============================= WARNING: suspicious RCU usage 4.15.0+ #308 Not tainted ----------------------------- ./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz-executor1/5373: #0: (rcu_read_lock){....}, at: [<00000000011e19e7>] __rds_conn_create+0xe46/0x1b50 net/rds/connection.c:218 stack backtrace: kauditd_printk_skb: 2 callbacks suppressed audit: type=1400 audit(1518368578.239:21): avc: denied { map } for pid=5384 comm="syz-executor4" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=15418 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file permissive=1 CPU: 0 PID: 5373 Comm: syz-executor1 Not tainted 4.15.0+ #308 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592 rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline] ___might_sleep+0x385/0x470 kernel/sched/core.c:6093 __might_sleep+0x95/0x190 kernel/sched/core.c:6081 slab_pre_alloc_hook mm/slab.h:420 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc+0x2a2/0x760 mm/slab.c:3539 rds_tcp_conn_alloc+0xa7/0x4e0 net/rds/tcp.c:296 __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227 rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309 rds_sendmsg+0xda3/0x2390 net/rds/send.c:1126 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046 __sys_sendmsg+0xe5/0x210 net/socket.c:2080 SYSC_sendmsg net/socket.c:2091 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2087 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x453a59 RSP: 002b:00007f961a3ebc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f961a3ec6d4 RCX: 0000000000453a59 RDX: 0000000000000000 RSI: 0000000020006fc8 RDI: 0000000000000014 RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004b5 R14: 00000000006f7198 R15: 0000000000000000 BUG: sleeping function called from invalid context at mm/slab.h:420 in_atomic(): 1, irqs_disabled(): 0, pid: 5373, name: syz-executor1 1 lock held by syz-executor1/5373: #0: (rcu_read_lock){....}, at: [<00000000011e19e7>] __rds_conn_create+0xe46/0x1b50 net/rds/connection.c:218 CPU: 0 PID: 5373 Comm: syz-executor1 Not tainted 4.15.0+ #308 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128 __might_sleep+0x95/0x190 kernel/sched/core.c:6081 slab_pre_alloc_hook mm/slab.h:420 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc+0x2a2/0x760 mm/slab.c:3539 rds_tcp_conn_alloc+0xa7/0x4e0 net/rds/tcp.c:296 __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227 rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309 rds_sendmsg+0xda3/0x2390 net/rds/send.c:1126 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046 __sys_sendmsg+0xe5/0x210 net/socket.c:2080 SYSC_sendmsg net/socket.c:2091 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2087 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x453a59 RSP: 002b:00007f961a3ebc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f961a3ec6d4 RCX: 0000000000453a59 RDX: 0000000000000000 RSI: 0000000020006fc8 RDI: 0000000000000014 RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004b5 R14: 00000000006f7198 R15: 0000000000000000 atomic_op 00000000743583d6 conn xmit_atomic (null) capability: warning: `syz-executor4' uses 32-bit capabilities (legacy support in use) audit: type=1400 audit(1518368579.279:22): avc: denied { create } for pid=5457 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1518368579.280:23): avc: denied { write } for pid=5457 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1518368579.349:24): avc: denied { net_bind_service } for pid=1232 comm="kworker/u5:0" capability=10 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=cap_userns permissive=1 tc_ctl_action: received NO action attribs audit: type=1400 audit(1518368579.432:25): avc: denied { net_bind_service } for pid=5472 comm="syz-executor5" capability=10 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 tc_ctl_action: received NO action attribs audit: type=1400 audit(1518368579.735:26): avc: denied { name_bind } for pid=5578 comm="syz-executor2" src=20008 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1 xt_connbytes: Forcing CT accounting to be enabled audit: type=1400 audit(1518368579.735:27): avc: denied { node_bind } for pid=5578 comm="syz-executor2" saddr=::1 src=20008 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket permissive=1 audit: type=1400 audit(1518368579.773:28): avc: denied { name_connect } for pid=5578 comm="syz-executor2" dest=20008 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1 audit: type=1400 audit(1518368579.868:29): avc: denied { prog_load } for pid=5600 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 audit: type=1400 audit(1518368579.895:30): avc: denied { prog_run } for pid=5600 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 netlink: 'syz-executor2': attribute type 15 has an invalid length. netlink: 'syz-executor2': attribute type 15 has an invalid length. mmap: syz-executor6 (5675) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. binder: 5764:5767 ioctl c018620b 2009cfe8 returned -14 binder: 5764:5767 ioctl c018620b 2009cfe8 returned -14 xt_connbytes: Forcing CT accounting to be enabled x_tables: ip_tables: tcp match: only valid for protocol 6 ip6t_rpfilter: unknown options encountered ip6t_rpfilter: unknown options encountered netlink: 'syz-executor1': attribute type 1 has an invalid length. netlink: 'syz-executor1': attribute type 1 has an invalid length. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 1 PID: 6001 Comm: syz-executor3 Tainted: G W 4.15.0+ #308 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc_node mm/slab.c:3286 [inline] kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3629 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:983 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1180 [inline] netlink_sendmsg+0xa86/0xe60 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046 __sys_sendmsg+0xe5/0x210 net/socket.c:2080 SYSC_sendmsg net/socket.c:2091 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2087 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x453a59 RSP: 002b:00007f38df94ac68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f38df94b6d4 RCX: 0000000000453a59 RDX: 0000000000000000 RSI: 0000000020004000 RDI: 0000000000000013 RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014 R13: 00000000000004a6 R14: 00000000006f7030 R15: 0000000000000000 netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. QAT: Invalid ioctl QAT: Invalid ioctl nla_parse: 13 callbacks suppressed netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. device eql entered promiscuous mode netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. device syz6 entered promiscuous mode netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. kauditd_printk_skb: 13 callbacks suppressed audit: type=1400 audit(1518368583.329:44): avc: denied { set_context_mgr } for pid=6400 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder_alloc: 6400: binder_alloc_buf, no vma audit: type=1400 audit(1518368583.350:45): avc: denied { call } for pid=6400 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder: 6400:6404 transaction failed 29189/-3, size 80-16 line 2957 device syz6 left promiscuous mode netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. xprt_adjust_timeout: rq_timeout = 0! binder: undelivered TRANSACTION_ERROR: 29189 audit: type=1400 audit(1518368583.850:46): avc: denied { setgid } for pid=6504 comm="syz-executor6" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1518368584.074:47): avc: denied { getopt } for pid=6543 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1518368584.078:48): avc: denied { setuid } for pid=6543 comm="syz-executor3" capability=7 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1518368585.118:49): avc: denied { map } for pid=6562 comm="syz-executor2" path="/dev/sg0" dev="devtmpfs" ino=1119 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1 QAT: Invalid ioctl audit: type=1400 audit(1518368585.770:50): avc: denied { accept } for pid=6746 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1326 audit(1518368586.328:51): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6869 comm="syz-executor4" exe="/root/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453a59 code=0x0 TCP: request_sock_TCPv6: Possible SYN flooding on port 20006. Sending cookies. Check SNMP counters. xt_SECMARK: invalid security context 'system_u:object_r:udev_var_run_t:-0' Unknown options in mask 430 audit: type=1400 audit(1518368586.596:52): avc: denied { map } for pid=6975 comm="syz-executor0" path="/dev/binder0" dev="devtmpfs" ino=9136 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 Unknown options in mask 430 binder: 6975:6981 ERROR: BC_REGISTER_LOOPER called without request binder: BINDER_SET_CONTEXT_MGR already set binder: 6975:6987 ioctl 40046207 0 returned -16 binder: 6975:6981 ERROR: BC_REGISTER_LOOPER called without request binder_alloc: 6975: binder_alloc_buf, no vma binder: 6975:6987 transaction failed 29189/-3, size 0-0 line 2957 binder: undelivered TRANSACTION_ERROR: 29189 binder: release 6975:6981 transaction 5 out, still active binder: undelivered TRANSACTION_COMPLETE binder: send failed reply for transaction 5, target dead SELinux: policydb magic number 0x30 does not match expected magic number 0xf97cff8c SELinux: failed to load policy nla_parse: 33 callbacks suppressed netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. x86/PAT: syz-executor0:7262 map pfn RAM range req write-combining for [mem 0x1a9380000-0x1a9381fff], got write-back netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. sctp: [Deprecated]: syz-executor5 (pid 7322) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. binder: 7343:7349 ioctl c0306201 20abb000 returned -14 SELinux: policydb magic number 0x30 does not match expected magic number 0xf97cff8c SELinux: failed to load policy netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. binder: 7343:7349 ioctl c0306201 20abb000 returned -14 xt_connbytes: Forcing CT accounting to be enabled xt_CONNSECMARK: target only valid in the 'mangle' or 'security' tables, not 'raw'. SELinux: policydb magic number 0x30 does not match expected magic number 0xf97cff8c netlink: 20 bytes leftover after parsing attributes in process `syz-executor3'. SELinux: failed to load policy xt_CONNSECMARK: target only valid in the 'mangle' or 'security' tables, not 'raw'.