audit: type=1400 audit(1518204143.464:41): avc: denied { setopt } for pid=6900 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket permissive=1
=============================
WARNING: suspicious RCU usage
4.15.0+ #221 Not tainted
-----------------------------
net/tipc/bearer.c:177 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor4/6901:
 #0:  (cb_lock){++++}, at: [<000000008c9298c3>] genl_rcv+0x19/0x40 net/netlink/genetlink.c:634
 #1:  (genl_mutex){+.+.}, at: [<00000000976f2987>] genl_lock net/netlink/genetlink.c:33 [inline]
 #1:  (genl_mutex){+.+.}, at: [<00000000976f2987>] genl_rcv_msg+0x115/0x140 net/netlink/genetlink.c:622

stack backtrace:
CPU: 0 PID: 6901 Comm: syz-executor4 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
audit: type=1400 audit(1518204143.493:42): avc: denied { ioctl } for pid=6900 comm="syz-executor2" path="socket:[17511]" dev="sockfs" ino=17511 ioctlcmd=0x8905 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=sock_file permissive=1
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 tipc_bearer_find+0x2b4/0x3b0 net/tipc/bearer.c:177
 tipc_nl_compat_link_set+0x329/0x9f0 net/tipc/netlink_compat.c:729
 __tipc_nl_compat_doit net/tipc/netlink_compat.c:288 [inline]
 tipc_nl_compat_doit+0x15b/0x670 net/tipc/netlink_compat.c:335
 tipc_nl_compat_handle net/tipc/netlink_compat.c:1119 [inline]
 tipc_nl_compat_recv+0x1135/0x18f0 net/tipc/netlink_compat.c:1201
 genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
 genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
 netlink_rcv_skb+0x14b/0x380 net/netlink/af_netlink.c:2442
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
 netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334
 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
 __sys_sendmsg+0xe5/0x210 net/socket.c:2080
 SYSC_sendmsg net/socket.c:2091 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2087
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4537d9
RSP: 002b:00007fbfe08dac58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 00000000004537d9
RDX: 0000000000000000 RSI: 0000000020003000 RDI: 0000000000000013
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ef0d0
R13: 00000000ffffffff R14: 00007fbfe08db6d4 R15: 0000000000000000
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
syz-executor4 (7067) used greatest stack depth: 15408 bytes left
netlink: 'syz-executor7': attribute type 21 has an invalid length.
netlink: 'syz-executor3': attribute type 18 has an invalid length.
netlink: 'syz-executor7': attribute type 5 has an invalid length.
netlink: 'syz-executor3': attribute type 18 has an invalid length.
netlink: 'syz-executor7': attribute type 21 has an invalid length.
netlink: 'syz-executor7': attribute type 5 has an invalid length.
sctp: [Deprecated]: syz-executor7 (pid 7444) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor7 (pid 7444) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
syz-executor4 (7761) used greatest stack depth: 13632 bytes left
sctp: [Deprecated]: syz-executor4 (pid 7814) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
kauditd_printk_skb: 4 callbacks suppressed
audit: type=1400 audit(1518204147.312:47): avc: denied { ioctl } for pid=7950 comm="syz-executor7" path="socket:[20542]" dev="sockfs" ino=20542 ioctlcmd=0x89a0 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
nla_parse: 2 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
sctp: [Deprecated]: syz-executor5 (pid 8097) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor5 (pid 8097) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
NFQUEUE: number of total queues is 0
NFQUEUE: number of total queues is 0
NFQUEUE: number of total queues is 0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=8370 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=8370 comm=syz-executor2
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
CPU: 1 PID: 8437 Comm: syz-executor3 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:2955 [inline]
 prepare_alloc_pages mm/page_alloc.c:4194 [inline]
 __alloc_pages_nodemask+0x338/0xd80 mm/page_alloc.c:4233
netlink: 7 bytes leftover after parsing attributes in process `syz-executor5'.
 alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:492 [inline]
 skb_page_frag_refill+0x358/0x5f0 net/core/sock.c:2208
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
 tun_build_skb.isra.50+0x2f0/0x1810 drivers/net/tun.c:1630
 tun_get_user+0x17d0/0x3940 drivers/net/tun.c:1800
 tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1986
 call_write_iter include/linux/fs.h:1781 [inline]
 do_iter_readv_writev+0x55c/0x830 fs/read_write.c:653
 do_iter_write+0x154/0x540 fs/read_write.c:932
 vfs_writev+0x18a/0x340 fs/read_write.c:977
 do_writev+0xfc/0x2a0 fs/read_write.c:1012
 SYSC_writev fs/read_write.c:1085 [inline]
 SyS_writev+0x27/0x30 fs/read_write.c:1082
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4536b1
RSP: 002b:00007f65f33e6b80 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f65f33e6aa0 RCX: 00000000004536b1
RDX: 0000000000000001 RSI: 00007f65f33e6bd0 RDI: 0000000000000012
RBP: 00007f65f33e6a90 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003e R11: 0000000000000293 R12: 00000000004b863a
R13: 00007f65f33e6bc8 R14: 00000000004b863a R15: 0000000000000000
CPU: 0 PID: 8470 Comm: syz-executor7 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:2955 [inline]
 prepare_alloc_pages mm/page_alloc.c:4194 [inline]
 __alloc_pages_nodemask+0x338/0xd80 mm/page_alloc.c:4233
 alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:492 [inline]
 skb_page_frag_refill+0x358/0x5f0 net/core/sock.c:2208
 tun_build_skb.isra.50+0x2f0/0x1810 drivers/net/tun.c:1630
 tun_get_user+0x17d0/0x3940 drivers/net/tun.c:1800
 tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1986
 call_write_iter include/linux/fs.h:1781 [inline]
 do_iter_readv_writev+0x55c/0x830 fs/read_write.c:653
 do_iter_write+0x154/0x540 fs/read_write.c:932
 vfs_writev+0x18a/0x340 fs/read_write.c:977
 do_writev+0xfc/0x2a0 fs/read_write.c:1012
 SYSC_writev fs/read_write.c:1085 [inline]
 SyS_writev+0x27/0x30 fs/read_write.c:1082
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4536b1
RSP: 002b:00007fa94b86ab80 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007fa94b86aaa0 RCX: 00000000004536b1
RDX: 0000000000000001 RSI: 00007fa94b86abd0 RDI: 0000000000000012
RBP: 00007fa94b86aa90 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000002a R11: 0000000000000293 R12: 00000000004b863a
R13: 00007fa94b86abc8 R14: 00000000004b863a R15: 0000000000000000
audit: type=1400 audit(1518204150.337:48): avc: denied { listen } for pid=8617 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
syz-executor5 (8689) used greatest stack depth: 12128 bytes left
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 8914 Comm: syz-executor4 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:2955 [inline]
 prepare_alloc_pages mm/page_alloc.c:4194 [inline]
 __alloc_pages_nodemask+0x338/0xd80 mm/page_alloc.c:4233
audit: type=1400 audit(1518204151.374:49): avc: denied { create } for pid=8936 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
 alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:492 [inline]
 skb_page_frag_refill+0x358/0x5f0 net/core/sock.c:2208
x_tables: ip6_tables: CLASSIFY target: used from hooks INPUT/OUTPUT, but only usable from FORWARD/OUTPUT/POSTROUTING
 tun_build_skb.isra.50+0x2f0/0x1810 drivers/net/tun.c:1630
audit: type=1400 audit(1518204151.404:50): avc: denied { ioctl } for pid=8936 comm="syz-executor2" path="socket:[21688]" dev="sockfs" ino=21688 ioctlcmd=0x8946 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
x_tables: ip6_tables: CLASSIFY target: used from hooks INPUT/OUTPUT, but only usable from FORWARD/OUTPUT/POSTROUTING
 tun_get_user+0x17d0/0x3940 drivers/net/tun.c:1800
 tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1986
 call_write_iter include/linux/fs.h:1781 [inline]
 do_iter_readv_writev+0x55c/0x830 fs/read_write.c:653
 do_iter_write+0x154/0x540 fs/read_write.c:932
 vfs_writev+0x18a/0x340 fs/read_write.c:977
 do_writev+0xfc/0x2a0 fs/read_write.c:1012
 SYSC_writev fs/read_write.c:1085 [inline]
 SyS_writev+0x27/0x30 fs/read_write.c:1082
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4536b1
RSP: 002b:00007fbfe08dab80 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007fbfe08daaa0 RCX: 00000000004536b1
RDX: 0000000000000001 RSI: 00007fbfe08dabd0 RDI: 0000000000000012
RBP: 00007fbfe08daa90 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000002a R11: 0000000000000293 R12: 00000000004b863a
R13: 00007fbfe08dabc8 R14: 00000000004b863a R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 8962 Comm: syz-executor6 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3605
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 ip6_setup_cork+0x104c/0x1740 net/ipv6/ip6_output.c:1181
 ip6_make_skb+0x2df/0x5e0 net/ipv6/ip6_output.c:1749
 udpv6_sendmsg+0x27fc/0x3400 net/ipv6/udp.c:1310
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 SYSC_sendto+0x361/0x5c0 net/socket.c:1747
 SyS_sendto+0x40/0x50 net/socket.c:1715
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4537d9
RSP: 002b:00007f0bc351fc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f0bc351faa0 RCX: 00000000004537d9
RDX: 0000000000000b11 RSI: 00000000204ce000 RDI: 0000000000000013
RBP: 00007f0bc351fa90 R08: 0000000020e26fe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b863a
R13: 00007f0bc351fbc8 R14: 00000000004b863a R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 9006 Comm: syz-executor6 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 __do_kmalloc mm/slab.c:3703 [inline]
 __kmalloc_track_caller+0x5f/0x760 mm/slab.c:3720
 kmemdup+0x24/0x50 mm/util.c:118
 kmemdup include/linux/string.h:418 [inline]
 ip6_opt_dup net/ipv6/ip6_output.c:1133 [inline]
 ip6_setup_cork+0x594/0x1740 net/ipv6/ip6_output.c:1194
 ip6_make_skb+0x2df/0x5e0 net/ipv6/ip6_output.c:1749
 udpv6_sendmsg+0x27fc/0x3400 net/ipv6/udp.c:1310
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 SYSC_sendto+0x361/0x5c0 net/socket.c:1747
 SyS_sendto+0x40/0x50 net/socket.c:1715
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4537d9
RSP: 002b:00007f0bc351fc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f0bc351faa0 RCX: 00000000004537d9
RDX: 0000000000000b11 RSI: 00000000204ce000 RDI: 0000000000000013
RBP: 00007f0bc351fa90 R08: 0000000020e26fe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b863a
R13: 00007f0bc351fbc8 R14: 00000000004b863a R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 9079 Comm: syz-executor6 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc_node mm/slab.c:3286 [inline]
 kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3629
 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:983 [inline]
 alloc_skb_with_frags+0x10d/0x750 net/core/skbuff.c:5188
 sock_alloc_send_pskb+0x787/0x9b0 net/core/sock.c:2085
 sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2102
 __ip6_append_data.isra.44+0x1c38/0x3390 net/ipv6/ip6_output.c:1409
 ip6_make_skb+0x386/0x5e0 net/ipv6/ip6_output.c:1757
 udpv6_sendmsg+0x27fc/0x3400 net/ipv6/udp.c:1310
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 SYSC_sendto+0x361/0x5c0 net/socket.c:1747
 SyS_sendto+0x40/0x50 net/socket.c:1715
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x4537d9
RSP: 002b:00007f0bc351fc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f0bc351faa0 RCX: 00000000004537d9
RDX: 0000000000000b11 RSI: 00000000204ce000 RDI: 0000000000000013
RBP: 00007f0bc351fa90 R08: 0000000020e26fe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b863a
R13: 00007f0bc351fbc8 R14: 00000000004b863a R15: 0000000000000000
CPU: 0 PID: 9095 Comm: syz-executor0 Not tainted 4.15.0+ #221
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3539
 anon_vma_chain_alloc mm/rmap.c:128 [inline]
 __anon_vma_prepare+0xbc/0x6b0 mm/rmap.c:182
 anon_vma_prepare include/linux/rmap.h:153 [inline]
 do_huge_pmd_anonymous_page+0x1124/0x1b00 mm/huge_memory.c:678
 create_huge_pmd mm/memory.c:3860 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4064
 handle_mm_fault+0x38f/0x930 mm/memory.c:4130
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1426
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1501
 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1261
RIP: 0010:__get_user_4+0x1b/0x30 arch/x86/lib/getuser.S:70
RSP: 0018:ffff8801d324fe08 EFLAGS: 00010287
RAX: 0000000020af4003 RBX: 0000000020af4000 RCX: ffffffff819b8228
RDX: ffff8801bbd12440 RSI: ffffc9000221d000 RDI: 0000000000000282
RBP: ffff8801d324fe48 R08: 0000000000000000 R09: 1ffff1003a649f9e
R10: ffff8801d324fcb8 R11: 0000000000000000 R12: ffff8801ccc74500
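The "attribute type N has an invalid length." and "N bytes leftover after parsing attributes" lines scattered through this log are the kernel's netlink attribute parser complaining about fuzzer-built messages. The program below is an added userspace illustration, not code from the syzbot log or from the kernel: it re-implements the nlattr TLV walk (4-byte header, length including header, 4-byte alignment) and a minimal length policy modelled on how nla_parse()/validate_nla() of that era behave as understood here (a wrong size for a fixed-width attribute is warned about, a payload shorter than the minimum aborts with -ERANGE, trailing bytes that cannot form a header are only warned about). The attribute policy, the sample buffers and the omission of the process name from the messages are all constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netlink attribute header as laid out on the wire (include/uapi/linux/netlink.h). */
struct nlattr {
    uint16_t nla_len;   /* header + payload, not counting trailing pad */
    uint16_t nla_type;  /* type, plus NLA_F_NESTED / NLA_F_NET_BYTEORDER flag bits */
};

#define NLA_ALIGNTO   4
#define NLA_ALIGN(n)  (((n) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN    ((int)NLA_ALIGN(sizeof(struct nlattr)))
#define NLA_TYPE_MASK 0x3fff

/* Constructed policy for a hypothetical family: nonzero = fixed-width integer
 * attribute of that many bytes (like NLA_U16/U32/U64), zero = unchecked blob. */
enum { ATTR_MAX = 4 };
static const uint8_t policy_len[ATTR_MAX + 1] = { [1] = 4, [2] = 0, [3] = 2, [4] = 8 };

struct parse_result {
    int accepted;      /* attributes that passed the policy */
    int len_warnings;  /* "has an invalid length" warnings emitted */
    int leftover;      /* bytes reported as leftover after parsing */
    int err;           /* 0, or -ERANGE when an attribute is shorter than its minimum */
};

/* nla_ok(): a whole header is left, and the length it claims fits in the buffer. */
static int nla_ok(const struct nlattr *nla, int remaining)
{
    return remaining >= (int)sizeof(*nla) &&
           nla->nla_len >= (int)sizeof(*nla) && nla->nla_len <= remaining;
}

/* nla_next(): step over the attribute including its alignment padding. */
static const struct nlattr *nla_next(const struct nlattr *nla, int *remaining)
{
    int totlen = NLA_ALIGN(nla->nla_len);
    *remaining -= totlen;
    return (const struct nlattr *)((const char *)nla + totlen);
}

/* Walk the attribute stream the way the kernel's nla_parse() does. */
struct parse_result parse_attrs(const void *buf, int len)
{
    struct parse_result r = { 0, 0, 0, 0 };
    const struct nlattr *nla = buf;
    int rem = len;

    for (; nla_ok(nla, rem); nla = nla_next(nla, &rem)) {
        unsigned type = nla->nla_type & NLA_TYPE_MASK;
        int attrlen = nla->nla_len - NLA_HDRLEN;
        int want;

        if (type == 0 || type > ATTR_MAX)
            continue;                      /* unknown types are ignored, not rejected */
        want = policy_len[type];
        if (want && attrlen != want) {     /* wrong size for a fixed-width type: warn */
            printf("netlink: attribute type %u has an invalid length.\n", type);
            r.len_warnings++;
        }
        if (attrlen < want) {              /* too short to read safely: hard error */
            r.err = -ERANGE;
            return r;
        }
        r.accepted++;
    }
    if (rem > 0) {                         /* trailing bytes that cannot start an attribute */
        printf("netlink: %d bytes leftover after parsing attributes.\n", rem);
        r.leftover = rem;
    }
    return r;
}

/* Append one attribute (header, payload, pad) and return the bytes consumed. */
static int put_attr(uint8_t *p, uint16_t type, const void *payload, uint16_t plen)
{
    struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + plen), type };
    int total = NLA_ALIGN(NLA_HDRLEN + plen);

    memset(p, 0, total);
    memcpy(p, &hdr, sizeof hdr);
    memcpy(p + NLA_HDRLEN, payload, plen);
    return total;
}

/* Constructed sample: a good u32, a u16 carrying 6 bytes, an unknown type, a blob,
 * then 8 zero bytes that can never form a header. Returns the total length (48). */
int build_sample(uint8_t *buf)
{
    uint32_t v32 = 0x11111111;
    uint8_t six[6] = { 1, 2, 3, 4, 5, 6 };
    int off = 0;

    off += put_attr(buf + off, 1, &v32, sizeof v32);   /* type 1: exactly 4 bytes, ok */
    off += put_attr(buf + off, 3, six, sizeof six);    /* type 3: 6 != 2, warned but kept */
    off += put_attr(buf + off, 9, "abc", 3);           /* type 9: not in policy, skipped */
    off += put_attr(buf + off, 2, "hello", 5);         /* type 2: blob, unchecked */
    memset(buf + off, 0, 8);                           /* nla_len 0 stops the walk: leftover */
    return off + 8;
}

/* Constructed sample: a u64 attribute carrying only 4 bytes of payload. */
int build_short_u64(uint8_t *buf)
{
    uint32_t v32 = 0x22222222;
    return put_attr(buf, 4, &v32, sizeof v32);
}

int main(void)
{
    uint8_t buf[64];
    struct parse_result r = parse_attrs(buf, build_sample(buf));
    printf("accepted=%d warnings=%d leftover=%d err=%d\n",
           r.accepted, r.len_warnings, r.leftover, r.err);
    r = parse_attrs(buf, build_short_u64(buf));
    printf("accepted=%d warnings=%d leftover=%d err=%d\n",
           r.accepted, r.len_warnings, r.leftover, r.err);
    return 0;
}
```

Two points of the walk are worth noticing when reading fuzzer logs like this one. An unknown attribute type is skipped silently, so a fuzzer can only provoke "invalid length" for types the family actually declares. And the "leftover" warning fires whenever the remaining tail is too short, or claims a length that is too short or too long, to be a further attribute; the bytes already parsed are still used, which is why that message is noise rather than a rejection.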