TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending cookies. Check SNMP counters.
=============================
WARNING: suspicious RCU usage
4.15.0-rc9+ #213 Not tainted
-----------------------------
./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
4 locks held by syz-executor1/5269:
 #0:  (&mm->mmap_sem){++++}, at: [<000000008a4f5d36>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1359
 #1:  (&p->pi_lock){-.-.}, at: [<0000000036d9ace9>] try_to_wake_up+0xbc/0x1600 kernel/sched/core.c:1988
 #2:  (&rq->lock){-.-.}, at: [<0000000096a4077e>] rq_lock kernel/sched/sched.h:1766 [inline]
 #2:  (&rq->lock){-.-.}, at: [<0000000096a4077e>] ttwu_queue kernel/sched/core.c:1863 [inline]
 #2:  (&rq->lock){-.-.}, at: [<0000000096a4077e>] try_to_wake_up+0xa29/0x1600 kernel/sched/core.c:2078
 #3:  (rcu_read_lock){....}, at: [<0000000048926a65>] trace_sched_stat_runtime include/trace/events/sched.h:413 [inline]
 #3:  (rcu_read_lock){....}, at: [<0000000048926a65>] update_curr+0x31c/0xa60 kernel/sched/fair.c:846

stack backtrace:
CPU: 0 PID: 5269 Comm: syz-executor1 Not tainted 4.15.0-rc9+ #213
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
 rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline]
 ___might_sleep+0x385/0x470 kernel/sched/core.c:6025
 clear_huge_page+0x24f/0x730 mm/memory.c:4601
 __do_huge_pmd_anonymous_page mm/huge_memory.c:570 [inline]
 do_huge_pmd_anonymous_page+0x59c/0x1b00 mm/huge_memory.c:728
 create_huge_pmd mm/memory.c:3834 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4038
 handle_mm_fault+0x334/0x8d0 mm/memory.c:4104
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1430
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1505
 page_fault+0x4c/0x60 arch/x86/entry/entry_64.S:1260
RIP: 0033:0x43a7a1
RSP: 002b:0000000000a2f498 EFLAGS: 00010247
RAX: aa62be74caa17bc7 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 000000000000003a RSI: 00000000007202a0 RDI: 0000000020253fc6
RBP: 0000000000000004 R08: 71723122186adbac R09: 22ce08ba301e4859
R10: e496981b6e96dee1 R11: 0000000000000206 R12: 0000000000000001
R13: fffffffffffffffe R14: 000000000071ca20 R15: ffffffffffffffff

================================
WARNING: inconsistent lock state
4.15.0-rc9+ #213 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor5/5268 [HC0[0]:SC1[1]:HE1:SE0] takes:
 (&(&est->lock)->rlock){+.?.}, at: [<00000000c8a330d2>] spin_lock include/linux/spinlock.h:310 [inline]
 (&(&est->lock)->rlock){+.?.}, at: [<00000000c8a330d2>] est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
  _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
  spin_lock include/linux/spinlock.h:310 [inline]
  est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
  gen_new_estimator+0x317/0x770 net/core/gen_estimator.c:162
  xt_rateest_tg_checkentry+0x487/0xaa0 net/netfilter/xt_RATEEST.c:135
  xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
  check_target net/ipv6/netfilter/ip6_tables.c:538 [inline]
  find_check_entry.isra.7+0x935/0xcf0 net/ipv6/netfilter/ip6_tables.c:580
  translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:749
  do_replace net/ipv6/netfilter/ip6_tables.c:1165 [inline]
  do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1691
  nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
  nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
  ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
  udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
  sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
  SYSC_setsockopt net/socket.c:1849 [inline]
  SyS_setsockopt+0x189/0x360 net/socket.c:1828
  entry_SYSCALL_64_fastpath+0x29/0xa0
irq event stamp: 878
hardirqs last  enabled at (878): [<000000006b1d5732>] restore_regs_and_return_to_kernel+0x0/0x21
hardirqs last disabled at (877): [<00000000083cf226>] apic_timer_interrupt+0xa4/0xb0 arch/x86/entry/entry_64.S:937
softirqs last  enabled at (710): [<000000003f2dc76d>] __do_softirq+0x7a0/0xb85 kernel/softirq.c:311
softirqs last disabled at (833): [<00000000998469f1>] invoke_softirq kernel/softirq.c:365 [inline]
softirqs last disabled at (833): [<00000000998469f1>] irq_exit+0x1cc/0x200 kernel/softirq.c:405

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&est->lock)->rlock);
    lock(&(&est->lock)->rlock);

 *** DEADLOCK ***

2 locks held by syz-executor5/5268:
 #0:  (&mm->mmap_sem){++++}, at: [<000000008a4f5d36>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1359
 #1:  ((&est->timer)){+.-.}, at: [<0000000061f2ef86>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
 #1:  ((&est->timer)){+.-.}, at: [<0000000061f2ef86>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1308

stack backtrace:
CPU: 1 PID: 5268 Comm: syz-executor5 Not tainted 4.15.0-rc9+ #213
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_usage_bug+0x377/0x38c kernel/locking/lockdep.c:2537
 valid_state kernel/locking/lockdep.c:2550 [inline]
 mark_lock_irq kernel/locking/lockdep.c:2744 [inline]
 mark_lock+0xf61/0x1430 kernel/locking/lockdep.c:3142
 mark_irqflags kernel/locking/lockdep.c:3020 [inline]
 __lock_acquire+0x173a/0x3e00 kernel/locking/lockdep.c:3383
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
 est_timer+0x97/0x7c0 net/core/gen_estimator.c:85
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1318
 expire_timers kernel/time/timer.c:1355 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1658
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1684
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:937
RIP: 0010:___might_sleep+0x3c7/0x470 kernel/sched/core.c:6025
RSP: 0000:ffff8801bf17f628 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff11
RAX: 0000000000000001 RBX: 1ffff10037e2fec5 RCX: ffffffff819cd54a
RDX: 0000000000000000 RSI: ffffffff86b41540 RDI: ffff8801bdbf2974
RBP: ffff8801bf17f6a8 R08: 0000160000000000 R09: 0000000000000000
R10: ffffffffffffffe8 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff85f18b80 R14: 00000000000011ea R15: 0000000006a1df80
 clear_huge_page+0x37d/0x730 mm/memory.c:4586
 __do_huge_pmd_anonymous_page mm/huge_memory.c:570 [inline]
 do_huge_pmd_anonymous_page+0x59c/0x1b00 mm/huge_memory.c:728
 create_huge_pmd mm/memory.c:3834 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4038
 handle_mm_fault+0x334/0x8d0 mm/memory.c:4104
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1430
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1505
 page_fault+0x4c/0x60 arch/x86/entry/entry_64.S:1260
RIP: 0033:0x405ad1
RSP: 002b:0000000000a2f460 EFLAGS: 00010246
RAX: 0000000020be9ffc RBX: 000000000071bea0 RCX: 0000000000000098
RDX: 14fceadfa527e12d RSI: 0000000000000000 RDI: 00000000022ba848
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000009
R10: 0000000000a2f460 R11: 0000000000000206 R12: 0000000000000003
R13: fffffffffffffffe R14: 000000000071ca20 R15: 0000000000000001
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending cookies. Check SNMP counters.
Cannot find add_set index 0 as target
Cannot find add_set index 0 as target
netlink: 'syz-executor1': attribute type 21 has an invalid length.
netlink: 'syz-executor3': attribute type 21 has an invalid length.
netlink: 'syz-executor3': attribute type 5 has an invalid length.
netlink: 'syz-executor3': attribute type 21 has an invalid length.
netlink: 'syz-executor3': attribute type 5 has an invalid length.
syz-executor3 (5483) used greatest stack depth: 15648 bytes left
netlink: 16 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor5'.
x_tables: ip_tables: .0 target: invalid size 8 (kernel) != (user) 3
RDS: rds_bind could not find a transport for 172.20.0.170, load rds_tcp or rds_rdma?
RDS: rds_bind could not find a transport for 172.20.0.170, load rds_tcp or rds_rdma?
IPVS: length: 24 != 8
kauditd_printk_skb: 10 callbacks suppressed
audit: type=1400 audit(1517155250.946:32): avc: denied { accept } for pid=6024 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517155250.987:33): avc: denied { map } for pid=6042 comm="syz-executor1" path="socket:[14841]" dev="sockfs" ino=14841 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=packet_socket permissive=1
device syz7 entered promiscuous mode
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 6174 Comm: syz-executor6 Not tainted 4.15.0-rc9+ #213
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:2948 [inline]
 prepare_alloc_pages mm/page_alloc.c:4187 [inline]
 __alloc_pages_nodemask+0x338/0xd80 mm/page_alloc.c:4226
 alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2036
 alloc_pages include/linux/gfp.h:492 [inline]
 skb_page_frag_refill+0x358/0x5f0 net/core/sock.c:2211
 tun_build_skb.isra.51+0x2f0/0x1810 drivers/net/tun.c:1630
 tun_get_user+0x17d0/0x3940 drivers/net/tun.c:1800
 tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1986
 call_write_iter include/linux/fs.h:1772 [inline]
 do_iter_readv_writev+0x525/0x7f0 fs/read_write.c:653
 do_iter_write+0x154/0x540 fs/read_write.c:932
 vfs_writev+0x18a/0x340 fs/read_write.c:977
 do_writev+0xfc/0x2a0 fs/read_write.c:1012
 SYSC_writev fs/read_write.c:1085 [inline]
 SyS_writev+0x27/0x30 fs/read_write.c:1082
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453171
RSP: 002b:00007f993a7e1b80 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f993a7e1aa0 RCX: 0000000000453171
RDX: 0000000000000001 RSI: 00007f993a7e1bd0 RDI: 0000000000000012
RBP: 00007f993a7e1a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000437 R11: 0000000000000293 R12: 00000000004b8096
R13: 00007f993a7e1bc8 R14: 00000000004b8096 R15: 0000000000000000
mip6: mip6_destopt_init_state: spi is not 0: 3640918016
mip6: mip6_destopt_init_state: spi is not 0: 3640918016
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
openvswitch: netlink: Flow set message rejected, Key attribute missing.
audit: type=1400 audit(1517155251.972:34): avc: denied { setopt } for pid=6259 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
sctp: [Deprecated]: syz-executor3 (pid 6281) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
openvswitch: netlink: Flow set message rejected, Key attribute missing.
sctp: [Deprecated]: syz-executor3 (pid 6283) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
audit: type=1400 audit(1517155252.007:35): avc: denied { getattr } for pid=6279 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
dccp_xmit_packet: Payload too large (65423) for featneg.
dccp_xmit_packet: Payload too large (65423) for featneg.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=6358 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=6358 comm=syz-executor7
l2tp_core: tunl 1: fd 19 wrong protocol, got 1, expected 17
l2tp_core: tunl 1: fd 19 wrong protocol, got 1, expected 17
sctp: [Deprecated]: syz-executor1 (pid 6507) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor1 (pid 6507) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 7 Comm: ksoftirqd/0 Not tainted 4.15.0-rc9+ #213
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ip6t_do_table+0x12de/0x19d0 net/ipv6/netfilter/ip6_tables.c:360
RSP: 0018:ffff8801d9f3eab0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8801c1220980 RCX: ffffffff84d5f422
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff8801c1220ade
RBP: ffff8801d9f3ecb8 R08: ffff8801d9f3edb0 R09: 0000000000000000
R10: 00000000000000d0 R11: ffffffff86b41580 R12: 0000000000000001
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8801c1220a50
FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000205ebfe0 CR3: 0000000006a22004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip6table_security_hook+0x65/0x80 net/ipv6/netfilter/ip6table_security.c:45
 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
 nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
 nf_hook include/linux/netfilter.h:243 [inline]
 NF_HOOK include/linux/netfilter.h:286 [inline]
 ip6_input+0x35c/0x560 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:449 [inline]
 ip6_rcv_finish+0x297/0x8c0 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ipv6_rcv+0xf37/0x1fa0 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4547
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4612
 process_backlog+0x203/0x740 net/core/dev.c:5292
 napi_poll net/core/dev.c:5690 [inline]
 net_rx_action+0x792/0x1910 net/core/dev.c:5756
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 run_ksoftirqd+0x50/0x100 kernel/softirq.c:666
 smpboot_thread_fn+0x450/0x7c0 kernel/smpboot.c:164
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:541
Code: 41 f6 87 83 00 00 00 04 75 37 e8 be 3f 9a fc 8b 85 54 fe ff ff 48 8b b5 90 fe ff ff 4c 8d 2c c6 44 8d 60 01 4c 89 e8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 5c 03 00 00 4d 89 7d 00 44 89 a5 54 fe ff
RIP: ip6t_do_table+0x12de/0x19d0 net/ipv6/netfilter/ip6_tables.c:360 RSP: ffff8801d9f3eab0
---[ end trace 7608e94876f8d6a7 ]---