=============================
WARNING: suspicious RCU usage
4.15.0-rc9+ #207 Not tainted
-----------------------------
net/ipv6/ip6_fib.c:1731 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
4 locks held by syz-executor5/10770:
 #0:  ((&net->ipv6.ip6_fib_timer)){+.-.}, at: [<000000008d3754f7>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
 #0:  ((&net->ipv6.ip6_fib_timer)){+.-.}, at: [<000000008d3754f7>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1308
 #1:  (&(&net->ipv6.fib6_gc_lock)->rlock){+.-.}, at: [<00000000506936d1>] spin_lock_bh include/linux/spinlock.h:315 [inline]
 #1:  (&(&net->ipv6.fib6_gc_lock)->rlock){+.-.}, at: [<00000000506936d1>] fib6_run_gc+0x9d/0x3c0 net/ipv6/ip6_fib.c:2043
 #2:  (rcu_read_lock){....}, at: [<00000000bc255445>] __fib6_clean_all+0x0/0x3a0 net/ipv6/ip6_fib.c:1583
 #3:  (&(&tb->tb6_lock)->rlock){+.-.}, at: [<00000000be86e9b5>] spin_lock_bh include/linux/spinlock.h:315 [inline]
 #3:  (&(&tb->tb6_lock)->rlock){+.-.}, at: [<00000000be86e9b5>] __fib6_clean_all+0x1d0/0x3a0 net/ipv6/ip6_fib.c:1984

stack backtrace:
CPU: 1 PID: 10770 Comm: syz-executor5 Not tainted 4.15.0-rc9+ #207
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
 fib6_del+0xc9c/0x12c0 net/ipv6/ip6_fib.c:1730
 fib6_clean_node+0x42e/0x580 net/ipv6/ip6_fib.c:1921
 fib6_walk_continue+0x46c/0x8a0 net/ipv6/ip6_fib.c:1844
 fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1892
 fib6_clean_tree+0x1e6/0x340 net/ipv6/ip6_fib.c:1969
 __fib6_clean_all+0x1f4/0x3a0 net/ipv6/ip6_fib.c:1985
 fib6_clean_all net/ipv6/ip6_fib.c:1996 [inline]
 fib6_run_gc+0x16b/0x3c0 net/ipv6/ip6_fib.c:2052
 fib6_gc_timer_cb+0x20/0x30 net/ipv6/ip6_fib.c:2069
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1318
 expire_timers kernel/time/timer.c:1355 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1658
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1684
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:937
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:777 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x5e/0xba kernel/locking/spinlock.c:184
RSP: 0018:ffff8801ad70ea10 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff11
RAX: dffffc0000000000 RBX: 0000000000000282 RCX: 0000000000000000
RDX: 1ffffffff0d1918d RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffff8801ad70ea20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff87f8f1e8
R13: ffff8801ad70ebd8 R14: 0000000000000000 R15: dffffc0000000000
 __debug_check_no_obj_freed lib/debugobjects.c:758 [inline]
 debug_check_no_obj_freed+0x3da/0xf1f lib/debugobjects.c:774
 free_pages_prepare mm/page_alloc.c:1065 [inline]
 free_pcp_prepare mm/page_alloc.c:1079 [inline]
 free_unref_page_prepare mm/page_alloc.c:2622 [inline]
 free_unref_page+0x31f/0x9e0 mm/page_alloc.c:2672
 __put_single_page mm/swap.c:79 [inline]
 __put_page+0xf9/0x160 mm/swap.c:113
 put_page include/linux/mm.h:865 [inline]
 free_page_and_swap_cache+0x496/0x620 mm/swap_state.c:307
 __tlb_remove_table arch/x86/include/asm/tlb.h:30 [inline]
 tlb_remove_table+0x245/0x370 mm/memory.c:384
 ___pmd_free_tlb+0xc1/0x130 arch/x86/mm/pgtable.c:76
 __pmd_free_tlb arch/x86/include/asm/pgalloc.h:124 [inline]
 free_pmd_range mm/memory.c:474 [inline]
 free_pud_range mm/memory.c:492 [inline]
 free_p4d_range mm/memory.c:526 [inline]
 free_pgd_range+0x8dd/0xd90 mm/memory.c:606
 free_pgtables+0x270/0x330 mm/memory.c:638
 exit_mmap+0x291/0x500 mm/mmap.c:3039
 __mmput kernel/fork.c:923 [inline]
 mmput+0x223/0x6d0 kernel/fork.c:944
 exit_mm kernel/exit.c:544 [inline]
 do_exit+0x90a/0x1ad0 kernel/exit.c:852
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x73f/0x16c0 kernel/signal.c:2335
 do_signal+0x90/0x1eb0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
 ret_from_fork+0x15/0x50 arch/x86/entry/entry_64.S:534
RIP: 0033:0x4558a9
RSP: 002b:00007fbc6e73bdb0 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
RAX: 0000000000000000 RBX: 00007fbc6e73c700 RCX: 00000000004558a9
RDX: 00007fbc6e73c9d0 RSI: 00007fbc6e73bdb0 RDI: 00000000003d0f00
RBP: 0000000000a2f850 R08: 00007fbc6e73c700 R09: 00007fbc6e73c700
R10: 00007fbc6e73c9d0 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000a2f7cf R14: 00007fbc6e73c9c0 R15: 0000000000000002
syz1: Invalid MTU -2147483647 requested, hw min 68
syz1: Invalid MTU -2147483647 requested, hw min 68
netlink: 'syz-executor1': attribute type 6 has an invalid length.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
openvswitch: netlink: Flow set message rejected, Key attribute missing.
netlink: 'syz-executor1': attribute type 6 has an invalid length.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 'syz-executor3': attribute type 2 has an invalid length.
netlink: 'syz-executor3': attribute type 2 has an invalid length.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
sctp: [Deprecated]: syz-executor3 (pid 11566) Use of int in maxseg socket option. Use struct sctp_assoc_value instead
netlink: 'syz-executor1': attribute type 1 has an invalid length.
netlink: 'syz-executor1': attribute type 1 has an invalid length.
sctp: [Deprecated]: syz-executor3 (pid 11566) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor3 (pid 11583) Use of int in maxseg socket option. Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor3 (pid 11583) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 11809 Comm: syz-executor2 Not tainted 4.15.0-rc9+ #207
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc_node mm/slab.c:3289 [inline]
 kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3632
 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:983 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 inet6_ifa_notify net/ipv6/addrconf.c:4975 [inline]
 __ipv6_ifa_notify+0x117/0xaa0 net/ipv6/addrconf.c:5535
 ipv6_ifa_notify+0xd9/0x1c0 net/ipv6/addrconf.c:5579
 ipv6_del_addr+0x472/0xb70 net/ipv6/addrconf.c:1254
 inet6_addr_del+0x2ff/0x5b0 net/ipv6/addrconf.c:2928
 addrconf_del_ifaddr+0x139/0x1c0 net/ipv6/addrconf.c:2973
 inet6_ioctl+0x86/0x1e0 net/ipv6/af_inet6.c:525
 sock_do_ioctl+0x65/0xb0 net/socket.c:958
 sock_ioctl+0x2c2/0x440 net/socket.c:1055
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x452f19
RSP: 002b:00007f331beaec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f331beaeaa0 RCX: 0000000000452f19
RDX: 0000000020000000 RSI: 0000000000008936 RDI: 0000000000000013
RBP: 00007f331beaea90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7c96
R13: 00007f331beaebc8 R14: 00000000004b7c96 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 11854 Comm: syz-executor2 Not tainted 4.15.0-rc9+ #207
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc_node mm/slab.c:3289 [inline]
 kmem_cache_alloc_node_trace+0x5a/0x750 mm/slab.c:3651
 __do_kmalloc_node mm/slab.c:3671 [inline]
 __kmalloc_node_track_caller+0x33/0x70 mm/slab.c:3686
 __kmalloc_reserve.isra.39+0x41/0xd0 net/core/skbuff.c:137
 __alloc_skb+0x13b/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:983 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 inet6_ifa_notify net/ipv6/addrconf.c:4975 [inline]
 __ipv6_ifa_notify+0x117/0xaa0 net/ipv6/addrconf.c:5535
 ipv6_ifa_notify+0xd9/0x1c0 net/ipv6/addrconf.c:5579
 ipv6_del_addr+0x472/0xb70 net/ipv6/addrconf.c:1254
 inet6_addr_del+0x2ff/0x5b0 net/ipv6/addrconf.c:2928
 addrconf_del_ifaddr+0x139/0x1c0 net/ipv6/addrconf.c:2973
 inet6_ioctl+0x86/0x1e0 net/ipv6/af_inet6.c:525
 sock_do_ioctl+0x65/0xb0 net/socket.c:958
 sock_ioctl+0x2c2/0x440 net/socket.c:1055
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x452f19
RSP: 002b:00007f331beaec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f331beaeaa0 RCX: 0000000000452f19
RDX: 0000000020000000 RSI: 0000000000008936 RDI: 0000000000000013
RBP: 00007f331beaea90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7c96
R13: 00007f331beaebc8 R14: 00000000004b7c96 R15: 0000000000000000
netlink: 28 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=12191 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=12204 comm=syz-executor5
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
netlink: 'syz-executor0': attribute type 2 has an invalid length.
netlink: 'syz-executor0': attribute type 2 has an invalid length.
sctp: [Deprecated]: syz-executor4 (pid 12438) Use of int in max_burst socket option deprecated. Use struct sctp_assoc_value instead
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 'syz-executor0': attribute type 12 has an invalid length.
nla_parse: 2 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=4278 sclass=netlink_tcpdiag_socket pig=13074 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=4278 sclass=netlink_tcpdiag_socket pig=13074 comm=syz-executor6
device syz0 entered promiscuous mode
device syz0 left promiscuous mode