bisecting cause commit starting from fd786fb1d2cad70b9aaba8c73872cbf63262bd58
building syzkaller on 3334d684ce742ce58ad66b7dcb7a6d4da5185796
testing commit fd786fb1d2cad70b9aaba8c73872cbf63262bd58 with gcc (GCC) 8.1.0
kernel signature: 9a04560d63a42c7ef60b0c8524706e01a689993ac56319e3ddeae2f1471df341
run #0: crashed: WARNING: refcount bug in sk_alloc
run #1: crashed: WARNING: refcount bug in sk_alloc
run #2: crashed: WARNING: refcount bug in sk_alloc
run #3: crashed: WARNING: refcount bug in sk_alloc
run #4: crashed: WARNING: refcount bug in sk_alloc
run #5: crashed: WARNING: refcount bug in __sk_destruct
run #6: crashed: WARNING: refcount bug in sk_alloc
run #7: crashed: WARNING: refcount bug in sk_alloc
run #8: crashed: WARNING: refcount bug in sk_alloc
run #9: crashed: WARNING: refcount bug in sk_alloc
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 1e80f4f1c69a230b4ec3c4cabac34b3aeddb890972e7e483a3135f8e5b170e02
run #0: crashed: BUG: corrupted list in cleanup_net
run #1: crashed: WARNING in refcount_error_report
run #2: crashed: WARNING in refcount_error_report
run #3: crashed: WARNING in refcount_error_report
run #4: crashed: WARNING in refcount_error_report
run #5: crashed: WARNING in refcount_error_report
run #6: crashed: WARNING in refcount_error_report
run #7: crashed: WARNING in refcount_error_report
run #8: crashed: WARNING in refcount_error_report
run #9: crashed: WARNING in refcount_error_report
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 09f3c442eb720aa0139346d20c32e71e98035321b1512ad2734b7807c372965a
run #0: crashed: WARNING in refcount_error_report
run #1: crashed: WARNING in refcount_error_report
run #2: crashed: WARNING in refcount_error_report
run #3: crashed: BUG: corrupted list in cleanup_net
run #4: crashed: WARNING in refcount_error_report
run #5: crashed: WARNING in refcount_error_report
run #6: crashed: WARNING in refcount_error_report
run #7: crashed: BUG: corrupted list in cleanup_net
run #8: crashed: BUG: corrupted list in cleanup_net
run #9: crashed: KASAN: use-after-free Read in cleanup_net
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 29d88f3fbe01e5e2110ba9d13597347cd6ea4a5ae98951236b5be0dd9e008fd5
run #0: crashed: WARNING in refcount_error_report
run #1: crashed: BUG: corrupted list in cleanup_net
run #2: crashed: WARNING in refcount_error_report
run #3: crashed: BUG: corrupted list in cleanup_net
run #4: crashed: BUG: corrupted list in cleanup_net
run #5: crashed: KASAN: use-after-free Read in cleanup_net
run #6: crashed: BUG: corrupted list in cleanup_net
run #7: crashed: KASAN: use-after-free Read in cleanup_net
run #8: crashed: BUG: corrupted list in cleanup_net
run #9: crashed: KASAN: use-after-free Read in cleanup_net
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: f229c1490611649329d9cd20d5e1ec679f2e62fa37ebac636d714001a3907d44
run #0: crashed: BUG: corrupted list in cleanup_net
run #1: crashed: WARNING in refcount_error_report
run #2: crashed: BUG: corrupted list in cleanup_net
run #3: crashed: WARNING in refcount_error_report
run #4: crashed: WARNING in refcount_error_report
run #5: crashed: WARNING in refcount_error_report
run #6: crashed: WARNING in refcount_error_report
run #7: crashed: WARNING in refcount_error_report
run #8: crashed: WARNING in refcount_error_report
run #9: crashed: KASAN: use-after-free Read in cleanup_net
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 56114c075a12736ae9fd5e4c3e61c2225c08530f7d848897ad5fa1db1b619cdc
all runs: OK
# git bisect start e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd 1c163f4c7b3f621efff9b28a47abb36f7378d783
Bisecting: 7074 revisions left to test after this (roughly 13 steps)
[b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew)
testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.1.0
kernel signature: 22b9f3ed7c894997878de1fd91af8c2f0ddad44f4d4286c18ec88694d8cc2de1
run #0: crashed: WARNING in corrupted
run #1: crashed: WARNING in corrupted
run #2: crashed: WARNING in ex_handler_refcount
run #3: crashed: WARNING in ex_handler_refcount
run #4: crashed: WARNING in refcount_error_report
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in refcount_error_report
run #7: crashed: WARNING in ex_handler_refcount
run #8: crashed: BUG: corrupted list in corrupted
run #9: crashed: BUG: corrupted list in cleanup_net
# git bisect bad b5dd0c658c31b469ccff1b637e5124851e7a4a1c
Bisecting: 3569 revisions left to test after this (roughly 12 steps)
[3478588b5136966c80c571cf0006f08e9e5b8f04] Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 3478588b5136966c80c571cf0006f08e9e5b8f04 with gcc (GCC) 8.1.0
kernel signature: b9ec04803c4230710f3350b4efa35f9520237eee7e2e802b39b93d13c4fddd29
run #0: crashed: WARNING in corrupted
run #1: crashed: WARNING in corrupted
run #2: crashed: WARNING in corrupted
run #3: crashed: WARNING in corrupted
run #4: crashed: KASAN: use-after-free Read in cleanup_net
run #5: crashed: BUG: corrupted list in cleanup_net
run #6: crashed: KASAN: use-after-free Read in cleanup_net
run #7: crashed: KASAN: use-after-free Read in cleanup_net
run #8: crashed: BUG: corrupted list in cleanup_net
run #9: crashed: KASAN: use-after-free Read in cleanup_net
# git bisect bad 3478588b5136966c80c571cf0006f08e9e5b8f04
Bisecting: 1673 revisions left to test after this (roughly 11 steps)
[1a2566085650be593d464c4d73ac2d20ff67c058] Merge tag 'wireless-drivers-next-for-davem-2019-02-22' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit 1a2566085650be593d464c4d73ac2d20ff67c058 with gcc (GCC) 8.1.0
kernel signature: d6f00ed02b08a1bcf117cc21fa683a0f34198041af773bf66250ee24e20499d1
all runs: OK
# git bisect good 1a2566085650be593d464c4d73ac2d20ff67c058
Bisecting: 1091 revisions left to test after this (roughly 10 steps)
[18a4d8bf250a33c015955f0dec27259780ef6448] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 18a4d8bf250a33c015955f0dec27259780ef6448 with gcc (GCC) 8.1.0
kernel signature: 111cebd886a14721006723a944d5fa9a7d290511f88077f0e08f23fc1540ff9f
run #0: crashed: WARNING in ex_handler_refcount
run #1: crashed: WARNING in ex_handler_refcount
run #2: crashed: WARNING in refcount_error_report
run #3: crashed: WARNING in corrupted
run #4: crashed: WARNING in corrupted
run #5: crashed: WARNING in refcount_error_report
run #6: crashed: KASAN: use-after-free Read in cleanup_net
run #7: crashed: KASAN: use-after-free Read in cleanup_net
run #8: crashed: BUG: corrupted list in cleanup_net
run #9: crashed: BUG: corrupted list in cleanup_net
# git bisect bad 18a4d8bf250a33c015955f0dec27259780ef6448
Bisecting: 290 revisions left to test after this (roughly 8 steps)
[844f01da9301a71fbed1e768837f4a1a6aa60529] mlxsw: spectrum_acl: Put vchunk migrate start/end code into separate functions
testing commit 844f01da9301a71fbed1e768837f4a1a6aa60529 with gcc (GCC) 8.1.0
kernel signature: 61e93b12b5c0a95818ed4d76410c45eb9401082581b3cd93aa4a53eb7cb635bc
run #0: crashed: BUG: corrupted list in corrupted
run #1: crashed: WARNING in refcount_error_report
run #2: crashed: WARNING in corrupted
run #3: crashed: WARNING in refcount_error_report
run #4: crashed: WARNING in corrupted
run #5: crashed: WARNING in refcount_error_report
run #6: crashed: BUG: corrupted list in corrupted
run #7: crashed: BUG: corrupted list in cleanup_net
run #8: crashed: KASAN: use-after-free Read in cleanup_net
run #9: crashed: BUG: corrupted list in cleanup_net
# git bisect bad 844f01da9301a71fbed1e768837f4a1a6aa60529
Bisecting: 137 revisions left to test after this (roughly 7 steps)
[e8b47b53a172e74dd9907eb7810f02a1d09fb29b] Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
testing commit e8b47b53a172e74dd9907eb7810f02a1d09fb29b with gcc (GCC) 8.1.0
kernel signature: 85b36a576e093c397da8b72bda3a9f337c57542e47c49dea9bd1d595bde35a1f
run #0: crashed: WARNING in ex_handler_refcount
run #1: crashed: WARNING in refcount_error_report
run #2: crashed: WARNING in refcount_error_report
run #3: crashed: WARNING in refcount_error_report
run #4: crashed: WARNING in ex_handler_refcount
run #5: crashed: WARNING in ex_handler_refcount
run #6: crashed: WARNING in corrupted
run #7: crashed: KASAN: use-after-free Read in cleanup_net
run #8: crashed: WARNING in corrupted
run #9: crashed: KASAN: use-after-free Read in cleanup_net
# git bisect bad e8b47b53a172e74dd9907eb7810f02a1d09fb29b
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[6ca5081526228571a70ef0160fd44da3fe661ccb] net: dsa: microchip: remove unnecessary include headers
testing commit 6ca5081526228571a70ef0160fd44da3fe661ccb with gcc (GCC) 8.1.0
kernel signature: ad4bcbb37fd740bfcdfbd4fe51be277fb3e1dbd84c43998a1a85a8dc301b4d64
run #0: crashed: BUG: corrupted list in corrupted
run #1: crashed: WARNING in corrupted
run #2: crashed: WARNING in corrupted
run #3: crashed: WARNING in corrupted
run #4: crashed: WARNING in corrupted
run #5: crashed: WARNING in ex_handler_refcount
run #6: crashed: WARNING in ex_handler_refcount
run #7: crashed: BUG: corrupted list in cleanup_net
run #8: crashed: KASAN: use-after-free Read in cleanup_net
run #9: crashed: KASAN: use-after-free Read in cleanup_net
# git bisect bad 6ca5081526228571a70ef0160fd44da3fe661ccb
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[515d846773b05972b621675bbb344b9f80d47f26] Merge branch 'net-phy-aquantia-improve-and-extend-driver'
testing commit 515d846773b05972b621675bbb344b9f80d47f26 with gcc (GCC) 8.1.0
kernel signature: cb8680635896af29af67f2ad89bdeb8abe5b83f482bb3df0a20b7ec66a37036b
run #0: crashed: BUG: corrupted list in corrupted
run #1: crashed: WARNING in corrupted
run #2: crashed: WARNING in refcount_error_report
run #3: crashed: WARNING in refcount_error_report
run #4: crashed: WARNING in refcount_error_report
run #5: crashed: BUG: corrupted list in cleanup_net
run #6: crashed: BUG: corrupted list in cleanup_net
run #7: crashed: BUG: corrupted list in cleanup_net
run #8: crashed: BUG: corrupted list in cleanup_net
run #9: crashed: BUG: corrupted list in cleanup_net
# git bisect bad 515d846773b05972b621675bbb344b9f80d47f26
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[9ce8439718b6dfef2509dc72ec841740b14cc6d5] mlxsw: reg: Add new port type-speed fields for PTYS register
testing commit 9ce8439718b6dfef2509dc72ec841740b14cc6d5 with gcc (GCC) 8.1.0
kernel signature: 5dc76e32186d19fd2d1f3539f4aa40706e6e7fb4c9b32807b8203ca79bd3ee63
run #0: crashed: WARNING in corrupted
run #1: crashed: BUG: corrupted list in cleanup_net
run #2: crashed: WARNING in corrupted
run #3: crashed: WARNING in ex_handler_refcount
run #4: crashed: WARNING in ex_handler_refcount
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in ex_handler_refcount
run #7: crashed: WARNING in refcount_error_report
run #8: crashed: BUG: corrupted list in cleanup_net
run #9: crashed: KASAN: use-after-free Read in corrupted
# git bisect bad 9ce8439718b6dfef2509dc72ec841740b14cc6d5
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[923b55cf5078f2fe2f11d1b3a9b3d5ecf07a5efc] Merge branch 'net-Wformat-fixes'
testing commit 923b55cf5078f2fe2f11d1b3a9b3d5ecf07a5efc with gcc (GCC) 8.1.0
kernel signature: d8d9f0187807cda2286351dbee19dfe5e9106783df0c919f0bf564d1191996ed
run #0: crashed: WARNING in ex_handler_refcount
run #1: crashed: WARNING in ex_handler_refcount
run #2: crashed: WARNING in ex_handler_refcount
run #3: crashed: WARNING in refcount_error_report
run #4: crashed: WARNING in ex_handler_refcount
run #5: crashed: WARNING in ex_handler_refcount
run #6: crashed: WARNING in ex_handler_refcount
run #7: crashed: KASAN: use-after-free Read in cleanup_net
run #8: crashed: BUG: corrupted list in cleanup_net
run #9: crashed: BUG: corrupted list in cleanup_net
# git bisect bad 923b55cf5078f2fe2f11d1b3a9b3d5ecf07a5efc
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[dccd3ab55ead650dda0eed652727a9a9d541b0b8] bpfilter: re-add header search paths to tools include to fix build error
testing commit dccd3ab55ead650dda0eed652727a9a9d541b0b8 with gcc (GCC) 8.1.0
kernel signature: b857d14a622c6150a4d95285fbd2cc99fb6b3a764e2611b2bb465d20ee82062f
run #0: crashed: WARNING in corrupted
run #1: crashed: WARNING in corrupted
run #2: crashed: WARNING in corrupted
run #3: crashed: WARNING in ex_handler_refcount
run #4: crashed: WARNING in corrupted
run #5: crashed: WARNING in corrupted
run #6: crashed: BUG: corrupted list in cleanup_net
run #7: crashed: KASAN: use-after-free Read in cleanup_net
run #8: crashed: KASAN: use-after-free Read in cleanup_net
run #9: crashed: KASAN: use-after-free Read in cleanup_net
# git bisect bad dccd3ab55ead650dda0eed652727a9a9d541b0b8
Bisecting: 2 revisions left to test after this (roughly 1 step)
[43f2ebd5571653f5a02c178d6d73ab642e8a0cad] net: phy: at803x: don't inline helpers
testing commit 43f2ebd5571653f5a02c178d6d73ab642e8a0cad with gcc (GCC) 8.1.0
kernel signature: b7f591b1e3fa6c50e0c0b183a0c8fc5a4fe98fb28ae32d563f3dc412d0d2a392
run #0: crashed: BUG: corrupted list in corrupted
run #1: crashed: BUG: corrupted list in corrupted
run #2: crashed: WARNING in ex_handler_refcount
run #3: crashed: WARNING in corrupted
run #4: crashed: WARNING in corrupted
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in refcount_error_report
run #7: crashed: WARNING in corrupted
run #8: crashed: KASAN: use-after-free Read in cleanup_net
run #9: crashed: BUG: corrupted list in cleanup_net
# git bisect bad 43f2ebd5571653f5a02c178d6d73ab642e8a0cad
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[14215108a1fd7e002c0a1f9faf8fbaf41fdda50d] net_sched: initialize net pointer inside tcf_exts_init()
testing commit 14215108a1fd7e002c0a1f9faf8fbaf41fdda50d with gcc (GCC) 8.1.0
kernel signature: bbf67ef1b2d844e698bc7fca98fe0a120c4f6e91f5ce31731a29b7a15ccf9a4d
run #0: crashed: WARNING in ex_handler_refcount
run #1: crashed: WARNING in refcount_error_report
run #2: crashed: WARNING in corrupted
run #3: crashed: WARNING in corrupted
run #4: crashed: WARNING in refcount_error_report
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in ex_handler_refcount
run #7: crashed: WARNING in refcount_error_report
run #8: crashed: WARNING in corrupted
run #9: crashed: WARNING in ex_handler_refcount
# git bisect bad 14215108a1fd7e002c0a1f9faf8fbaf41fdda50d
14215108a1fd7e002c0a1f9faf8fbaf41fdda50d is the first bad commit
commit 14215108a1fd7e002c0a1f9faf8fbaf41fdda50d
Author: Cong Wang
Date: Wed Feb 20 21:37:42 2019 -0800

    net_sched: initialize net pointer inside tcf_exts_init()

    For tcindex filter, it is too late to initialize the net pointer in tcf_exts_validate(), as tcf_exts_get_net() requires a non-NULL net pointer. We can just move its initialization into tcf_exts_init(), which just requires an additional parameter. This makes the code in tcindex_alloc_perfect_hash() prettier.

    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

 include/net/pkt_cls.h | 5 +++--
 net/sched/cls_api.c | 1 -
 net/sched/cls_basic.c | 2 +-
 net/sched/cls_bpf.c | 2 +-
 net/sched/cls_cgroup.c | 2 +-
 net/sched/cls_flow.c | 2 +-
 net/sched/cls_flower.c | 2 +-
 net/sched/cls_fw.c | 5 +++--
 net/sched/cls_matchall.c | 2 +-
 net/sched/cls_route.c | 2 +-
 net/sched/cls_rsvp.h | 7 ++++---
 net/sched/cls_tcindex.c | 19 +++++++++----------
 net/sched/cls_u32.c | 8 ++++----
 13 files changed, 30 insertions(+), 29 deletions(-)

culprit signature: bbf67ef1b2d844e698bc7fca98fe0a120c4f6e91f5ce31731a29b7a15ccf9a4d
parent signature: d6f00ed02b08a1bcf117cc21fa683a0f34198041af773bf66250ee24e20499d1
revisions tested: 19, total time: 3h27m36.978949229s (build: 1h54m24.910601201s, test: 1h31m44.716806526s)
first bad commit: 14215108a1fd7e002c0a1f9faf8fbaf41fdda50d net_sched: initialize net pointer inside tcf_exts_init()
cc: ["ast@kernel.org" "bpf@vger.kernel.org" "daniel@iogearbox.net" "davem@davemloft.net" "jhs@mojatatu.com" "jiri@resnulli.us" "kafai@fb.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "songliubraving@fb.com" "xiyou.wangcong@gmail.com" "yhs@fb.com"]
crash: WARNING in ex_handler_refcount
should_failslab+0x9/0x14 mm/slab_common.c:1603
slab_pre_alloc_hook mm/slab.h:423 [inline]
slab_alloc_node mm/slab.c:3288 [inline]
kmem_cache_alloc_node+0x270/0x730 mm/slab.c:3631
refcount_t overflow at refcount_add_not_zero arch/x86/include/asm/refcount.h:96 [inline] in syz-executor.1[7787], uid/euid: 0/0
refcount_t overflow at refcount_inc_not_zero arch/x86/include/asm/refcount.h:109 [inline] in syz-executor.1[7787], uid/euid: 0/0
refcount_t overflow at maybe_get_net include/net/net_namespace.h:235 [inline] in syz-executor.1[7787], uid/euid: 0/0
refcount_t overflow at tcf_exts_get_net include/net/pkt_cls.h:316 [inline] in syz-executor.1[7787], uid/euid: 0/0
refcount_t overflow at u32_change+0x148f/0x31b8 net/sched/cls_u32.c:937 in syz-executor.1[7787], uid/euid: 0/0
__alloc_skb+0xa7/0x570 net/core/skbuff.c:196
alloc_skb include/linux/skbuff.h:1011 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
netlink_sendmsg+0x810/0xc40 net/netlink/af_netlink.c:1900
WARNING: CPU: 0 PID: 7787 at kernel/panic.c:683 refcount_error_report+0x1a4/0x202 kernel/panic.c:679
Kernel panic - not syncing: panic_on_warn set ...
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xb5/0xf0 net/socket.c:631
___sys_sendmsg+0x28e/0x950 net/socket.c:2136
__sys_sendmmsg+0x160/0x380 net/socket.c:2231
__do_sys_sendmmsg net/socket.c:2260 [inline]
__se_sys_sendmmsg net/socket.c:2257 [inline]
__x64_sys_sendmmsg+0x98/0x100 net/socket.c:2257
do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1e86d15c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f1e86d166d4 RCX: 000000000045b349
RDX: 049249249249278c RSI: 0000000020000140 RDI: 0000000000000008
RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00000000000008a8 R14: 00000000004ca02a R15: 0000000000000009
CPU: 0 PID: 7787 Comm: syz-executor.1 Not tainted 5.0.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x113/0x167 lib/dump_stack.c:113
panic+0x212/0x40b kernel/panic.c:214
__warn.cold.8+0x1b/0x38 kernel/panic.c:571
report_bug+0x1a4/0x200 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:refcount_error_report+0x1a4/0x202 kernel/panic.c:679
Code: 25 40 ee 01 00 48 81 c1 a8 06 00 00 80 3c 02 00 75 57 48 8b 93 80 00 00 00 41 55 4c 89 e6 48 c7 c7 00 96 48 87 e8 6f 00 00 00 <0f> 0b 58 e9 80 fe ff ff 44 89 4d dc e8 fb 2f 59 00 44 8b 4d dc eb
RSP: 0018:ffff88808d136f38 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88808d1370b8 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff8787d2a0 RDI: ffffffff8a379ea0
RBP: ffff88808d136f70 R08: ffffed1015d05021 R09: ffffed1015d05020
R10: ffffed1015d05020 R11: ffff8880ae828107 R12: ffffffff87478080
R13: 0000000000000000 R14: ffff8880894dc5c0 R15: 0000000000000000
ex_handler_refcount+0x10e/0x180 arch/x86/mm/extable.c:85
fixup_exception+0x90/0xcf arch/x86/mm/extable.c:283
do_trap_no_signal arch/x86/kernel/traps.c:206 [inline]
do_trap+0x6a/0x250 arch/x86/kernel/traps.c:250
do_error_trap+0xd6/0x200 arch/x86/kernel/traps.c:277
do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:refcount_add_not_zero arch/x86/include/asm/refcount.h:104 [inline]
RIP: 0010:refcount_inc_not_zero arch/x86/include/asm/refcount.h:109 [inline]
RIP: 0010:maybe_get_net include/net/net_namespace.h:235 [inline]
RIP: 0010:tcf_exts_get_net include/net/pkt_cls.h:316 [inline]
RIP: 0010:u32_change+0x148f/0x31b8 net/sched/cls_u32.c:937
Code: 1f 3d ff ff ff 7f 40 0f 94 c7 40 08 f7 75 09 41 39 c4 0f 8d 40 ff ff ff 4c 8b a5 80 fe ff ff 45 89 f0 4d 89 fe e9 91 95 51 01 75 ff ff ff 4c 8b ad 40 ff ff ff 4d 85 ed 0f 84 b8 0a 00 00 49
RSP: 0018:ffff88808d137160 EFLAGS: 00010a12
RAX: 00000000c0000000 RBX: 1ffff11011a26e3b RCX: ffff88808ea24184
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88808ea24184
RBP: ffff88808d137348 R08: 0000000000000000 R09: ffffed1011d44830
R10: ffffed1011d44830 R11: ffff88808ea24187 R12: ffff88808ea24180
R13: ffff888099172300 R14: ffff88808ea24184 R15: 00000000c0000001
tc_new_tfilter+0xcb4/0x1a90 net/sched/cls_api.c:2148
rtnetlink_rcv_msg+0x636/0x8f0 net/core/rtnetlink.c:5183
netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2485
rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5210
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0x43d/0x640 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x765/0xc40 net/netlink/af_netlink.c:1925
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xb5/0xf0 net/socket.c:631
___sys_sendmsg+0x28e/0x950 net/socket.c:2136
__sys_sendmmsg+0x160/0x380 net/socket.c:2231
__do_sys_sendmmsg net/socket.c:2260 [inline]
__se_sys_sendmmsg net/socket.c:2257 [inline]
__x64_sys_sendmmsg+0x98/0x100 net/socket.c:2257
do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd10ce71c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fd10ce726d4 RCX: 000000000045b349
RDX: 049249249249278c RSI: 0000000020000140 RDI: 0000000000000008
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00000000000008a8 R14: 00000000004ca02a R15: 0000000000000009
CPU: 1 PID: 7803 Comm: syz-executor.4 Not tainted 5.0.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x113/0x167 lib/dump_stack.c:113
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold.4+0x5/0x13 lib/fault-inject.c:149
__should_failslab+0xba/0xf0 mm/failslab.c:32
should_failslab+0x9/0x14 mm/slab_common.c:1603
slab_pre_alloc_hook mm/slab.h:423 [inline]
slab_alloc_node mm/slab.c:3288 [inline]
kmem_cache_alloc_node+0x270/0x730 mm/slab.c:3631
__alloc_skb+0xa7/0x570 net/core/skbuff.c:196
alloc_skb include/linux/skbuff.h:1011 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
netlink_sendmsg+0x810/0xc40 net/netlink/af_netlink.c:1900
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xb5/0xf0 net/socket.c:631
___sys_sendmsg+0x28e/0x950 net/socket.c:2136
__sys_sendmmsg+0x160/0x380 net/socket.c:2231
__do_sys_sendmmsg net/socket.c:2260 [inline]
__se_sys_sendmmsg net/socket.c:2257 [inline]
__x64_sys_sendmmsg+0x98/0x100 net/socket.c:2257
do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4c63bcbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f4c63bcc6d4 RCX: 000000000045b349
RDX: 049249249249278c RSI: 0000000020000140 RDI: 0000000000000007
RBP: 000000000075c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008
R13: 00000000000008a8 R14: 00000000004ca02a R15: 0000000000000009
Kernel Offset: disabled
Rebooting in 86400 seconds..