IPVS: length: 4096 != 24 BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:422/tfrc_rx_hist_sample_rtt() CPU: 0 PID: 30041 Comm: syz-executor.0 Not tainted 5.0.0+ #97 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 tfrc_rx_hist_sample_rtt.cold+0x56/0x61 net/dccp/ccids/lib/packet_history.c:422 ccid3_hc_rx_packet_recv+0x5c6/0xeb0 net/dccp/ccids/ccid3.c:767 ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline] dccp_deliver_input_to_ccids+0xee/0x280 net/dccp/input.c:180 dccp_rcv_established net/dccp/input.c:378 [inline] dccp_rcv_established+0x83/0xb0 net/dccp/input.c:368 dccp_v4_do_rcv+0x139/0x190 net/dccp/ipv4.c:659 sk_backlog_rcv include/net/sock.h:937 [inline] __sk_receive_skb+0x341/0xbf0 net/core/sock.c:527 dccp_v4_rcv+0xeaa/0x1bf1 net/dccp/ipv4.c:880 ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208 ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234 NF_HOOK include/linux/netfilter.h:289 [inline] NF_HOOK include/linux/netfilter.h:283 [inline] ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255 dst_input include/net/dst.h:450 [inline] ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:414 NF_HOOK include/linux/netfilter.h:289 [inline] NF_HOOK include/linux/netfilter.h:283 [inline] ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:524 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083 process_backlog+0x206/0x750 net/core/dev.c:5923 napi_poll net/core/dev.c:6346 [inline] net_rx_action+0x4fa/0x1070 net/core/dev.c:6412 __do_softirq+0x266/0x95a kernel/softirq.c:292 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1027 do_softirq.part.0+0x11a/0x170 kernel/softirq.c:337 do_softirq kernel/softirq.c:329 [inline] __local_bh_enable_ip+0x211/0x270 kernel/softirq.c:189 local_bh_enable include/linux/bottom_half.h:32 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:696 [inline] ip_finish_output2+0x99c/0x1740 net/ipv4/ip_output.c:231 ip_finish_output+0x73c/0xd50 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:278 [inline] ip_output+0x21f/0x670 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0xc4/0x1b0 net/ipv4/ip_output.c:124 __ip_queue_xmit+0x86f/0x1bf0 net/ipv4/ip_output.c:505 ip_queue_xmit+0x5a/0x70 include/net/ip.h:198 dccp_transmit_skb+0x977/0x12c0 net/dccp/output.c:142 dccp_xmit_packet+0x1f6/0x660 net/dccp/output.c:281 dccp_write_xmit+0x181/0x1e0 net/dccp/output.c:363 dccp_sendmsg+0xa60/0xd00 net/dccp/proto.c:816 inet_sendmsg+0x147/0x5d0 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xdd/0x130 net/socket.c:632 __sys_sendto+0x262/0x380 net/socket.c:1809 __do_sys_sendto net/socket.c:1821 [inline] __se_sys_sendto net/socket.c:1817 [inline] __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1817 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457f29 Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f0ee0646c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457f29 RDX: 000000000000009d RSI: 0000000020000400 RDI: 0000000000000005 RBP: 000000000073c040 R08: 0000000020000240 R09: 0000000000000040 R10: 0000000004008000 R11: 0000000000000246 R12: 00007f0ee06476d4 R13: 00000000004c56a8 R14: 00000000004d9630 R15: 00000000ffffffff IPVS: set_ctl: invalid protocol: 0 0.0.0.0:20004 dccp_close: ABORT with 466 bytes unread IPVS: ftp: loaded support on port[0] = 21 validate_nla: 9 callbacks suppressed netlink: 'syz-executor.4': attribute type 1 has an invalid length. Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 'syz-executor.4': attribute type 1 has an invalid length. Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable IPVS: ftp: loaded support on port[0] = 21 netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 'syz-executor.4': attribute type 1 has an invalid length. audit: type=1800 audit(1551833996.477:134): pid=30192 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.0" name=6322757365742E6566666563746976655F6D656D73 dev="sda1" ino=16539 res=0 netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 'syz-executor.0': attribute type 1 has an invalid length. netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 'syz-executor.4': attribute type 1 has an invalid length. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 30271 Comm: syz-executor.3 Not tainted 5.0.0+ #97 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0xa/0x1b lib/fault-inject.c:149 __should_failslab+0x121/0x190 mm/failslab.c:32 should_failslab+0x9/0x14 mm/slab_common.c:1604 slab_pre_alloc_hook mm/slab.h:423 [inline] slab_alloc mm/slab.c:3374 [inline] kmem_cache_alloc+0x47/0x6f0 mm/slab.c:3548 __build_skb+0x3e/0x310 net/core/skbuff.c:284 __napi_alloc_skb+0x1d2/0x300 net/core/skbuff.c:489 napi_alloc_skb include/linux/skbuff.h:2728 [inline] napi_get_frags net/core/dev.c:5734 [inline] napi_get_frags+0x65/0x140 net/core/dev.c:5729 tun_napi_alloc_frags drivers/net/tun.c:1484 [inline] tun_get_user+0x1681/0x3d70 drivers/net/tun.c:1845 tun_chr_write_iter+0xbd/0x160 drivers/net/tun.c:2019 call_write_iter include/linux/fs.h:1869 [inline] do_iter_readv_writev+0x5e0/0x8e0 fs/read_write.c:680 do_iter_write fs/read_write.c:956 [inline] do_iter_write+0x184/0x610 fs/read_write.c:937 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1001 do_writev+0xf6/0x290 fs/read_write.c:1036 __do_sys_writev fs/read_write.c:1109 [inline] __se_sys_writev fs/read_write.c:1106 [inline] __x64_sys_writev+0x75/0xb0 fs/read_write.c:1106 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457de1 Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b9 fb ff c3 48 83 ec 08 e8 1a 2d 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 63 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'. RSP: 002b:00007fe08ed35ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00000000000003a5 RCX: 0000000000457de1 RDX: 0000000000000001 RSI: 00007fe08ed35bf0 RDI: 00000000000000f0 RBP: 0000000020007000 R08: 00000000000000f0 R09: 0000000000000000 R10: 0000000000000064 R11: 0000000000000293 R12: 00007fe08ed366d4 R13: 00000000004c65e1 R14: 00000000004dbac0 R15: 0000000000000004 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 0 PID: 30341 Comm: syz-executor.3 Not tainted 5.0.0+ #97 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0xa/0x1b lib/fault-inject.c:149 __should_failslab+0x121/0x190 mm/failslab.c:32 should_failslab+0x9/0x14 mm/slab_common.c:1604 slab_pre_alloc_hook mm/slab.h:423 [inline] slab_alloc_node mm/slab.c:3295 [inline] kmem_cache_alloc_node_trace+0x5a/0x720 mm/slab.c:3655 __do_kmalloc_node mm/slab.c:3677 [inline] __kmalloc_node_track_caller+0x3d/0x70 mm/slab.c:3692 __kmalloc_reserve.isra.0+0x40/0xf0 net/core/skbuff.c:140 pskb_expand_head+0x14e/0xdd0 net/core/skbuff.c:1469 __skb_grow include/linux/skbuff.h:2591 [inline] tun_napi_alloc_frags drivers/net/tun.c:1490 [inline] tun_get_user+0x1e87/0x3d70 drivers/net/tun.c:1845 tun_chr_write_iter+0xbd/0x160 drivers/net/tun.c:2019 call_write_iter include/linux/fs.h:1869 [inline] do_iter_readv_writev+0x5e0/0x8e0 fs/read_write.c:680 do_iter_write fs/read_write.c:956 [inline] do_iter_write+0x184/0x610 fs/read_write.c:937 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1001 do_writev+0xf6/0x290 fs/read_write.c:1036 __do_sys_writev fs/read_write.c:1109 [inline] __se_sys_writev fs/read_write.c:1106 [inline] __x64_sys_writev+0x75/0xb0 fs/read_write.c:1106 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457de1 Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b9 fb ff c3 48 83 ec 08 e8 1a 2d 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 63 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fe08ecd2ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00000000000003a5 RCX: 0000000000457de1 RDX: 0000000000000001 RSI: 00007fe08ecd2bf0 RDI: 00000000000000f0 RBP: 0000000020007000 R08: 00000000000000f0 R09: 0000000000000000 R10: 0000000000000064 R11: 0000000000000293 R12: 00007fe08ecd36d4 R13: 00000000004c65e1 R14: 00000000004dbac0 R15: 0000000000000003 IPVS: set_ctl: invalid protocol: 63 172.20.20.170:20003 netlink: 16 bytes leftover after parsing attributes in process `syz-executor.4'. audit: type=1804 audit(1551833999.747:135): pid=30375 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.0" name="/root/syzkaller-testdir182857046/syzkaller.Ska4p1/592/memory.events" dev="sda1" ino=16531 res=1 netlink: 16 bytes leftover after parsing attributes in process `syz-executor.4'. validate_nla: 11 callbacks suppressed netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 'syz-executor.1': attribute type 6 has an invalid length. netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. audit: type=1804 audit(1551834000.387:136): pid=30367 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.0" name="/root/syzkaller-testdir182857046/syzkaller.Ska4p1/592/memory.events" dev="sda1" ino=16531 res=1 IPVS: set_ctl: invalid protocol: 63 172.20.20.170:20003 netlink: 'syz-executor.4': attribute type 1 has an invalid length. audit: type=1800 audit(1551834000.597:137): pid=30431 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed comm="syz-executor.0" name="memory.events" dev="sda1" ino=16531 res=0 netlink: 'syz-executor.4': attribute type 1 has an invalid length. audit: type=1804 audit(1551834000.747:138): pid=30444 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir540114860/syzkaller.zozRWA/736/memory.events" dev="sda1" ino=16529 res=1 netlink: 'syz-executor.4': attribute type 1 has an invalid length. audit: type=1804 audit(1551834001.027:139): pid=30444 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.2" name="/root/syzkaller-testdir540114860/syzkaller.zozRWA/736/memory.events" dev="sda1" ino=16529 res=1 netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 'syz-executor.4': attribute type 1 has an invalid length. audit: type=1804 audit(1551834001.077:140): pid=30444 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.2" name="/root/syzkaller-testdir540114860/syzkaller.zozRWA/736/memory.events" dev="sda1" ino=16529 res=1 netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 'syz-executor.4': attribute type 1 has an invalid length. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'.