=============================
WARNING: suspicious RCU usage
4.15.0+ #307 Not tainted
-----------------------------
./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor2/5276:
 #0:  (rcu_read_lock){....}, at: [<00000000ab88f78b>] __rds_conn_create+0xe46/0x1b50 net/rds/connection.c:218

stack backtrace:
CPU: 0 PID: 5276 Comm: syz-executor2 Not tainted 4.15.0+ #307
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline]
 ___might_sleep+0x385/0x470 kernel/sched/core.c:6093
 __might_sleep+0x95/0x190 kernel/sched/core.c:6081
 slab_pre_alloc_hook mm/slab.h:420 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc+0x2a2/0x760 mm/slab.c:3539
binder: 5299:5300 ERROR: BC_REGISTER_LOOPER called without request
 rds_tcp_conn_alloc+0xa7/0x4e0 net/rds/tcp.c:296
binder: 5300 RLIMIT_NICE not set
binder: 5300 RLIMIT_NICE not set
 __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227
binder: 5299:5305 got reply transaction with bad transaction stack, transaction 2 has target 5299:5300
binder: 5299:5305 transaction failed 29201/-71, size 0-0 line 2772
binder: release 5299:5300 transaction 2 in, still active
binder: send failed reply for transaction 2 to 5299:5305
binder: undelivered TRANSACTION_COMPLETE
 rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309
binder: undelivered TRANSACTION_ERROR: 29201
 rds_sendmsg+0xda3/0x2390 net/rds/send.c:1126
binder: undelivered TRANSACTION_ERROR: 29189
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 SYSC_sendto+0x361/0x5c0 net/socket.c:1747
 SyS_sendto+0x40/0x50 net/socket.c:1715
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007fc49b6c1c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc49b6c26d4 RCX: 0000000000453a59
RDX: 0000000000000000 RSI: 0000000020fc2000 RDI: 0000000000000014
RBP: 000000000071bea0 R08: 000000002069affb R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004b9 R14: 00000000006f71f8 R15: 0000000000000000
BUG: sleeping function called from invalid context at mm/slab.h:420
in_atomic(): 1, irqs_disabled(): 0, pid: 5276, name: syz-executor2
1 lock held by syz-executor2/5276:
binder: 5299:5300 ERROR: BC_REGISTER_LOOPER called without request
 #0:  (rcu_read_lock){....}, at: [<00000000ab88f78b>] __rds_conn_create+0xe46/0x1b50 net/rds/connection.c:218
binder: 5300 RLIMIT_NICE not set
CPU: 0 PID: 5276 Comm: syz-executor2 Not tainted 4.15.0+ #307
binder: 5300 RLIMIT_NICE not set
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
binder: release 5299:5305 transaction 5 out, still active
 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
binder: undelivered TRANSACTION_COMPLETE
 __might_sleep+0x95/0x190 kernel/sched/core.c:6081
binder: release 5299:5300 transaction 5 in, still active
 slab_pre_alloc_hook mm/slab.h:420 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc+0x2a2/0x760 mm/slab.c:3539
 rds_tcp_conn_alloc+0xa7/0x4e0 net/rds/tcp.c:296
binder: send failed reply for transaction 5, target dead
 __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227
 rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309
 rds_sendmsg+0xda3/0x2390 net/rds/send.c:1126
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 SYSC_sendto+0x361/0x5c0 net/socket.c:1747
 SyS_sendto+0x40/0x50 net/socket.c:1715
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007fc49b6c1c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc49b6c26d4 RCX: 0000000000453a59
RDX: 0000000000000000 RSI: 0000000020fc2000 RDI: 0000000000000014
RBP: 000000000071bea0 R08: 000000002069affb R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004b9 R14: 00000000006f71f8 R15: 0000000000000000
kauditd_printk_skb: 5 callbacks suppressed
audit: type=1400 audit(1518264027.399:24): avc: denied { prog_load } for pid=5319 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
binder: 5330:5332 ERROR: BC_REGISTER_LOOPER called without request
binder: 5332 RLIMIT_NICE not set
binder: 5328:5339 ERROR: BC_REGISTER_LOOPER called without request
binder: 5339 RLIMIT_NICE not set
binder: 5330:5342 got reply transaction with bad transaction stack, transaction 8 has target 5330:0
binder: 5330:5342 transaction failed 29201/-71, size 0-0 line 2772
binder: 5328:5344 got reply transaction with bad transaction stack, transaction 10 has target 5328:0
binder: 5328:5344 transaction failed 29201/-71, size 0-0 line 2772
binder: 5332 RLIMIT_NICE not set
audit: type=1400 audit(1518264028.007:25): avc: denied { ioctl } for pid=5345 comm="syz-executor3" path="socket:[14042]" dev="sockfs" ino=14042 ioctlcmd=0x89e2 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=sock_file permissive=1
binder: release 5330:5332 transaction 8 in, still active
binder: send failed reply for transaction 8 to 5330:5342
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 10 to 5328:5344
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: 5371:5373 ERROR: BC_REGISTER_LOOPER called without request
binder: 5373 RLIMIT_NICE not set
binder: 5373 RLIMIT_NICE not set
binder: 5373 RLIMIT_NICE not set
binder_alloc: 5371: binder_alloc_buf, no vma
binder: 5371:5373 transaction failed 29189/-3, size 0-0 line 2957
binder: send failed reply for transaction 13 to 5371:5375
binder: undelivered TRANSACTION_ERROR: 29190
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 5380:5387 ERROR: BC_REGISTER_LOOPER called without request
binder: 5387 RLIMIT_NICE not set
binder: 5380:5395 got reply transaction with bad transaction stack, transaction 16 has target 5380:0
binder: 5380:5395 transaction failed 29201/-71, size 0-0 line 2772
binder: 5387 RLIMIT_NICE not set
binder: release 5380:5387 transaction 16 in, still active
binder: send failed reply for transaction 16 to 5380:5395
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: 5429:5434 ERROR: BC_REGISTER_LOOPER called without request
binder: 5434 RLIMIT_NICE not set
binder_alloc: 5429: binder_alloc_buf, no vma
binder: 5429:5443 transaction failed 29189/-3, size 0-0 line 2957
mip6: mip6_rthdr_init_state: spi is not 0: 4043571200
mip6: mip6_rthdr_init_state: spi is not 0: 4043571200
binder: undelivered TRANSACTION_ERROR: 29189
binder: 5463:5464 ERROR: BC_REGISTER_LOOPER called without request
binder: 5464 RLIMIT_NICE not set
audit: type=1400 audit(1518264029.086:26): avc: denied { map_create } for pid=5461 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
binder_alloc: 5463: binder_alloc_buf, no vma
binder: 5463:5467 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: 5479:5488 ERROR: BC_REGISTER_LOOPER called without request
binder: 5488 RLIMIT_NICE not set
binder_alloc: 5479: binder_alloc_buf, no vma
binder: 5479:5497 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: 5507:5512 ERROR: BC_REGISTER_LOOPER called without request
binder: 5512 RLIMIT_NICE not set
ALSA: seq fatal error: cannot create timer (-22)
encrypted_key: insufficient parameters specified
ALSA: seq fatal error: cannot create timer (-22)
encrypted_key: insufficient parameters specified
netlink: 'syz-executor5': attribute type 1 has an invalid length.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
BUG: sleeping function called from invalid context at mm/slab.h:420
in_atomic(): 1, irqs_disabled(): 0, pid: 5731, name: syz-executor7
1 lock held by syz-executor7/5731:
 #0:  (rcu_read_lock){....}, at: [<00000000ab88f78b>] __rds_conn_create+0xe46/0x1b50 net/rds/connection.c:218
CPU: 0 PID: 5731 Comm: syz-executor7 Tainted: G        W        4.15.0+ #307
audit: type=1400 audit(1518264030.080:27): avc: denied { map_read map_write } for pid=5737 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
 __might_sleep+0x95/0x190 kernel/sched/core.c:6081
 slab_pre_alloc_hook mm/slab.h:420 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc_trace+0x299/0x740 mm/slab.c:3605
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 rds_loop_conn_alloc+0xc8/0x380 net/rds/loop.c:126
 __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227
 rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309
 rds_sendmsg+0xda3/0x2390 net/rds/send.c:1126
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 SYSC_sendto+0x361/0x5c0 net/socket.c:1747
 SyS_sendto+0x40/0x50 net/socket.c:1715
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007fd4ea15bc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fd4ea15c6d4 RCX: 0000000000453a59
RDX: 0000000000000000 RSI: 000000002056a000 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000020ec8000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004b9 R14: 00000000006f71f8 R15: 0000000000000000
syz-executor4 uses obsolete (PF_INET,SOCK_PACKET)
audit: type=1400 audit(1518264030.607:28): avc: denied { node_bind } for pid=5771 comm="syz-executor1" saddr=::ffff:172.20.0.187 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket permissive=1
netlink: 'syz-executor5': attribute type 1 has an invalid length.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
sctp: [Deprecated]: syz-executor0 (pid 5838) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor0 (pid 5847) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
sock: sock_set_timeout: `syz-executor6' (pid 5860) tries to set negative timeout
audit: type=1400 audit(1518264030.957:29): avc: denied { validate_trans } for pid=5854 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
sock: sock_set_timeout: `syz-executor6' (pid 5860) tries to set negative timeout
RDS: rds_bind could not find a transport for 172.20.0.0, load rds_tcp or rds_rdma?
sctp: [Deprecated]: syz-executor0 (pid 5881) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
audit: type=1400 audit(1518264031.127:30): avc: denied { name_bind } for pid=5875 comm="syz-executor6" src=20024 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
RDS: rds_bind could not find a transport for 172.20.0.0, load rds_tcp or rds_rdma?
netlink: 'syz-executor5': attribute type 1 has an invalid length.
audit: type=1400 audit(1518264031.155:31): avc: denied { name_connect } for pid=5875 comm="syz-executor6" dest=20024 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
netlink: 'syz-executor5': attribute type 1 has an invalid length.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
device eql entered promiscuous mode
sock: sock_set_timeout: `syz-executor0' (pid 6118) tries to set negative timeout
sock: sock_set_timeout: `syz-executor0' (pid 6118) tries to set negative timeout
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
audit: type=1400 audit(1518264032.301:32): avc: denied { ipc_owner } for pid=6181 comm="syz-executor4" capability=15 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
netlink: 12 bytes leftover after parsing attributes in process `syz-executor6'.
PF_BRIDGE: br_mdb_parse() with invalid attr
audit: type=1400 audit(1518264032.743:33): avc: denied { ipc_lock } for pid=6305 comm="syz-executor1" capability=14 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
netlink: 'syz-executor5': attribute type 1 has an invalid length.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
netlink: 'syz-executor5': attribute type 1 has an invalid length.
binder: 6506:6512 got transaction with fd, -1, but target does not allow fds
binder: 6506:6512 transaction failed 29201/-1, size 24-8 line 3062
binder_alloc: binder_alloc_mmap_handler: 6506 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 6506: binder_alloc_buf, no vma
binder: 6506:6530 transaction failed 29189/-3, size 24-8 line 2957
binder: 6506:6512 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1401 audit(1518264033.682:34): op=setxattr invalid_context=""
audit: type=1401 audit(1518264033.707:35): op=setxattr invalid_context=""
xt_connbytes: Forcing CT accounting to be enabled
PPPIOCDETACH file->f_count=3
audit: type=1400 audit(1518264033.910:36): avc: denied { prog_run } for pid=6554 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
PPPIOCDETACH file->f_count=2
PPPIOCDETACH file->f_count=2
PPPIOCDETACH file->f_count=2
PPPIOCDETACH file->f_count=2
binder: 6726 RLIMIT_NICE not set
binder: 6723:6734 tried to acquire reference to desc 0, got 1 instead
binder: 6723:6734 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6723:6726 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6723:6734 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 6726 RLIMIT_NICE not set
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
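What the RDS traces above record, read from the frames alone: __rds_conn_create holds rcu_read_lock (taken at net/rds/connection.c:218) and at connection.c:227 calls the transport's conn_alloc (rds_tcp_conn_alloc at net/rds/tcp.c:296 in the first two reports, rds_loop_conn_alloc via kzalloc at net/rds/loop.c:126 in the third). slab_pre_alloc_hook calls might_sleep only when the gfp mask allows blocking, so those sites pass a blocking mask such as GFP_KERNEL. Two checkers fire on the same event: lockdep's rcu_preempt_sleep_check prints "suspicious RCU usage", and the scheduler's ___might_sleep prints "sleeping function called from invalid context" with in_atomic(): 1, because on this non-preemptible build rcu_read_lock disables preemption. The C program below is a userspace model added here to illustrate that check and the two usual ways of silencing it; it is not kernel code and not the net/rds code. Every *_m name, the GFP_*_M values and the struct rds_conn stand-in are assumptions of the model, not kernel definitions.

```c
/* Userspace model of the check that produced the reports above:
 * a blocking slab allocation issued while rcu_read_lock() is held.
 * Added example; not kernel code and not the RDS code in net/rds.
 * The *_m names, struct rds_conn and the GFP values are assumptions of
 * the model, not kernel definitions. */
#include <stdio.h>
#include <stdlib.h>

/* Model of preempt_count(). On a non-preemptible kernel rcu_read_lock()
 * disables preemption, which is why the report shows in_atomic(): 1. */
static int preempt_count;
static int sleep_violations;   /* number of "sleeping function" BUGs seen */

static void rcu_read_lock_m(void)   { preempt_count++; }
static void rcu_read_unlock_m(void) { preempt_count--; }

/* Model of __might_sleep(): complain when called with preemption disabled.
 * The real kernel also has lockdep's rcu_preempt_sleep_check(), which is
 * what printed "suspicious RCU usage"; the model folds both into one counter. */
static int might_sleep_m(const char *site)
{
    if (preempt_count == 0)
        return 0;
    sleep_violations++;
    fprintf(stderr,
            "BUG: sleeping function called from invalid context at %s\n"
            "in_atomic(): %d, rcu_read_lock depth: %d\n",
            site, 1, preempt_count);
    return -1;
}

/* Two gfp masks that matter here (model values, not the kernel's bits). */
#define GFP_KERNEL_M 0x1u   /* reclaim allowed: the allocation may sleep */
#define GFP_ATOMIC_M 0x2u   /* no reclaim: must not sleep */

static int gfpflags_allow_blocking_m(unsigned gfp)
{
    return (gfp & GFP_KERNEL_M) != 0;
}

/* Model of slab_pre_alloc_hook(): might_sleep() fires only for a blocking
 * mask, which is how we know the sites in the trace passed one. */
static void *kmalloc_m(size_t n, unsigned gfp, const char *site)
{
    if (gfpflags_allow_blocking_m(gfp))
        might_sleep_m(site);
    return calloc(1, n);
}

struct rds_conn { int transport_data; };

/* The pattern in the trace: the transport's conn_alloc (tcp.c:296 or
 * loop.c:126) runs inside the RCU read section taken at connection.c:218. */
static struct rds_conn *conn_create_buggy(void)
{
    struct rds_conn *c;

    rcu_read_lock_m();
    c = kmalloc_m(sizeof *c, GFP_KERNEL_M, "mm/slab.h:420 (model)");
    rcu_read_unlock_m();
    return c;
}

/* Hardened form A: do the blocking allocation before entering RCU, and
 * only do the lookup/publish step under the read lock. */
static struct rds_conn *conn_create_hoisted(void)
{
    struct rds_conn *c = kmalloc_m(sizeof *c, GFP_KERNEL_M, "preallocate (model)");

    if (!c)
        return NULL;
    rcu_read_lock_m();
    /* lookup under RCU would go here; nothing may sleep in this window */
    rcu_read_unlock_m();
    return c;
}

/* Hardened form B: keep the allocation where it is but make it
 * non-blocking; the caller must then cope with NULL under memory pressure. */
static struct rds_conn *conn_create_atomic(void)
{
    struct rds_conn *c;

    rcu_read_lock_m();
    c = kmalloc_m(sizeof *c, GFP_ATOMIC_M, "mm/slab.h:420 (model)");
    rcu_read_unlock_m();
    return c;
}

/* Run one variant and report how many sleeping-context violations it caused. */
static int violations_for(struct rds_conn *(*create)(void))
{
    struct rds_conn *c;

    sleep_violations = 0;
    c = create();
    free(c);
    return sleep_violations;
}

int main(void)
{
    printf("buggy (GFP_KERNEL under rcu_read_lock): %d violation(s)\n",
           violations_for(conn_create_buggy));
    printf("hoisted allocation:                     %d violation(s)\n",
           violations_for(conn_create_hoisted));
    printf("GFP_ATOMIC under rcu_read_lock:         %d violation(s)\n",
           violations_for(conn_create_atomic));
    return 0;
}
```

Only the first variant trips the check. Which of the two hardened forms is appropriate for real code depends on whether the caller can tolerate an allocation failure under memory pressure (GFP_ATOMIC draws on reserves and fails sooner) and on whether anything looked up under RCU is needed to size or initialise the object; the model does not decide that, it only shows that both remove the sleeping call from the read-side critical section. Note that syzbot ran this kernel with lockdep enabled (debug_locks = 1); without it only the second, preempt_count-based message would have appeared, and on a CONFIG_PREEMPT kernel neither would, since rcu_read_lock would not raise preempt_count there.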