=====================================
WARNING: bad unlock balance detected!
4.16.0-rc2+ #323 Not tainted
-------------------------------------
syz-executor1/7470 is trying to release lock (rcu_read_lock_bh) at:
[] rcu_read_unlock_bh include/linux/rcupdate.h:722 [inline]
[] hashlimit_mt_common.isra.10+0x1beb/0x2610 net/netfilter/xt_hashlimit.c:777
but there are no more locks to release!

other info that might help us debug this:
3 locks held by syz-executor1/7470:
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000001bcd3ca3>] lock_sock include/net/sock.h:1463 [inline]
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000001bcd3ca3>] sctp_sendmsg+0xc1e/0x35e0 net/sctp/socket.c:1723
 #1: (rcu_read_lock){....}, at: [<000000005f5dd045>] sctp_v6_xmit+0x2e5/0x630 net/sctp/ipv6.c:222
 #2: (rcu_read_lock){....}, at: [<0000000099795714>] ip6_autoflowlabel net/ipv6/ip6_output.c:291 [inline]
 #2: (rcu_read_lock){....}, at: [<0000000099795714>] ip6_xmit+0xe9d/0x2260 net/ipv6/ip6_output.c:249

stack backtrace:
CPU: 0 PID: 7470 Comm: syz-executor1 Not tainted 4.16.0-rc2+ #323
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3484
 __lock_release kernel/locking/lockdep.c:3691 [inline]
 lock_release+0x6fe/0xa40 kernel/locking/lockdep.c:3939
 rcu_lock_release include/linux/rcupdate.h:249 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:724 [inline]
 hashlimit_mt_common.isra.10+0x1c08/0x2610 net/netfilter/xt_hashlimit.c:777
 hashlimit_mt+0x78/0x90 net/netfilter/xt_hashlimit.c:846
 ip6t_do_table+0x98d/0x1a30 net/ipv6/netfilter/ip6_tables.c:319
 ip6table_filter_hook+0x65/0x80 net/ipv6/netfilter/ip6table_filter.c:41
 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
 nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
 nf_hook include/linux/netfilter.h:243 [inline]
 NF_HOOK include/linux/netfilter.h:286 [inline]
 ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277
 sctp_v6_xmit+0x438/0x630 net/sctp/ipv6.c:225
 sctp_packet_transmit+0x225e/0x3750 net/sctp/output.c:638
 sctp_outq_flush+0xabb/0x4060 net/sctp/outqueue.c:911
 sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:776
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1210 [inline]
 sctp_do_sm+0x4e0/0x6ed0 net/sctp/sm_sideeffect.c:1181
 sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88
 sctp_sendmsg+0x13bd/0x35e0 net/sctp/socket.c:1985
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 SYSC_sendto+0x361/0x5c0 net/socket.c:1747
 SyS_sendto+0x40/0x50 net/socket.c:1715
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453da9
RSP: 002b:00007f874ddf2c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f874ddf36d4 RCX: 0000000000453da9
RDX: 0000000000000001 RSI: 00000000203aa000 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000020749fe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004ba R14: 00000000006f7210 R15: 0000000000000000
kauditd_printk_skb: 2 callbacks suppressed
audit: type=1400 audit(1519219700.154:58): avc: denied { ioctl } for pid=7606 comm="syz-executor6" path="socket:[21707]" dev="sockfs" ino=21707 ioctlcmd=0x8903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 'syz-executor6': attribute type 1 has an invalid length.
netlink: 'syz-executor6': attribute type 1 has an invalid length.
audit: type=1400 audit(1519219700.243:59): avc: denied { setuid } for pid=7620 comm="syz-executor2" capability=7 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519219700.245:60): avc: denied { ipc_lock } for pid=7623 comm="syz-executor5" capability=14 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
xt_connbytes: Forcing CT accounting to be enabled
audit: type=1400 audit(1519219700.351:61): avc: denied { bind } for pid=7653 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1326 audit(1519219700.480:62): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7696 comm="syz-executor6" exe="/root/syz-executor6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453da9 code=0x0
xt_connbytes: Forcing CT accounting to be enabled
DRBG: could not allocate digest TFM handle: hmac(sha512)
binder: 7885:7886 BC_FREE_BUFFER u0000000000000000 no match
binder: 7885:7887 BC_FREE_BUFFER u0000000000000000 no match
binder: 7895:7898 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 7895:7911 ioctl 5414 20000040 returned -22
binder: 7895:7911 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 7895:7898 ioctl 5414 20000040 returned -22
netlink: 'syz-executor4': attribute type 21 has an invalid length.
netlink: 'syz-executor4': attribute type 21 has an invalid length.
audit: type=1400 audit(1519219701.366:63): avc: denied { map } for pid=7973 comm="syz-executor7" path="/87/file0/bus" dev="ramfs" ino=22695 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1
sg_write: data in/out 250/1 bytes for SCSI command 0x67-- guessing data in; program syz-executor4 not setting count and/or reply_len properly
sg_write: data in/out 250/1 bytes for SCSI command 0x67-- guessing data in; program syz-executor4 not setting count and/or reply_len properly
netlink: 180 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 180 bytes leftover after parsing attributes in process `syz-executor3'.
x_tables: ip6_tables: REDIRECT target: used from hooks PREROUTING/INPUT, but only usable from PREROUTING/OUTPUT
x_tables: ip6_tables: REDIRECT target: used from hooks PREROUTING/INPUT, but only usable from PREROUTING/OUTPUT
QAT: Invalid ioctl
audit: type=1400 audit(1519219702.702:64): avc: denied { map } for pid=8102 comm="syz-executor5" path="/dev/sg0" dev="devtmpfs" ino=76 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
QAT: Invalid ioctl
audit: type=1400 audit(1519219702.804:65): avc: denied { setfcap } for pid=8141 comm="syz-executor2" capability=31 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519219702.861:66): avc: denied { set_context_mgr } for pid=8157 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8157:8162 ioctl 40046207 0 returned -16
do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app
do_dccp_getsockopt: sockopt(PACKET_SIZE) is deprecated: fix your app
audit: type=1400 audit(1519219703.010:67): avc: denied { create } for pid=8204 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
syz-executor3 (8380) used greatest stack depth: 14032 bytes left
xt_TCPMSS: Only works on TCP SYN packets
xt_TCPMSS: Only works on TCP SYN packets
x_tables: ip6_tables: eui64 match: used from hooks INPUT/FORWARD/OUTPUT, but only valid from PREROUTING/INPUT/FORWARD
x_tables: ip6_tables: eui64 match: used from hooks INPUT/FORWARD/OUTPUT, but only valid from PREROUTING/INPUT/FORWARD
autofs4:pid:8525:check_dev_ioctl_version: ioctl control interface version mismatch: kernel(1.1), user(1.458752), cmd(0x0000937e)
autofs4:pid:8525:validate_dev_ioctl: invalid device control module version supplied for cmd(0x0000937e)
autofs4:pid:8541:check_dev_ioctl_version: ioctl control interface version mismatch: kernel(1.1), user(1.458752), cmd(0x0000937e)
autofs4:pid:8541:validate_dev_ioctl: invalid device control module version supplied for cmd(0x0000937e)
device syz2 entered promiscuous mode
binder: 8637:8646 ERROR: BC_REGISTER_LOOPER called without request
QAT: Invalid ioctl
QAT: Invalid ioctl
binder: 8637:8656 ERROR: BC_REGISTER_LOOPER called without request
TCP: request_sock_TCPv6: Possible SYN flooding on port 20022. Sending cookies. Check SNMP counters.
bridge0: port 1(gretap0) entered blocking state
bridge0: port 1(gretap0) entered disabled state
device gretap0 entered promiscuous mode
bridge0: port 1(gretap0) entered blocking state
bridge0: port 1(gretap0) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
xt_TPROXY: Can be used only in combination with either -p tcp or -p udp
kauditd_printk_skb: 6 callbacks suppressed
audit: type=1326 audit(1519219705.161:73): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8955 comm="syz-executor6" exe="/root/syz-executor6" sig=9 arch=c000003e syscall=202 compat=0 ip=0x453da9 code=0x0
dccp_close: ABORT with 85 bytes unread
audit: type=1400 audit(1519219705.249:74): avc: denied { setopt } for pid=8985 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
xt_connbytes: Forcing CT accounting to be enabled
audit: type=1400 audit(1519219705.771:75): avc: denied { call } for pid=9194 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
SELinux: policydb version -408483133 does not match my version range 15-31
SELinux: failed to load policy
binder: 9194:9210 ioctl 8904 20000000 returned -22
binder: 9194:9210 ioctl 5456 20000040 returned -22
binder: send failed reply for transaction 5 to 9194:9197
binder: 9194:9197 transaction failed 29189/-22, size 0-0 line 2842
binder: 9194:9210 ioctl 8904 20000000 returned -22
binder: 9194:9197 ioctl 5456 20000040 returned -22
syz-executor0: vmalloc: allocation failure, allocated 2809421824 of 4294971392 bytes, mode:0x14010c0(GFP_KERNEL|__GFP_NORETRY), nodemask=(null)
syz-executor0 cpuset=/ mems_allowed=0
syz-executor0: vmalloc: allocation failure, allocated 2783596544 of 4294971392 bytes, mode:0x14010c0(GFP_KERNEL|__GFP_NORETRY), nodemask=(null)
CPU: 0 PID: 9204 Comm: syz-executor0 Not tainted 4.16.0-rc2+ #323
syz-executor0 cpuset=
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
/ mems_allowed=0
 warn_alloc+0x19a/0x2b0 mm/page_alloc.c:3306
 __vmalloc_area_node mm/vmalloc.c:1718 [inline]
 __vmalloc_node_range+0x482/0x650 mm/vmalloc.c:1759
 __vmalloc_node mm/vmalloc.c:1804 [inline]
 __vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1826
 kvmalloc_node+0x82/0xd0 mm/util.c:428
 kvmalloc include/linux/mm.h:541 [inline]
 xt_alloc_table_info+0x63/0xe0 net/netfilter/x_tables.c:1016
 do_replace net/ipv6/netfilter/ip6_tables.c:1149 [inline]
 do_ip6t_set_ctl+0x29b/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x10b/0x130 net/ipv6/ipv6_sockglue.c:927
 rawv6_setsockopt+0x4a/0xf0 net/ipv6/raw.c:1060
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
 SYSC_setsockopt net/socket.c:1849 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1828
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453da9
RSP: 002b:00007f25f35f3c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f25f35f46d4 RCX: 0000000000453da9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000076 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004d5 R14: 00000000006f7498 R15: 0000000000000000
CPU: 1 PID: 9206 Comm: syz-executor0 Not tainted 4.16.0-rc2+ #323
Mem-Info:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
active_anon:101526 inactive_anon:62 isolated_anon:0
 active_file:4751 inactive_file:5259 isolated_file:0
 unevictable:0 dirty:137 writeback:0 unstable:0
 slab_reclaimable:9693 slab_unreclaimable:88258
 mapped:24254 shmem:70 pagetables:721 bounce:0
 free:24185 free_pcp:0 free_cma:0
 warn_alloc+0x19a/0x2b0 mm/page_alloc.c:3306
Node 0 active_anon:406104kB inactive_anon:248kB active_file:19004kB inactive_file:21036kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:97016kB dirty:548kB writeback:0kB shmem:280kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 163840kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
Node 0
 __vmalloc_area_node mm/vmalloc.c:1718 [inline]
 __vmalloc_node_range+0x482/0x650 mm/vmalloc.c:1759
 __vmalloc_node mm/vmalloc.c:1804 [inline]
 __vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1826
 DMA free:15908kB min:164kB low:204kB high:244kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
 kvmalloc_node+0x82/0xd0 mm/util.c:428
 kvmalloc include/linux/mm.h:541 [inline]
 xt_alloc_table_info+0x63/0xe0 net/netfilter/x_tables.c:1016
lowmem_reserve[]:
 do_replace net/ipv6/netfilter/ip6_tables.c:1149 [inline]
 do_ip6t_set_ctl+0x29b/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686
 0
 2868
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x10b/0x130 net/ipv6/ipv6_sockglue.c:927
 6378
 rawv6_setsockopt+0x4a/0xf0 net/ipv6/raw.c:1060
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
 SYSC_setsockopt net/socket.c:1849 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1828
 6378
Node 0
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 DMA32 free:43840kB min:30316kB low:37892kB high:45468kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129292kB managed:2939944kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0
RIP: 0033:0x453da9
RSP: 002b:00007f25f35d2c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f25f35d36d4 RCX: 0000000000453da9
 3510
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000015
RBP: 000000000072bf58 R08: 0000000000000076 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004d5 R14: 00000000006f7498 R15: 0000000000000001
 3510
Node 0 Normal free:37376kB min:37100kB low:46372kB high:55644kB active_anon:406104kB inactive_anon:248kB active_file:18860kB inactive_file:21396kB unevictable:0kB writepending:548kB present:4718592kB managed:3594328kB mlocked:0kB kernel_stack:3968kB pagetables:2884kB bounce:0kB free_pcp:92kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 DMA32: 4*4kB (M) 4*8kB (UM) 2*16kB (M) 3*32kB (M) 2*64kB (M) 2*128kB (M) 2*256kB (M) 2*512kB (M) 3*1024kB (M) 1*2048kB (M) 9*4096kB (UM) = 44080kB
Node 0 Normal: 740*4kB (ME) 225*8kB (MEH) 121*16kB (MH) 40*32kB (MEH) 14*64kB (M) 10*128kB (MH) 5*256kB (MEH) 5*512kB (ME) 5*1024kB (ME) 5*2048kB (M) 2*4096kB (M) = 37544kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
10109 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
328424 pages reserved
Cannot find set identified by id 0 to match
Protocol error: SET target dimension is over the limit!