===============================
[ INFO: suspicious RCU usage. ]
4.9.141+ #1 Not tainted
-------------------------------
net/ipv6/ip6_fib.c:1471 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
4 locks held by syz-executor.2/23430:
 #0: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 #1: (&(&net->ipv6.fib6_gc_lock)->rlock){+.-...}, at: [] spin_trylock_bh include/linux/spinlock.h:367 [inline]
 #1: (&(&net->ipv6.fib6_gc_lock)->rlock){+.-...}, at: [] fib6_run_gc+0x226/0x2c0 net/ipv6/ip6_fib.c:1817
 #2: (rcu_read_lock){......}, at: [] __fib6_clean_all+0x0/0x220 net/ipv6/ip6_fib.c:1703
 #3: (&tb->tb6_lock){++--..}, at: [] __fib6_clean_all+0xe0/0x220 net/ipv6/ip6_fib.c:1717

stack backtrace:
CPU: 1 PID: 23430 Comm: syz-executor.2 Not tainted 4.9.141+ #1
 ffff880195de75f8 ffffffff81b42e79 ffff88017fc4df00 0000000000000000
 0000000000000002 ffffffff82cc2480 ffffed0032bbcf0d ffff880195de7628
 ffffffff813fe948 ffff8801d50a1180 ffff880195de7818 ffff8801d50a1180
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] lockdep_rcu_suspicious.cold.32+0x110/0x141 kernel/locking/lockdep.c:4455
 [] fib6_del+0x810/0xb10 net/ipv6/ip6_fib.c:1470
 [] fib6_clean_node+0x220/0x4c0 net/ipv6/ip6_fib.c:1657
 [] fib6_walk_continue+0x3e5/0x640 net/ipv6/ip6_fib.c:1583
 [] fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1628
 [] fib6_clean_tree+0xd3/0x110 net/ipv6/ip6_fib.c:1702
 [] __fib6_clean_all+0xf9/0x220 net/ipv6/ip6_fib.c:1718
 [] fib6_clean_all net/ipv6/ip6_fib.c:1729 [inline]
 [] fib6_run_gc+0x117/0x2c0 net/ipv6/ip6_fib.c:1826
 [] ndisc_netdev_event+0x2ac/0x350 net/ipv6/ndisc.c:1750
 [] notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 [] call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
 [] call_netdevice_notifiers net/core/dev.c:1663 [inline]
 [] dev_close_many+0x2e4/0x6a0 net/core/dev.c:1456
 [] rollback_registered_many+0x3ac/0xb50 net/core/dev.c:6838
 [] rollback_registered+0xee/0x1b0 net/core/dev.c:6901
 [] unregister_netdevice_queue+0x1aa/0x230 net/core/dev.c:7888
 [] unregister_netdevice include/linux/netdevice.h:2465 [inline]
 [] __tun_detach+0x821/0xa00 drivers/net/tun.c:575
 [] tun_detach drivers/net/tun.c:585 [inline]
 [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2392
 [] __fput+0x263/0x700 fs/file_table.c:208
 [] ____fput+0x15/0x20 fs/file_table.c:244
 [] task_work_run+0x10c/0x180 kernel/task_work.c:116
 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [] exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:162
 [] prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 [] syscall_return_slowpath arch/x86/entry/common.c:263 [inline]
 [] do_syscall_64+0x3e2/0x550 arch/x86/entry/common.c:290
 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
netlink: 48 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 48 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
IPv6: ADDRCONF(NETDEV_CHANGE): eql: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): eql: link becomes ready
audit: type=1400 audit(1554632304.573:198): avc: denied { bind } for pid=23511 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
IPv6: ADDRCONF(NETDEV_CHANGE): eql: link becomes ready
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.2'.
binder: 23646:23649 transaction failed 29189/-22, size 72-24 line 3013
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
binder_alloc: binder_alloc_mmap_handler: 23646 20001000-20004000 already mapped failed -16
binder: 23646:23649 transaction failed 29189/-22, size 72-24 line 3013
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
binder: 23723:23725 transaction failed 29189/-22, size 137438953472-0 line 3013
binder: 23723:23729 transaction failed 29189/-22, size 137438953472-0 line 3013
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
selinux_nlmsg_perm: 5 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14 sclass=netlink_route_socket pig=23736 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14 sclass=netlink_route_socket pig=23736 comm=syz-executor.1
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: unknown main item tag 0x0
hid-generic 0000:0000:0000.000D: hidraw0: HID v0.00 Device [syz1] on syz1
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: unknown main item tag 0x0
hid-generic 0000:0000:0000.000E: hidraw0: HID v0.00 Device [syz1] on syz1
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
keychord: invalid keycode count 0
keychord: invalid keycode count 0
binder: 23884:23885 tried to acquire reference to desc 0, got 1 instead
binder: 23884:23885 BC_INCREFS_DONE u0000000000000000 node 111 cookie mismatch 0000000000000004 != 0000000000000000
binder: 23884:23885 got transaction to invalid handle
binder: 23884:23885 transaction failed 29201/-22, size 0-0 line 3013
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23884:23885 ioctl 40046207 0 returned -16
binder: 23884:23894 tried to acquire reference to desc 0, got 1 instead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23884:23894 ioctl 40046207 0 returned -16
binder: 23884:23895 tried to acquire reference to desc 0, got 1 instead
binder: 23884:23895 BC_INCREFS_DONE u0000000000000000 node 111 cookie mismatch 0000000000000004 != 0000000000000000
binder: 23884:23895 got transaction to invalid handle
binder: 23884:23895 transaction failed 29201/-22, size 0-0 line 3013
nla_parse: 2 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor.4'.
audit: type=1400 audit(1554632311.803:199): avc: denied { setopt } for pid=23984 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 5 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.