audit: type=1400 audit(1575447303.941:28): avc: denied { create } for pid=11437 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
===============================
[ INFO: suspicious RCU usage. ]
4.9.205-syzkaller #0 Not tainted
-------------------------------
include/linux/inetdevice.h:205 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 0
4 locks held by syz-executor.2/11439:
#0: (rcu_read_lock_bh){......}, at: [<0000000040071623>] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:198
#1: (rcu_read_lock_bh){......}, at: [<00000000448501fc>] __dev_queue_xmit+0x1d4/0x1bd0 net/core/dev.c:3407
#2: (_xmit_TUNNEL6#2){+.-...}, at: [<0000000070208eed>] spin_lock include/linux/spinlock.h:302 [inline]
#2: (_xmit_TUNNEL6#2){+.-...}, at: [<0000000070208eed>] __netif_tx_lock include/linux/netdevice.h:3573 [inline]
#2: (_xmit_TUNNEL6#2){+.-...}, at: [<0000000070208eed>] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469
#3: (slock-AF_INET){+.-...}, at: [<000000007c70c95d>] spin_trylock include/linux/spinlock.h:312 [inline]
#3: (slock-AF_INET){+.-...}, at: [<000000007c70c95d>] icmp_xmit_lock net/ipv4/icmp.c:220 [inline]
#3: (slock-AF_INET){+.-...}, at: [<000000007c70c95d>] __icmp_send+0x48b/0x1420 net/ipv4/icmp.c:656
stack backtrace:
CPU: 0 PID: 11439 Comm: syz-executor.2 Not tainted 4.9.205-syzkaller #0
ffff8801d9876dd8 ffffffff81b55e6b ffff8801d0873640 0000000000000000
0000000000000002 00000000000000cd ffff8801b60317c0 ffff8801d9876e08
ffffffff81406997 ffff8801d0873698 ffff8801d9876f28 ffff8801c9a5b300
Call Trace:
[<000000001088a901>] __dump_stack lib/dump_stack.c:15 [inline]
[<000000001088a901>] dump_stack+0xcb/0x130 lib/dump_stack.c:56
[<00000000d29a5c8a>] lockdep_rcu_suspicious.cold+0x10a/0x149 kernel/locking/lockdep.c:4458
[<000000007a2e065e>] __in_dev_get_rcu include/linux/inetdevice.h:205 [inline]
[<000000007a2e065e>] fib_compute_spec_dst+0x6c4/0xcc0 net/ipv4/fib_frontend.c:284
[<000000002bccb755>] __ip_options_echo+0x4be/0x13e0 net/ipv4/ip_options.c:177
[<0000000099336fb0>] __icmp_send+0x648/0x1420 net/ipv4/icmp.c:685
[<0000000041bee347>] ipv4_send_dest_unreach net/ipv4/route.c:1203 [inline]
[<0000000041bee347>] ipv4_link_failure+0x460/0x850 net/ipv4/route.c:1210
[<00000000a5c825b8>] dst_link_failure include/net/dst.h:490 [inline]
[<00000000a5c825b8>] vti6_xmit net/ipv6/ip6_vti.c:522 [inline]
[<00000000a5c825b8>] vti6_tnl_xmit+0xb08/0x17f0 net/ipv6/ip6_vti.c:561
[<0000000089e0ee82>] __netdev_start_xmit include/linux/netdevice.h:4072 [inline]
[<0000000089e0ee82>] netdev_start_xmit include/linux/netdevice.h:4081 [inline]
[<0000000089e0ee82>] xmit_one net/core/dev.c:2977 [inline]
[<0000000089e0ee82>] dev_hard_start_xmit+0x195/0x8b0 net/core/dev.c:2993
[<000000003ac1a8f5>] __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
[<000000002a5f41b0>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
[<00000000ef55ad13>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1368
[<00000000bad4ecab>] dst_neigh_output include/net/dst.h:470 [inline]
[<00000000bad4ecab>] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:225
[<000000006bce025a>] ip_finish_output+0x3c4/0xce0 net/ipv4/ip_output.c:313
[<000000000c19fc01>] NF_HOOK_COND include/linux/netfilter.h:246 [inline]
[<000000000c19fc01>] ip_output+0x1ec/0x5b0 net/ipv4/ip_output.c:401
[<00000000b357d6c5>] dst_output include/net/dst.h:507 [inline]
[<00000000b357d6c5>] NF_HOOK_THRESH include/linux/netfilter.h:232 [inline]
[<00000000b357d6c5>] NF_HOOK include/linux/netfilter.h:255 [inline]
[<00000000b357d6c5>] raw_send_hdrinc net/ipv4/raw.c:421 [inline]
[<00000000b357d6c5>] raw_sendmsg+0x1c5c/0x23e0 net/ipv4/raw.c:643
[<000000009b7206ce>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
[<00000000e629d09f>] sock_sendmsg_nosec net/socket.c:649 [inline]
[<00000000e629d09f>] sock_sendmsg+0xbe/0x110 net/socket.c:659
[<00000000b3e3e074>] sock_write_iter+0x235/0x3d0 net/socket.c:857
[<00000000bfe7ab69>] new_sync_write fs/read_write.c:498 [inline]
[<00000000bfe7ab69>] __vfs_write+0x3c1/0x560 fs/read_write.c:511
[<0000000054730f02>] vfs_write+0x185/0x520 fs/read_write.c:559
[<0000000047a9e80d>] SYSC_write fs/read_write.c:607 [inline]
[<0000000047a9e80d>] SyS_write+0x121/0x270 fs/read_write.c:599
[<000000009b05f9bf>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
[<0000000007c0475b>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
audit: type=1400 audit(1575447304.371:29): avc: denied { transfer } for pid=11464 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 11464:11465 got transaction with invalid parent offset or type
binder: 11464:11465 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11464:11465 ioctl 40046207 0 returned -16
binder: 11470:11471 got transaction with invalid parent offset or type
binder: 11470:11471 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1400 audit(1575447304.741:30): avc: denied { write } for pid=11437 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
binder: 11489:11492 got transaction with invalid parent offset or type
binder: 11486:11493 got transaction with invalid parent offset or type
binder: 11486:11493 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11494:11497 got transaction with invalid parent offset or type
binder: 11494:11497 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11500:11502 got transaction with invalid parent offset or type
binder: 11500:11502 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11499:11503 got transaction with invalid parent offset or type
binder: 11499:11503 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11510:11512 got transaction with invalid parent offset or type
binder: 11510:11512 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11505:11511 got transaction with invalid parent offset or type
binder: 11505:11511 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11522:11526 got transaction with invalid parent offset or type
binder: 11522:11526 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11524:11525 got transaction with invalid parent offset or type
binder: 11524:11525 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11530:11533 got transaction with invalid parent offset or type
binder: 11530:11533 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11489:11492 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11549:11552 got transaction with invalid parent offset or type
binder: 11553:11558 got transaction with invalid parent offset or type
binder: 11553:11558 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11562:11571 got transaction with invalid parent offset or type
binder: 11562:11571 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11549:11552 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11586:11593 got transaction with invalid parent offset or type
binder: 11586:11593 transaction failed 29201/-22, size 88-24 line 3454
binder: undelivered TRANSACTION_ERROR: 29201