netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
ip_tables: iptables: counters copy to user failed while replacing table
(unnamed net_device) (uninitialized): option updelay: invalid value (18446744073709551615)
=============================
WARNING: suspicious RCU usage
4.14.282-syzkaller #0 Not tainted
-----------------------------
net/netfilter/nf_queue.c:244 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
4 locks held by syz-executor.2/10405:
#0: (rtnl_mutex){+.+.}, at: [] rtnl_lock net/core/rtnetlink.c:72 [inline]
#0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4317
#1: (console_lock){+.+.}, at: [] vprintk_func+0x58/0x160 kernel/printk/printk_safe.c:409
#2: (rcu_callback){....}, at: [] __rcu_reclaim kernel/rcu/rcu.h:185 [inline]
#2: (rcu_callback){....}, at: [] rcu_do_batch kernel/rcu/tree.c:2699 [inline]
#2: (rcu_callback){....}, at: [] invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
#2: (rcu_callback){....}, at: [] __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
#2: (rcu_callback){....}, at: [] rcu_process_callbacks+0x84e/0x1180 kernel/rcu/tree.c:2946
#3: (&(&inst->lock)->rlock){+.-.}, at: [] spin_lock_bh include/linux/spinlock.h:322 [inline]
#3: (&(&inst->lock)->rlock){+.-.}, at: [] nfqnl_flush+0x2f/0x2a0 net/netfilter/nfnetlink_queue.c:232
stack backtrace:
CPU: 1 PID: 10405 Comm: syz-executor.2 Not tainted 4.14.282-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
nf_reinject+0x56e/0x700 net/netfilter/nf_queue.c:244
nfqnl_flush+0x1ab/0x2a0 net/netfilter/nfnetlink_queue.c:237
instance_destroy_rcu+0x19/0x30 net/netfilter/nfnetlink_queue.c:171
__rcu_reclaim kernel/rcu/rcu.h:195 [inline]
rcu_do_batch kernel/rcu/tree.c:2699 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
rcu_process_callbacks+0x780/0x1180 kernel/rcu/tree.c:2946
__do_softirq+0x24d/0x9ff kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x193/0x240 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
RIP: 0010:console_unlock+0xbeb/0xf20 kernel/printk/printk.c:2417
RSP: 0018:ffff888066f86fb8 EFLAGS: 00000216 ORIG_RAX: ffffffffffffff10
RAX: 0000000000040000 RBX: 0000000000000200 RCX: ffffc9000a406000
RDX: 00000000000175b6 RSI: ffffffff81440094 RDI: 0000000000000216
RBP: 0000000000000000 R08: ffffffff8b9b82b8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff83d27eb0
R13: ffffffff89620e70 R14: dffffc0000000000 R15: 000000000000006a
vprintk_emit+0x224/0x620 kernel/printk/printk.c:1925
vprintk_func+0x58/0x160 kernel/printk/printk_safe.c:409
printk+0x9e/0xbc kernel/printk/printk.c:1998
__netdev_printk.cold+0x94/0x17a net/core/dev.c:8601
netdev_err+0xc5/0xf0 net/core/dev.c:8645
bond_opt_error_interpret drivers/net/bonding/bond_options.c:615 [inline]
__bond_opt_set+0x7de/0x960 drivers/net/bonding/bond_options.c:675
bond_changelink+0x3a8/0x1960 drivers/net/bonding/bond_netlink.c:210
bond_newlink+0x29/0x80 drivers/net/bonding/bond_netlink.c:449
rtnl_newlink+0xf7c/0x1830 net/core/rtnetlink.c:2730
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322
netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xb5/0x100 net/socket.c:656
___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f38cc9a4109
RSP: 002b:00007f38cb2f8168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f38ccab7030 RCX: 00007f38cc9a4109
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000004
RBP: 00007f38cc9fe0ad R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe0b96729f R14: 00007f38cb2f8300 R15: 0000000000022000
(unnamed net_device) (uninitialized): option updelay: allowed values 0 - 2147483647
(unnamed net_device) (uninitialized): option updelay: invalid value (18446744073709551615)
(unnamed net_device) (uninitialized): option updelay: allowed values 0 - 2147483647
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
ip_tables: iptables: counters copy to user failed while replacing table
(unnamed net_device) (uninitialized): option updelay: invalid value (18446744073709551615)
(unnamed net_device) (uninitialized): option updelay: allowed values 0 - 2147483647
(unnamed net_device) (uninitialized): option updelay: invalid value (18446744073709551615)
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
(unnamed net_device) (uninitialized): option updelay: allowed values 0 - 2147483647
ip_tables: iptables: counters copy to user failed while replacing table
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.0'.
ip_tables: iptables: counters copy to user failed while replacing table
Zero length message leads to an empty skb
(syz-executor.2,10695,1):ocfs2_parse_options:1498 ERROR: Invalid heartbeat mount options
(syz-executor.2,10695,1):ocfs2_fill_super:1217 ERROR: status = -22
(syz-executor.2,10720,0):ocfs2_parse_options:1498 ERROR: Invalid heartbeat mount options
(syz-executor.2,10720,0):ocfs2_fill_super:1217 ERROR: status = -22
(syz-executor.2,10763,0):ocfs2_parse_options:1498 ERROR: Invalid heartbeat mount options
(syz-executor.2,10763,0):ocfs2_fill_super:1217 ERROR: status = -22
REISERFS (device loop5): found reiserfs format "3.6" with non-standard journal
REISERFS (device loop5): using ordered data mode
reiserfs: using flush barriers
REISERFS (device loop5): journal params: device loop5, size 15748, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop5): checking transaction log (loop5)
(syz-executor.2,10806,0):ocfs2_parse_options:1498 ERROR: Invalid heartbeat mount options
(syz-executor.2,10806,0):ocfs2_fill_super:1217 ERROR: status = -22
REISERFS (device loop5): Using r5 hash to sort names
REISERFS (device loop5): Created .reiserfs_priv - reserved for xattr storage.
IPVS: ftp: loaded support on port[0] = 21
EXT4-fs error (device sda1): swap_inode_boot_loader:114: inode #5: comm syz-executor.0: iget: checksum invalid
EXT4-fs error (device sda1): swap_inode_boot_loader:114: inode #5: comm syz-executor.4: iget: checksum invalid
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
EXT4-fs error (device sda1): swap_inode_boot_loader:114: inode #5: comm syz-executor.0: iget: checksum invalid
EXT4-fs error (device sda1): swap_inode_boot_loader:114: inode #5: comm syz-executor.4: iget: checksum invalid
kauditd_printk_skb: 8 callbacks suppressed
audit: type=1804 audit(1654608975.100:20): pid=11025 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir979561924/syzkaller.7ZIRxy/54/cgroup.controllers" dev="sda1" ino=14099 res=1
======================================================
WARNING: the mand mount option is being deprecated and will be removed in v5.15!
======================================================
EXT4-fs error (device sda1): swap_inode_boot_loader:114: inode #5: comm syz-executor.0: iget: checksum invalid
EXT4-fs error (device sda1): swap_inode_boot_loader:114: inode #5: comm syz-executor.4: iget: checksum invalid
XFS (loop2): Invalid superblock magic number