netlink: 'syz-executor.5': attribute type 2 has an invalid length.

=============================
WARNING: suspicious RCU usage
4.19.84 #0 Not tainted
-----------------------------
include/linux/radix-tree.h:241 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor.3/15195:
 #0: 0000000013df6f7c (&sb->s_type->i_mutex_key#12){+.+.}, at: inode_lock include/linux/fs.h:747 [inline]
 #0: 0000000013df6f7c (&sb->s_type->i_mutex_key#12){+.+.}, at: memfd_add_seals mm/memfd.c:199 [inline]
 #0: 0000000013df6f7c (&sb->s_type->i_mutex_key#12){+.+.}, at: memfd_fcntl+0x235/0x1750 mm/memfd.c:249
 #1: 00000000d2396063 (&(&(&mapping->i_pages)->xa_lock)->rlock){-.-.}, at: spin_lock_irq include/linux/spinlock.h:354 [inline]
 #1: 00000000d2396063 (&(&(&mapping->i_pages)->xa_lock)->rlock){-.-.}, at: memfd_tag_pins mm/memfd.c:42 [inline]
 #1: 00000000d2396063 (&(&(&mapping->i_pages)->xa_lock)->rlock){-.-.}, at: memfd_wait_for_pins mm/memfd.c:83 [inline]
 #1: 00000000d2396063 (&(&(&mapping->i_pages)->xa_lock)->rlock){-.-.}, at: memfd_add_seals mm/memfd.c:217 [inline]
 #1: 00000000d2396063 (&(&(&mapping->i_pages)->xa_lock)->rlock){-.-.}, at: memfd_fcntl+0x4bc/0x1750 mm/memfd.c:249

stack backtrace:
CPU: 1 PID: 15195 Comm: syz-executor.3 Not tainted 4.19.84 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:4539
 radix_tree_deref_slot include/linux/radix-tree.h:241 [inline]
 radix_tree_deref_slot include/linux/radix-tree.h:239 [inline]
 memfd_tag_pins mm/memfd.c:44 [inline]
 memfd_wait_for_pins mm/memfd.c:83 [inline]
 memfd_add_seals mm/memfd.c:217 [inline]
 memfd_fcntl+0xfdf/0x1750 mm/memfd.c:249
 do_fcntl+0x200/0x1020 fs/fcntl.c:421
 __do_sys_fcntl fs/fcntl.c:463 [inline]
 __se_sys_fcntl fs/fcntl.c:448 [inline]
 __x64_sys_fcntl+0x16d/0x1e0 fs/fcntl.c:448
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a639
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4cccc19c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000048
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a639
RDX: 0000000000000008 RSI: 0000000000000409 RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4cccc1a6d4
R13: 00000000004c1068 R14: 00000000004d3c60 R15: 00000000ffffffff
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
input: syz1 as /devices/virtual/input/input8
device nr0 entered promiscuous mode
net_ratelimit: 30 callbacks suppressed
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
device nr0 entered promiscuous mode
audit: type=1400 audit(1574251931.174:4451): avc: denied { set_context_mgr } for pid=15309 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 15309:15311 unknown command 25362
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
binder: 15309:15311 ioctl c0306201 20000080 returned -22
input: ryz as /devices/virtual/input/input10
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
device nr0 entered promiscuous mode
*** Guest State ***
CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
device nr0 entered promiscuous mode
CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
CR3 = 0x0000000000000000
RSP = 0x0000000000000f80  RIP = 0x0000000000000000
RFLAGS=0x00000002  DR7 = 0x0000000000000400
Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000
CS:   sel=0x0000, attr=0x0009b, limit=0x0000ffff, base=0x0000000000000000
device nr0 entered promiscuous mode
DS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
SS:   sel=0x0000, attr=0x00081, limit=0x0000ffff, base=0x0000000000000000
ES:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
FS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
GS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
GDTR: limit=0x000007ff, base=0x0000000000001000
LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800
IDTR: limit=0x0000ffff, base=0x0000000000000000
TR:   sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000
EFER = 0x0000000000000000  PAT = 0x0007040600070406
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
Interruptibility = 00000000  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811ced13  RSP = 0xffff8880459578c0
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=00007f4cccbf9700 GSBase=ffff8880ae800000 TRBase=fffffe0000034000
GDTBase=fffffe0000032000 IDTBase=fffffe0000000000
CR0=0000000080050033 CR3=00000000547c4000 CR4=00000000001426f0
Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff87001400
EFER = 0x0000000000000d01  PAT = 0x0407050600070106
*** Control State ***
PinBased=0000003f CPUBased=b5986dfa SecondaryExec=000000ea
EntryControls=0000d1ff ExitControls=002fefff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=00000000 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000000
        reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xfffffef02ffeec23
EPT pointer = 0x000000007ee6d01e
Virtual processor ID = 0x0001
device nr0 entered promiscuous mode
validate_nla: 10 callbacks suppressed
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
device nr0 entered promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
ldm_parse_privhead(): Cannot find PRIVHEAD structure. LDM database is corrupt. Aborting.
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
ldm_validate_privheads(): Cannot find PRIVHEAD 1.
 loop1: p1 p3
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
ldm_parse_privhead(): Cannot find PRIVHEAD structure. LDM database is corrupt. Aborting.
ldm_validate_privheads(): Cannot find PRIVHEAD 1.
 loop1: p1 p3
device nr0 entered promiscuous mode
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
device nr0 entered promiscuous mode
ntfs: (device loop3): parse_options(): Unrecognized mount option euid>00000000000000000000.
ntfs: (device loop3): parse_options(): Unrecognized mount option smackfstransmute.
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
ntfs: (device loop3): parse_options(): Unrecognized mount option fsmagic.
ntfs: (device loop3): parse_options(): Unrecognized mount option .
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
device nr0 entered promiscuous mode
ntfs: (device loop3): parse_options(): Unrecognized mount option euid>00000000000000000000.
ntfs: (device loop3): parse_options(): Unrecognized mount option smackfstransmute.
ntfs: (device loop3): parse_options(): Unrecognized mount option fsmagic.
ntfs: (device loop3): parse_options(): Unrecognized mount option .
device nr0 entered promiscuous mode
net_ratelimit: 25 callbacks suppressed
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_1
device nr0 entered promiscuous mode
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
device nr0 entered promiscuous mode
SELinux: Context unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 is not valid (left unmapped).
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
device nr0 entered promiscuous mode
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 15836 Comm: syz-executor.4 Not tainted 4.19.84 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0xa/0x1b lib/fault-inject.c:149
 __should_failslab+0x121/0x190 mm/failslab.c:32
 should_failslab+0x9/0x14 mm/slab_common.c:1557
 slab_pre_alloc_hook mm/slab.h:424 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 kmem_cache_alloc+0x2ae/0x700 mm/slab.c:3557
 getname_flags fs/namei.c:140 [inline]
 getname_flags+0xd6/0x5b0 fs/namei.c:129
 getname fs/namei.c:211 [inline]
 do_symlinkat+0x8b/0x290 fs/namei.c:4142
 __do_sys_symlink fs/namei.c:4172 [inline]
 __se_sys_symlink fs/namei.c:4170 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a639
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4147b59c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f4147b59c90 RCX: 000000000045a639
RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000020000140
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4147b5a6d4
R13: 00000000004c9c60 R14: 00000000004e17f0 R15: 0000000000000003
device nr0 entered promiscuous mode
validate_nla: 61 callbacks suppressed
netlink: 'syz-executor.3': attribute type 3 has an invalid length.
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
netlink: 'syz-executor.3': attribute type 3 has an invalid length.
libceph: connect [d::]:6789 error -101
libceph: mon0 [d::]:6789 connect error
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 15899 Comm: syz-executor.4 Not tainted 4.19.84 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0xa/0x1b lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:3086 [inline]
 prepare_alloc_pages mm/page_alloc.c:4344 [inline]
 __alloc_pages_nodemask+0x1ee/0x750 mm/page_alloc.c:4391
 __alloc_pages include/linux/gfp.h:496 [inline]
 __alloc_pages_node include/linux/gfp.h:509 [inline]
 kmem_getpages mm/slab.c:1412 [inline]
 cache_grow_begin+0x91/0x8c0 mm/slab.c:2682
 cache_alloc_refill mm/slab.c:3049 [inline]
 ____cache_alloc mm/slab.c:3132 [inline]
 ____cache_alloc mm/slab.c:3115 [inline]
 __do_cache_alloc mm/slab.c:3354 [inline]
 slab_alloc mm/slab.c:3389 [inline]
 kmem_cache_alloc+0x63b/0x700 mm/slab.c:3557
 getname_flags fs/namei.c:140 [inline]
 getname_flags+0xd6/0x5b0 fs/namei.c:129
 getname fs/namei.c:211 [inline]
 do_symlinkat+0x8b/0x290 fs/namei.c:4142
 __do_sys_symlink fs/namei.c:4172 [inline]
 __se_sys_symlink fs/namei.c:4170 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a639
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4147b59c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f4147b59c90 RCX: 000000000045a639
RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000020000140
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4147b5a6d4
R13: 00000000004c9c60 R14: 00000000004e17f0 R15: 0000000000000003
device nr0 entered promiscuous mode
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 15918 Comm: syz-executor.4 Not tainted 4.19.84 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0xa/0x1b lib/fault-inject.c:149
 __should_failslab+0x121/0x190 mm/failslab.c:32
 should_failslab+0x9/0x14 mm/slab_common.c:1557
 slab_pre_alloc_hook mm/slab.h:424 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 kmem_cache_alloc+0x2ae/0x700 mm/slab.c:3557
 __d_alloc+0x2e/0x9c0 fs/dcache.c:1610
 d_alloc+0x4d/0x280 fs/dcache.c:1694
 __lookup_hash+0xcd/0x190 fs/namei.c:1542
 filename_create+0x1a7/0x4f0 fs/namei.c:3636
 user_path_create fs/namei.c:3693 [inline]
 do_symlinkat+0xf3/0x290 fs/namei.c:4146
 __do_sys_symlink fs/namei.c:4172 [inline]
 __se_sys_symlink fs/namei.c:4170 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a639
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4147b59c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f4147b59c90 RCX: 000000000045a639
RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000020000140
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4147b5a6d4
R13: 00000000004c9c60 R14: 00000000004e17f0 R15: 0000000000000003
device nr0 entered promiscuous mode
netlink: 'syz-executor.5': attribute type 2 has an invalid length.
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 15942 Comm: syz-executor.4 Not tainted 4.19.84 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0xa/0x1b lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:3086 [inline]
 prepare_alloc_pages mm/page_alloc.c:4344 [inline]
 __alloc_pages_nodemask+0x1ee/0x750 mm/page_alloc.c:4391
 __alloc_pages include/linux/gfp.h:496 [inline]
 __alloc_pages_node include/linux/gfp.h:509 [inline]
 kmem_getpages mm/slab.c:1412 [inline]
 cache_grow_begin+0x91/0x8c0 mm/slab.c:2682
 cache_alloc_refill mm/slab.c:3049 [inline]
 ____cache_alloc mm/slab.c:3132 [inline]
 ____cache_alloc mm/slab.c:3115 [inline]
 __do_cache_alloc mm/slab.c:3354 [inline]
 slab_alloc mm/slab.c:3389 [inline]
 kmem_cache_alloc+0x63b/0x700 mm/slab.c:3557
 getname_flags fs/namei.c:140 [inline]
 getname_flags+0xd6/0x5b0 fs/namei.c:129
 getname fs/namei.c:211 [inline]
 user_path_create fs/namei.c:3693 [inline]
 do_symlinkat+0xe1/0x290 fs/namei.c:4146
 __do_sys_symlink fs/namei.c:4172 [inline]
 __se_sys_symlink fs/namei.c:4170 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a639
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4147b59c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007f4147b59c90 RCX: 000000000045a639
RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000020000140
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4147b5a6d4
R13: 00000000004c9c60 R14: 00000000004e17f0 R15: 0000000000000003
netlink: 22 bytes leftover after parsing attributes in process `syz-executor.5'.