================================
WARNING: inconsistent lock state
4.15.0-rc9+ #283 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor4/6057 [HC0[0]:SC1[1]:HE1:SE0] takes:
 (&(&est->lock)->rlock){+.?.}, at: [<00000000f9414648>] spin_lock include/linux/spinlock.h:310 [inline]
 (&(&est->lock)->rlock){+.?.}, at: [<00000000f9414648>] est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
  _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
  spin_lock include/linux/spinlock.h:310 [inline]
  est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
  gen_new_estimator+0x317/0x770 net/core/gen_estimator.c:162
  xt_rateest_tg_checkentry+0x487/0xaa0 net/netfilter/xt_RATEEST.c:135
  xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
  check_target net/ipv6/netfilter/ip6_tables.c:538 [inline]
  find_check_entry.isra.7+0x935/0xcf0 net/ipv6/netfilter/ip6_tables.c:580
  translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:749
  do_replace net/ipv6/netfilter/ip6_tables.c:1167 [inline]
  do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1693
  nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
  nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
  ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
  udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1452
  sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2968
  SYSC_setsockopt net/socket.c:1831 [inline]
  SyS_setsockopt+0x189/0x360 net/socket.c:1810
  entry_SYSCALL_64_fastpath+0x29/0xa0
irq event stamp: 74
hardirqs last enabled at (74): [<00000000be349644>] restore_regs_and_return_to_kernel+0x0/0x21
hardirqs last disabled at (73): [<00000000c29e95d7>] apic_timer_interrupt+0xa4/0xb0 arch/x86/entry/entry_64.S:937
softirqs last enabled at (0): [<00000000ef97155f>] copy_process.part.38+0x14ec/0x4b20 kernel/fork.c:1695
softirqs last disabled at (69): [<00000000368de686>] invoke_softirq kernel/softirq.c:365 [inline]
softirqs last disabled at (69): [<00000000368de686>] irq_exit+0x1cc/0x200 kernel/softirq.c:405

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&est->lock)->rlock);
    lock(&(&est->lock)->rlock);

 *** DEADLOCK ***

1 lock held by syz-executor4/6057:
 #0:  ((&est->timer)){+.-.}, at: [<0000000026f0b55c>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
 #0:  ((&est->timer)){+.-.}, at: [<0000000026f0b55c>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1308

stack backtrace:
CPU: 1 PID: 6057 Comm: syz-executor4 Not tainted 4.15.0-rc9+ #283
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_usage_bug+0x377/0x38c kernel/locking/lockdep.c:2537
 valid_state kernel/locking/lockdep.c:2550 [inline]
 mark_lock_irq kernel/locking/lockdep.c:2744 [inline]
 mark_lock+0xf61/0x1430 kernel/locking/lockdep.c:3142
 mark_irqflags kernel/locking/lockdep.c:3020 [inline]
 __lock_acquire+0x173a/0x3e00 kernel/locking/lockdep.c:3383
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:310 [inline]
 est_fetch_counters+0x4f/0x150 net/core/gen_estimator.c:70
 est_timer+0x97/0x7c0 net/core/gen_estimator.c:85
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1318
 expire_timers kernel/time/timer.c:1355 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1658
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1684
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:937
RIP: 0010:arch_local_irq_enable arch/x86/include/asm/paravirt.h:787 [inline]
RIP: 0010:__do_page_fault+0x69a/0xc90 arch/x86/mm/fault.c:1333
RSP: 0018:ffff8801d419f6f0 EFLAGS: 00000216 ORIG_RAX: ffffffffffffff11
RAX: 0000000000010000 RBX: 0000000000000000 RCX: ffffffff81318d63
RDX: 0000000000000072 RSI: ffffc90004414000 RDI: ffffffff86ac8c78
RBP: ffff8801d419f7c0 R08: ffffed003a833f9a R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801d419f938
R13: ffff8801d7c32740 R14: ffff8801d419f9c0 R15: ffff8801d7c32740
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1505
 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1260
RIP: 0010:copy_user_generic_unrolled+0x86/0xc0 arch/x86/lib/copy_user_64.S:65
RSP: 0018:ffff8801d419f9e8 EFLAGS: 00010203
RAX: ffffed003a833f9a RBX: 0000000020afa000 RCX: 0000000000000001
RDX: 0000000000000004 RSI: 0000000020afa000 RDI: ffff8801d419fcc0
RBP: ffff8801d419fa18 R08: ffffed003a833f9a R09: ffffed003a833f9a
R10: 0000000000000002 R11: ffffed003a833f99 R12: 000000000000000c
R13: ffff8801d419fcc0 R14: 00007ffffffff000 R15: 0000000020afa00c
 copy_from_user include/linux/uaccess.h:147 [inline]
 move_addr_to_kernel.part.18+0x34/0x100 net/socket.c:194
 move_addr_to_kernel net/socket.c:190 [inline]
 copy_msghdr_from_user+0x459/0x590 net/socket.c:1931
 ___sys_sendmsg+0x13c/0x8b0 net/socket.c:1973
 __sys_sendmsg+0xe5/0x210 net/socket.c:2062
 SYSC_sendmsg net/socket.c:2073 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2069
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fa28be2cc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fa28be2d700 RCX: 0000000000453299
RDX: 0000000020008800 RSI: 0000000020796000 RDI: 0000000000000014
RBP: 0000000000a2f3c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a2f33f R14: 00007fa28be2d9c0 R15: 0000000000000002
device eql entered promiscuous mode