sctp: [Deprecated]: syz-executor4 (pid 5515) Use of int in maxseg socket option. Use struct sctp_assoc_value instead BUG: sleeping function called from invalid context at net/core/sock.c:2772 in_atomic(): 1, irqs_disabled(): 0, pid: 1645, name: kworker/u4:4 5 locks held by kworker/u4:4/1645: #0: ((wq_completion)"%s""netns"){+.+.}, at: [<000000008270b5bc>] process_one_work+0xaaf/0x1af0 kernel/workqueue.c:2084 #1: (net_cleanup_work){+.+.}, at: [<000000009f8e8687>] process_one_work+0xb01/0x1af0 kernel/workqueue.c:2088 #2: (net_sem){++++}, at: [<000000001b69f476>] cleanup_net+0x23f/0xd20 net/core/net_namespace.c:494 #3: (net_mutex){+.+.}, at: [<00000000efd24e3e>] cleanup_net+0xa7d/0xd20 net/core/net_namespace.c:496 #4: (&(&srv->idr_lock)->rlock){+...}, at: [<00000000e3916b53>] spin_lock_bh include/linux/spinlock.h:315 [inline] #4: (&(&srv->idr_lock)->rlock){+...}, at: [<00000000e3916b53>] tipc_topsrv_stop+0x231/0x610 net/tipc/topsrv.c:685 CPU: 0 PID: 1645 Comm: kworker/u4:4 Not tainted 4.16.0-rc1+ #232 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net sctp: [Deprecated]: syz-executor4 (pid 5531) Use of int in maxseg socket option. Use struct sctp_assoc_value instead Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 netlink: 'syz-executor5': attribute type 3 has an invalid length. ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128 __might_sleep+0x95/0x190 kernel/sched/core.c:6081 lock_sock_nested+0x37/0x110 net/core/sock.c:2772 lock_sock include/net/sock.h:1463 [inline] tipc_release+0x103/0xff0 net/tipc/socket.c:572 netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 'syz-executor5': attribute type 3 has an invalid length. sock_release+0x8d/0x1e0 net/socket.c:594 netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. tipc_topsrv_stop+0x3c0/0x610 net/tipc/topsrv.c:696 tipc_exit_net+0x15/0x40 net/tipc/core.c:96 ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:148 cleanup_net+0x6ba/0xd20 net/core/net_namespace.c:529 process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113 worker_thread+0x223/0x1990 kernel/workqueue.c:2247 kthread+0x33c/0x400 kernel/kthread.c:238 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429 mip6: mip6_rthdr_init_state: spi is not 0: 3590586368 xt_CONNSECMARK: target only valid in the 'mangle' or 'security' tables, not 'broute'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor2'. xt_CONNSECMARK: target only valid in the 'mangle' or 'security' tables, not 'broute'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor2'. ====================================================== WARNING: possible circular locking dependency detected 4.16.0-rc1+ #232 Tainted: G W ------------------------------------------------------ syz-executor0/5690 is trying to acquire lock: (rtnl_mutex){+.+.}, at: [<000000009063ff32>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 but task is already holding lock: (&xt[i].mutex){+.+.}, at: [<00000000f0817a92>] xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1046 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&xt[i].mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1046 xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1093 get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:989 do_ip6t_get_ctl+0x159/0xaf0 net/ipv6/netfilter/ip6_tables.c:1710 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline] nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122 ipv6_getsockopt+0x1df/0x2e0 net/ipv6/ipv6_sockglue.c:1371 tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359 sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2938 SYSC_getsockopt net/socket.c:1881 [inline] SyS_getsockopt+0x178/0x340 net/socket.c:1863 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b -> #1 (sk_lock-AF_INET6){+.+.}: lock_sock_nested+0xc2/0x110 net/core/sock.c:2781 lock_sock include/net/sock.h:1463 [inline] do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167 ipv6_setsockopt+0xd7/0x130 net/ipv6/ipv6_sockglue.c:922 udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2979 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1829 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b -> #0 (rtnl_mutex){+.+.}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673 tee_tg_destroy+0x61/0xc0 net/netfilter/xt_TEE.c:123 cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:654 __do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1089 do_replace net/ipv4/netfilter/ip_tables.c:1145 [inline] do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1675 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1261 udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2401 ipv6_setsockopt+0xa0/0x130 net/ipv6/ipv6_sockglue.c:917 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2979 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1829 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b other info that might help us debug this: Chain exists of: rtnl_mutex --> sk_lock-AF_INET6 --> &xt[i].mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&xt[i].mutex); lock(sk_lock-AF_INET6); lock(&xt[i].mutex); lock(rtnl_mutex); *** DEADLOCK *** 1 lock held by syz-executor0/5690: #0: (&xt[i].mutex){+.+.}, at: [<00000000f0817a92>] xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1046 stack backtrace: CPU: 0 PID: 5690 Comm: syz-executor0 Tainted: G W 4.16.0-rc1+ #232 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223 check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1976 [inline] validate_chain kernel/locking/lockdep.c:2417 [inline] __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673 tee_tg_destroy+0x61/0xc0 net/netfilter/xt_TEE.c:123 cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:654 __do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1089 do_replace net/ipv4/netfilter/ip_tables.c:1145 [inline] do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1675 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1261 udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2401 ipv6_setsockopt+0xa0/0x130 net/ipv6/ipv6_sockglue.c:917 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2979 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1829 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x453da9 RSP: 002b:00007f8512f4ec68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007f8512f4f6d4 RCX: 0000000000453da9 RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000013 RBP: 000000000072bf58 R08: 0000000000000338 R09: 0000000000000000 R10: 0000000020000ca0 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004d6 R14: 00000000006f74b0 R15: 0000000000000001 netlink: 11 bytes leftover after parsing attributes in process `syz-executor1'. x_tables: ip_tables: recent.0 match: invalid size 216 (kernel) != (user) 232 netlink: 11 bytes leftover after parsing attributes in process `syz-executor1'. xt_CT: netfilter: NOTRACK target is deprecated, use CT instead or upgrade iptables syz-executor7 uses obsolete (PF_INET,SOCK_PACKET) netlink: 17 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 17 bytes leftover after parsing attributes in process `syz-executor7'. dst_release: dst:0000000057a5666e refcnt:-1 openvswitch: netlink: ufid size 20 bytes exceeds the range (1, 16) openvswitch: netlink: Flow set message rejected, Key attribute missing. openvswitch: netlink: ufid size 20 bytes exceeds the range (1, 16) openvswitch: netlink: Flow set message rejected, Key attribute missing. xt_l2tp: missing protocol rule (udp|l2tpip) xt_TCPMSS: Only works on TCP SYN packets xt_TCPMSS: Only works on TCP SYN packets netlink: 'syz-executor6': attribute type 1 has an invalid length. openvswitch: netlink: Flow actions attr not present in new flow. netlink: 'syz-executor6': attribute type 1 has an invalid length. xt_connbytes: Forcing CT accounting to be enabled xt_connbytes: Forcing CT accounting to be enabled kernel msg: ebtables bug: please report to author: Couldn't copy entries from userspace sctp: [Deprecated]: syz-executor6 (pid 6385) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead kernel msg: ebtables bug: please report to author: Couldn't copy entries from userspace IPv4: Oversized IP packet from 127.0.0.1 kauditd_printk_skb: 20 callbacks suppressed audit: type=1400 audit(1519116508.882:42): avc: denied { getopt } for pid=6607 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1 device syz5 entered promiscuous mode device syz5 left promiscuous mode SELinux: unrecognized netlink message: protocol=4 nlmsg_type=29 sclass=netlink_tcpdiag_socket pig=6672 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=29 sclass=netlink_tcpdiag_socket pig=6672 comm=syz-executor0 xt_connbytes: Forcing CT accounting to be enabled audit: type=1400 audit(1519116509.280:43): avc: denied { prog_run } for pid=6759 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 net_ratelimit: 5 callbacks suppressed IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 kernel msg: ebtables bug: please report to author: counter_offset != totalcnt kernel msg: ebtables bug: please report to author: counter_offset != totalcnt ip_tables: iptables: counters copy to user failed while replacing table ip_tables: iptables: counters copy to user failed while replacing table Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable x_tables: ip6_tables: rpfilter match: used from hooks PREROUTING/OUTPUT, but only valid from PREROUTING x_tables: ip6_tables: rpfilter match: used from hooks PREROUTING/OUTPUT, but only valid from PREROUTING xt_ecn: cannot match TCP bits in rule for non-tcp packets xt_ecn: cannot match TCP bits in rule for non-tcp packets xt_hashlimit: max count of 1 reached TCP: request_sock_TCPv6: Possible SYN flooding on port 20030. Sending cookies. Check SNMP counters. x_tables: ip6_tables: icmp6 match: only valid for protocol 58 audit: type=1400 audit(1519116510.486:44): avc: denied { setopt } for pid=7261 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 x_tables: ip6_tables: icmp6 match: only valid for protocol 58 netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'. device syz7 entered promiscuous mode xt_DSCP: dscp fc out of range xt_DSCP: dscp fc out of range netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'. device syz7 left promiscuous mode syz-executor4 (7359) used greatest stack depth: 14384 bytes left audit: type=1400 audit(1519116511.045:45): avc: denied { getattr } for pid=7508 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1 x_tables: eb_tables: cgroup match: used from hooks OUTPUT, but only valid from INPUT/OUTPUT/POSTROUTING audit: type=1400 audit(1519116511.273:46): avc: denied { bind } for pid=7602 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 xt_CT: No such helper "snmp" xt_CT: No such helper "snmp" xt_connbytes: Forcing CT accounting to be enabled audit: type=1400 audit(1519116511.726:47): avc: denied { connect } for pid=7825 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1519116511.798:48): avc: denied { map } for pid=7849 comm="syz-executor1" path="socket:[20228]" dev="sockfs" ino=20228 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=socket permissive=1 kernel msg: ebtables bug: please report to author: counter_offset != totalcnt netlink: 'syz-executor2': attribute type 3 has an invalid length. netlink: 'syz-executor2': attribute type 3 has an invalid length. TCP: request_sock_TCPv6: Possible SYN flooding on port 20026. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519116512.523:49): avc: denied { map } for pid=8186 comm="syz-executor1" path="socket:[21615]" dev="sockfs" ino=21615 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=tcp_socket permissive=1 RDS: rds_bind could not find a transport for 224.0.0.1, load rds_tcp or rds_rdma? RDS: rds_bind could not find a transport for 224.0.0.1, load rds_tcp or rds_rdma? netlink: 3404 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 3404 bytes leftover after parsing attributes in process `syz-executor5'. x_tables: ip6_tables: conntrack.1 match: invalid size 152 (kernel) != (user) 160 x_tables: ip6_tables: conntrack.1 match: invalid size 152 (kernel) != (user) 160 xt_nfacct: accounting object with name `syz0' does not exists TCP: request_sock_TCPv6: Possible SYN flooding on port 20030. Sending cookies. Check SNMP counters. xt_nfacct: accounting object with name `syz0' does not exists netlink: 'syz-executor4': attribute type 18 has an invalid length. netlink: 'syz-executor4': attribute type 18 has an invalid length. xt_connbytes: Forcing CT accounting to be enabled audit: type=1400 audit(1519116513.236:50): avc: denied { connect } for pid=8491 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 BUG: sleeping function called from invalid context at mm/slab.h:420 in_atomic(): 1, irqs_disabled(): 0, pid: 8606, name: syz-executor4 INFO: lockdep is turned off. CPU: 0 PID: 8606 Comm: syz-executor4 Tainted: G W 4.16.0-rc1+ #232 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128 __might_sleep+0x95/0x190 kernel/sched/core.c:6081 slab_pre_alloc_hook mm/slab.h:420 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc_trace+0x299/0x740 mm/slab.c:3605 kmalloc include/linux/slab.h:512 [inline] kzalloc include/linux/slab.h:701 [inline] rds_loop_conn_alloc+0xc8/0x380 net/rds/loop.c:126 __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227 rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309 rds_sendmsg+0xe63/0x2550 net/rds/send.c:1153 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xca/0x110 net/socket.c:639 SYSC_sendto+0x361/0x5c0 net/socket.c:1748 SyS_sendto+0x40/0x50 net/socket.c:1716 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x453da9 RSP: 002b:00007fcfdb1aec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fcfdb1af6d4 RCX: 0000000000453da9 RDX: 0000000000000001 RSI: 00000000203edfff RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000020dfcff0 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004b9 R14: 00000000006f71f8 R15: 0000000000000000 netlink: 'syz-executor2': attribute type 21 has an invalid length. ip_tunnel: non-ECT from 0.0.8.0 with TOS=0x1 netlink: 'syz-executor2': attribute type 21 has an invalid length. netlink: 'syz-executor4': attribute type 4 has an invalid length. netlink: 'syz-executor4': attribute type 4 has an invalid length. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=28033 sclass=netlink_route_socket pig=8846 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=28033 sclass=netlink_route_socket pig=8846 comm=syz-executor6 sctp: [Deprecated]: syz-executor3 (pid 8920) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead sctp: [Deprecated]: syz-executor3 (pid 8921) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead Protocol error: SET target dimension is over the limit! Protocol error: SET target dimension is over the limit!