===================================== WARNING: bad unlock balance detected! 4.16.0-rc2+ #323 Not tainted ------------------------------------- syz-executor0/8231 is trying to release lock (rcu_read_lock_bh) at: [] rcu_read_unlock_bh include/linux/rcupdate.h:722 [inline] [] hashlimit_mt_common.isra.10+0x1beb/0x2610 net/netfilter/xt_hashlimit.c:777 but there are no more locks to release! other info that might help us debug this: 3 locks held by syz-executor0/8231: #0: (sk_lock-AF_INET6){+.+.}, at: [<000000001c510a61>] lock_sock include/net/sock.h:1463 [inline] #0: (sk_lock-AF_INET6){+.+.}, at: [<000000001c510a61>] sctp_sendmsg+0xc1e/0x35e0 net/sctp/socket.c:1723 #1: (rcu_read_lock){....}, at: [<00000000aa5339b8>] sctp_v6_xmit+0x2e5/0x630 net/sctp/ipv6.c:222 #2: (rcu_read_lock){....}, at: [<000000004c7188b0>] ip6_autoflowlabel net/ipv6/ip6_output.c:291 [inline] #2: (rcu_read_lock){....}, at: [<000000004c7188b0>] ip6_xmit+0xe9d/0x2260 net/ipv6/ip6_output.c:249 stack backtrace: CPU: 1 PID: 8231 Comm: syz-executor0 Not tainted 4.16.0-rc2+ #323 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3484 __lock_release kernel/locking/lockdep.c:3691 [inline] lock_release+0x6fe/0xa40 kernel/locking/lockdep.c:3939 rcu_lock_release include/linux/rcupdate.h:249 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:724 [inline] hashlimit_mt_common.isra.10+0x1c08/0x2610 net/netfilter/xt_hashlimit.c:777 hashlimit_mt+0x78/0x90 net/netfilter/xt_hashlimit.c:846 ip6t_do_table+0x98d/0x1a30 net/ipv6/netfilter/ip6_tables.c:319 ip6table_filter_hook+0x65/0x80 net/ipv6/netfilter/ip6table_filter.c:41 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483 nf_hook include/linux/netfilter.h:243 [inline] NF_HOOK include/linux/netfilter.h:286 [inline] ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277 sctp_v6_xmit+0x438/0x630 net/sctp/ipv6.c:225 sctp_packet_transmit+0x225e/0x3750 net/sctp/output.c:638 sctp_outq_flush+0xabb/0x4060 net/sctp/outqueue.c:911 sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:776 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1210 [inline] sctp_do_sm+0x4e0/0x6ed0 net/sctp/sm_sideeffect.c:1181 sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88 sctp_sendmsg+0x13bd/0x35e0 net/sctp/socket.c:1985 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 SYSC_sendto+0x361/0x5c0 net/socket.c:1747 SyS_sendto+0x40/0x50 net/socket.c:1715 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453da9 RSP: 002b:00007fd6191ecc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fd6191ed6d4 RCX: 0000000000453da9 RDX: 0000000000000001 RSI: 00000000203aa000 RDI: 0000000000000013 RBP: 000000000072bf58 R08: 0000000020749fe4 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004ba R14: 00000000006f7210 R15: 0000000000000001 audit: type=1400 audit(1519213570.578:57): avc: denied { setopt } for pid=8237 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. device eql entered promiscuous mode audit: type=1400 audit(1519213571.782:58): avc: denied { create } for pid=8657 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1 kernel msg: ebtables bug: please report to author: counter_offset != totalcnt kernel msg: ebtables bug: please report to author: counter_offset != totalcnt x_tables: ip_tables: socket match: used from hooks OUTPUT, but only valid from PREROUTING/INPUT audit: type=1400 audit(1519213572.256:59): avc: denied { map } for pid=8795 comm="syz-executor1" path="socket:[23142]" dev="sockfs" ino=23142 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=rawip_socket permissive=1 TCP: request_sock_TCP: Possible SYN flooding on port 20018. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519213572.501:60): avc: denied { setopt } for pid=8885 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1 kernel msg: ebtables bug: please report to author: entries_size too small kernel msg: ebtables bug: please report to author: counter_offset != totalcnt kernel msg: ebtables bug: please report to author: counter_offset != totalcnt device eql entered promiscuous mode Trying to set illegal importance in message Trying to set illegal importance in message Cannot find map_set index 0 as target xt_HMARK: spi-set and port-set can't be combined Cannot find map_set index 0 as target xt_HMARK: spi-set and port-set can't be combined audit: type=1400 audit(1519213574.317:61): avc: denied { relabelto } for pid=9458 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=packet permissive=1 9pnet_virtio: no channels available for device ./control 9pnet_virtio: no channels available for device ./control audit: type=1400 audit(1519213574.389:62): avc: denied { send } for pid=9458 comm="syz-executor0" saddr=::1 src=20002 daddr=::1 dest=20002 netif=lo scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=packet permissive=1 audit: type=1400 audit(1519213574.389:63): avc: denied { recv } for pid=9458 comm="syz-executor0" saddr=::1 src=20002 daddr=::1 dest=20002 netif=lo scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=packet permissive=1 audit: type=1400 audit(1519213574.443:64): avc: denied { send } for pid=9458 comm="syz-executor0" saddr=::1 src=20002 daddr=::1 dest=20002 netif=lo scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=packet permissive=1 QAT: Invalid ioctl binder: 9538:9544 unknown command 0 binder: 9538:9544 ioctl c0306201 20012000 returned -22 binder: 9538:9544 unknown command 0 binder: 9538:9544 ioctl c0306201 20012000 returned -22 netlink: 188 bytes leftover after parsing attributes in process `syz-executor6'. xt_connbytes: Forcing CT accounting to be enabled netlink: 188 bytes leftover after parsing attributes in process `syz-executor6'. audit: type=1400 audit(1519213574.834:65): avc: denied { lock } for pid=9598 comm="syz-executor6" path="socket:[25168]" dev="sockfs" ino=25168 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. ieee80211 phy2: Selected rate control algorithm 'minstrel_ht' ieee80211 phy3: Selected rate control algorithm 'minstrel_ht' IPVS: ftp: loaded support on port[0] = 21 x_tables: ip6_tables: MASQUERADE target: used from hooks INPUT/POSTROUTING, but only usable from POSTROUTING x_tables: ip6_tables: MASQUERADE target: used from hooks INPUT/POSTROUTING, but only usable from POSTROUTING SELinux: unrecognized netlink message: protocol=4 nlmsg_type=2836 sclass=netlink_tcpdiag_socket pig=10017 comm=syz-executor3 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=2836 sclass=netlink_tcpdiag_socket pig=10031 comm=syz-executor3 kernel msg: ebtables bug: please report to author: entry offsets not in right order kernel msg: ebtables bug: please report to author: entry offsets not in right order netlink: 'syz-executor3': attribute type 1 has an invalid length. netlink: 'syz-executor3': attribute type 1 has an invalid length. QAT: Invalid ioctl QAT: Invalid ioctl autofs4:pid:10374:validate_dev_ioctl: invalid path supplied for cmd(0x0000937e) autofs4:pid:10375:validate_dev_ioctl: invalid path supplied for cmd(0x0000937e) xt_connbytes: Forcing CT accounting to be enabled x_tables: ip6_tables: mh match: only valid for protocol 135 x_tables: ip6_tables: mh match: only valid for protocol 135 mip6: mip6_destopt_init_state: state's mode is not 2: 0 SELinux: policydb magic number 0xeb19f9af does not match expected magic number 0xf97cff8c SELinux: failed to load policy SELinux: policydb magic number 0xeb19f9af does not match expected magic number 0xf97cff8c SELinux: failed to load policy SELinux: policydb magic number 0xeb19f9af does not match expected magic number 0xf97cff8c SELinux: failed to load policy SELinux: policydb magic number 0xeb19f9af does not match expected magic number 0xf97cff8c SELinux: failed to load policy xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables audit: type=1400 audit(1519213579.037:66): avc: denied { ipc_lock } for pid=10828 comm="syz-executor3" capability=14 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 RDS: rds_bind could not find a transport for 172.20.0.170, load rds_tcp or rds_rdma? RDS: rds_bind could not find a transport for 172.20.0.170, load rds_tcp or rds_rdma? netlink: 'syz-executor1': attribute type 1 has an invalid length. netlink: 'syz-executor1': attribute type 1 has an invalid length. device syz2 entered promiscuous mode device syz2 left promiscuous mode