=============================
WARNING: suspicious RCU usage
4.15.0+ #308 Not tainted
-----------------------------
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor0/5629:
 #0: (sk_lock-AF_INET6){+.+.}, at: [<0000000000cc81dd>] lock_sock include/net/sock.h:1463 [inline]
 #0: (sk_lock-AF_INET6){+.+.}, at: [<0000000000cc81dd>] sock_setsockopt+0x16b/0x1af0 net/core/sock.c:717

stack backtrace:
CPU: 0 PID: 5629 Comm: syz-executor0 Not tainted 4.15.0+ #308
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 inet_csk_route_req+0x824/0xca0 net/ipv4/inet_connection_sock.c:543
 dccp_v4_send_response+0xa7/0x650 net/dccp/ipv4.c:485
 dccp_v4_conn_request+0x9ee/0x11b0 net/dccp/ipv4.c:633
 dccp_v6_conn_request+0xd30/0x1410 net/dccp/ipv6.c:317
 dccp_rcv_state_process+0x574/0x1620 net/dccp/input.c:612
 dccp_v4_do_rcv+0xf1/0x160 net/dccp/ipv4.c:682
 dccp_v6_do_rcv+0x86a/0xa70 net/dccp/ipv6.c:578
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 sock_setsockopt+0x528/0x1af0 net/core/sock.c:1068
 SYSC_setsockopt net/socket.c:1845 [inline]
 SyS_setsockopt+0x2ff/0x360 net/socket.c:1828
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007faed2df4c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007faed2df56d4 RCX: 0000000000453a59
RDX: 000000000000001a RSI: 0000000000000001 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000000000010 R09: 0000000000000000
R10: 0000000020dec000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004dc R14: 00000000006f7540 R15: 0000000000000000

=============================
WARNING: suspicious RCU usage
4.15.0+ #308 Not tainted
-----------------------------
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor0/5629:
 #0: (sk_lock-AF_INET6){+.+.}, at: [<0000000000cc81dd>] lock_sock include/net/sock.h:1463 [inline]
 #0: (sk_lock-AF_INET6){+.+.}, at: [<0000000000cc81dd>] sock_setsockopt+0x16b/0x1af0 net/core/sock.c:717

stack backtrace:
CPU: 0 PID: 5629 Comm: syz-executor0 Not tainted 4.15.0+ #308
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 dccp_v4_send_response+0x4b6/0x650 net/dccp/ipv4.c:496
 dccp_v4_conn_request+0x9ee/0x11b0 net/dccp/ipv4.c:633
 dccp_v6_conn_request+0xd30/0x1410 net/dccp/ipv6.c:317
 dccp_rcv_state_process+0x574/0x1620 net/dccp/input.c:612
 dccp_v4_do_rcv+0xf1/0x160 net/dccp/ipv4.c:682
 dccp_v6_do_rcv+0x86a/0xa70 net/dccp/ipv6.c:578
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 sock_setsockopt+0x528/0x1af0 net/core/sock.c:1068
 SYSC_setsockopt net/socket.c:1845 [inline]
 SyS_setsockopt+0x2ff/0x360 net/socket.c:1828
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007faed2df4c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007faed2df56d4 RCX: 0000000000453a59
RDX: 000000000000001a RSI: 0000000000000001 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000000000010 R09: 0000000000000000
R10: 0000000020dec000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004dc R14: 00000000006f7540 R15: 0000000000000000
binder: 5673:5677 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 5673:5677 got reply transaction with no transaction stack
binder: 5673:5677 transaction failed 29201/-71, size 0-8 line 2757
binder: 5673:5677 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 5673:5677 got reply transaction with no transaction stack
binder: 5673:5677 transaction failed 29201/-71, size 0-8 line 2757
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
mmap: syz-executor3 (5754) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor0'.
audit: type=1400 audit(1518359287.232:35): avc: denied { map } for pid=5940 comm="syz-executor6" path="socket:[15826]" dev="sockfs" ino=15826 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=socket permissive=1
IPVS: length: 696 != 8
IPVS: length: 696 != 8
audit: type=1400 audit(1518359287.503:36): avc: denied { set_context_mgr } for pid=6011 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 6011:6021 BC_INCREFS_DONE node 3 has no pending increfs request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6011:6021 ioctl 40046207 0 returned -16
QAT: Invalid ioctl
SELinux: unknown mount option
QAT: Invalid ioctl
kauditd_printk_skb: 2 callbacks suppressed
audit: type=1400 audit(1518359288.514:39): avc: denied { map } for pid=6257 comm="syz-executor7" path="/dev/usbmon0" dev="devtmpfs" ino=9093 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1518359288.644:40): avc: denied { map } for pid=6283 comm="syz-executor4" path=2F6D656D66643A2F7B06202864656C6574656429 dev="tmpfs" ino=16311 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=1
audit: type=1400 audit(1518359288.706:41): avc: denied { setuid } for pid=6306 comm="syz-executor2" capability=7 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
netlink: 208 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 208 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 'syz-executor4': attribute type 29 has an invalid length.
netlink: 'syz-executor4': attribute type 29 has an invalid length.
audit: type=1400 audit(1518359289.269:42): avc: denied { map } for pid=6459 comm="syz-executor2" path="/dev/snd/pcmC0D0c" dev="devtmpfs" ino=171 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=1
binder: 6488:6492 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6488:6497 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6488:6492 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6492 RLIMIT_NICE not set
binder: 6488:6492 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
x_tables: ip6_tables: icmp6 match: only valid for protocol 58
x_tables: ip6_tables: icmp6 match: only valid for protocol 58
audit: type=1400 audit(1518359290.035:43): avc: denied { map } for pid=6629 comm="syz-executor3" path="/dev/rfkill" dev="devtmpfs" ino=1038 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=1
x_tables: ip6_tables: icmp6 match: only valid for protocol 58
IPv6: NLM_F_REPLACE set, but no existing node found!
IPv6: NLM_F_REPLACE set, but no existing node found!
audit: type=1400 audit(1518359290.343:44): avc: denied { map } for pid=6727 comm="syz-executor7" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=17284 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file permissive=1
xt_connbytes: Forcing CT accounting to be enabled
audit: type=1400 audit(1518359291.326:45): avc: denied { setfcap } for pid=6973 comm="syz-executor4" capability=31 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518359291.501:46): avc: denied { ioctl } for pid=7011 comm="syz-executor3" path="socket:[18296]" dev="sockfs" ino=18296 ioctlcmd=0x8903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1518359291.827:47): avc: denied { map } for pid=7081 comm="syz-executor0" path="/selinux/checkreqprot" dev="selinuxfs" ino=15 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
netlink: 'syz-executor7': attribute type 10 has an invalid length.
netlink: 'syz-executor7': attribute type 10 has an invalid length.
netlink: 'syz-executor1': attribute type 1 has an invalid length.
netlink: 'syz-executor1': attribute type 1 has an invalid length.
audit: type=1400 audit(1518359293.218:48): avc: denied { write } for pid=7419 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket permissive=1
audit: type=1400 audit(1518359294.078:49): avc: denied { map } for pid=7613 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1518359294.078:50): avc: denied { net_raw } for pid=7614 comm="syz-executor1" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518359294.078:51): avc: denied { net_admin } for pid=7614 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518359294.125:52): avc: denied { sys_admin } for pid=7602 comm="syz-executor3" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518359294.125:53): avc: denied { dac_override } for pid=7602 comm="syz-executor3" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1518359294.218:54): avc: denied { map } for pid=7635 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1518359294.245:55): avc: denied { net_admin } for pid=4152 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1