netlink: 'syz-executor2': attribute type 1 has an invalid length.
=============================
WARNING: suspicious RCU usage
4.15.0-rc9+ #212 Not tainted
-----------------------------
./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
4 locks held by syz-executor6/7265:
 #0:  (&mm->mmap_sem){++++}, at: [<00000000dfc996b6>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1359
 #1:  (&p->pi_lock){-.-.}, at: [<00000000c126db39>] try_to_wake_up+0xbc/0x1600 kernel/sched/core.c:1988
 #2:  (&rq->lock){-.-.}, at: [<0000000018536881>] rq_lock kernel/sched/sched.h:1766 [inline]
 #2:  (&rq->lock){-.-.}, at: [<0000000018536881>] ttwu_queue kernel/sched/core.c:1863 [inline]
 #2:  (&rq->lock){-.-.}, at: [<0000000018536881>] try_to_wake_up+0xa29/0x1600 kernel/sched/core.c:2078
 #3:  (rcu_read_lock){....}, at: [<00000000c944b287>] trace_sched_stat_runtime include/trace/events/sched.h:413 [inline]
 #3:  (rcu_read_lock){....}, at: [<00000000c944b287>] update_curr+0x31c/0xa60 kernel/sched/fair.c:846

stack backtrace:
CPU: 1 PID: 7265 Comm: syz-executor6 Not tainted 4.15.0-rc9+ #212
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
 rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline]
 ___might_sleep+0x385/0x470 kernel/sched/core.c:6025
 clear_huge_page+0x19b/0x730 mm/memory.c:4598
 __do_huge_pmd_anonymous_page mm/huge_memory.c:570 [inline]
 do_huge_pmd_anonymous_page+0x59c/0x1b00 mm/huge_memory.c:728
 create_huge_pmd mm/memory.c:3834 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4038
 handle_mm_fault+0x334/0x8d0 mm/memory.c:4104
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1430
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1505
 page_fault+0x4c/0x60 arch/x86/entry/entry_64.S:1260
RIP: 0033:0x405a1b
RSP: 002b:0000000000a2f460 EFLAGS: 00010246
RAX: 00000000205b9fe0 RBX: 000000000071bea0 RCX: 0000000000000000
RDX: bcfc905659c72c0d RSI: 0000000000000000 RDI: 00000000011af848
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000063
R10: 0000000000a2f460 R11: 0000000000000206 R12: 0000000000000002
R13: fffffffffffffffe R14: 000000000071ca20 R15: ffffffffffffffff

======================================================
WARNING: possible circular locking dependency detected
4.15.0-rc9+ #212 Not tainted
------------------------------------------------------
syz-executor1/7271 is trying to acquire lock:
 (rtnl_mutex){+.+.}, at: [<00000000cce5850e>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

but task is already holding lock:
 (sk_lock-AF_INET){+.+.}, at: [<00000000ff311f60>] lock_sock include/net/sock.h:1463 [inline]
 (sk_lock-AF_INET){+.+.}, at: [<00000000ff311f60>] ip_setsockopt+0x8c/0xb0 net/ipv4/ip_sockglue.c:1259

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (sk_lock-AF_INET){+.+.}:
       lock_sock_nested+0xc2/0x110 net/core/sock.c:2780
       lock_sock include/net/sock.h:1463 [inline]
       do_ip_setsockopt.isra.12+0x1d9/0x3210 net/ipv4/ip_sockglue.c:646
       ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1252
       udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2401
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       entry_SYSCALL_64_fastpath+0x29/0xa0

-> #0 (rtnl_mutex){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
       register_netdevice_notifier+0xad/0x860 net/core/dev.c:1607
       clusterip_config_init net/ipv4/netfilter/ipt_CLUSTERIP.c:261 [inline]
       clusterip_tg_check+0xeb9/0x1570 net/ipv4/netfilter/ipt_CLUSTERIP.c:478
       xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
       check_target net/ipv4/netfilter/ip_tables.c:518 [inline]
       find_check_entry.isra.8+0x8c8/0xcb0 net/ipv4/netfilter/ip_tables.c:559
       translate_table+0xed1/0x1610 net/ipv4/netfilter/ip_tables.c:730
       do_replace net/ipv4/netfilter/ip_tables.c:1146 [inline]
       do_ipt_set_ctl+0x370/0x5f0 net/ipv4/netfilter/ip_tables.c:1680
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
       ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1260
       raw_setsockopt+0xb7/0xd0 net/ipv4/raw.c:870
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       entry_SYSCALL_64_fastpath+0x29/0xa0

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_INET);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_INET);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor1/7271:
 #0:  (sk_lock-AF_INET){+.+.}, at: [<00000000ff311f60>] lock_sock include/net/sock.h:1463 [inline]
 #0:  (sk_lock-AF_INET){+.+.}, at: [<00000000ff311f60>] ip_setsockopt+0x8c/0xb0 net/ipv4/ip_sockglue.c:1259

stack backtrace:
CPU: 0 PID: 7271 Comm: syz-executor1 Not tainted 4.15.0-rc9+ #212
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_circular_bug.isra.37+0x2cd/0x2dc kernel/locking/lockdep.c:1218
 check_prev_add kernel/locking/lockdep.c:1858 [inline]
 check_prevs_add kernel/locking/lockdep.c:1971 [inline]
 validate_chain kernel/locking/lockdep.c:2412 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3426
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
 register_netdevice_notifier+0xad/0x860 net/core/dev.c:1607
 clusterip_config_init net/ipv4/netfilter/ipt_CLUSTERIP.c:261 [inline]
 clusterip_tg_check+0xeb9/0x1570 net/ipv4/netfilter/ipt_CLUSTERIP.c:478
 xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
 check_target net/ipv4/netfilter/ip_tables.c:518 [inline]
 find_check_entry.isra.8+0x8c8/0xcb0 net/ipv4/netfilter/ip_tables.c:559
 translate_table+0xed1/0x1610 net/ipv4/netfilter/ip_tables.c:730
 do_replace net/ipv4/netfilter/ip_tables.c:1146 [inline]
 do_ipt_set_ctl+0x370/0x5f0 net/ipv4/netfilter/ip_tables.c:1680
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1260
 raw_setsockopt+0xb7/0xd0 net/ipv4/raw.c:870
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
 SYSC_setsockopt net/socket.c:1849 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1828
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fed3d2bfc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 00000000000005c5 R08: 00000000000002f8 R09: 0000000000000000
R10: 000000002000b000 R11: 0000000000000212 R12: 00000000006f7b18
R13: 00000000ffffffff R14: 00007fed3d2c06d4 R15: 0000000000000000
ipt_CLUSTERIP: ipt_CLUSTERIP is deprecated and it will removed soon, use xt_cluster instead
ipt_ECN: new ECT codepoint 9 out of mask
nla_parse: 2 callbacks suppressed
netlink: 9 bytes leftover after parsing attributes in process `syz-executor6'.
ipt_ECN: new ECT codepoint 9 out of mask
netlink: 9 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=35576 sclass=netlink_route_socket pig=7417 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=35576 sclass=netlink_route_socket pig=7434 comm=syz-executor3
sctp: [Deprecated]: syz-executor7 (pid 7524) Use of int in maxseg socket option. Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor7 (pid 7530) Use of int in maxseg socket option. Use struct sctp_assoc_value instead
syz-executor1 (7650) used greatest stack depth: 14064 bytes left
netlink: 'syz-executor7': attribute type 1 has an invalid length.
ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
netlink: 'syz-executor7': attribute type 1 has an invalid length.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7753 comm=syz-executor6
ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
kauditd_printk_skb: 1 callbacks suppressed
audit: type=1400 audit(1517092186.900:46): avc: denied { create } for pid=7801 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1517092186.901:47): avc: denied { connect } for pid=7801 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1517092186.902:48): avc: denied { write } for pid=7801 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
ipt_REJECT: TCP_RESET invalid for non-tcp
ipt_REJECT: ECHOREPLY no longer supported.
ipt_REJECT: ECHOREPLY no longer supported.
insert transport fail, errno -17
netlink: 144 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 144 bytes leftover after parsing attributes in process `syz-executor7'.
l2tp_core: tunl 2: fd 20 wrong protocol, got 1, expected 17
net_ratelimit: 3 callbacks suppressed
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
audit: type=1400 audit(1517092187.982:49): avc: denied { setopt } for pid=8218 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
audit: type=1400 audit(1517092188.566:50): avc: denied { connect } for pid=8453 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket permissive=1
sctp: [Deprecated]: syz-executor5 (pid 8489) Use of int in max_burst socket option. Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor5 (pid 8489) Use of int in max_burst socket option. Use struct sctp_assoc_value instead
audit: type=1400 audit(1517092188.757:51): avc: denied { ioctl } for pid=8537 comm="syz-executor0" path="socket:[18375]" dev="sockfs" ino=18375 ioctlcmd=0x8933 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
skbuff: bad partial csum: csum=0/65535 len=14
skbuff: bad partial csum: csum=0/65535 len=14
netlink: 7 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 'syz-executor6': attribute type 16 has an invalid length.
netlink: 240 bytes leftover after parsing attributes in process `syz-executor1'.
xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables
xt_CT: You must specify a L4 protocol, and not use inversions on it.
xt_CT: You must specify a L4 protocol, and not use inversions on it.
audit: type=1400 audit(1517092189.405:52): avc: denied { accept } for pid=8787 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
audit: type=1400 audit(1517092189.797:53): avc: denied { map } for pid=8936 comm="syz-executor2" path="socket:[19740]" dev="sockfs" ino=19740 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_socket permissive=1
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
audit: type=1400 audit(1517092190.385:54): avc: denied { bind } for pid=9172 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 40 bytes leftover after parsing attributes in process `syz-executor4'.
sctp: [Deprecated]: syz-executor5 (pid 9342) Use of int in maxseg socket option. Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor5 (pid 9342) Use of int in maxseg socket option. Use struct sctp_assoc_value instead
dccp_close: ABORT with 254 bytes unread
xt_socket: unknown flags 0xf2
xt_socket: unknown flags 0xf2
ieee80211 phy4: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
audit: type=1400 audit(1517092191.215:55): avc: denied { create } for pid=9481 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20026. Sending cookies. Check SNMP counters.
kauditd_printk_skb: 1 callbacks suppressed
audit: type=1400 audit(1517092192.057:57): avc: denied { map } for pid=9762 comm="syz-executor2" path="socket:[20445]" dev="sockfs" ino=20445 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=rawip_socket permissive=1
device syz3 entered promiscuous mode
device syz3 left promiscuous mode
Cannot find add_set index 0 as target
nla_parse: 1 callbacks suppressed
netlink: 40 bytes leftover after parsing attributes in process `syz-executor3'.
sctp: [Deprecated]: syz-executor0 (pid 9991) Use of int in max_burst socket option. Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor0 (pid 9991) Use of int in max_burst socket option. Use struct sctp_assoc_value instead
ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy7: Selected rate control algorithm 'minstrel_ht'
netlink: 16 bytes leftover after parsing attributes in process `syz-executor0'.
dccp_invalid_packet: P.Data Offset(66) too large
dccp_invalid_packet: P.Data Offset(66) too large
netlink: 7 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 'syz-executor5': attribute type 4 has an invalid length.
netlink: 'syz-executor5': attribute type 4 has an invalid length.
RDS: rds_bind could not find a transport for 172.20.0.187, load rds_tcp or rds_rdma?
RDS: rds_bind could not find a transport for 172.20.0.187, load rds_tcp or rds_rdma?
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.