================================ WARNING: inconsistent lock state 4.15.0-rc9+ #283 Not tainted -------------------------------- inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. syz-executor6/13483 [HC0[0]:SC1[1]:HE1:SE0] takes: (&(&est->lock)->rlock){+.?.}, at: [<00000000e89af7d8>] spin_lock include/linux/spinlock.h:310 [inline] (&(&est->lock)->rlock){+.?.}, at: [<00000000e89af7d8>] est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70 {SOFTIRQ-ON-W} state was registered at: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:310 [inline] est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70 gen_new_estimator+0x317/0x770 net/core/gen_estimator.c:162 xt_rateest_tg_checkentry+0x487/0xaa0 net/netfilter/xt_RATEEST.c:135 xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845 check_target net/ipv6/netfilter/ip6_tables.c:538 [inline] find_check_entry.isra.7+0x935/0xcf0 net/ipv6/netfilter/ip6_tables.c:580 translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:749 do_replace net/ipv6/netfilter/ip6_tables.c:1167 [inline] do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1693 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928 udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1452 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2968 SYSC_setsockopt net/socket.c:1831 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1810 entry_SYSCALL_64_fastpath+0x29/0xa0 irq event stamp: 904 hardirqs last enabled at (904): [<00000000fee0421d>] restore_regs_and_return_to_kernel+0x0/0x21 hardirqs last disabled at (903): [<000000006bba32f5>] apic_timer_interrupt+0xa4/0xb0 arch/x86/entry/entry_64.S:937 softirqs last enabled at (692): [<0000000081148d05>] __do_softirq+0x7a0/0xb85 kernel/softirq.c:311 softirqs last disabled at (899): [<000000000f98d3e0>] invoke_softirq kernel/softirq.c:365 [inline] softirqs last disabled at (899): [<000000000f98d3e0>] irq_exit+0x1cc/0x200 kernel/softirq.c:405 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(&est->lock)->rlock); lock(&(&est->lock)->rlock); *** DEADLOCK *** 1 lock held by syz-executor6/13483: #0: ((&est->timer)){+.-.}, at: [<00000000e2329455>] lockdep_copy_map include/linux/lockdep.h:178 [inline] #0: ((&est->timer)){+.-.}, at: [<00000000e2329455>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1308 stack backtrace: CPU: 1 PID: 13483 Comm: syz-executor6 Not tainted 4.15.0-rc9+ #283 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_usage_bug+0x377/0x38c kernel/locking/lockdep.c:2537 valid_state kernel/locking/lockdep.c:2550 [inline] mark_lock_irq kernel/locking/lockdep.c:2744 [inline] mark_lock+0xf61/0x1430 kernel/locking/lockdep.c:3142 mark_irqflags kernel/locking/lockdep.c:3020 [inline] __lock_acquire+0x173a/0x3e00 kernel/locking/lockdep.c:3383 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:310 [inline] est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70 est_timer+0x97/0x7c0 net/core/gen_estimator.c:85 call_timer_fn+0x228/0x820 kernel/time/timer.c:1318 expire_timers kernel/time/timer.c:1355 [inline] __run_timers+0x7ee/0xb70 kernel/time/timer.c:1658 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1684 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 invoke_softirq kernel/softirq.c:365 [inline] irq_exit+0x1cc/0x200 kernel/softirq.c:405 exiting_irq arch/x86/include/asm/apic.h:541 [inline] smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:937 RIP: 0033:0x4069c2 RSP: 002b:0000000000a2f440 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff11 RAX: ffffffff819fb7f1 RBX: 000000000071bea0 RCX: 0000000000001de5 RDX: 00007f9a035ef008 RSI: 0000000000000a61 RDI: 0000000077a11c57 RBP: 000000000000786e R08: 00000000f596bde8 R09: 000000000000007c R10: 0000000000a2f460 R11: 0000000000000000 R12: 0000000000000319 R13: 00000000f63eaba6 R14: 0000000000003c80 R15: 000000000000004d xt_SECMARK: mode already set to 1 cannot mix with rules for mode 0 xt_SECMARK: mode already set to 1 cannot mix with rules for mode 0 audit: type=1326 audit(1517133239.226:584): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=13531 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517133239.226:585): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=13531 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517133239.227:586): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=13531 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=257 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517133239.227:587): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=13531 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517133239.229:588): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=13531 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=314 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517133239.229:589): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=13531 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517133239.231:590): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=13531 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=9 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517133239.232:591): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=13531 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000 audit: type=1326 audit(1517133239.233:592): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=13531 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=298 compat=0 ip=0x453299 code=0x7ffc0000 TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending cookies. Check SNMP counters. device syz1 entered promiscuous mode device syz1 left promiscuous mode device syz1 entered promiscuous mode device syz1 left promiscuous mode device eql entered promiscuous mode binder: 13691:13718 tried to acquire reference to desc 0, got 1 instead binder: 13691:13718 IncRefs 0 refcount change on invalid ref 0 ret -22 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=13855 comm=syz-executor5 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=13855 comm=syz-executor5 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 14150 Comm: syz-executor1 Not tainted 4.15.0-rc9+ #283 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3368 [inline] kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3608 kmalloc include/linux/slab.h:499 [inline] kzalloc include/linux/slab.h:688 [inline] alloc_pipe_info+0xb1/0x350 fs/pipe.c:628 splice_direct_to_actor+0x64a/0x820 fs/splice.c:920 do_splice_direct+0x29b/0x3c0 fs/splice.c:1061 do_sendfile+0x5c9/0xe80 fs/read_write.c:1413 SYSC_sendfile64 fs/read_write.c:1468 [inline] SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460 entry_SYSCALL_64_fastpath+0x29/0xa0 RIP: 0033:0x453299 RSP: 002b:00007ff150099c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299 RDX: 000000002045f000 RSI: 0000000000000014 RDI: 0000000000000013 RBP: 0000000000000631 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000fc R11: 0000000000000212 R12: 00000000006f8538 R13: 00000000ffffffff R14: 00007ff15009a6d4 R15: 0000000000000000 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 14167 Comm: syz-executor1 Not tainted 4.15.0-rc9+ #283 binder: 14165 RLIMIT_NICE not set Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 binder: 14165 RLIMIT_NICE not set binder: 14158:14174 ioctl c0306201 20007000 returned -14 binder: release 14158:14165 transaction 35 out, still active binder: release 14158:14165 transaction 34 in, still active binder: undelivered TRANSACTION_COMPLETE fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 binder: BINDER_SET_CONTEXT_MGR already set binder: 14158:14174 ioctl 40046207 0 returned -16 binder_alloc: 14158: binder_alloc_buf, no vma binder: 14158:14174 transaction failed 29189/-3, size 0-0 line 2903 binder: 14158:14174 ioctl c0306201 20007000 returned -14 binder: 14165 RLIMIT_NICE not set binder_alloc: 14158: binder_alloc_buf, no vma binder: 14158:14165 transaction failed 29189/-3, size 0-0 line 2903 binder: undelivered TRANSACTION_ERROR: 29189 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3368 [inline] __do_kmalloc mm/slab.c:3706 [inline] __kmalloc+0x63/0x760 mm/slab.c:3717 kmalloc_array include/linux/slab.h:618 [inline] kcalloc include/linux/slab.h:629 [inline] alloc_pipe_info+0x135/0x350 fs/pipe.c:645 splice_direct_to_actor+0x64a/0x820 fs/splice.c:920 do_splice_direct+0x29b/0x3c0 fs/splice.c:1061 do_sendfile+0x5c9/0xe80 fs/read_write.c:1413 SYSC_sendfile64 fs/read_write.c:1468 [inline] SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460 entry_SYSCALL_64_fastpath+0x29/0xa0 RIP: 0033:0x453299 RSP: 002b:00007ff150099c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007ff150099950 RCX: 0000000000453299 RDX: 000000002045f000 RSI: 0000000000000014 RDI: 0000000000000013 RBP: 00007ff150099940 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000fc R11: 0000000000000212 R12: 00000000004b7d6f R13: 00007ff150099ac8 R14: 00000000004b7d7a R15: 0000000000000000 binder: undelivered TRANSACTION_ERROR: 29189 binder: release 14158:14174 transaction 34 out, still active binder: undelivered TRANSACTION_COMPLETE binder: send failed reply for transaction 35, target dead binder: send failed reply for transaction 34, target dead FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 14187 Comm: syz-executor1 Not tainted 4.15.0-rc9+ #283 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc_node mm/slab.c:3289 [inline] kmem_cache_alloc_node_trace+0x5a/0x750 mm/slab.c:3651 __do_kmalloc_node mm/slab.c:3671 [inline] __kmalloc_node+0x33/0x70 mm/slab.c:3679 kmalloc_node include/linux/slab.h:541 [inline] kvmalloc_node+0x99/0xd0 mm/util.c:397 kvmalloc include/linux/mm.h:541 [inline] kvmalloc_array include/linux/mm.h:557 [inline] get_pages_array lib/iov_iter.c:1097 [inline] pipe_get_pages_alloc lib/iov_iter.c:1123 [inline] iov_iter_get_pages_alloc+0x7be/0x1340 lib/iov_iter.c:1144 default_file_splice_read+0x1cf/0xae0 fs/splice.c:390 do_splice_to+0x10a/0x160 fs/splice.c:880 splice_direct_to_actor+0x242/0x820 fs/splice.c:952 do_splice_direct+0x29b/0x3c0 fs/splice.c:1061 do_sendfile+0x5c9/0xe80 fs/read_write.c:1413 SYSC_sendfile64 fs/read_write.c:1468 [inline] SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460 entry_SYSCALL_64_fastpath+0x29/0xa0 RIP: 0033:0x453299 RSP: 002b:00007ff150099c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007ff150099950 RCX: 0000000000453299 RDX: 000000002045f000 RSI: 0000000000000014 RDI: 0000000000000013 RBP: 00007ff150099940 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000fc R11: 0000000000000212 R12: 00000000004b7d6f R13: 00007ff150099ac8 R14: 00000000004b7d7a R15: 0000000000000000 device eql entered promiscuous mode xt_HMARK: proto mask must be zero with L3 mode xt_HMARK: proto mask must be zero with L3 mode FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 14667 Comm: syz-executor0 Not tainted 4.15.0-rc9+ #283 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3368 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3542 dst_alloc+0x11f/0x1a0 net/core/dst.c:107 rt_dst_alloc+0xe9/0x540 net/ipv4/route.c:1500 __mkroute_output net/ipv4/route.c:2242 [inline] ip_route_output_key_hash_rcu+0xa59/0x2f20 net/ipv4/route.c:2470 ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2299 __ip_route_output_key include/net/route.h:125 [inline] ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2553 udp_sendmsg+0x19d3/0x2cf0 net/ipv4/udp.c:1019 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763 sock_sendmsg_nosec net/socket.c:638 [inline] sock_sendmsg+0xca/0x110 net/socket.c:648 SYSC_sendto+0x361/0x5c0 net/socket.c:1729 SyS_sendto+0x40/0x50 net/socket.c:1697 entry_SYSCALL_64_fastpath+0x29/0xa0 RIP: 0033:0x453299 RSP: 002b:00007f0f06c00c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f0f06c00aa0 RCX: 0000000000453299 RDX: 00000000000005c1 RSI: 0000000020a3d000 RDI: 0000000000000015 RBP: 00007f0f06c00a90 R08: 00000000209b1ff0 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b8096 R13: 00007f0f06c00bc8 R14: 00000000004b8096 R15: 0000000000000000