attempt to access beyond end of device Buffer I/O error on dev loop5, logical block 16, lost async page write loop0: rw=2049, want=17, limit=16 ============================= WARNING: suspicious RCU usage 4.14.281-syzkaller #0 Not tainted ----------------------------- net/netfilter/nf_queue.c:244 suspicious rcu_dereference_check() usage! other info that might help us debug this: netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'. rcu_scheduler_active = 2, debug_locks = 1 2 locks held by syz-executor.5/10111: Buffer I/O error on dev loop0, logical block 16, lost async page write #0: (rcu_callback){....}, at: [] __rcu_reclaim kernel/rcu/rcu.h:185 [inline] #0: (rcu_callback){....}, at: [] rcu_do_batch kernel/rcu/tree.c:2699 [inline] #0: (rcu_callback){....}, at: [] invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline] #0: (rcu_callback){....}, at: [] __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline] #0: (rcu_callback){....}, at: [] rcu_process_callbacks+0x84e/0x1180 kernel/rcu/tree.c:2946 #1: (&(&inst->lock)->rlock){+.-.}, at: [] spin_lock_bh include/linux/spinlock.h:322 [inline] #1: (&(&inst->lock)->rlock){+.-.}, at: [] nfqnl_flush+0x2f/0x2a0 net/netfilter/nfnetlink_queue.c:232 stack backtrace: CPU: 0 PID: 10111 Comm: syz-executor.5 Not tainted 4.14.281-syzkaller #0 ip_tables: iptables: counters copy to user failed while replacing table Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 nf_reinject+0x56e/0x700 net/netfilter/nf_queue.c:244 nfqnl_flush+0x1ab/0x2a0 net/netfilter/nfnetlink_queue.c:237 instance_destroy_rcu+0x19/0x30 net/netfilter/nfnetlink_queue.c:171 __rcu_reclaim kernel/rcu/rcu.h:195 [inline] rcu_do_batch kernel/rcu/tree.c:2699 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline] rcu_process_callbacks+0x780/0x1180 kernel/rcu/tree.c:2946 __do_softirq+0x24d/0x9ff kernel/softirq.c:288 invoke_softirq kernel/softirq.c:368 [inline] irq_exit+0x193/0x240 kernel/softirq.c:409 exiting_irq arch/x86/include/asm/apic.h:638 [inline] smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793 RIP: 0033:0x7f38aa300fa8 RSP: 002b:00007ffe8e864940 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff10 RAX: 00007f38aa238a10 RBX: 00007f38aa22eb68 RCX: ffffffff8319ffb0 RDX: ffffffff8319ffb5 RSI: 00007f38aa22eb70 RDI: ffffffff8319ffb0 RBP: 00007f38aa22aa28 R08: 00007f38aa2434a8 R09: 000000000d7ce5ee R10: 0000000000000000 R11: 0000000000000000 R12: 00007f38aa22aa20 R13: 00007f38aa22eb68 R14: 00007f38aa22aa18 R15: 000000000000001d netlink: 12 bytes leftover after parsing attributes in process `syz-executor.4'. ip_tables: iptables: counters copy to user failed while replacing table attempt to access beyond end of device loop0: rw=2049, want=17, limit=16 Buffer I/O error on dev loop0, logical block 16, lost async page write attempt to access beyond end of device loop5: rw=2049, want=17, limit=16 Buffer I/O error on dev loop5, logical block 16, lost async page write attempt to access beyond end of device loop0: rw=2049, want=17, limit=16 Buffer I/O error on dev loop0, logical block 16, lost async page write attempt to access beyond end of device loop5: rw=2049, want=17, limit=16 Buffer I/O error on dev loop5, logical block 16, lost async page write netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'. Zero length message leads to an empty skb audit: type=1800 audit(1653474958.982:9): pid=10270 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="SYSV00000000" dev="hugetlbfs" ino=0 res=0 audit: type=1800 audit(1653474959.112:10): pid=10281 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="SYSV00000000" dev="hugetlbfs" ino=32769 res=0 audit: type=1800 audit(1653474959.642:11): pid=10292 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.4" name="SYSV00000000" dev="hugetlbfs" ino=98307 res=0 ====================================================== WARNING: the mand mount option is being deprecated and will be removed in v5.15! ====================================================== audit: type=1800 audit(1653474959.732:12): pid=10300 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="SYSV00000000" dev="hugetlbfs" ino=65538 res=0 audit: type=1800 audit(1653474959.762:13): pid=10306 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.4" name="SYSV00000000" dev="hugetlbfs" ino=131076 res=0 audit: type=1800 audit(1653474959.852:14): pid=10315 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.4" name="SYSV00000000" dev="hugetlbfs" ino=163845 res=0 audit: type=1800 audit(1653474959.852:15): pid=10311 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="SYSV00000000" dev="hugetlbfs" ino=98307 res=0 audit: type=1800 audit(1653474959.972:16): pid=10319 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed" comm="syz-executor.5" name="SYSV00000000" dev="hugetlbfs" ino=131076 res=0 L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. audit: type=1326 audit(1653474963.682:17): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.682:18): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:19): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=317 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:20): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:21): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:22): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=298 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:23): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:24): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:25): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:26): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:27): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f3836325109 code=0x7ffc0000 audit: type=1326 audit(1653474963.712:28): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10504 comm="syz-executor.3" exe="/root/syz-executor.3" sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f3836325109 code=0x7ffc0000