=============================
WARNING: suspicious RCU usage
4.14.232-syzkaller #0 Not tainted
-----------------------------
net/ipv4/tcp_ipv4.c:918 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
4 locks held by kworker/u4:3/181:
 #0: ("%s""netns"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2087
 #1: (net_cleanup_work){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2091
 #2: (net_mutex){+.+.}, at: [] cleanup_net+0x110/0x840 net/core/net_namespace.c:450
 #3: (rtnl_mutex){+.+.}, at: [] netdev_run_todo+0x20e/0xad0 net/core/dev.c:7926

stack backtrace:
CPU: 1 PID: 181 Comm: kworker/u4:3 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 tcp_md5_do_lookup+0x3b4/0x510 net/ipv4/tcp_ipv4.c:918
 tcp_established_options+0x94/0x410 net/ipv4/tcp_output.c:690
 __tcp_transmit_skb+0x286/0x2cb0 net/ipv4/tcp_output.c:1032
 tcp_transmit_skb net/ipv4/tcp_output.c:1149 [inline]
 tcp_send_active_reset+0x40b/0x5c0 net/ipv4/tcp_output.c:3159
 tcp_disconnect+0x159/0x1890 net/ipv4/tcp.c:2341
 rds_tcp_conn_paths_destroy net/rds/tcp.c:515 [inline]
 rds_tcp_kill_sock net/rds/tcp.c:544 [inline]
 rds_tcp_dev_event+0x73f/0xa30 net/rds/tcp.c:573
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 call_netdevice_notifiers net/core/dev.c:1683 [inline]
 netdev_run_todo+0x242/0xad0 net/core/dev.c:7927
 default_device_exit_batch+0x2e2/0x380 net/core/dev.c:8747
 ops_exit_list+0xf9/0x150 net/core/net_namespace.c:145
 cleanup_net+0x3b3/0x840 net/core/net_namespace.c:484
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
input: syz1 as /devices/virtual/input/input6

=============================
WARNING: suspicious RCU usage
4.14.232-syzkaller #0 Not tainted
-----------------------------
include/net/sock.h:1800 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
4 locks held by kworker/u4:3/181:
 #0: ("%s""netns"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2087
 #1: (net_cleanup_work){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2091
 #2: (net_mutex){+.+.}, at: [] cleanup_net+0x110/0x840 net/core/net_namespace.c:450
 #3: (rtnl_mutex){+.+.}, at: [] netdev_run_todo+0x20e/0xad0 net/core/dev.c:7926

stack backtrace:
CPU: 0 PID: 181 Comm: kworker/u4:3 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 __sk_dst_set include/net/sock.h:1800 [inline]
 __sk_dst_reset include/net/sock.h:1820 [inline]
 tcp_disconnect+0x1412/0x1890 net/ipv4/tcp.c:2383
 rds_tcp_conn_paths_destroy net/rds/tcp.c:515 [inline]
 rds_tcp_kill_sock net/rds/tcp.c:544 [inline]
 rds_tcp_dev_event+0x73f/0xa30 net/rds/tcp.c:573
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 call_netdevice_notifiers net/core/dev.c:1683 [inline]
 netdev_run_todo+0x242/0xad0 net/core/dev.c:7927
 default_device_exit_batch+0x2e2/0x380 net/core/dev.c:8747
 ops_exit_list+0xf9/0x150 net/core/net_namespace.c:145
 cleanup_net+0x3b3/0x840 net/core/net_namespace.c:484
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
team0: Cannot enslave team device to itself
kauditd_printk_skb: 1 callbacks suppressed
audit: type=1804 audit(1620538266.639:622): pid=19433 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir496865744/syzkaller.qO06ZQ/243/file0/bus" dev="ramfs" ino=64474 res=1
tmpfs: No value for mount option 'uid>18446744073709551615'
batman_adv: batadv0: Adding interface: team0
audit: type=1804 audit(1620538266.709:623): pid=19439 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.4" name="/root/syzkaller-testdir496865744/syzkaller.qO06ZQ/243/file0/bus" dev="ramfs" ino=64474 res=1
audit: type=1804 audit(1620538266.709:624): pid=19439 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.4" name="/root/syzkaller-testdir496865744/syzkaller.qO06ZQ/243/file0/bus" dev="ramfs" ino=64474 res=1
batman_adv: batadv0: The MTU of interface team0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
audit: type=1804 audit(1620538266.779:625): pid=19439 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.4" name="/root/syzkaller-testdir496865744/syzkaller.qO06ZQ/243/file0/file0/bus" dev="ramfs" ino=64490 res=1
batman_adv: batadv0: Interface activated: team0
new mount options do not match the existing superblock, will be ignored
batman_adv: batadv0: Interface deactivated: team0
batman_adv: batadv0: Removing interface: team0
team0: Cannot enslave team device to itself
batman_adv: batadv0: Adding interface: team0
batman_adv: batadv0: The MTU of interface team0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
new mount options do not match the existing superblock, will be ignored
batman_adv: batadv0: Interface activated: team0
batman_adv: batadv0: Interface deactivated: team0
batman_adv: batadv0: Removing interface: team0
team0: Cannot enslave team device to itself
batman_adv: batadv0: Adding interface: team0
batman_adv: batadv0: The MTU of interface team0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
hub 9-0:1.0: USB hub found
hub 9-0:1.0: 8 ports detected
batman_adv: batadv0: Interface activated: team0
overlayfs: failed to resolve './fe1': -2
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
overlayfs: failed to resolve './fe1': -2
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
A link change request failed with some changes committed already. Interface geneve2 may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
audit: type=1800 audit(1620538269.049:626): pid=19496 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=14066 res=0
audit: type=1800 audit(1620538269.099:627): pid=19496 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=14066 res=0
hid-generic 0000:0000:0000.0001: item fetching failed at offset 0/1
hid-generic: probe of 0000:0000:0000.0001 failed with error -22
hid-generic 0000:0000:0000.0002: item fetching failed at offset 0/1
hid-generic: probe of 0000:0000:0000.0002 failed with error -22
IPVS: ftp: loaded support on port[0] = 21
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'.
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
: renamed from caif0
A link change request failed with some changes committed already. Interface  may have been left with an inconsistent configuration, please check.
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
team0: Device batadv_slave_0 is up. Set it down before adding it as a team port
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
F2FS-fs (loop2): Invalid blocksize (1), supports only 4KB
F2FS-fs (loop2): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop2): Can't find valid F2FS filesystem in 2th superblock
F2FS-fs (loop2): Invalid blocksize (1), supports only 4KB
F2FS-fs (loop2): Can't find valid F2FS filesystem in 1th superblock
F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop2): Can't find valid F2FS filesystem in 2th superblock
ip_tables: iptables: counters copy to user failed while replacing table
ip_tables: iptables: counters copy to user failed while replacing table
F2FS-fs (loop2): Invalid blocksize (1), supports only 4KB
netlink: 48 bytes leftover after parsing attributes in process `syz-executor.3'.
F2FS-fs (loop2): Can't find valid F2FS filesystem in 1th superblock
netlink: 48 bytes leftover after parsing attributes in process `syz-executor.3'.
audit: type=1800 audit(1620538273.280:628): pid=19959 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="sda1" ino=14164 res=0
audit: type=1800 audit(1620538273.310:629): pid=19951 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="sda1" ino=14164 res=0
EXT4-fs error (device sda1): swap_inode_boot_loader:114: inode #5: comm syz-executor.4: iget: checksum invalid
overlayfs: filesystem on './file0' not supported as upperdir
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.3'.
audit: type=1800 audit(1620538274.090:630): pid=20000 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="sda1" ino=14165 res=0
EXT4-fs (loop3): ext4_check_descriptors: Checksum for group 0 failed (60935!=0)
audit: type=1800 audit(1620538274.130:631): pid=20000 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.2" name="bus" dev="sda1" ino=14165 res=0
EXT4-fs (loop3): orphan cleanup on readonly fs
overlayfs: unrecognized mount option "nfs_export=on" or missing value
EXT4-fs error (device loop3): ext4_orphan_get:1266: comm syz-executor.3: bad orphan inode 33554432
EXT4-fs (loop3): mounted filesystem without journal. Opts: ,errors=continue
new mount options do not match the existing superblock, will be ignored
option changes via remount are deprecated (pid=20030 comm=syz-executor.2)
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 40 bytes leftover after parsing attributes in process `syz-executor.3'.
audit: type=1800 audit(1620538274.510:632): pid=20055 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14147 res=0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
audit: type=1800 audit(1620538274.510:633): pid=20055 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14147 res=0
overlayfs: fs on './file0' does not support file handles, falling back to index=off.
tmpfs: No value for mount option '00000000000000060928'
overlayfs: 'file0' not a directory
overlayfs: './file0' not a directory
FAT-fs (loop3): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
audit: type=1804 audit(1620538275.190:634): pid=20099 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir272024821/syzkaller.6jbDMX/303/file0/bus" dev="loop3" ino=132 res=1
audit: type=1804 audit(1620538275.270:635): pid=20113 uid=0 auid=4294967295 ses=4294967295 op="invalid_pcr" cause="ToMToU" comm="syz-executor.3" name="/root/syzkaller-testdir272024821/syzkaller.6jbDMX/303/file0/bus" dev="loop3" ino=132 res=1