=============================
WARNING: suspicious RCU usage
4.15.0-rc6-next-20180102+ #86 Not tainted
-----------------------------
net/netfilter/ipset/ip_set_core.c:2057 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
3 locks held by kworker/u4:2/45:
 #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000fce17ee9>] process_one_work+0x71f/0x14a0 kernel/workqueue.c:2083
 #1: (net_cleanup_work){+.+.}, at: [<000000000a04408d>] process_one_work+0x757/0x14a0 kernel/workqueue.c:2087
 #2: (net_mutex){+.+.}, at: [<000000003b8c2a8f>] cleanup_net+0x139/0x8b0 net/core/net_namespace.c:450
stack backtrace:
CPU: 0 PID: 45 Comm: kworker/u4:2 Not tainted 4.15.0-rc6-next-20180102+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x137/0x198 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
 ip_set_net_exit+0x2c6/0x480 net/netfilter/ipset/ip_set_core.c:2057
 ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:142
 cleanup_net+0x3f3/0x8b0 net/core/net_namespace.c:484
 process_one_work+0x801/0x14a0 kernel/workqueue.c:2112
 worker_thread+0xe0/0x1010 kernel/workqueue.c:2246
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
kauditd_printk_skb: 165 callbacks suppressed
audit: type=1326 audit(1514913352.696:685): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913352.699:686): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=2 compat=0 ip=0x40ce01 code=0x7ffc0000
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
audit: type=1326 audit(1514913352.700:687): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913352.700:688): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913352.703:689): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=8 compat=0 ip=0x452ac9 code=0x7ffc0000
device gre0 entered promiscuous mode
audit: type=1326 audit(1514913352.705:690): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913352.708:691): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=2 compat=0 ip=0x40ce01 code=0x7ffc0000
audit: type=1326 audit(1514913352.708:692): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913352.712:693): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=16 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913352.713:694): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7682 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
ptrace attach of "/root/syz-executor4"[3701] was attempted by "/root/syz-executor4"[7838]
ptrace attach of "/root/syz-executor4"[3701] was attempted by "/root/syz-executor4"[7852]
binder: 7874 RLIMIT_NICE not set
binder: 7871:7874 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 7871:7874 got reply transaction with no transaction stack
binder: 7871:7874 transaction failed 29201/-71, size 0-72 line 2760
binder: 7871:7874 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 7871:7885 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 7871:7874 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 7874 RLIMIT_NICE not set
binder: 7871:7885 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 7871:7885 got reply transaction with no transaction stack
binder: 7871:7885 transaction failed 29201/-71, size 0-72 line 2760
binder: 7871:7874 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 7871:7874 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: undelivered death notification, 0000000000000000
QAT: Invalid ioctl
QAT: Invalid ioctl
sock: sock_set_timeout: `syz-executor2' (pid 8008) tries to set negative timeout
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=33 sclass=netlink_audit_socket pig=8012 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=33 sclass=netlink_audit_socket pig=8015 comm=syz-executor3
capability: warning: `syz-executor7' uses deprecated v2 capabilities in a way that may be insecure
kvm [8030]: vcpu0, guest rIP: 0xfff0 unimplemented MMIO_CONF_BASE wrmsr: 0x3e2d
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
futex_wake_op: syz-executor5 tries to shift op by -65; fix this program
futex_wake_op: syz-executor5 tries to shift op by -65; fix this program
device syz6 entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 8287 209a1000-209a4000 already mapped failed -16
binder: 8292:8299 ERROR: BC_REGISTER_LOOPER called without request
binder: 8299 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8292:8299 ioctl 40046207 0 returned -16
binder_alloc: 8292: binder_alloc_buf, no vma
binder: 8292:8299 transaction failed 29189/-3, size 0-0 line 2960
binder: 8292:8305 got reply transaction with no transaction stack
binder: 8292:8305 transaction failed 29201/-71, size 0-0 line 2760
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: binder_alloc_mmap_handler: 8287 209a1000-209a4000 already mapped failed -16
binder: 8292:8305 ERROR: BC_REGISTER_LOOPER called without request
binder: 8305 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8292:8299 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8292:8305 ioctl 40046207 0 returned -16
binder_alloc: 8292: binder_alloc_buf, no vma
binder: 8292:8299 transaction failed 29189/-3, size 0-0 line 2960
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
8021q: VLANs not supported on lo
8021q: VLANs not supported on lo
netlink: 40 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 8372:8386 got reply transaction with no transaction stack
binder: 8372:8386 transaction failed 29201/-71, size 72-8 line 2760
binder: 8372:8375 got reply transaction with bad transaction stack, transaction 41 has target 8372:0
binder: 8372:8375 transaction failed 29201/-71, size 24-8 line 2775
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8372:8386 ioctl 40046207 0 returned -16
binder: 8372:8392 got reply transaction with no transaction stack
binder: 8372:8392 transaction failed 29201/-71, size 72-8 line 2760
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 8372:8375 transaction 41 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 41, target dead
RDS: rds_bind could not find a transport for 126.255.255.255, load rds_tcp or rds_rdma?
ptrace attach of "/root/syz-executor3"[3700] was attempted by "/root/syz-executor3"[8440]
ptrace attach of "/root/syz-executor3"[3700] was attempted by "/root/syz-executor3"[8440]
cgroup: cgroup2: unknown option "pĺNڬxvä|IDdBZ[Xں*]J{nU\sN u6e ~ Ms afg|dc|_Xz̸y0!w:z{"
cgroup: cgroup2: unknown option "pĺNڬxvä|IDdBZ[Xں*]J{nU\sN u6e ~ Ms afg|dc|_Xz̸y0!w:z{"
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8552:8553 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8552:8559 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8552:8559 ioctl 40046207 0 returned -16
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=256 sclass=netlink_route_socket pig=8583 comm=syz-executor4
binder: 8656 RLIMIT_NICE not set
dccp_invalid_packet: invalid packet type
binder: 8664 RLIMIT_NICE not set
dccp_invalid_packet: invalid packet type
binder: undelivered death notification, 0000000000000000
binder: undelivered death notification, 0000000000000000
netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'.
binder_alloc: binder_alloc_mmap_handler: 8717 209a1000-209a4000 already mapped failed -16
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=21 sclass=netlink_audit_socket pig=8786 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=21 sclass=netlink_audit_socket pig=8809 comm=syz-executor4
encrypted_key: insufficient parameters specified
encrypted_key: insufficient parameters specified
binder: 8870:8874 ERROR: BC_REGISTER_LOOPER called without request
binder: 8874 RLIMIT_NICE not set
binder_alloc: binder_alloc_mmap_handler: 8870 20000000-20002000 already mapped failed -16
binder: 8870:8874 ERROR: BC_REGISTER_LOOPER called without request
binder: 8874 RLIMIT_NICE not set
binder: 8925:8928 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 8925:8938 BC_DEAD_BINDER_DONE 0000000000000000 not found
device syz3 entered promiscuous mode
kauditd_printk_skb: 133 callbacks suppressed
audit: type=1400 audit(1514913358.218:828): avc: denied { connect } for pid=8960 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1514913358.226:829): avc: denied { ioctl } for pid=8960 comm="syz-executor1" path="socket:[26100]" dev="sockfs" ino=26100 ioctlcmd=0x8915 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1514913358.470:830): avc: denied { getopt } for pid=9037 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
sctp: [Deprecated]: syz-executor4 (pid 9062) Use of int in max_burst socket option. Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor4 (pid 9062) Use of int in max_burst socket option. Use struct sctp_assoc_value instead
audit: type=1400 audit(1514913358.946:831): avc: denied { bind } for pid=9181 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
encrypted_key: master key parameter '' is invalid
encrypted_key: master key parameter '' is invalid
sd 0:0:1:0: [sg0] tag#0 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#0 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#0 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#0 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#0 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#0 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#0 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#0 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#0 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#0 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#0 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#0 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
irq bypass consumer (token 000000007eb44be7) registration fails: -16
audit: type=1400 audit(1514913360.950:832): avc: denied { getattr } for pid=9473 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1326 audit(1514913361.035:833): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9505 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 9485 Comm: syz-executor3 Not tainted 4.15.0-rc6-next-20180102+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x137/0x198 lib/dump_stack.c:53
 handle_userfault+0x744/0x1750 fs/userfaultfd.c:430
 do_anonymous_page mm/memory.c:3171 [inline]
 handle_pte_fault mm/memory.c:3945 [inline]
 __handle_mm_fault+0x2fc5/0x3210 mm/memory.c:4071
 handle_mm_fault+0x305/0x840 mm/memory.c:4108
 __do_page_fault+0x59e/0xca0 arch/x86/mm/fault.c:1429
 do_page_fault+0x78/0x490 arch/x86/mm/fault.c:1504
 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1243
RIP: 0010:fault_in_pages_readable include/linux/pagemap.h:601 [inline]
RIP: 0010:iov_iter_fault_in_readable+0x1a7/0x410 lib/iov_iter.c:421
RSP: 0018:ffff8801bdb7fa08 EFLAGS: 00010246
RAX: 0000000000010000 RBX: 0000000020011fd2 RCX: ffffffff821c64c1
RDX: 000000000000010c RSI: ffffc90003426000 RDI: ffff8801bdb7fd30
RBP: ffff8801bdb7fae8 R08: 0000000000000000 R09: 0000000000000003
R10: ffff8801bdb7f978 R11: 0000000000000001 R12: 1ffff10037b6ff44
R13: ffff8801bdb7fac0 R14: 0000000000000000 R15: ffff8801bdb7fd28
 generic_perform_write+0x195/0x4a0 mm/filemap.c:3128
 __generic_file_write_iter+0x366/0x5b0 mm/filemap.c:3263
 generic_file_write_iter+0x2f0/0x630 mm/filemap.c:3291
 call_write_iter include/linux/fs.h:1775 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x550/0x740 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xd4/0x1a0 fs/read_write.c:581
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x452ac9
RSP: 002b:00007f6bd7002c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000000000030 RSI: 0000000020011fd2 RDI: 0000000000000014
RBP: 00000000000003a3 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f37e8
R13: 00000000ffffffff R14: 00007f6bd70036d4 R15: 0000000000000000
audit: type=1326 audit(1514913361.035:834): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9505 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=2 compat=0 ip=0x40ce01 code=0x7ffc0000
audit: type=1326 audit(1514913361.035:835): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9505 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913361.035:836): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9505 comm="syz-executor6" exe="/root/syz-executor6" sig=0 arch=c000003e syscall=16 compat=0 ip=0x452ac9 code=0x7ffc0000
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=9675 comm=syz-executor7
mip6: mip6_rthdr_init_state: spi is not 0: 3724804096
dccp_invalid_packet: P.Data Offset(66) too large
dccp_invalid_packet: P.Data Offset(66) too large
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 9762:9773 ERROR: BC_REGISTER_LOOPER called without request
binder: 9773 RLIMIT_NICE not set
binder_alloc: 9762: binder_alloc_buf, no vma
binder: 9762:9785 transaction failed 29189/-3, size 0-0 line 2960
binder: 9762:9785 ioctl c0306201 2000dfd0 returned -14
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 9762:9785 ERROR: BC_REGISTER_LOOPER called without request
binder: 9785 RLIMIT_NICE not set
RDS: rds_bind could not find a transport for 172.20.7.170, load rds_tcp or rds_rdma?
binder_alloc: 9762: binder_alloc_buf, no vma
binder: 9762:9773 transaction failed 29189/-3, size 0-0 line 2960
binder: undelivered TRANSACTION_ERROR: 29189