syz-executor.5 (10215) used greatest stack depth: 25128 bytes left

=============================
WARNING: suspicious RCU usage
4.14.278-syzkaller #0 Not tainted
-----------------------------
net/netfilter/nf_queue.c:244 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syz-executor.2/10221:
 #0: (&pipe->mutex/1){+.+.}, at: [] pipe_lock_nested fs/pipe.c:82 [inline]
 #0: (&pipe->mutex/1){+.+.}, at: [] pipe_lock fs/pipe.c:90 [inline]
 #0: (&pipe->mutex/1){+.+.}, at: [] pipe_wait+0x171/0x190 fs/pipe.c:138
 #1: (rcu_callback){....}, at: [] __rcu_reclaim kernel/rcu/rcu.h:185 [inline]
 #1: (rcu_callback){....}, at: [] rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 #1: (rcu_callback){....}, at: [] invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 #1: (rcu_callback){....}, at: [] __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 #1: (rcu_callback){....}, at: [] rcu_process_callbacks+0x84e/0x1180 kernel/rcu/tree.c:2946
 #2: (&(&inst->lock)->rlock){+.-.}, at: [] spin_lock_bh include/linux/spinlock.h:322 [inline]
 #2: (&(&inst->lock)->rlock){+.-.}, at: [] nfqnl_flush+0x2f/0x2a0 net/netfilter/nfnetlink_queue.c:232
ip_tables: iptables: counters copy to user failed while replacing table

stack backtrace:
CPU: 0 PID: 10221 Comm: syz-executor.2 Not tainted 4.14.278-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 nf_reinject+0x56e/0x700 net/netfilter/nf_queue.c:244
 nfqnl_flush+0x1ab/0x2a0 net/netfilter/nfnetlink_queue.c:237
 instance_destroy_rcu+0x19/0x30 net/netfilter/nfnetlink_queue.c:171
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x780/0x1180 kernel/rcu/tree.c:2946
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x193/0x240 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:unwind_next_frame+0x857/0x17d0 arch/x86/kernel/unwind_orc.c:356
RSP: 0018:ffff8880633bf4c0 EFLAGS: 00000a06 ORIG_RAX: ffffffffffffff10
RAX: dffffc0000000000 RBX: 1ffff1100c677e9f RCX: ffffffff8a7468da
RDX: 1ffff1100c677eb7 RSI: 0000000000000001 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffff8a7468de R09: ffffffff8a7468df
R10: 0000000000023497 R11: 0000000000066071 R12: ffff8880633bf5b5
R13: ffff8880633bf5b8 R14: ffff8880633bf5d0 R15: ffff8880633bf580
 __save_stack_trace+0x90/0x160 arch/x86/kernel/stacktrace.c:44
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_node_trace+0x153/0x400 mm/slab.c:3661
 kmalloc_node include/linux/slab.h:526 [inline]
 alloc_vmap_area+0xf0/0x7c0 mm/vmalloc.c:420
 __get_vm_area_node+0x126/0x340 mm/vmalloc.c:1414
 __vmalloc_node_range mm/vmalloc.c:1762 [inline]
 __vmalloc_node mm/vmalloc.c:1818 [inline]
 __vmalloc_node_flags mm/vmalloc.c:1832 [inline]
 vmalloc+0x98/0x150 mm/vmalloc.c:1854
 netlink_alloc_large_skb net/netlink/af_netlink.c:1173 [inline]
 netlink_sendmsg+0x434/0xbc0 net/netlink/af_netlink.c:1868
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 sock_no_sendpage+0xe2/0x110 net/core/sock.c:2610
 kernel_sendpage net/socket.c:3407 [inline]
 sock_sendpage+0xdf/0x140 net/socket.c:871
 pipe_to_sendpage+0x226/0x2d0 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x326/0x7a0 fs/splice.c:626
 splice_from_pipe fs/splice.c:661 [inline]
 generic_splice_sendpage+0xc1/0x110 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0xd59/0x1380 fs/splice.c:1382
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f3898f7e0e9
RSP: 002b:00007f38978d2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f3899091030 RCX: 00007f3898f7e0e9
RDX: 0000000000000016 RSI: 0000000000000000 RDI: 0000000000000011
RBP: 00007f3898fd808d R08: 000000000004ffe0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff5b3d675f R14: 00007f38978d2300 R15: 0000000000022000
ip_tables: iptables: counters copy to user failed while replacing table
syz-executor.2 (10221) used greatest stack depth: 24672 bytes left
ip_tables: iptables: counters copy to user failed while replacing table
ip_tables: iptables: counters copy to user failed while replacing table
ip_tables: iptables: counters copy to user failed while replacing table
ip_tables: iptables: counters copy to user failed while replacing table
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Process accounting resumed
Failed to enqueue queue_pair DETACH event datagram for context (ID=0x0)
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
openvswitch: netlink: Flow actions attr not present in new flow.
REISERFS warning (device loop3): sh-2021 reiserfs_fill_super: can not find reiserfs on loop3
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
audit: type=1800 audit(1652483508.925:32): pid=10547 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=14066 res=0
openvswitch: netlink: Flow actions attr not present in new flow.
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
audit: type=1800 audit(1652483509.055:33): pid=10558 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=14078 res=0
openvswitch: netlink: Flow actions attr not present in new flow.
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
REISERFS warning (device loop3): sh-2021 reiserfs_fill_super: can not find reiserfs on loop3
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
audit: type=1800 audit(1652483509.325:34): pid=10576 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=14067 res=0
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop1): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
audit: type=1800 audit(1652483509.655:35): pid=10598 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.4" name="bus" dev="sda1" ino=14082 res=0
FAT-fs (loop1): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
REISERFS warning (device loop3): sh-2021 reiserfs_fill_super: can not find reiserfs on loop3
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop1): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
REISERFS warning (device loop3): sh-2021 reiserfs_fill_super: can not find reiserfs on loop3
FAT-fs (loop1): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop1): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop5): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
JFS: discard option not supported on device
JFS: discard option not supported on device
isofs_fill_super: root inode is not a directory. Corrupted media?
JFS: discard option not supported on device
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
isofs_fill_super: root inode is not a directory. Corrupted media?
JFS: discard option not supported on device
isofs_fill_super: root inode is not a directory. Corrupted media?
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
isofs_fill_super: root inode is not a directory. Corrupted media?
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue
xt_TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks
XFS (loop0): Invalid superblock magic number
MTD: Attempt to mount non-MTD device "/dev/loop0"
xt_TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks
print_req_error: I/O error, dev loop0, sector 0
xt_TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks
device batadv0 entered promiscuous mode
lo: Cannot use loopback or non-ethernet device as HSR slave.
xt_TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks
device batadv0 left promiscuous mode