netlink: 'syz-executor1': attribute type 1 has an invalid length. ===================================== WARNING: bad unlock balance detected! 4.16.0-rc2+ #323 Not tainted ------------------------------------- syz-executor2/7676 is trying to release lock (rcu_read_lock_bh) at: [] rcu_read_unlock_bh include/linux/rcupdate.h:722 [inline] [] hashlimit_mt_common.isra.10+0x1beb/0x2610 net/netfilter/xt_hashlimit.c:777 but there are no more locks to release! other info that might help us debug this: 3 locks held by syz-executor2/7676: #0: (sk_lock-AF_INET6){+.+.}, at: [<0000000056b9cac9>] lock_sock include/net/sock.h:1463 [inline] #0: (sk_lock-AF_INET6){+.+.}, at: [<0000000056b9cac9>] sctp_sendmsg+0xc1e/0x35e0 net/sctp/socket.c:1723 #1: (rcu_read_lock){....}, at: [<000000002ab5ac87>] sctp_v6_xmit+0x2e5/0x630 net/sctp/ipv6.c:222 #2: (rcu_read_lock){....}, at: [<00000000489d4286>] ip6_autoflowlabel net/ipv6/ip6_output.c:291 [inline] #2: (rcu_read_lock){....}, at: [<00000000489d4286>] ip6_xmit+0xe9d/0x2260 net/ipv6/ip6_output.c:249 stack backtrace: CPU: 0 PID: 7676 Comm: syz-executor2 Not tainted 4.16.0-rc2+ #323 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3484 __lock_release kernel/locking/lockdep.c:3691 [inline] lock_release+0x6fe/0xa40 kernel/locking/lockdep.c:3939 rcu_lock_release include/linux/rcupdate.h:249 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:724 [inline] hashlimit_mt_common.isra.10+0x1c08/0x2610 net/netfilter/xt_hashlimit.c:777 hashlimit_mt+0x78/0x90 net/netfilter/xt_hashlimit.c:846 ip6t_do_table+0x98d/0x1a30 net/ipv6/netfilter/ip6_tables.c:319 ip6table_filter_hook+0x65/0x80 net/ipv6/netfilter/ip6table_filter.c:41 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483 nf_hook include/linux/netfilter.h:243 [inline] NF_HOOK include/linux/netfilter.h:286 [inline] ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277 sctp_v6_xmit+0x438/0x630 net/sctp/ipv6.c:225 sctp_packet_transmit+0x225e/0x3750 net/sctp/output.c:638 sctp_outq_flush+0xabb/0x4060 net/sctp/outqueue.c:911 sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:776 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1210 [inline] sctp_do_sm+0x4e0/0x6ed0 net/sctp/sm_sideeffect.c:1181 sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88 sctp_sendmsg+0x13bd/0x35e0 net/sctp/socket.c:1985 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 SYSC_sendto+0x361/0x5c0 net/socket.c:1747 SyS_sendto+0x40/0x50 net/socket.c:1715 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453da9 RSP: 002b:00007fdb45502c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fdb455036d4 RCX: 0000000000453da9 RDX: 0000000000000001 RSI: 00000000203aa000 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000020749fe4 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004ba R14: 00000000006f7210 R15: 0000000000000000 TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519221037.153:50): avc: denied { map } for pid=7702 comm="syz-executor3" path="/dev/audio" dev="devtmpfs" ino=9111 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=1 device eql entered promiscuous mode audit: type=1401 audit(1519221037.312:51): op=setxattr invalid_context="" audit: type=1401 audit(1519221037.323:52): op=setxattr invalid_context="" binder: 7769:7782 transaction failed 29189/-22, size 0-0 line 2842 binder: 7769:7782 transaction failed 29189/-22, size 0-0 line 2842 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 syz-executor3 (7818) used greatest stack depth: 15888 bytes left QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl netlink: 188 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 188 bytes leftover after parsing attributes in process `syz-executor2'. IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 audit: type=1400 audit(1519221038.942:53): avc: denied { name_bind } for pid=8129 comm="syz-executor6" src=20024 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1 audit: type=1400 audit(1519221038.943:54): avc: denied { node_bind } for pid=8129 comm="syz-executor6" saddr=::1 src=20024 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket permissive=1 ALSA: seq fatal error: cannot create timer (-22) ALSA: seq fatal error: cannot create timer (-22) audit: type=1400 audit(1519221039.258:55): avc: denied { write } for pid=8248 comm="syz-executor0" name="net" dev="proc" ino=24114 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1 audit: type=1400 audit(1519221039.259:56): avc: denied { add_name } for pid=8248 comm="syz-executor0" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1 xt_CT: You must specify a L4 protocol, and not use inversions on it. xt_CT: You must specify a L4 protocol, and not use inversions on it. device eql entered promiscuous mode device bridge0 entered promiscuous mode sctp: [Deprecated]: syz-executor7 (pid 8378) Use of int in max_burst socket option. Use struct sctp_assoc_value instead device bridge0 left promiscuous mode device bridge0 entered promiscuous mode sctp: [Deprecated]: syz-executor7 (pid 8378) Use of int in max_burst socket option. Use struct sctp_assoc_value instead device bridge0 left promiscuous mode QAT: Invalid ioctl QAT: Invalid ioctl sock: sock_set_timeout: `syz-executor7' (pid 8585) tries to set negative timeout sock: sock_set_timeout: `syz-executor7' (pid 8600) tries to set negative timeout x_tables: ip_tables: icmp match: only valid for protocol 1 x_tables: ip_tables: icmp match: only valid for protocol 1 device eql entered promiscuous mode SELinux: failed to load policy dccp_invalid_packet: P.type (REQUEST) not Data || [Data]Ack, while P.X == 0 dccp_invalid_packet: P.type (REQUEST) not Data || [Data]Ack, while P.X == 0 IPVS: ftp: loaded support on port[0] = 21 IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready x_tables: ip6_tables: rpfilter match: used from hooks PREROUTING/OUTPUT, but only valid from PREROUTING x_tables: ip6_tables: rpfilter match: used from hooks PREROUTING/OUTPUT, but only valid from PREROUTING Dead loop on virtual device ip6_vti0, fix it urgently! Dead loop on virtual device ip6_vti0, fix it urgently! kauditd_printk_skb: 3 callbacks suppressed audit: type=1400 audit(1519221043.037:60): avc: denied { map } for pid=9109 comm="syz-executor4" path="/dev/snd/pcmC6D1c" dev="devtmpfs" ino=26198 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=file permissive=1 audit: type=1400 audit(1519221043.138:61): avc: denied { setopt } for pid=9129 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1519221043.914:62): avc: denied { setfcap } for pid=9230 comm="syz-executor2" capability=31 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 device eql entered promiscuous mode TCP: request_sock_TCP: Possible SYN flooding on port 20022. Sending cookies. Check SNMP counters. could not allocate digest TFM handle mcryptd(sha512-avx) could not allocate digest TFM handle mcryptd(sha512-avx) TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519221044.565:63): avc: denied { map } for pid=9452 comm="syz-executor1" path="/dev/loop0" dev="devtmpfs" ino=17088 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 audit: type=1400 audit(1519221044.609:64): avc: denied { map } for pid=9468 comm="syz-executor7" path="/selinux/status" dev="selinuxfs" ino=19 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 netlink: 'syz-executor0': attribute type 21 has an invalid length. netlink: 'syz-executor0': attribute type 21 has an invalid length. kernel msg: ebtables bug: please report to author: Valid hook without chain kernel msg: ebtables bug: please report to author: Valid hook without chain ipt_ECN: cannot use TCP operations on a non-tcp rule ipt_ECN: cannot use TCP operations on a non-tcp rule sctp: [Deprecated]: syz-executor2 (pid 9671) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead binder: release 9779:9780 transaction 11 out, still active binder: undelivered TRANSACTION_COMPLETE binder: BINDER_SET_CONTEXT_MGR already set binder_alloc: binder_alloc_mmap_handler: 9779 20000000-20002000 already mapped failed -16 binder: 9779:9799 ioctl 40046207 0 returned -16 binder_alloc: 9779: binder_alloc_buf, no vma binder: 9779:9780 transaction failed 29189/-3, size 40-0 line 2957 binder: undelivered TRANSACTION_ERROR: 29189 binder: send failed reply for transaction 11, target dead netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 'syz-executor6': attribute type 1 has an invalid length. audit: type=1400 audit(1519221045.996:65): avc: denied { map } for pid=9931 comm="syz-executor5" path="/172/file0/bus" dev="ramfs" ino=29847 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1 netlink: 'syz-executor6': attribute type 1 has an invalid length. xt_CT: You must specify a L4 protocol, and not use inversions on it. xt_CT: You must specify a L4 protocol, and not use inversions on it. audit: type=1326 audit(1519221046.158:66): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9997 comm="syz-executor2" exe="/root/syz-executor2" sig=9 arch=c000003e syscall=202 compat=0 ip=0x453da9 code=0x0