=============================== [ INFO: suspicious RCU usage. ] 4.4.174+ #4 Not tainted ------------------------------- net/ipv6/ip6_fib.c:1465 suspicious rcu_dereference_protected() usage! audit: type=1400 audit(1554684305.259:39): avc: denied { getopt } for pid=4585 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1554684305.259:40): avc: denied { write } for pid=4585 comm="syz-executor.5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 netlink: 5 bytes leftover after parsing attributes in process `syz-executor.5'. other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 0 6 locks held by syz-executor.4/4547: #0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock_nested fs/pipe.c:65 [inline] #0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock fs/pipe.c:73 [inline] #0: (&pipe->mutex/1){+.+.+.}, at: [] pipe_wait+0x1b8/0x1e0 fs/pipe.c:121 #1: (&mm->mmap_sem){++++++}, at: [] __do_page_fault+0x1d1/0x7f0 arch/x86/mm/fault.c:1182 #2: (((&net->ipv6.ip6_fib_timer))){+.-...}, at: [] lockdep_copy_map include/linux/lockdep.h:165 [inline] #2: (((&net->ipv6.ip6_fib_timer))){+.-...}, at: [] call_timer_fn+0xde/0x850 kernel/time/timer.c:1175 #3: (fib6_gc_lock){+.-...}, at: [] spin_lock_bh include/linux/spinlock.h:307 [inline] #3: (fib6_gc_lock){+.-...}, at: [] fib6_run_gc+0x3a/0x230 net/ipv6/ip6_fib.c:1811 #4: (rcu_read_lock){......}, at: [] __fib6_clean_all+0x0/0x240 net/ipv6/ip6_fib.c:1698 #5: (&tb->tb6_lock){++--..}, at: [] __fib6_clean_all+0xe8/0x240 net/ipv6/ip6_fib.c:1712 stack backtrace: CPU: 1 PID: 4547 Comm: syz-executor.4 Not tainted 4.4.174+ #4 0000000000000000 fbc613343e7625a1 ffff8801db707940 ffffffff81aad1a1 ffff8800b923ec40 0000000000000000 0000000000000001 00000000000005b9 ffff8801d2278000 ffff8801db707970 ffffffff813ab7d6 ffff8801db707b90 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] lockdep_rcu_suspicious.cold+0x10a/0x149 kernel/locking/lockdep.c:4305 [] fib6_del+0x7ea/0xae0 net/ipv6/ip6_fib.c:1465 [] fib6_clean_node+0x29c/0x500 net/ipv6/ip6_fib.c:1652 [] fib6_walk_continue+0x3e0/0x630 net/ipv6/ip6_fib.c:1578 [] fib6_walk+0x91/0xe0 net/ipv6/ip6_fib.c:1623 [] fib6_clean_tree+0xe8/0x120 net/ipv6/ip6_fib.c:1697 [] __fib6_clean_all+0x100/0x240 net/ipv6/ip6_fib.c:1713 [] fib6_clean_all net/ipv6/ip6_fib.c:1724 [inline] [] fib6_run_gc+0xaf/0x230 net/ipv6/ip6_fib.c:1821 [] fib6_gc_timer_cb+0x1d/0x30 net/ipv6/ip6_fib.c:1836 [] call_timer_fn+0x18d/0x850 kernel/time/timer.c:1185 [] __run_timers kernel/time/timer.c:1261 [inline] [] run_timer_softirq+0x51f/0xb70 kernel/time/timer.c:1444 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:926 [] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:768 [] ? __read_once_size include/linux/compiler.h:218 [inline] [] ? atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] ? static_key_count include/linux/jump_label.h:172 [inline] [] ? static_key_false include/linux/jump_label.h:182 [inline] [] ? trace_mm_page_alloc include/trace/events/kmem.h:217 [inline] [] ? __alloc_pages_nodemask+0x2ad/0x14b0 mm/page_alloc.c:3319 [] __alloc_pages include/linux/gfp.h:415 [inline] [] __alloc_pages_node include/linux/gfp.h:428 [inline] [] alloc_pages_node include/linux/gfp.h:442 [inline] [] alloc_zeroed_user_highpage_movable include/linux/highmem.h:183 [inline] [] wp_page_copy.isra.0+0x812/0xc70 mm/memory.c:2163 [] do_wp_page+0x23a/0x1340 mm/memory.c:2441 [] handle_pte_fault mm/memory.c:3362 [inline] [] __handle_mm_fault mm/memory.c:3474 [inline] [] handle_mm_fault+0x1614/0x3140 mm/memory.c:3503 [] __do_page_fault+0x28e/0x7f0 arch/x86/mm/fault.c:1243 [] do_page_fault+0x28/0x30 arch/x86/mm/fault.c:1306 [] page_fault+0x25/0x30 arch/x86/entry/entry_64.S:1064 [] pipe_to_user+0xb0/0x160 fs/splice.c:1545 [] splice_from_pipe_feed fs/splice.c:776 [inline] [] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901 [] vmsplice_to_user+0x1bd/0x1e0 fs/splice.c:1580 [] SYSC_vmsplice fs/splice.c:1661 [inline] [] SyS_vmsplice+0x114/0x140 fs/splice.c:1644 [] entry_SYSCALL_64_fastpath+0x1e/0x9a netlink: 5 bytes leftover after parsing attributes in process `syz-executor.5'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=26159 sclass=netlink_route_socket SELinux: unrecognized netlink message: protocol=0 nlmsg_type=26159 sclass=netlink_route_socket