===============================
[ INFO: suspicious RCU usage. ]
4.9.80-gb30d2b5 #28 Not tainted
-------------------------------
net/ipv6/ip6_fib.c:1471 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
3 locks held by syz-executor1/17380:
 #0: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 #1: (rcu_read_lock){......}, at: [] __fib6_clean_all+0x0/0x230 net/ipv6/ip6_fib.c:740
 #2: (&tb->tb6_lock){++--..}, at: [] __fib6_clean_all+0xe0/0x230 net/ipv6/ip6_fib.c:1717

stack backtrace:
CPU: 0 PID: 17380 Comm: syz-executor1 Not tainted 4.9.80-gb30d2b5 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801afd37338 ffffffff81d94b69 ffff8801bc074800 0000000000000000
 0000000000000002 ffffffff83f4be40 ffffed0035fa6eb7 ffff8801afd37368
 ffffffff81238389 ffff8801c4f201c0 ffff8801c4f201c0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] lockdep_rcu_suspicious+0x139/0x180 kernel/locking/lockdep.c:4455
 [] fib6_del+0x6ab/0xa30 net/ipv6/ip6_fib.c:1470
 [] fib6_clean_node+0x336/0x4a0 net/ipv6/ip6_fib.c:1657
 [] fib6_walk_continue+0x39b/0x620 net/ipv6/ip6_fib.c:1583
 [] fib6_walk+0xd9/0x150 net/ipv6/ip6_fib.c:1628
 [] fib6_clean_tree+0xe5/0x130 net/ipv6/ip6_fib.c:1702
 [] __fib6_clean_all+0xf9/0x230 net/ipv6/ip6_fib.c:1718
 [] fib6_clean_all+0x27/0x30 net/ipv6/ip6_fib.c:1729
 [] rt6_ifdown+0xa1/0x7f0 net/ipv6/route.c:2715
 [] addrconf_ifdown+0xd0/0x10f0 net/ipv6/addrconf.c:3566
 [] addrconf_notify+0x948/0x2230 net/ipv6/addrconf.c:3490
 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93
 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1647
 [] call_netdevice_notifiers net/core/dev.c:1663 [inline]
 [] __dev_notify_flags+0x197/0x270 net/core/dev.c:6500
 [] dev_change_flags+0xf5/0x140 net/core/dev.c:6531
 [] devinet_ioctl+0xe35/0x14b0 net/ipv4/devinet.c:1052
 [] inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:908
 [] packet_ioctl+0x15b/0x250 net/packet/af_packet.c:4077
 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892
 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
device syz1 entered promiscuous mode
devpts: called with bogus options
devpts: called with bogus options
binder: 17581:17584 ioctl 80404532 202ca000 returned -22
binder: 17581:17584 BC_CLEAR_DEATH_NOTIFICATION invalid ref 4
binder: 17581:17584 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 17581:17596 ioctl 400454d1 208b4fe4 returned -22
binder: 17581:17607 got transaction with invalid handle, 0
binder: 17581:17607 transaction failed 29201/-22, size 56-8 line 3219
binder: 17581:17607 ioctl 80404532 202ca000 returned -22
binder: 17581:17614 BC_CLEAR_DEATH_NOTIFICATION invalid ref 4
binder: 17581:17614 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 17581:17610 ioctl 400454d1 208b4fe4 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17581:17607 ioctl 40046207 0 returned -16
binder_alloc: 17581: binder_alloc_buf, no vma
binder: 17581:17610 transaction failed 29189/-3, size 56-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
TCP: request_sock_TCP: Possible SYN flooding on port 20014. Sending cookies. Check SNMP counters.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17706:17711 ioctl 40046207 0 returned -16
binder: 17706:17726 BC_FREE_BUFFER u0000000020007f72 no match
binder_alloc: binder_alloc_mmap_handler: 17706 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17706:17726 ioctl 40046207 0 returned -16
binder_alloc: 17706: binder_alloc_buf, no vma
binder: 17706:17732 transaction failed 29189/-3, size 40-8 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17706:17726 ioctl 40046207 0 returned -16
binder: release 17706:17711 transaction 133 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 133, target dead
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 17818:17819 got transaction with invalid offsets ptr
binder: 17818:17819 transaction failed 29201/-14, size 0-10 line 3155
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 17818: binder_alloc_buf, no vma
binder: 17818:17822 transaction failed 29189/-3, size 0-10 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
audit_printk_skb: 2128 callbacks suppressed
audit: type=1400 audit(1517911094.220:12535): avc: denied { net_admin } for pid=3913 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911094.230:12536): avc: denied { net_admin } for pid=3904 comm="syz-executor4" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911094.240:12537): avc: denied { net_admin } for pid=5295 comm="syz-executor7" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911094.250:12538): avc: denied { net_admin } for pid=3902 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911094.260:12539): avc: denied { sys_admin } for pid=17830 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911094.270:12541): avc: denied { net_raw } for pid=17884 comm="syz-executor7" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911094.270:12540): avc: denied { dac_override } for pid=17890 comm="syz-executor3" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911094.290:12542): avc: denied { net_admin } for pid=17890 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911094.300:12543): avc: denied { net_admin } for pid=11991 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911094.300:12544): avc: denied { net_admin } for pid=3886 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
dummy0: renamed from gre0
netlink: 80 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 80 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 18294:18313 ioctl 8933 2056f000 returned -22
binder: 18294:18316 ioctl 8933 2056f000 returned -22
PF_BRIDGE: RTM_SETLINK with unknown ifindex
PF_BRIDGE: RTM_SETLINK with unknown ifindex
SELinux: unknown mount option
SELinux: ebitmap: truncated map
SELinux: ebitmap: truncated map
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device syz5 entered promiscuous mode
device syz7 entered promiscuous mode
IPVS: length: 24 != 8
IPVS: length: 24 != 8
Option 'f_ÂÝL»Ù' to dns_resolver key: bad/missing value
Option 'f_ÂÝL»Ù' to dns_resolver key: bad/missing value
device eql entered promiscuous mode
IPVS: Creating netns size=2536 id=21
device gre0 entered promiscuous mode
binder: release 18913:18922 transaction 143 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 18913:18931 ERROR: BC_REGISTER_LOOPER called without request
program syz-executor6 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor6 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
binder_alloc: binder_alloc_mmap_handler: 18913 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 18913:18944 ioctl 40046207 0 returned -16
binder_alloc: 18913: binder_alloc_buf, no vma
binder: 18913:18931 transaction failed 29189/-3, size 0-0 line 3127
binder: release 18913:18931 transaction 143 in, still active
binder: send failed reply for transaction 143, target dead
IPv4: Oversized IP packet from 127.0.0.1
binder: 18993:18998 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 18993: binder_alloc_buf, no vma
binder: 18993:19006 transaction failed 29189/-3, size 0-0 line 3127
binder: 18993:19011 got reply transaction with no transaction stack
binder: 18993:19011 transaction failed 29201/-71, size 24-8 line 2920
binder: undelivered TRANSACTION_ERROR: 29189
binder: 18993:19006 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 18993:19011 ioctl 40046207 0 returned -16
binder: 18993:19006 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 18993: binder_alloc_buf, no vma
binder: 18993:19011 transaction failed 29189/-3, size 0-0 line 3127
binder: 18993:19006 got reply transaction with no transaction stack
binder: undelivered TRANSACTION_ERROR: 29189
binder: 18993:19006 transaction failed 29201/-71, size 24-8 line 2920
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
audit_printk_skb: 2799 callbacks suppressed
audit: type=1400 audit(1517911099.230:13478): avc: denied { net_admin } for pid=19070 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911099.240:13479): avc: denied { net_admin } for pid=3902 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911099.240:13480): avc: denied { net_admin } for pid=3902 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911099.240:13481): avc: denied { net_admin } for pid=3902 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911099.240:13482): avc: denied { net_admin } for pid=19073 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911099.250:13483): avc: denied { set_context_mgr } for pid=19078 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 19078:19081 BC_INCREFS_DONE node 150 has no pending increfs request
audit: type=1400 audit(1517911099.260:13484): avc: denied { sys_admin } for pid=19077 comm="syz-executor5" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19078:19087 ioctl 40046207 0 returned -16
audit: type=1400 audit(1517911099.260:13485): avc: denied { net_admin } for pid=19073 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
device gre0 entered promiscuous mode
binder: 19078:19087 BC_INCREFS_DONE u0000000000000000 no match
audit: type=1400 audit(1517911099.260:13486): avc: denied { net_admin } for pid=19070 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1517911099.270:13487): avc: denied { net_admin } for pid=5295 comm="syz-executor7" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
mip6: mip6_rthdr_init_state: spi is not 0: 3607363584
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.