binder: 7937:7950 ioctl c0306201 200000c0 returned -14

===============================
[ INFO: suspicious RCU usage. ]
4.9.205-syzkaller #0 Not tainted
-------------------------------
include/linux/inetdevice.h:205 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
4 locks held by syz-executor.4/7954:
 #0: (rcu_read_lock_bh){......}, at: [<0000000095765b02>] ip_finish_output2+0x20b/0x1280 net/ipv4/ip_output.c:198
 #1: (rcu_read_lock_bh){......}, at: [<00000000289b5ab6>] __dev_queue_xmit+0x1d4/0x1bd0 net/core/dev.c:3407
 #2: (_xmit_TUNNEL6#2){+.-...}, at: [<0000000003224c99>] spin_lock include/linux/spinlock.h:302 [inline]
 #2: (_xmit_TUNNEL6#2){+.-...}, at: [<0000000003224c99>] __netif_tx_lock include/linux/netdevice.h:3573 [inline]
 #2: (_xmit_TUNNEL6#2){+.-...}, at: [<0000000003224c99>] __dev_queue_xmit+0x1116/0x1bd0 net/core/dev.c:3469
 #3: (slock-AF_INET){+.-...}, at: [<00000000c231ef01>] spin_trylock include/linux/spinlock.h:312 [inline]
 #3: (slock-AF_INET){+.-...}, at: [<00000000c231ef01>] icmp_xmit_lock net/ipv4/icmp.c:220 [inline]
 #3: (slock-AF_INET){+.-...}, at: [<00000000c231ef01>] __icmp_send+0x48b/0x1420 net/ipv4/icmp.c:656

stack backtrace:
CPU: 0 PID: 7954 Comm: syz-executor.4 Not tainted 4.9.205-syzkaller #0
 ffff88019de6edd8 ffffffff81b55e6b ffff8801d627bc80 0000000000000000
 0000000000000002 00000000000000cd ffff8801a2ec4740 ffff88019de6ee08
 ffffffff81406997 ffff8801d627bcd8 ffff88019de6ef28 ffff8801cf218000
Call Trace:
 [<00000000103ee07d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000103ee07d>] dump_stack+0xcb/0x130 lib/dump_stack.c:56
 [<0000000004e03ede>] lockdep_rcu_suspicious.cold+0x10a/0x149 kernel/locking/lockdep.c:4458
 [<00000000542ff370>] __in_dev_get_rcu include/linux/inetdevice.h:205 [inline]
 [<00000000542ff370>] fib_compute_spec_dst+0x6c4/0xcc0 net/ipv4/fib_frontend.c:284
 [<000000003d758925>] __ip_options_echo+0x4be/0x13e0 net/ipv4/ip_options.c:177
 [<000000008f073795>] __icmp_send+0x648/0x1420 net/ipv4/icmp.c:685
 [<0000000015682fba>] ipv4_send_dest_unreach net/ipv4/route.c:1203 [inline]
 [<0000000015682fba>] ipv4_link_failure+0x460/0x850 net/ipv4/route.c:1210
 [<0000000020ec21de>] dst_link_failure include/net/dst.h:490 [inline]
 [<0000000020ec21de>] vti6_xmit net/ipv6/ip6_vti.c:522 [inline]
 [<0000000020ec21de>] vti6_tnl_xmit+0xb08/0x17f0 net/ipv6/ip6_vti.c:561
 [<00000000e1eab2b3>] __netdev_start_xmit include/linux/netdevice.h:4072 [inline]
 [<00000000e1eab2b3>] netdev_start_xmit include/linux/netdevice.h:4081 [inline]
 [<00000000e1eab2b3>] xmit_one net/core/dev.c:2977 [inline]
 [<00000000e1eab2b3>] dev_hard_start_xmit+0x195/0x8b0 net/core/dev.c:2993
 [<00000000dbed70d1>] __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
 [<0000000060ddc3a4>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
 [<000000000b74be99>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1368
 [<0000000013438e44>] dst_neigh_output include/net/dst.h:470 [inline]
 [<0000000013438e44>] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:225
 [<000000008e2f052d>] ip_finish_output+0x3c4/0xce0 net/ipv4/ip_output.c:313
 [<00000000c9a714dc>] NF_HOOK_COND include/linux/netfilter.h:246 [inline]
 [<00000000c9a714dc>] ip_output+0x1ec/0x5b0 net/ipv4/ip_output.c:401
 [<0000000021a06bef>] dst_output include/net/dst.h:507 [inline]
 [<0000000021a06bef>] NF_HOOK_THRESH include/linux/netfilter.h:232 [inline]
 [<0000000021a06bef>] NF_HOOK include/linux/netfilter.h:255 [inline]
 [<0000000021a06bef>] raw_send_hdrinc net/ipv4/raw.c:421 [inline]
 [<0000000021a06bef>] raw_sendmsg+0x1c5c/0x23e0 net/ipv4/raw.c:643
 [<00000000a3a48c86>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 [<000000001710c89c>] sock_sendmsg_nosec net/socket.c:649 [inline]
 [<000000001710c89c>] sock_sendmsg+0xbe/0x110 net/socket.c:659
 [<00000000d1e76743>] sock_write_iter+0x235/0x3d0 net/socket.c:857
 [<000000002b9896de>] new_sync_write fs/read_write.c:498 [inline]
 [<000000002b9896de>] __vfs_write+0x3c1/0x560 fs/read_write.c:511
 [<000000008b15c5e5>] vfs_write+0x185/0x520 fs/read_write.c:559
 [<0000000094f686a8>] SYSC_write fs/read_write.c:607 [inline]
 [<0000000094f686a8>] SyS_write+0x121/0x270 fs/read_write.c:599
 [<0000000087fe8848>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<00000000f0aab02e>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
binder: 7968:7978 ioctl c0306201 200000c0 returned -14
binder: 7994:8009 ioctl c0306201 200000c0 returned -14
binder: 8025:8035 ioctl c0306201 200000c0 returned -14
binder: 8055:8067 ioctl c0306201 200000c0 returned -14
binder: 8086:8098 ioctl c0306201 200000c0 returned -14
binder: 8115:8121 ioctl c0306201 200000c0 returned -14
binder: 8135:8139 ioctl c0306201 200000c0 returned -14
binder: 8149:8154 ioctl c0306201 200000c0 returned -14
binder: 8165:8174 ioctl c0306201 200000c0 returned -14
binder: 8182:8184 ioctl c0306201 200000c0 returned -14
binder: 8189:8191 ioctl c0306201 200000c0 returned -14
binder: 8198:8199 ioctl c0306201 200000c0 returned -14
binder: 8203:8206 ioctl c0306201 200000c0 returned -14
binder: 8215:8218 ioctl c0306201 200000c0 returned -14
binder: 8227:8228 ioctl c0306201 200000c0 returned -14
binder: 8254:8256 ioctl c0306201 200000c0 returned -14
binder: 8262:8271 ioctl c0306201 200000c0 returned -14
binder: 8279:8284 ioctl c0306201 200000c0 returned -14
binder: 8376:8384 ioctl c0306201 200000c0 returned -14
binder: 8395:8403 ioctl c0306201 200000c0 returned -14
PPPIOCDETACH file->f_count=2
PPPIOCDETACH file->f_count=2
PPPIOCDETACH file->f_count=2
binder: 8415:8425 ioctl c0306201 200000c0 returned -14
PPPIOCDETACH file->f_count=2
binder: 8444:8446 ioctl 40046205 0 returned -22
binder: 8444:8458 ioctl c0306201 200000c0 returned -14
PPPIOCDETACH file->f_count=2
binder: 8473:8479 ioctl 40046205 0 returned -22
binder: 8473:8485 ioctl c0306201 200000c0 returned -14
binder: 8500:8501 ioctl 40046205 0 returned -22
binder: 8500:8504 ioctl c0306201 200000c0 returned -14
PPPIOCDETACH file->f_count=2
binder: 8514:8531 ioctl c0306201 200000c0 returned -14
PPPIOCDETACH file->f_count=2
PPPIOCDETACH file->f_count=2
binder: 8566:8567 ioctl c0306201 200000c0 returned -14
PPPIOCDETACH file->f_count=2
binder: 8655:8658 ioctl c0306201 200000c0 returned -14
PPPIOCDETACH file->f_count=2
binder: 8721:8722 ioctl c0306201 200000c0 returned -14
binder: 8725:8726 ioctl c0306201 200000c0 returned -14
binder: 8742:8743 ioctl c0306201 200000c0 returned -14