=============================
WARNING: suspicious RCU usage
4.15.0-rc9+ #284 Not tainted
-----------------------------
binder: 6460 RLIMIT_NICE not set
net/tipc/bearer.c:177 suspicious rcu_dereference_protected() usage!
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6459:6479 ioctl 40046207 0 returned -16
binder: 6459:6473 BC_FREE_BUFFER u000000002000c000 no match
binder_alloc: 6459: binder_alloc_buf, no vma
binder: 6459:6460 transaction failed 29189/-3, size 0-0 line 2903
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor3/6442:
 #0: (cb_lock){++++}, at: [<00000000dc0dd038>] genl_rcv+0x19/0x40 net/netlink/genetlink.c:634
 #1: (genl_mutex){+.+.}, at: [<00000000360a13af>] genl_lock net/netlink/genetlink.c:33 [inline]
 #1: (genl_mutex){+.+.}, at: [<00000000360a13af>] genl_rcv_msg+0x115/0x140 net/netlink/genetlink.c:622

stack backtrace:
CPU: 1 PID: 6442 Comm: syz-executor3 Not tainted 4.15.0-rc9+ #284
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4587
 tipc_bearer_find+0x2b4/0x3b0 net/tipc/bearer.c:177
 tipc_nl_compat_link_set+0x329/0x9f0 net/tipc/netlink_compat.c:729
 __tipc_nl_compat_doit net/tipc/netlink_compat.c:288 [inline]
 tipc_nl_compat_doit+0x15b/0x670 net/tipc/netlink_compat.c:335
 tipc_nl_compat_handle net/tipc/netlink_compat.c:1119 [inline]
 tipc_nl_compat_recv+0x1135/0x18f0 net/tipc/netlink_compat.c:1201
 genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
 genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
 netlink_rcv_skb+0x14b/0x380 net/netlink/af_netlink.c:2409
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
 netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
 netlink_unicast+0x4ee/0x700 net/netlink/af_netlink.c:1301
 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1864
 sock_sendmsg_nosec net/socket.c:638 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:648
 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2028
 __sys_sendmsg+0xe5/0x210 net/socket.c:2062
 SYSC_sendmsg net/socket.c:2073 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2069
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007f7006242c58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7006243700 RCX: 0000000000453299
RDX: 0000000000000000 RSI: 0000000020003000 RDI: 0000000000000013
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a2f33f R14: 00007f70062439c0 R15: 0000000000000000
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 'syz-executor1': attribute type 17 has an invalid length.
kauditd_printk_skb: 59 callbacks suppressed
audit: type=1400 audit(1517210671.223:187): avc: denied { transfer } for pid=6865 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 6865:6868 Release 1 refcount change on invalid ref 0 ret -22
QAT: Invalid ioctl
QAT: Invalid ioctl
audit: type=1326 audit(1517210671.313:188): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6862 comm="syz-executor0" exe="/root/syz-executor0" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
binder_alloc: binder_alloc_mmap_handler: 6865 20000000-20002000 already mapped failed -16
binder_alloc: 6865: binder_alloc_buf, no vma
binder: 6865:6886 transaction failed 29189/-3, size 40-8 line 2903
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6865:6868 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6865:6868 transaction 6 out, still active
binder: send failed reply for transaction 6, target dead
binder: undelivered transaction 9, process died.
x_tables: ip_tables: REJECT target: only valid in filter table, not ilter
x_tables: ip_tables: REJECT target: only valid in filter table, not ilter
audit: type=1400 audit(1517210671.802:189): avc: denied { read } for pid=6989 comm="syz-executor0" path="socket:[17134]" dev="sockfs" ino=17134 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1400 audit(1517210671.938:190): avc: denied { getopt } for pid=7005 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1326 audit(1517210672.239:191): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7057 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210672.240:192): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7057 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210672.240:193): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7057 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=16 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210672.240:194): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7057 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210672.240:195): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7057 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210672.240:196): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7057 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=8 compat=0 ip=0x453299 code=0x7ffc0000
sctp: [Deprecated]: syz-executor2 (pid 7140) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor2 (pid 7160) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
device eql entered promiscuous mode
syz-executor5 (7504) used greatest stack depth: 15936 bytes left
sctp: [Deprecated]: syz-executor7 (pid 7582) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor7 (pid 7582) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
binder_alloc: 7660: binder_alloc_buf size 4323024526343405584 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 7660:7663 transaction failed 29201/-28, size 4323024526343405580-0 line 2903
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 7660: binder_alloc_buf, no vma
binder: 7660:7665 transaction failed 29189/-3, size 4323024526343405580-0 line 2903
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 'syz-executor6': attribute type 17 has an invalid length.
netlink: 'syz-executor6': attribute type 17 has an invalid length.
binder: 7786 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7783:7803 ioctl 40046207 0 returned -16
binder: 7783:7786 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
netlink: 'syz-executor6': attribute type 1 has an invalid length.
netlink: 'syz-executor6': attribute type 1 has an invalid length.
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
IPVS: ftp: loaded support on port[0] = 21
IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
QAT: Invalid ioctl
QAT: Invalid ioctl
kauditd_printk_skb: 73 callbacks suppressed
audit: type=1326 audit(1517210678.085:270): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8132 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210678.097:271): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8132 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=179 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210678.097:272): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8132 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210678.097:273): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8132 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210678.102:274): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8132 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=2 compat=0 ip=0x40d591 code=0x7ffc0000
audit: type=1326 audit(1517210678.102:275): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8132 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210678.105:276): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8132 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210678.116:277): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8132 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=55 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517210678.117:278): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8132 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
kvm [8188]: vcpu0, guest rIP: 0xfff0 Hyper-V unhandled rdmsr: 0x40000085
binder: 8204:8211 got transaction with invalid offset (40, min 24 max 40) or object.
binder: 8204:8211 transaction failed 29201/-22, size 40-16 line 2966
kvm [8188]: vcpu0, guest rIP: 0xfff0 Hyper-V unhandled rdmsr: 0x40000085
rfkill: input handler disabled
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8204:8217 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 8201 Comm: syz-executor2 Not tainted 4.15.0-rc9+ #284
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:76
RSP: 0018:ffff8801cf72f068 EFLAGS: 00010093
RAX: ffff8801d03140c0 RBX: 00000000001606f0 RCX: ffffffff811a3202
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000001606f0
RBP: ffff8801cf72f068 R08: 1ffff10039ee5d69 R09: 0000000000000004
R10: ffff8801cf72efd8 R11: 0000000000000004 R12: 0000000000000093
R13: ffff8801d03140c0 R14: ffff8801db21d130 R15: ffff8801db21d130
FS: 00007fbf56d37700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006fb45c CR3: 0000000006a22004 CR4: 00000000001626f0
DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 __write_cr4 arch/x86/include/asm/paravirt.h:76 [inline]
 __cr4_set arch/x86/include/asm/tlbflush.h:252 [inline]
 cr4_clear_bits arch/x86/include/asm/tlbflush.h:275 [inline]
 kvm_cpu_vmxoff arch/x86/kvm/vmx.c:3589 [inline]
 hardware_disable+0x34a/0x4b0 arch/x86/kvm/vmx.c:3595
 kvm_arch_hardware_disable+0x35/0xd0 arch/x86/kvm/x86.c:8004
 hardware_disable_nolock+0x30/0x40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3310
 on_each_cpu+0xca/0x1b0 kernel/smp.c:604
 hardware_disable_all_nolock+0x3e/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3328
 hardware_disable_all arch/x86/kvm/../../../virt/kvm/kvm_main.c:3334 [inline]
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:742 [inline]
 kvm_put_kvm+0x956/0xdf0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:755
 kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:766
 __fput+0x327/0x7e0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ad0 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x73f/0x16c0 kernel/signal.c:2335
 do_signal+0x90/0x1eb0 arch/x86/kernel/signal.c:809