15338 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
PPPIOCDETACH file->f_count=2
PPPIOCDETACH file->f_count=2
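The lockdep splat at the top of this log says that &est->lock was first taken with softirqs enabled (from gen_new_estimator() in the setsockopt path) and later taken from the timer softirq (est_timer()). Lockdep tracks each lock class's usage as a set of bits and refuses the combination SOFTIRQ-ON-W plus IN-SOFTIRQ-W, because a softirq firing on the CPU that holds the lock would spin on it forever. The following user-space C program is an added illustration written for this page, not kernel code and not part of the report: it models that rule on the two acquisitions the report shows, and then repeats them with the process-context caller running with BH disabled, which is the usual remedy (spin_lock_bh() or local_bh_disable() around the critical section). The fixed variant is an assumption of the example; the report itself does not say how the bug was resolved.

```c
/*
 * Added example: a toy model of lockdep's irq-usage consistency check.
 * Not kernel code. Only the two usage bits named in the report are modelled.
 */
#include <stdbool.h>
#include <stdio.h>

enum lock_usage_bit {
	LOCK_USED_IN_SOFTIRQ_W = 1u << 0,	/* IN-SOFTIRQ-W: taken from a softirq */
	LOCK_ENABLED_SOFTIRQ_W = 1u << 1,	/* SOFTIRQ-ON-W: taken with softirqs enabled */
};

struct lock_class {
	const char *name;
	unsigned int usage_mask;	/* union of bits observed so far */
};

/* Calling context as lockdep derives it from preempt_count() and irq flags. */
struct acquire_ctx {
	const char *where;		/* for the diagnostic only */
	bool in_softirq;		/* running a softirq handler (timer, NET_RX, ...) */
	bool softirqs_enabled;		/* BH not masked by local_bh_disable()/spin_lock_bh() */
};

/*
 * Record a write acquisition of @lc from context @ctx. Returns true if the
 * usage stays consistent, false if the new bit conflicts with one recorded
 * earlier (the condition lockdep reports as "inconsistent lock state").
 */
bool lock_acquire_w(struct lock_class *lc, const struct acquire_ctx *ctx)
{
	unsigned int bit;

	if (ctx->in_softirq)
		bit = LOCK_USED_IN_SOFTIRQ_W;
	else if (ctx->softirqs_enabled)
		bit = LOCK_ENABLED_SOFTIRQ_W;
	else
		bit = 0;	/* process context with BH off: no softirq can preempt the holder */

	lc->usage_mask |= bit;

	/* A lock ever taken from softirq context must never be held with softirqs enabled. */
	if ((lc->usage_mask & LOCK_USED_IN_SOFTIRQ_W) &&
	    (lc->usage_mask & LOCK_ENABLED_SOFTIRQ_W)) {
		printf("inconsistent softirq usage of %s, detected at %s\n",
		       lc->name, ctx->where);
		return false;
	}
	return true;
}

/*
 * Replay the order in the report: est_fetch_counters() first from
 * gen_new_estimator() (setsockopt, process context, BH enabled), then from
 * est_timer() in the timer softirq. Returns false: this is the splat.
 */
bool replay_reported_order(void)
{
	struct lock_class est_lock = { "&(&est->lock)->rlock", 0 };
	const struct acquire_ctx from_setsockopt = { "gen_new_estimator", false, true };
	const struct acquire_ctx from_timer = { "est_timer", true, false };
	bool ok;

	ok = lock_acquire_w(&est_lock, &from_setsockopt);
	ok = lock_acquire_w(&est_lock, &from_timer) && ok;
	return ok;
}

/*
 * Same two call sites, but the process-context caller masks BH around the
 * acquisition (hypothetical fix assumed by this example). Returns true.
 */
bool replay_with_bh_disabled(void)
{
	struct lock_class est_lock = { "&(&est->lock)->rlock", 0 };
	const struct acquire_ctx from_setsockopt_bh = { "gen_new_estimator (BH off)", false, false };
	const struct acquire_ctx from_timer = { "est_timer", true, false };
	bool ok;

	ok = lock_acquire_w(&est_lock, &from_setsockopt_bh);
	ok = lock_acquire_w(&est_lock, &from_timer) && ok;
	return ok;
}

int main(void)
{
	printf("reported order consistent: %s\n", replay_reported_order() ? "yes" : "no");
	printf("with BH disabled consistent: %s\n", replay_with_bh_disabled() ? "yes" : "no");
	return 0;
}
```

The check is order-independent: had the timer run first, lockdep would have printed the mirror-image `{IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W}` message from the setsockopt path instead, and this model flags that case as well. The model also shows why "2 locks held" matters for triage: the unrelated mmap_sem and timer base locks listed there are only the holder's context, not the conflicting lock.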