netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'.
ip_tables: iptables: counters copy to user failed while replacing table
=============================
WARNING: suspicious RCU usage
4.14.280-syzkaller #0 Not tainted
-----------------------------
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'.
net/netfilter/nf_queue.c:244 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syz-executor.3/10017:
#0: (&mm->mmap_sem){++++}, at: [] __do_page_fault+0x2b9/0xad0 arch/x86/mm/fault.c:1371
#1: (rcu_callback){....}, at: [] __rcu_reclaim kernel/rcu/rcu.h:185 [inline]
#1: (rcu_callback){....}, at: [] rcu_do_batch kernel/rcu/tree.c:2699 [inline]
#1: (rcu_callback){....}, at: [] invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
#1: (rcu_callback){....}, at: [] __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
#1: (rcu_callback){....}, at: [] rcu_process_callbacks+0x84e/0x1180 kernel/rcu/tree.c:2946
#2: (&(&inst->lock)->rlock){+.-.}, at: [] spin_lock_bh include/linux/spinlock.h:322 [inline]
#2: (&(&inst->lock)->rlock){+.-.}, at: [] nfqnl_flush+0x2f/0x2a0 net/netfilter/nfnetlink_queue.c:232
stack backtrace:
CPU: 0 PID: 10017 Comm: syz-executor.3 Not tainted 4.14.280-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
ip_tables: iptables: counters copy to user failed while replacing table
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
nf_reinject+0x56e/0x700 net/netfilter/nf_queue.c:244
nfqnl_flush+0x1ab/0x2a0 net/netfilter/nfnetlink_queue.c:237
instance_destroy_rcu+0x19/0x30 net/netfilter/nfnetlink_queue.c:171
__rcu_reclaim kernel/rcu/rcu.h:195 [inline]
rcu_do_batch kernel/rcu/tree.c:2699 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
rcu_process_callbacks+0x780/0x1180 kernel/rcu/tree.c:2946
__do_softirq+0x24d/0x9ff kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x193/0x240 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:clear_page_erms+0x7/0x10 arch/x86/lib/clear_page_64.S:50
RSP: 0000:ffff8880b4e17c08 EFLAGS: 00010246 ORIG_RAX: ffffffffffffff10
RAX: 0000000000000000 RBX: ffff888000000000 RCX: 00000000000007c0
RDX: 1ffff1100c94228f RSI: 00000000ffffffff RDI: ffff88805a2fb840
RBP: 00000000000000fb R08: 0000000000037b28 R09: 0000000000000008
R10: ffffffffffffffe8 R11: ffff888064a10240 R12: ffff888064a10240
R13: ffffea0001688000 R14: 0000000000000000 R15: dffffc0000000000
clear_page arch/x86/include/asm/page_64.h:45 [inline]
clear_user_page arch/x86/include/asm/page.h:28 [inline]
clear_user_highpage include/linux/highmem.h:137 [inline]
clear_huge_page+0x114/0x7b0 mm/memory.c:4743
__do_huge_pmd_anonymous_page mm/huge_memory.c:574 [inline]
do_huge_pmd_anonymous_page+0x93b/0x1700 mm/huge_memory.c:731
create_huge_pmd mm/memory.c:3997 [inline]
__handle_mm_fault+0x2ac4/0x4620 mm/memory.c:4200
handle_mm_fault+0x455/0x9c0 mm/memory.c:4266
__do_page_fault+0x549/0xad0 arch/x86/mm/fault.c:1442
page_fault+0x45/0x50 arch/x86/entry/entry_64.S:1123
RIP: 8d8fa130:0x7f1270aeaf60
RSP: 0000:00007ffe8d8fa108 EFLAGS: 0001cb19
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'.
ip_tables: iptables: counters copy to user failed while replacing table
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
ldm_validate_privheads(): Disk read failed.
loop5: p1 < > p2 < > p4
arp_tables: arptables: counters copy to user failed while replacing table
loop5: partition table partially beyond EOD, truncated
syz-executor.4 (10149) used greatest stack depth: 23840 bytes left
arp_tables: arptables: counters copy to user failed while replacing table
loop5: p1 start 335762607 is beyond EOD, truncated
can: request_module (can-proto-0) failed.
loop5: p2 size 2 extends beyond EOD, truncated
loop5: p4 size 2097152 extends beyond EOD, truncated
arp_tables: arptables: counters copy to user failed while replacing table
arp_tables: arptables: counters copy to user failed while replacing table
arp_tables: arptables: counters copy to user failed while replacing table
ldm_validate_privheads(): Disk read failed.
loop5: p1 < > p2 < > p4
arp_tables: arptables: counters copy to user failed while replacing table
loop5: partition table partially beyond EOD, truncated
loop5: p1 start 335762607 is beyond EOD, truncated
can: request_module (can-proto-0) failed.
can: request_module (can-proto-0) failed.
loop5: p2 size 2 extends beyond EOD, truncated
loop5: p4 size 2097152 extends beyond EOD, truncated
ldm_validate_privheads(): Disk read failed.
loop5: p1 < > p2 < > p4
loop5: partition table partially beyond EOD, truncated
loop5: p1 start 335762607 is beyond EOD, truncated
loop5: p2 size 2 extends beyond EOD, truncated
loop5: p4 size 2097152 extends beyond EOD, truncated
can: request_module (can-proto-0) failed.
can: request_module (can-proto-0) failed.
ldm_validate_privheads(): Disk read failed.
loop5: p1 < > p2 < > p4
loop5: partition table partially beyond EOD, truncated
loop5: p1 start 335762607 is beyond EOD, truncated
loop5: p2 size 2 extends beyond EOD, truncated
loop5: p4 size 2097152 extends beyond EOD, truncated
can: request_module (can-proto-0) failed.
ldm_validate_privheads(): Disk read failed.
loop5: p1 < > p2 < > p4
loop5: partition table partially beyond EOD, truncated
loop5: p1 start 335762607 is beyond EOD, truncated
loop5: p2 size 2 extends beyond EOD, truncated
loop5: p4 size 2097152 extends beyond EOD, truncated
can: request_module (can-proto-0) failed.
ldm_validate_privheads(): Disk read failed.
loop5: p1 < > p2 < > p4
loop5: partition table partially beyond EOD, truncated
loop5: p1 start 335762607 is beyond EOD, truncated
loop5: p2 size 2 extends beyond EOD, truncated
loop5: p4 size 2097152 extends beyond EOD, truncated
ldm_validate_privheads(): Disk read failed.
loop5: p1 < > p2 < > p4
loop5: partition table partially beyond EOD, truncated
loop5: p1 start 335762607 is beyond EOD, truncated
loop5: p2 size 2 extends beyond EOD, truncated
loop5: p4 size 2097152 extends beyond EOD, truncated
Attempt to read inode for relocated directory
Attempt to read inode for relocated directory
Attempt to read inode for relocated directory
Attempt to read inode for relocated directory
Attempt to read inode for relocated directory
Attempt to read inode for relocated directory
Attempt to read inode for relocated directory
mkiss: ax0: crc mode is auto.
mkiss: ax0: crc mode is auto.
mkiss: ax0: crc mode is auto.