netlink: 'syz-executor6': attribute type 21 has an invalid length.
QAT: Invalid ioctl
QAT: Invalid ioctl
=============================
WARNING: suspicious RCU usage
4.16.0-rc7+ #6 Not tainted
-----------------------------
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor0/19299:
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000396ef77c>] lock_sock include/net/sock.h:1464 [inline]
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000396ef77c>] sock_setsockopt+0x16b/0x1b10 net/core/sock.c:717

stack backtrace:
CPU: 0 PID: 19299 Comm: syz-executor0 Not tainted 4.16.0-rc7+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 inet_csk_route_req+0x824/0xca0 net/ipv4/inet_connection_sock.c:543
 dccp_v4_send_response+0xa7/0x650 net/dccp/ipv4.c:485
 dccp_v4_conn_request+0x9ee/0x11b0 net/dccp/ipv4.c:633
 dccp_v6_conn_request+0xd30/0x1410 net/dccp/ipv6.c:317
 dccp_rcv_state_process+0x574/0x1620 net/dccp/input.c:612
 dccp_v4_do_rcv+0xf1/0x160 net/dccp/ipv4.c:682
 dccp_v6_do_rcv+0x86a/0xa70 net/dccp/ipv6.c:578
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 sock_setsockopt+0x528/0x1b10 net/core/sock.c:1068
 SYSC_setsockopt net/socket.c:1845 [inline]
 SyS_setsockopt+0x2ff/0x360 net/socket.c:1828
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4548b9
RSP: 002b:00007fb2476fcc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007fb2476fd6d4 RCX: 00000000004548b9
RDX: 000000000000001a RSI: 0000000000000001 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000
R10: 0000000020000100 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000525 R14: 00000000006f9c18 R15: 0000000000000000

=============================
WARNING: suspicious RCU usage
4.16.0-rc7+ #6 Not tainted
-----------------------------
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor0/19299:
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000396ef77c>] lock_sock include/net/sock.h:1464 [inline]
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000396ef77c>] sock_setsockopt+0x16b/0x1b10 net/core/sock.c:717

stack backtrace:
CPU: 0 PID: 19299 Comm: syz-executor0 Not tainted 4.16.0-rc7+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 dccp_v4_send_response+0x4b6/0x650 net/dccp/ipv4.c:496
 dccp_v4_conn_request+0x9ee/0x11b0 net/dccp/ipv4.c:633
 dccp_v6_conn_request+0xd30/0x1410 net/dccp/ipv6.c:317
 dccp_rcv_state_process+0x574/0x1620 net/dccp/input.c:612
 dccp_v4_do_rcv+0xf1/0x160 net/dccp/ipv4.c:682
 dccp_v6_do_rcv+0x86a/0xa70 net/dccp/ipv6.c:578
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 sock_setsockopt+0x528/0x1b10 net/core/sock.c:1068
 SYSC_setsockopt net/socket.c:1845 [inline]
 SyS_setsockopt+0x2ff/0x360 net/socket.c:1828
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4548b9
RSP: 002b:00007fb2476fcc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007fb2476fd6d4 RCX: 00000000004548b9
RDX: 000000000000001a RSI: 0000000000000001 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000
R10: 0000000020000100 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000525 R14: 00000000006f9c18 R15: 0000000000000000
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 19407 Comm: syz-executor1 Not tainted 4.16.0-rc7+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3366 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3540
 inet_bind_bucket_create+0x7a/0x350 net/ipv4/inet_hashtables.c:70
 __inet_hash_connect+0x670/0xed0 net/ipv4/inet_hashtables.c:729
 inet_hash_connect+0x6a/0x140 net/ipv4/inet_hashtables.c:777
 dccp_v4_connect+0xabf/0x1750 net/dccp/ipv4.c:106
 __inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620
 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:684
 SYSC_connect+0x213/0x4a0 net/socket.c:1639
 SyS_connect+0x24/0x30 net/socket.c:1620
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4548b9
RSP: 002b:00007fe7111a5c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007fe7111a66d4 RCX: 00000000004548b9
RDX: 0000000000000010 RSI: 0000000020e5c000 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015
R13: 0000000000000059 R14: 00000000006f28f8 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 19433 Comm: syz-executor5 Not tainted 4.16.0-rc7+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3366 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3540
 inet_bind_bucket_create+0x7a/0x350 net/ipv4/inet_hashtables.c:70
 __inet_hash_connect+0x670/0xed0 net/ipv4/inet_hashtables.c:729
 inet_hash_connect+0x6a/0x140 net/ipv4/inet_hashtables.c:777
 dccp_v4_connect+0xabf/0x1750 net/dccp/ipv4.c:106
 __inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620
 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:684
 SYSC_connect+0x213/0x4a0 net/socket.c:1639
 SyS_connect+0x24/0x30 net/socket.c:1620
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4548b9
RSP: 002b:00007f01a4cf3c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f01a4cf46d4 RCX: 00000000004548b9
RDX: 0000000000000010 RSI: 0000000020e5c000 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015
R13: 0000000000000059 R14: 00000000006f28f8 R15: 0000000000000000
CPU: 1 PID: 19441 Comm: syz-executor1 Not tainted 4.16.0-rc7+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3366 [inline]
 __do_kmalloc mm/slab.c:3704 [inline]
 __kmalloc_track_caller+0x5f/0x760 mm/slab.c:3721
 kmemdup+0x24/0x50 mm/util.c:118
 kmemdup include/linux/string.h:418 [inline]
 dccp_feat_clone_sp_val.part.3+0x4f/0xd0 net/dccp/feat.c:374
 dccp_feat_clone_sp_val net/dccp/feat.c:372 [inline]
 __feat_register_sp+0x1ee/0x2d0 net/dccp/feat.c:738
 dccp_feat_propagate_ccid+0x22b/0x2b0 net/dccp/feat.c:949
 dccp_feat_finalise_settings+0x251/0x3a0 net/dccp/feat.c:987
 dccp_connect+0x171/0x670 net/dccp/output.c:549
 dccp_v4_connect+0xc8f/0x1750 net/dccp/ipv4.c:126
 __inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620
 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:684
 SYSC_connect+0x213/0x4a0 net/socket.c:1639
 SyS_connect+0x24/0x30 net/socket.c:1620
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4548b9
RSP: 002b:00007fe7111a5c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007fe7111a66d4 RCX: 00000000004548b9
RDX: 0000000000000010 RSI: 0000000020e5c000 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015
R13: 0000000000000059 R14: 00000000006f28f8 R15: 0000000000000001
dccp_sample_rtt: unusable RTT sample -4294966956, using min
binder: 19805:19813 transaction failed 29189/-22, size 0-0 line 2848
binder: 19805:19821 transaction failed 29189/-22, size 0-0 line 2848
binder: undelivered TRANSACTION_ERROR: 29189
dccp_sample_rtt: unusable RTT sample -250640, using min
dccp_sample_rtt: RTT sample 42949422480 too large, using max
IPVS: set_ctl: invalid protocol: 12 0.0.0.0:20002 nq
sctp: [Deprecated]: syz-executor7 (pid 19958) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
IPVS: set_ctl: invalid protocol: 12 0.0.0.0:20002 nq
sctp: [Deprecated]: syz-executor7 (pid 19958) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
kernel msg: ebtables bug: please report to author: Wrong len argument
binder: 19997:19998 unknown command -1337957632
binder: 19997:19998 ioctl c0306201 200002c0 returned -22
dccp_sample_rtt: unusable RTT sample -4294965126, using min
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19997:19998 ioctl 40046207 0 returned -16
binder: 19997:19998 unknown command -376062370
binder: 19997:19998 ioctl c0306201 20000040 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19997:20015 unknown command -1337957632
binder: 19997:20015 ioctl c0306201 200002c0 returned -22
binder: 19997:19998 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19997:20015 ioctl 40046207 0 returned -16
binder: 19997:19998 unknown command -376062370
binder: 19997:19998 ioctl c0306201 20000040 returned -22
dccp_sample_rtt: unusable RTT sample -299800, using min
rpcbind: RPC call returned error 22
dccp_sample_rtt: RTT sample 42949373310 too large, using max
rpcbind: RPC call returned error 22
binder: 20179:20180 got transaction with invalid offsets ptr
binder: 20179:20180 transaction failed 29201/-14, size 0-31 line 2991
x86/PAT: syz-executor6:20211 map pfn RAM range req write-combining for [mem 0x1bd6d0000-0x1bd6d3fff], got write-back
binder: BINDER_SET_CONTEXT_MGR already set
binder: 20179:20200 ioctl 40046207 0 returned -16
x86/PAT: syz-executor6:20211 map pfn RAM range req write-combining for [mem 0x1af6c0000-0x1af6c3fff], got write-back
binder: 20179:20210 got transaction with invalid offsets ptr
binder_alloc: binder_alloc_mmap_handler: 20179 2000c000-2000e000 already mapped failed -16
binder: 20179:20210 transaction failed 29201/-14, size 0-31 line 2991
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
==================================================================
BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:188 [inline]
BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:27 [inline]
BUG: KASAN: slab-out-of-bounds in refcount_read include/linux/refcount.h:42 [inline]
BUG: KASAN: slab-out-of-bounds in check_net include/net/net_namespace.h:228 [inline]
BUG: KASAN: slab-out-of-bounds in rds_destroy_pending net/rds/rds.h:868 [inline]
BUG: KASAN: slab-out-of-bounds in rds_cong_queue_updates+0x4d3/0x4f0 net/rds/cong.c:226
Read of size 4 at addr ffff8801d84942c4 by task kworker/u4:14/14057

CPU: 1 PID: 14057 Comm: kworker/u4:14 Not tainted 4.16.0-rc7+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: krdsd rds_send_worker
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 __read_once_size include/linux/compiler.h:188 [inline]
 atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 refcount_read include/linux/refcount.h:42 [inline]
 check_net include/net/net_namespace.h:228 [inline]
 rds_destroy_pending net/rds/rds.h:868 [inline]
 rds_cong_queue_updates+0x4d3/0x4f0 net/rds/cong.c:226
 rds_recv_rcvbuf_delta.part.2+0x289/0x320 net/rds/recv.c:118
 rds_recv_rcvbuf_delta net/rds/recv.c:377 [inline]
 rds_recv_incoming+0xeb4/0x11d0 net/rds/recv.c:377
 rds_loop_xmit+0x149/0x320 net/rds/loop.c:82
 rds_send_xmit+0xbcd/0x26b0 net/rds/send.c:355
 rds_send_worker+0x115/0x2a0 net/rds/threads.c:199
 process_one_work+0xc47/0x1bb0 kernel/workqueue.c:2113
 worker_thread+0x223/0x1990 kernel/workqueue.c:2247
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:406

Allocated by task 19109:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3542
 getname_flags+0xcb/0x580 fs/namei.c:138
 getname+0x19/0x20 fs/namei.c:209
 do_sys_open+0x2e7/0x6d0 fs/open.c:1053
 SYSC_open fs/open.c:1077 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1072
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 19109:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3486 [inline]
 kmem_cache_free+0x83/0x2a0 mm/slab.c:3744
 putname+0xee/0x130 fs/namei.c:258
 do_sys_open+0x31b/0x6d0 fs/open.c:1068
 SYSC_open fs/open.c:1077 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1072
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8801d8494380
 which belongs to the cache names_cache of size 4096
The buggy address is located 188 bytes to the left of
 4096-byte region [ffff8801d8494380, ffff8801d8495380)
The buggy address belongs to the page:
page:ffffea0007612500 count:1 mapcount:0 mapping:ffff8801d8494380 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801d8494380 0000000000000000 0000000100000001
raw: ffffea0007694ea0 ffffea0007528d20 ffff8801da5da600 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d8494180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d8494200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801d8494280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8801d8494300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d8494380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================