binder: 17220:17224 got reply transaction with no transaction stack
binder: 17220:17224 transaction failed 29201/-71, size 0-0 line 2922
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1326 audit(1548551928.241:170): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17208 comm="syz-executor3" exe="/root/syz-executor3" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
===============================
[ INFO: suspicious RCU usage. ]
4.4.171+ #12 Not tainted
-------------------------------
net/ipv6/ip6_fib.c:1465 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 1, debug_locks = 0
4 locks held by syz-executor1/3742:
 #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff8226dbe7>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 #1:  (fib6_gc_lock){+.-...}, at: [<ffffffff825f973c>] spin_trylock_bh include/linux/spinlock.h:367 [inline]
 #1:  (fib6_gc_lock){+.-...}, at: [<ffffffff825f973c>] fib6_run_gc+0x18c/0x230 net/ipv6/ip6_fib.c:1812
 #2:  (rcu_read_lock){......}, at: [<ffffffff825f1190>] __fib6_clean_all+0x0/0x240 net/ipv6/ip6_fib.c:1698
 #3:  (&tb->tb6_lock){++--..}, at: [<ffffffff825f1278>] __fib6_clean_all+0xe8/0x240 net/ipv6/ip6_fib.c:1712

stack backtrace:
CPU: 1 PID: 3742 Comm: syz-executor1 Not tainted 4.4.171+ #12
 0000000000000000 e8f0461385ba9fdb ffff8801d9077218 ffffffff81aacd31
 ffff8801d2351500 0000000000000000 0000000000000001 00000000000005b9
 ffff8800b6db97c0 ffff8801d9077248 ffffffff813ab5d0 ffff8801d9077468
Call Trace:
 [<ffffffff81aacd31>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aacd31>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff813ab5d0>] lockdep_rcu_suspicious.cold+0x10a/0x149 kernel/locking/lockdep.c:4305
 [<ffffffff825f8d8a>] fib6_del+0x7ea/0xae0 net/ipv6/ip6_fib.c:1465
 [<ffffffff825f931c>] fib6_clean_node+0x29c/0x500 net/ipv6/ip6_fib.c:1652
 [<ffffffff825f0ae0>] fib6_walk_continue+0x3e0/0x630 net/ipv6/ip6_fib.c:1578
 [<ffffffff825f1021>] fib6_walk+0x91/0xe0 net/ipv6/ip6_fib.c:1623
 [<ffffffff825f1158>] fib6_clean_tree+0xe8/0x120 net/ipv6/ip6_fib.c:1697
 [<ffffffff825f1290>] __fib6_clean_all+0x100/0x240 net/ipv6/ip6_fib.c:1713
 [<ffffffff825f965f>] fib6_clean_all net/ipv6/ip6_fib.c:1724 [inline]
 [<ffffffff825f965f>] fib6_run_gc+0xaf/0x230 net/ipv6/ip6_fib.c:1821
 [<ffffffff82605a30>] ndisc_netdev_event+0x2b0/0x360 net/ipv6/ndisc.c:1707
 [<ffffffff81137c59>] notifier_call_chain+0xb9/0x1e0 kernel/notifier.c:93
 [<ffffffff81137dee>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff81137dee>] raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
 [<ffffffff82226b96>] call_netdevice_notifiers_info+0x56/0x70 net/core/dev.c:1643
 [<ffffffff822277c3>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff822277c3>] dev_close_many+0x2f3/0x6a0 net/core/dev.c:1452
 [<ffffffff82234080>] rollback_registered_many+0x3a0/0x9a0 net/core/dev.c:6350
 [<ffffffff82234772>] rollback_registered+0xf2/0x1b0 net/core/dev.c:6413
 [<ffffffff8223d05e>] unregister_netdevice_queue net/core/dev.c:7363 [inline]
 [<ffffffff8223d05e>] unregister_netdevice_queue+0x1ae/0x230 net/core/dev.c:7356
 [<ffffffff81e1f8bb>] unregister_netdevice include/linux/netdevice.h:2289 [inline]
 [<ffffffff81e1f8bb>] __tun_detach+0x86b/0xa50 drivers/net/tun.c:548
 [<ffffffff81e1fae6>] tun_detach drivers/net/tun.c:557 [inline]
 [<ffffffff81e1fae6>] tun_chr_close+0x46/0x60 drivers/net/tun.c:2263
 [<ffffffff8149c506>] __fput+0x246/0x710 fs/file_table.c:208
 [<ffffffff8149ca56>] ____fput+0x16/0x20 fs/file_table.c:244
 [<ffffffff8112f142>] task_work_run+0x202/0x2b0 kernel/task_work.c:115
 [<ffffffff810d8b2a>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff810d8b2a>] do_exit+0x8ea/0x2a50 kernel/exit.c:755
 [<ffffffff810dee81>] do_group_exit+0x111/0x300 kernel/exit.c:885
 [<ffffffff81100887>] get_signal+0x517/0x1570 kernel/signal.c:2321
 [<ffffffff8100bd4c>] do_signal+0x9c/0x1840 arch/x86/kernel/signal.c:712
 [<ffffffff81003da7>] exit_to_usermode_loop+0x127/0x170 arch/x86/entry/common.c:184
 [<ffffffff8100569b>] prepare_exit_to_usermode arch/x86/entry/common.c:221 [inline]
 [<ffffffff8100569b>] syscall_return_slowpath+0x25b/0x2e0 arch/x86/entry/common.c:286
 [<ffffffff82718121>] int_ret_from_sys_call+0x25/0xa3
binder: 17249:17251 unknown command 536872128
binder: 17249:17251 ioctl c0306201 2000dfd0 returned -22
binder: 17249:17251 ioctl 4c82 0 returned -22
binder: 17249:17251 ioctl 4c81 0 returned -22
binder: 17249:17251 ioctl 54a1 0 returned -22
binder: 17249:17251 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 17249:17251 tried to acquire reference to desc 0, got 1 instead
binder: 17249:17271 unknown command 536871808
binder: 17249:17274 unknown command 536872128
binder: 17249:17271 ioctl c0306201 20008fd0 returned -22
binder: 17249:17274 ioctl c0306201 2000dfd0 returned -22
binder: 17249:17271 ioctl 4c82 0 returned -22
binder: 17249:17251 ioctl 4c81 0 returned -22
binder: 17249:17271 ioctl 54a1 0 returned -22
audit: type=1326 audit(1548551930.681:171): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17266 comm="syz-executor3" exe="/root/syz-executor3" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
binder: 17282:17283 unknown command 536872128
binder: 17282:17283 ioctl c0306201 2000dfd0 returned -22
binder: 17282:17283 ioctl 4c82 0 returned -22
binder: 17282:17283 ioctl 4c81 0 returned -22
binder: 17282:17283 ioctl 54a1 0 returned -22
binder: 17282:17283 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 17293:17297 unknown command 536872128
binder: 17293:17297 ioctl c0306201 2000dfd0 returned -22
binder: 17293:17297 ioctl 4c82 0 returned -22
binder: 17293:17297 ioctl 4c81 0 returned -22
binder: 17293:17297 ioctl 54a1 0 returned -22
binder: 17293:17297 BC_DEAD_BINDER_DONE 0000000000000000 not found
audit: type=1326 audit(1548551933.611:172): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17302 comm="syz-executor3" exe="/root/syz-executor3" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
binder: 17333:17338 unknown command 536872128
binder: 17333:17338 ioctl c0306201 2000dfd0 returned -22
binder: 17333:17338 ioctl 4c82 0 returned -22
binder: 17333:17338 ioctl 4c81 0 returned -22
binder: 17333:17338 ioctl 54a1 0 returned -22
audit: type=1326 audit(1548551933.991:173): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17332 comm="syz-executor1" exe="/root/syz-executor1" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
binder: 17333:17350 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 17356:17358 unknown command 536872128
binder: 17356:17358 ioctl c0306201 2000dfd0 returned -22
binder: 17356:17358 ioctl 4c82 0 returned -22
binder: 17356:17358 ioctl 4c81 0 returned -22
binder: 17356:17358 ioctl 54a1 0 returned -22
binder: 17372:17377 unknown command 536872128
binder: 17372:17377 ioctl c0306201 2000dfd0 returned -22
binder: 17372:17377 ioctl 4c82 0 returned -22
audit: type=1326 audit(1548551934.791:174): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17374 comm="syz-executor3" exe="/root/syz-executor3" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
binder: 17372:17377 ioctl 4c81 0 returned -22
binder: 17392:17394 unknown command 536872128
binder: 17392:17394 ioctl c0306201 2000dfd0 returned -22
binder: 17392:17394 ioctl 4c82 0 returned -22
audit: type=1326 audit(1548551934.891:175): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17385 comm="syz-executor1" exe="/root/syz-executor1" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
binder: 17395:17398 unknown command 536872128
binder: 17395:17398 ioctl c0306201 2000dfd0 returned -22
binder: 17401:17402 unknown command 536872128
binder: 17401:17402 ioctl c0306201 2000dfd0 returned -22
audit: type=1326 audit(1548551934.941:176): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17387 comm="syz-executor5" exe="/root/syz-executor5" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
audit: type=1326 audit(1548551935.721:177): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17417 comm="syz-executor3" exe="/root/syz-executor3" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
audit: type=1326 audit(1548551935.761:178): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17423 comm="syz-executor1" exe="/root/syz-executor1" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
audit: type=1326 audit(1548551935.881:179): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17446 comm="syz-executor5" exe="/root/syz-executor5" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0
audit: type=1326 audit(1548551937.291:180): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=17468 comm="syz-executor3" exe="/root/syz-executor3" sig=9 arch=c000003e syscall=228 compat=0 ip=0x45aefa code=0x0