=============================
WARNING: suspicious RCU usage
4.15.0+ #200 Not tainted
-----------------------------
./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor2/10509:
 #0:  ((&im->timer)){+.-.}, at: [<00000000d1933844>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
 #0:  ((&im->timer)){+.-.}, at: [<00000000d1933844>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
 #1:  (&(&im->lock)->rlock){+.-.}, at: [<000000003fdc0234>] spin_lock_bh include/linux/spinlock.h:315 [inline]
 #1:  (&(&im->lock)->rlock){+.-.}, at: [<000000003fdc0234>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600

stack backtrace:
CPU: 0 PID: 10509 Comm: syz-executor2 Not tainted 4.15.0+ #200
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 __in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
 igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
 igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
 add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
 add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
 igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
 igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
 igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
RIP: 0010:memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:65
RSP: 0018:ffff8801bcb0dc88 EFLAGS: 00010206 ORIG_RAX: ffffffffffffff11
RAX: dffffc00000000ff RBX: ffffea0006828000 RCX: 000000000002a3c0
RDX: 0000000000040000 RSI: 00000000000000ff RDI: ffffed0034155c40
RBP: ffff8801bcb0dc90 R08: 1ffff10034140000 R09: ffffed0034140000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bcb0e468
R13: 0000000000000009 R14: 00000000001a0a00 R15: 0000000000000200
 free_pages_prepare mm/page_alloc.c:1071 [inline]
 __free_pages_ok+0x783/0x31e0 mm/page_alloc.c:1260
 free_compound_page+0x5c/0x70 mm/page_alloc.c:601
 free_transhuge_page+0x2d2/0x430 mm/huge_memory.c:2732
 __put_compound_page+0x88/0xc0 mm/swap.c:95
 release_pages+0x64b/0x1230 mm/swap.c:788
 free_pages_and_swap_cache+0x2ad/0x400 mm/swap_state.c:322
 tlb_flush_mmu_free+0xb4/0x160 mm/memory.c:260
 zap_pte_range mm/memory.c:1408 [inline]
 zap_pmd_range mm/memory.c:1445 [inline]
 zap_pud_range mm/memory.c:1474 [inline]
 zap_p4d_range mm/memory.c:1495 [inline]
 unmap_page_range+0x181e/0x22e0 mm/memory.c:1516
 unmap_single_vma+0x15f/0x2d0 mm/memory.c:1561
 unmap_vmas+0xf1/0x1b0 mm/memory.c:1591
 exit_mmap+0x23a/0x500 mm/mmap.c:3020
 __mmput kernel/fork.c:947 [inline]
 mmput+0x223/0x6c0 kernel/fork.c:968
 exit_mm kernel/exit.c:544 [inline]
 do_exit+0x90a/0x1ad0 kernel/exit.c:852
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x73a/0x16d0 kernel/signal.c:2469
 do_signal+0x90/0x1eb0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:264 [inline]
 do_syscall_32_irqs_on arch/x86/entry/common.c:333 [inline]
 do_fast_syscall_32+0xbfd/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
RIP: 0023:0xf7fa7c79
RSP: 002b:00000000f778210c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
bridge0: port 1(syz7) entered blocking state
bridge0: port 1(syz7) entered disabled state
device syz7 entered promiscuous mode
bridge0: port 1(syz7) entered blocking state
bridge0: port 1(syz7) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready
netlink: 'syz-executor1': attribute type 21 has an invalid length.
netlink: 'syz-executor1': attribute type 21 has an invalid length.
ptrace attach of "/root/syz-executor1"[4088] was attempted by "/root/syz-executor1"[10654]
Cannot find add_set index 49282 as target
Cannot find add_set index 49282 as target
ptrace attach of "/root/syz-executor1"[4088] was attempted by "/root/syz-executor1"[10654]
x_tables: ip_tables: osf match: only valid for protocol 6
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
*** Guest State ***
CR0: actual=0xffffffff9ffffffc, shadow=0xfffffffffffffffc, gh_mask=fffffffffffffff7
CR4: actual=0x000000000000205e, shadow=0x000000000000001e, gh_mask=ffffffffffffe871
CR3 = 0x0000000000000000
RSP = 0x0000000000000000  RIP = 0x0000000000008000
RFLAGS=0x00010002         DR7 = 0x0000000000000400
Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000
CS:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
DS:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
SS:   sel=0x0000, attr=0x10000, limit=0x0001f002, base=0x0000000000000000
ES:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
FS:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
GS:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
GDTR:                           limit=0x00000000, base=0x0000000000000000
LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
IDTR:                           limit=0x00000000, base=0x0000000000000000
TR:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
EFER =     0x0000000000000000  PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
Interruptibility = 00000008  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811bdff4  RSP = 0xffff8801bda7f3d8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=0000000000000000 GSBase=ffff8801db500000 TRBase=fffffe0000003000
GDTBase=fffffe0000001000 IDTBase=fffffe0000000000
CR0=0000000080050033 CR3=00000001d87db005 CR4=00000000001626e0
Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff85a01b70
EFER = 0x0000000000000d01  PAT = 0x0000000000000000
*** Control State ***
PinBased=0000003f CPUBased=b6986dfa SecondaryExec=000000c2
EntryControls=0000d1ff ExitControls=0023efff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=80000306 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000003
        reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffffd7bc191af5
EPT pointer = 0x00000001cdfd401e
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59919 sclass=netlink_route_socket pig=10913 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59919 sclass=netlink_route_socket pig=10928 comm=syz-executor2
binder: 11000:11004 IncRefs 0 refcount change on invalid ref 2048 ret -22
binder: 11000:11004 unknown command 1818587951
binder: 11000:11004 ioctl c0306201 20008fd0 returned -22
device eql entered promiscuous mode
QAT: Invalid ioctl
QAT: Invalid ioctl
x_tables: ip_tables: osf match: only valid for protocol 6
x_tables: ip_tables: osf match: only valid for protocol 6
binder: 11250:11259 unknown command 0
binder: 11250:11259 ioctl c0306201 20008fd0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: binder_alloc_mmap_handler: 11250 20000000-20002000 already mapped failed -16
binder: 11250:11259 got new transaction with bad transaction stack, transaction 23 has target 11250:0
binder: 11250:11259 transaction failed 29201/-71, size 80-0 line 2815
binder: 11250:11269 ioctl 40046207 0 returned -16
binder: release 11250:11259 transaction 23 out, still active
binder: undelivered TRANSACTION_COMPLETE
device eql entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 23, target dead
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 11310 Comm: syz-executor4 Not tainted 4.15.0+ #200
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:2955 [inline]
 prepare_alloc_pages mm/page_alloc.c:4194 [inline]
 __alloc_pages_nodemask+0x338/0xd80 mm/page_alloc.c:4233
 alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2055
 alloc_pages include/linux/gfp.h:492 [inline]
 skb_page_frag_refill+0x358/0x5f0 net/core/sock.c:2211
 tun_build_skb.isra.50+0x2f0/0x1810 drivers/net/tun.c:1630
 tun_get_user+0x17d0/0x3940 drivers/net/tun.c:1800
 tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1986
 call_write_iter include/linux/fs.h:1781 [inline]
 do_iter_readv_writev+0x55c/0x830 fs/read_write.c:653
 do_iter_write+0x154/0x540 fs/read_write.c:932
 compat_writev+0x225/0x420 fs/read_write.c:1246
 do_compat_writev+0x115/0x220 fs/read_write.c:1267
 C_SYSC_writev fs/read_write.c:1278 [inline]
 compat_SyS_writev+0x26/0x30 fs/read_write.c:1274
 do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
 do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
RIP: 0023:0xf7f93c79
RSP: 002b:00000000f778f014 EFLAGS: 00000296 ORIG_RAX: 0000000000000092
RAX: ffffffffffffffda RBX: 0000000000000012 RCX: 00000000f778f064
RDX: 0000000000000001 RSI: 00000000000005d4 RDI: 00000000f778fb28
RBP: 0000000008111670 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
audit: type=1400 audit(1517490901.147:64): avc: denied { map } for pid=11411 comm="syz-executor5" path="socket:[26162]" dev="sockfs" ino=26162 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1
sock: sock_set_timeout: `syz-executor4' (pid 11417) tries to set negative timeout
*** Guest State ***
CR0: actual=0xffffffff9ffffffc, shadow=0xfffffffffffffffc, gh_mask=fffffffffffffff7
CR4: actual=0x0000000000002040, shadow=0x0000000000000000, gh_mask=ffffffffffffe871
CR3 = 0x0000000000000000
RSP = 0x0000000000000000  RIP = 0x000000000000fff0
RFLAGS=0x00010002         DR7 = 0x0000000000000400
Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000
CS:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
DS:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
SS:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
ES:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
FS:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
GS:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
GDTR:                           limit=0x00000000, base=0x0000000000000000
LDTR: sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
IDTR:                           limit=0x00000000, base=0x0000000000000000
TR:   sel=0x0000, attr=0x10000, limit=0x00000000, base=0x0000000000000000
EFER =     0x0000000000000000  PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
Interruptibility = 00000000  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811bdff4  RSP = 0xffff8801ce18f3d8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=0000000000000000 GSBase=ffff8801db500000 TRBase=fffffe0000034000
GDTBase=fffffe0000032000 IDTBase=fffffe0000000000
CR0=0000000080050033 CR3=00000001cde0d002 CR4=00000000001626e0
Sysenter RSP=fffffe0000033200 CS:RIP=0010:ffffffff85a01b70
EFER = 0x0000000000000d01  PAT = 0x0000000000000000
*** Control State ***
PinBased=0000003f CPUBased=b6986dfa SecondaryExec=000000c2
EntryControls=0000d1ff ExitControls=0023efff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=80000306 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000003
        reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffffd64819c643
EPT pointer = 0x00000001b79b801e
sock: sock_set_timeout: `syz-executor4' (pid 11396) tries to set negative timeout
audit: type=1400 audit(1517490901.149:65): avc: denied { net_admin } for pid=9783 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517490901.149:66): avc: denied { map_create } for pid=11410 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1517490901.149:67): avc: denied { map_read map_write } for pid=11410 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1517490901.192:68): avc: denied { map_create } for pid=11410 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1517490901.193:69): avc: denied { map_read map_write } for pid=11410 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1517490901.203:70): avc: denied { net_admin } for pid=8955 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517490901.206:71): avc: denied { net_admin } for pid=8955 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517490901.209:72): avc: denied { net_admin } for pid=11420 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517490901.214:73): avc: denied { net_admin } for pid=8955 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 11442 Comm: syz-executor3 Not tainted 4.15.0+ #200
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc_node mm/slab.c:3285 [inline]
 kmem_cache_alloc_node_trace+0x5a/0x750 mm/slab.c:3647
 __do_kmalloc_node mm/slab.c:3667 [inline]
 __kmalloc_node+0x33/0x70 mm/slab.c:3675
 kmalloc_node include/linux/slab.h:541 [inline]
 kvmalloc_node+0x99/0xd0 mm/util.c:419
 kvmalloc include/linux/mm.h:541 [inline]
 seq_buf_alloc fs/seq_file.c:29 [inline]
 seq_read+0x7cd/0x13d0 fs/seq_file.c:205
 proc_reg_read+0xef/0x170 fs/proc/inode.c:217
 __vfs_read+0xef/0xa00 fs/read_write.c:411
 vfs_read+0x11e/0x350 fs/read_write.c:447
 SYSC_pread64 fs/read_write.c:611 [inline]
 SyS_pread64+0x15b/0x190 fs/read_write.c:598
 sys32_pread+0x39/0x50 arch/x86/ia32/sys_ia32.c:180
 do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
 do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
RIP: 0023:0xf7fb4c79
RSP: 002b:00000000f77b008c EFLAGS: 00000296 ORIG_RAX: 00000000000000b4
RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 0000000020f81800
RDX: 00000000ffffff92 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
netlink: 'syz-executor2': attribute type 21 has an invalid length.
netlink: 'syz-executor2': attribute type 21 has an invalid length.
TCP: request_sock_TCP: Possible SYN flooding on port 20030. Sending cookies. Check SNMP counters.
QAT: Invalid ioctl
QAT: Invalid ioctl
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11661:11682 ioctl 40046207 0 returned -16
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=25 sclass=netlink_tcpdiag_socket pig=11728 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=11855 comm=syz-executor2
dccp_close: ABORT with 1 bytes unread
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55321 sclass=netlink_route_socket pig=11884 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55321 sclass=netlink_route_socket pig=11902 comm=syz-executor1
binder: 12047 RLIMIT_NICE not set
binder_alloc: 12044: binder_alloc_buf, no vma
binder: 12044:12062 transaction failed 29189/-3, size 112-16 line 2903
binder: 12047 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12044:12065 ioctl 40046207 0 returned -16
binder_alloc: 12044: binder_alloc_buf, no vma
binder: 12044:12047 transaction failed 29189/-3, size 112-16 line 2903
binder: undelivered TRANSACTION_ERROR: 29189