R10: 0000000020b89fe4 R11: 0000000000000246 R12: 0000000000000014
R13: 00000000000005fc R14: 00000000006fc040 R15: 0000000000000003
list_del corruption. prev->next should be 00000000a59a877b, but was 0000000097ebab9e
Subscriber rejected, no memory
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
invalid opcode: 0000 [#1] SMP PTI
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 9827 Comm: syz-executor6 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid+0x37c/0x440 lib/list_debug.c:51
RSP: 0018:ffff8801a755f1a8 EFLAGS: 00010282
RAX: 0000000000000054 RBX: ffffffffffffffff RCX: 0000000000000000
RDX: 0000000000000000 RSI: aaaaaaaaaaaab000 RDI: ffffea0000000000
RBP: ffff8801a755f200 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88015582a288
R13: 0000000000000000 R14: 00000000966000ce R15: 00000000966000ce
FS: 00007f291d0a4700(0000) GS:ffff88021fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff3c5c8bdb8 CR3: 000000015caa2000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_del_entry include/linux/list.h:117 [inline]
list_del_init include/linux/list.h:159 [inline]
tipc_nametbl_unsubscribe+0x4a1/0xa90 net/tipc/name_table.c:848
tipc_subscrb_subscrp_delete+0x399/0x990 net/tipc/subscr.c:212
tipc_subscrb_delete net/tipc/subscr.c:242 [inline]
tipc_subscrb_release_cb+0x61/0x100 net/tipc/subscr.c:321
tipc_topsrv_kern_unsubscr+0x54b/0x630 net/tipc/server.c:535
tipc_group_delete+0x4c8/0x520 net/tipc/group.c:231
tipc_sk_leave net/tipc/socket.c:2795 [inline]
tipc_release+0x215/0x1730 net/tipc/socket.c:577
sock_release net/socket.c:595 [inline]
sock_close+0xe0/0x300 net/socket.c:1149
__fput+0x49e/0xa10 fs/file_table.c:209
____fput+0x37/0x40 fs/file_table.c:243 task_work_run+0x243/0x2c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x10e1/0x38d0 kernel/exit.c:867 do_group_exit+0x1a0/0x360 kernel/exit.c:970 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 get_signal+0x1320/0x1f20 kernel/signal.c:2469 do_signal+0xb8/0x1c80 arch/x86/kernel/signal.c:809 CPU: 0 PID: 9847 Comm: syz-executor5 Not tainted 4.16.0+ #87 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x87b/0xab0 lib/fault-inject.c:149 exit_to_usermode_loop arch/x86/entry/common.c:162 [inline] prepare_exit_to_usermode+0x271/0x3a0 arch/x86/entry/common.c:196 should_failslab+0x279/0x2a0 mm/failslab.c:32 syscall_return_slowpath+0xe9/0x700 arch/x86/entry/common.c:265 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc_node mm/slub.c:2663 [inline] slab_alloc mm/slub.c:2745 [inline] __kmalloc+0xc2/0x350 mm/slub.c:3785 do_syscall_64+0x36d/0x430 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 kmalloc include/linux/slab.h:517 [inline] tipc_subscrp_create net/tipc/subscr.c:270 [inline] tipc_subscrp_subscribe net/tipc/subscr.c:299 [inline] tipc_subscrb_rcv_cb+0x566/0xe80 net/tipc/subscr.c:345 RIP: 0033:0x455389 RSP: 002b:00007f291d0a3ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca tipc_topsrv_kern_subscr+0x4ff/0x610 net/tipc/server.c:519 RAX: fffffffffffffe00 RBX: 000000000072bec8 RCX: 0000000000455389 tipc_group_create+0x63e/0x9c0 net/tipc/group.c:194 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000072bec8 tipc_sk_join net/tipc/socket.c:2761 [inline] tipc_setsockopt+0x120c/0x1e50 net/tipc/socket.c:2876 RBP: 000000000072bec8 R08: 0000000000000036 R09: 000000000072bea0 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 
R13: 0000000000a3e81f R14: 00007f291d0a49c0 R15: 0000000000000000 Code: 00 48 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849 c7 SyS_setsockopt+0x76/0xa0 net/socket.c:1828 81 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 80 0c entry_SYSCALL_64_after_hwframe+0x3d/0xa2 00 RIP: 0033:0x455389 00 RSP: 002b:00007f77bb762c68 EFLAGS: 00000246 00 ORIG_RAX: 0000000000000036 00 RAX: ffffffffffffffda RBX: 00007f77bb7636d4 RCX: 0000000000455389 00 RDX: 0000000000000087 RSI: 000000000000010f RDI: 0000000000000013 00 c7 RBP: 000000000072bea0 R08: 000000000000001c R09: 0000000000000000 81 R10: 0000000020b89fe4 R11: 0000000000000246 R12: 0000000000000014 20 03 R13: 00000000000005fc R14: 00000000006fc040 R15: 0000000000000004 00 Subscription rejected, no memory 00 00 00 00 00 48 c7 c7 b5 f7 82 8a 31 c0 48 8b 75 c0 4c 89 e2 e8 a4 a7 51 fd <0f> 0b 66 90 eb fe 44 89 f7 e8 76 83 cb fd e9 88 fd ff ff 48 85 RIP: __list_del_entry_valid+0x37c/0x440 lib/list_debug.c:51 RSP: ffff8801a755f1a8 ---[ end trace 3b79b923f6faba61 ]---