binder: 6541:6552 got transaction with invalid data ptr
binder: 6541:6552 transaction failed 29201/-14, size 40-8 line 2982

=============================
WARNING: suspicious RCU usage
binder_alloc: binder_alloc_mmap_handler: 6541 20000000-20002000 already mapped failed -16
4.16.0-rc7+ #5 Not tainted
-----------------------------
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor1/6595:
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000053bfb407>] lock_sock include/net/sock.h:1464 [inline]
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000053bfb407>] sock_fasync+0x85/0x1f0 net/socket.c:1173

stack backtrace:
CPU: 0 PID: 6595 Comm: syz-executor1 Not tainted 4.16.0-rc7+ #5
binder_alloc: 6541: binder_alloc_buf, no vma
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
binder: 6541:6594 transaction failed 29189/-3, size 40-8 line 2963
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 inet_csk_route_req+0x824/0xca0 net/ipv4/inet_connection_sock.c:543
 dccp_v4_send_response+0xa7/0x650 net/dccp/ipv4.c:485
 dccp_v4_conn_request+0x9ee/0x11b0 net/dccp/ipv4.c:633
 dccp_v6_conn_request+0xd30/0x1410 net/dccp/ipv6.c:317
 dccp_rcv_state_process+0x574/0x1620 net/dccp/input.c:612
 dccp_v4_do_rcv+0xf1/0x160 net/dccp/ipv4.c:682
 dccp_v6_do_rcv+0x86a/0xa70 net/dccp/ipv6.c:578
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 sock_fasync+0x111/0x1f0 net/socket.c:1182
 __fput+0x662/0x7e0 fs/file_table.c:206
 ____fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x199/0x270 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x275/0x2f0 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4548b9
RSP: 002b:00007fc5317bbc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 00007fc5317bc6d4 RCX: 00000000004548b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 000000000072bf58 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000052 R14: 00000000006f2850 R15: 0000000000000001

=============================
WARNING: suspicious RCU usage
4.16.0-rc7+ #5 Not tainted
-----------------------------
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor1/6595:
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000053bfb407>] lock_sock include/net/sock.h:1464 [inline]
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000053bfb407>] sock_fasync+0x85/0x1f0 net/socket.c:1173

stack backtrace:
CPU: 0 PID: 6595 Comm: syz-executor1 Not tainted 4.16.0-rc7+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 dccp_v4_send_response+0x4b6/0x650 net/dccp/ipv4.c:496
 dccp_v4_conn_request+0x9ee/0x11b0 net/dccp/ipv4.c:633
 dccp_v6_conn_request+0xd30/0x1410 net/dccp/ipv6.c:317
 dccp_rcv_state_process+0x574/0x1620 net/dccp/input.c:612
 dccp_v4_do_rcv+0xf1/0x160 net/dccp/ipv4.c:682
 dccp_v6_do_rcv+0x86a/0xa70 net/dccp/ipv6.c:578
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 sock_fasync+0x111/0x1f0 net/socket.c:1182
 __fput+0x662/0x7e0 fs/file_table.c:206
 ____fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x199/0x270 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x275/0x2f0 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
 do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4548b9
RSP: 002b:00007fc5317bbc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 00007fc5317bc6d4 RCX: 00000000004548b9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 000000000072bf58 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000052 R14: 00000000006f2850 R15: 0000000000000001
netlink: 24 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 'syz-executor3': attribute type 29 has an invalid length.
binder: 6670:6672 transaction failed 29189/-22, size 56-8 line 2848
binder: 6670:6687 transaction failed 29189/-22, size 56-8 line 2848
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
x86/PAT: syz-executor0:6703 map pfn RAM range req write-combining for [mem 0x192c80000-0x192c83fff], got write-back
x86/PAT: syz-executor0:6703 map pfn RAM range req write-combining for [mem 0x1c5500000-0x1c5503fff], got write-back
*** Guest State ***
CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
CR4: actual=0x0000000000002050, shadow=0x0000000000000000, gh_mask=ffffffffffffe871
CR3 = 0x00000000fffbc000
RSP = 0x0000000000000000  RIP = 0x000000000000fff0
RFLAGS=0x00000002         DR7 = 0x0000000000000400
Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000
CS:   sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000
DS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
SS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
ES:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
FS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
GS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
GDTR:                           limit=0x0000ffff, base=0x0000000000000000
LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000
IDTR:                           limit=0x0000ffff, base=0x0000000000000000
TR:   sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000
EFER =     0x0000000000000000  PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
Interruptibility = 00000000  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811cdba6  RSP = 0xffff8801ca44f3b8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=00007fc5317ba700 GSBase=ffff8801db300000 TRBase=fffffe0000034000
GDTBase=fffffe0000032000 IDTBase=fffffe0000000000
CR0=0000000080050033 CR3=00000001c19fd001 CR4=00000000001626e0
Sysenter RSP=fffffe0000033200 CS:RIP=0010:ffffffff86801610
EFER = 0x0000000000000d01  PAT = 0x0000000000000000
*** Control State ***
PinBased=0000003f CPUBased=b5a1edfa SecondaryExec=000000c3
EntryControls=0000d1ff ExitControls=0023efff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=80000000 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000000
        reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffffddc1997562
TPR Threshold = 0x00
EPT pointer = 0x00000001c3b1e01e
*** Guest State ***
CR0: actual=0x0000000000000030, shadow=0x0000000060000010, gh_mask=fffffffffffffff7
CR4: actual=0x0000000000002050, shadow=0x0000000000000000, gh_mask=ffffffffffffe871
CR3 = 0x00000000fffbc000
RSP = 0x0000000000000000  RIP = 0x000000000000fff0
RFLAGS=0x00000002         DR7 = 0x0000000000000400
Sysenter RSP=0000000000000000 CS:RIP=0000:0000000000000000
CS:   sel=0xf000, attr=0x0009b, limit=0x0000ffff, base=0x00000000ffff0000
DS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
SS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
ES:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
FS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
GS:   sel=0x0000, attr=0x00093, limit=0x0000ffff, base=0x0000000000000000
GDTR:                           limit=0x0000ffff, base=0x0000000000000000
LDTR: sel=0x0000, attr=0x00082, limit=0x0000ffff, base=0x0000000000000000
IDTR:                           limit=0x0000ffff, base=0x0000000000000000
TR:   sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000
EFER =     0x0000000000000000  PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
Interruptibility = 00000000  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811cdba6  RSP = 0xffff8801bf46f3b8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=00007fc5317dd700 GSBase=ffff8801db200000 TRBase=fffffe0000003000
GDTBase=fffffe0000001000 IDTBase=fffffe0000000000
CR0=0000000080050033 CR3=00000001c19fd005 CR4=00000000001626f0
Sysenter RSP=fffffe0000002200 CS:RIP=0010:ffffffff86801610
EFER = 0x0000000000000d01  PAT = 0x0000000000000000
*** Control State ***
PinBased=0000003f CPUBased=b5a1edfa SecondaryExec=000000c3
EntryControls=0000d1ff ExitControls=0023efff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=80000000 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000000
        reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffffddc97f2959
TPR Threshold = 0x00
EPT pointer = 0x00000001cae8d01e
xt_SECMARK: only valid in 'mangle' or 'security' table, not 'broute'
xt_SECMARK: only valid in 'mangle' or 'security' table, not 'broute'
syz-executor2 uses obsolete (PF_INET,SOCK_PACKET)
random: crng init done
QAT: Invalid ioctl
QAT: Invalid ioctl
binder: 7027:7030 transaction failed 29189/-22, size 40-8 line 2848
binder: 7027:7030 transaction failed 29189/-22, size 40-8 line 2848
IPVS: ftp: loaded support on port[0] = 21
validate_nla: 12 callbacks suppressed
netlink: 'syz-executor7': attribute type 29 has an invalid length.
nla_parse: 16 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 'syz-executor7': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
cgroup: cgroup2: unknown option "./file0/"
cgroup: cgroup2: unknown option "./file0/"
IPVS: ftp: loaded support on port[0] = 21
bond0 (unregistering): Released all slaves
IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
syz-executor0 (7718) used greatest stack depth: 15432 bytes left
binder: 7772:7773 unknown command 1014298007
binder: 7772:7773 ioctl c0306201 20000040 returned -22
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
binder_alloc: 7772: binder_alloc_buf, no vma
binder: 7772:7773 transaction failed 29189/-3, size 24-648518346341351456 line 2963
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7772:7783 ioctl 40046207 0 returned -16
binder: 7772:7773 unknown command 1014298007
binder: 7772:7773 ioctl c0306201 20000040 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
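Added example, not part of the console log above and not syzkaller's or the kernel's own tooling: a small Python triage parser for logs of this shape. It cuts the two lockdep "suspicious RCU usage" reports apart, skips the reporting frames (dump_stack, lockdep_rcu_suspicious), records the held lock and the frame that performed the dereference, keys each report by its first non-inline frame so that the two reports above (one reaching ireq_opt_deref through inet_csk_route_req at net/dccp/ipv4.c:485, the other directly at net/dccp/ipv4.c:496) are counted as two sites, and keeps lines from other CPUs that were interleaved into a trace (the binder line inside the first trace) instead of silently dropping them. The sample log is constructed from abbreviated lines of the report above; the single-space frame indentation is assumed, since it is lost on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# One "Call Trace:" frame; file:line is absent on entry frames such as entry_SYSCALL_64_after_hwframe.
FRAME_RE = re.compile(r"^ (?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: (?P<loc>\S+:\d+))?(?P<inline> \[inline\])?$")
LOCK_RE = re.compile(r"^\s*#\d+:\s+\((?P<lock>[^)]+)\)")
SITE_RE = re.compile(r"^(?P<loc>\S+:\d+) suspicious rcu_dereference_check\(\) usage!$")
NETLINK_RE = re.compile(r"^netlink: '(?P<comm>[^']+)': attribute type (?P<type>\d+) has an invalid length\.$")
REPORT_FRAMES = {"__dump_stack", "dump_stack", "lockdep_rcu_suspicious"}  # reporting machinery, not the bug


@dataclass
class RcuWarning:
    kernel: str = ""
    site: str = ""        # file:line of the rcu_dereference_check() that fired
    task: str = ""
    locks: list = field(default_factory=list)
    frames: list = field(default_factory=list)   # (func, file:line, is_inline), innermost first
    noise: list = field(default_factory=list)    # lines from other CPUs interleaved into the trace

    def culprit(self):
        """Innermost frame below the reporting machinery: the code that did the dereference."""
        return next((f"{f} {l}".strip() for f, l, _ in self.frames if f not in REPORT_FRAMES), None)

    def key(self):
        """Site plus first non-inline frame. Both reports on the page fire at inet_sock.h:136, but
        one reaches it through inet_csk_route_req (ipv4.c:485) and the other directly (ipv4.c:496)."""
        real = [f"{f} {l}" for f, l, inline in self.frames if f not in REPORT_FRAMES and not inline]
        return (self.site, real[0] if real else None)


def parse_console_log(text):
    """Split a console log into lockdep RCU reports; also count netlink invalid-length complaints."""
    warnings, netlink_bad = [], Counter()
    cur, in_trace = None, False
    for line in text.splitlines():
        if m := NETLINK_RE.match(line):
            netlink_bad[(m["comm"], int(m["type"]))] += 1
        elif line == "WARNING: suspicious RCU usage":
            cur, in_trace = RcuWarning(), False
            warnings.append(cur)
        elif cur is None:
            continue
        elif not cur.kernel and line.endswith("Not tainted"):
            cur.kernel = line.split()[0]
        elif m := SITE_RE.match(line):
            cur.site = m["loc"]
        elif m := LOCK_RE.match(line):
            if m["lock"] not in cur.locks:   # lockdep lists the [inline] and the real frame of one lock
                cur.locks.append(m["lock"])
        elif line.startswith("CPU:"):
            cur.task = re.search(r"Comm: (\S+)", line)[1] + "/" + re.search(r"PID: (\d+)", line)[1]
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            if line.startswith(("RIP:", "===")):
                in_trace = False
            elif m := FRAME_RE.match(line):
                cur.frames.append((m["func"], m["loc"] or "", bool(m["inline"])))
            elif not line.startswith(" "):
                cur.noise.append(line)   # unindented line inside a trace: another CPU's message
    return {"rcu_warnings": warnings, "netlink_invalid_len": netlink_bad}


# Constructed sample, abbreviated from the report above; the second trace has a binder line
# from another CPU interleaved into it on purpose.
SAMPLE_LOG = """\
WARNING: suspicious RCU usage
4.16.0-rc7+ #5 Not tainted
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000053bfb407>] lock_sock include/net/sock.h:1464 [inline]
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000053bfb407>] sock_fasync+0x85/0x1f0 net/socket.c:1173
CPU: 0 PID: 6595 Comm: syz-executor1 Not tainted 4.16.0-rc7+ #5
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 inet_csk_route_req+0x824/0xca0 net/ipv4/inet_connection_sock.c:543
 dccp_v4_send_response+0xa7/0x650 net/dccp/ipv4.c:485
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4548b9
netlink: 'syz-executor3': attribute type 29 has an invalid length.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
WARNING: suspicious RCU usage
4.16.0-rc7+ #5 Not tainted
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000053bfb407>] sock_fasync+0x85/0x1f0 net/socket.c:1173
CPU: 0 PID: 6595 Comm: syz-executor1 Not tainted 4.16.0-rc7+ #5
Call Trace:
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
binder: 6541:6594 transaction failed 29189/-3, size 40-8 line 2963
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 dccp_v4_send_response+0x4b6/0x650 net/dccp/ipv4.c:496
RIP: 0033:0x4548b9
netlink: 'syz-executor3': attribute type 29 has an invalid length.
"""
```

Running `parse_console_log(SAMPLE_LOG)` yields two RcuWarning records with distinct keys, both naming `ireq_opt_deref include/net/inet_sock.h:135` as the culprit under `sk_lock-AF_INET6`; the interleaved binder line lands in the second record's `noise` list rather than being mistaken for a frame, and the netlink counter shows how many times `syz-executor3` tripped the attribute-type-29 length check.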