loop0: p254 start 1854537728 is beyond EOD, truncated
loop0: p255 start 1854537728 is beyond EOD, truncated
===============================
[ INFO: suspicious RCU usage. ]
4.9.205-syzkaller #0 Not tainted
-------------------------------
include/linux/inetdevice.h:205 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
4 locks held by syz-executor.0/12929:
 #0: (rcu_read_lock_bh){......}, at: [<00000000f1c4abe5>] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:198
 #1: (rcu_read_lock_bh){......}, at: [<000000006636a76a>] __dev_queue_xmit+0x1d4/0x1bd0 net/core/dev.c:3407
 #2: (_xmit_TUNNEL6 #2){+.-...}, at: [<000000002f58574a>] spin_lock include/linux/spinlock.h:302 [inline]
     at: [<000000002f58574a>] __netif_tx_lock include/linux/netdevice.h:3573 [inline]
     at: [<000000002f58574a>] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469
 #3: (slock-AF_INET){+.-...}, at: [<00000000cd0182aa>] spin_trylock include/linux/spinlock.h:312 [inline]
     at: [<00000000cd0182aa>] icmp_xmit_lock net/ipv4/icmp.c:220 [inline]
     at: [<00000000cd0182aa>] __icmp_send+0x48b/0x1420 net/ipv4/icmp.c:656

stack backtrace:
CPU: 0 PID: 12929 Comm: syz-executor.0 Not tainted 4.9.205-syzkaller #0
 ffff8801cca56dd8 ffffffff81b55e6b ffff8801d9471640 0000000000000000
 0000000000000002 00000000000000cd ffff8801c86f97c0 ffff8801cca56e08
 ffffffff81406997 ffff8801d9471698 ffff8801cca56f28 ffff8801c89a6600
Call Trace:
 [<000000007964c4fc>] __dump_stack lib/dump_stack.c:15 [inline]
 [<000000007964c4fc>] dump_stack+0xcb/0x130 lib/dump_stack.c:56
 [<00000000a4265a65>] lockdep_rcu_suspicious.cold+0x10a/0x149 kernel/locking/lockdep.c:4458
 [<0000000021c76988>] __in_dev_get_rcu include/linux/inetdevice.h:205 [inline]
 [<0000000021c76988>] fib_compute_spec_dst+0x6c4/0xcc0 net/ipv4/fib_frontend.c:284
 [<00000000165cbe3e>] __ip_options_echo+0x4be/0x13e0 net/ipv4/ip_options.c:177
 [<000000000198d5b1>] __icmp_send+0x648/0x1420 net/ipv4/icmp.c:685
 [<000000008553ec1c>] ipv4_send_dest_unreach net/ipv4/route.c:1203 [inline]
 [<000000008553ec1c>] ipv4_link_failure+0x460/0x850 net/ipv4/route.c:1210
 [<0000000028409945>] dst_link_failure include/net/dst.h:490 [inline]
 [<0000000028409945>] vti6_xmit net/ipv6/ip6_vti.c:522 [inline]
 [<0000000028409945>] vti6_tnl_xmit+0xb08/0x17f0 net/ipv6/ip6_vti.c:561
 [<0000000008fd0905>] __netdev_start_xmit include/linux/netdevice.h:4072 [inline]
 [<0000000008fd0905>] netdev_start_xmit include/linux/netdevice.h:4081 [inline]
 [<0000000008fd0905>] xmit_one net/core/dev.c:2977 [inline]
 [<0000000008fd0905>] dev_hard_start_xmit+0x195/0x8b0 net/core/dev.c:2993
 [<00000000b168b6bc>] __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
 [<00000000bd7cedd8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
 [<000000003d518553>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1368
 [<000000008a884430>] dst_neigh_output include/net/dst.h:470 [inline]
 [<000000008a884430>] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:225
 [<000000005569f492>] ip_finish_output+0x3c4/0xce0 net/ipv4/ip_output.c:313
 [<0000000073480c1c>] NF_HOOK_COND include/linux/netfilter.h:246 [inline]
 [<0000000073480c1c>] ip_output+0x1ec/0x5b0 net/ipv4/ip_output.c:401
 [<0000000085575cf5>] dst_output include/net/dst.h:507 [inline]
 [<0000000085575cf5>] NF_HOOK_THRESH include/linux/netfilter.h:232 [inline]
 [<0000000085575cf5>] NF_HOOK include/linux/netfilter.h:255 [inline]
 [<0000000085575cf5>] raw_send_hdrinc net/ipv4/raw.c:421 [inline]
 [<0000000085575cf5>] raw_sendmsg+0x1c5c/0x23e0 net/ipv4/raw.c:643
 [<000000002a89e951>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 [<0000000065ed19d7>] sock_sendmsg_nosec net/socket.c:649 [inline]
 [<0000000065ed19d7>] sock_sendmsg+0xbe/0x110 net/socket.c:659
 [<00000000510477c2>] sock_write_iter+0x235/0x3d0 net/socket.c:857
 [<0000000033e60a5c>] new_sync_write fs/read_write.c:498 [inline]
 [<0000000033e60a5c>] __vfs_write+0x3c1/0x560 fs/read_write.c:511
 [<000000006f5b0ecf>]
vfs_write+0x185/0x520 fs/read_write.c:559
 [<00000000894347f1>] SYSC_write fs/read_write.c:607 [inline]
 [<00000000894347f1>] SyS_write+0x121/0x270 fs/read_write.c:599
 [<00000000db1a1c38>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<000000009ae821fd>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
binder: 13050 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
[ 217.181936] binder: 13050:13051 ioctl c018620c 20000600 returned -22
binder: 13080 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
[ 217.265498] binder: 13074 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
binder: 13074:13082 ioctl c018620c 20000600 returned -22
binder: 13093 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
binder: 13093:13098 ioctl c018620c 20000600 returned -22
binder: 13109 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
binder: 13109:13111 ioctl c018620c 20000600 returned -22
binder: 13080:13084 ioctl c018620c 20000600 returned -22
binder: 13123 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
[ 217.744229] binder: 13123:13128 ioctl c018620c 20000600 returned -22
binder: 13121 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
binder: 13121:13131 ioctl c018620c 20000600 returned -22
binder: 13139 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
[ 217.790900] binder: 13139:13141 ioctl c018620c 20000600 returned -22
binder: 13155 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
[ 220.305130] binder: 13155:13161 ioctl c018620c 20000600 returned -22
binder: 13153 BINDER_GET_NODE_INFO_FOR_REF: only handle may be non-zero.
[ 220.335681] binder: 13153:13160 ioctl c018620c 20000600 returned -22
: renamed from ip_vti0