audit: type=1400 audit(1519624483.085:53): avc: denied { getopt } for pid=7647 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
=============================
WARNING: suspicious RCU usage
4.16.0-rc2+ #329 Not tainted
-----------------------------
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor7/7668:
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000008cdef788>] lock_sock include/net/sock.h:1463 [inline]
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000008cdef788>] inet_csk_accept+0xac/0xde0 net/ipv4/inet_connection_sock.c:438

stack backtrace:
CPU: 1 PID: 7668 Comm: syz-executor7 Not tainted 4.16.0-rc2+ #329
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 inet_csk_route_req+0x824/0xca0 net/ipv4/inet_connection_sock.c:543
 dccp_v4_send_response+0xa7/0x650 net/dccp/ipv4.c:485
 dccp_v4_conn_request+0x9ee/0x11b0 net/dccp/ipv4.c:633
 dccp_v6_conn_request+0xd30/0x1410 net/dccp/ipv6.c:317
 dccp_rcv_state_process+0x574/0x1620 net/dccp/input.c:612
 dccp_v4_do_rcv+0xf1/0x160 net/dccp/ipv4.c:682
 dccp_v6_do_rcv+0x86a/0xa70 net/dccp/ipv6.c:578
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:405 [inline]
 inet_csk_accept+0x48c/0xde0 net/ipv4/inet_connection_sock.c:456
 inet_accept+0x12c/0x930 net/ipv4/af_inet.c:699
 SYSC_accept4+0x38d/0x870 net/socket.c:1571
 SyS_accept4+0x2c/0x40 net/socket.c:1522
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453de9
RSP: 002b:00007f5ca4272c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000120
RAX: ffffffffffffffda RBX: 00007f5ca42736d4 RCX: 0000000000453de9
RDX: 0000000020752ffc RSI: 0000000020975000 RDI: 0000000000000016
RBP: 000000000072c010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000000b R14: 00000000006f01a8 R15: 0000000000000002
=============================
WARNING: suspicious RCU usage
4.16.0-rc2+ #329 Not tainted
-----------------------------
./include/net/inet_sock.h:136 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor7/7668:
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000008cdef788>] lock_sock include/net/sock.h:1463 [inline]
 #0: (sk_lock-AF_INET6){+.+.}, at: [<000000008cdef788>] inet_csk_accept+0xac/0xde0 net/ipv4/inet_connection_sock.c:438

stack backtrace:
CPU: 1 PID: 7668 Comm: syz-executor7 Not tainted 4.16.0-rc2+ #329
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
 ireq_opt_deref include/net/inet_sock.h:135 [inline]
 dccp_v4_send_response+0x4b6/0x650 net/dccp/ipv4.c:496
 dccp_v4_conn_request+0x9ee/0x11b0 net/dccp/ipv4.c:633
 dccp_v6_conn_request+0xd30/0x1410 net/dccp/ipv6.c:317
 dccp_rcv_state_process+0x574/0x1620 net/dccp/input.c:612
 dccp_v4_do_rcv+0xf1/0x160 net/dccp/ipv4.c:682
 dccp_v6_do_rcv+0x86a/0xa70 net/dccp/ipv6.c:578
 sk_backlog_rcv include/net/sock.h:908 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2271
 release_sock+0xa4/0x2a0 net/core/sock.c:2786
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:405 [inline]
 inet_csk_accept+0x48c/0xde0 net/ipv4/inet_connection_sock.c:456
 inet_accept+0x12c/0x930 net/ipv4/af_inet.c:699
 SYSC_accept4+0x38d/0x870 net/socket.c:1571
 SyS_accept4+0x2c/0x40 net/socket.c:1522
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453de9
RSP: 002b:00007f5ca4272c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000120
RAX: ffffffffffffffda RBX: 00007f5ca42736d4 RCX: 0000000000453de9
RDX: 0000000020752ffc RSI: 0000000020975000 RDI: 0000000000000016
RBP: 000000000072c010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000000b R14: 00000000006f01a8 R15: 0000000000000002
SELinux: failed to load policy
syz-executor5: vmalloc: allocation failure: 0 bytes, mode:0x14000c0(GFP_KERNEL), nodemask=(null)
syz-executor5 cpuset=/ mems_allowed=0
CPU: 1 PID: 7708 Comm: syz-executor5 Not tainted 4.16.0-rc2+ #329
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 warn_alloc+0x19a/0x2b0 mm/page_alloc.c:3310
 __vmalloc_node_range+0x4f0/0x650 mm/vmalloc.c:1775
 __vmalloc_node mm/vmalloc.c:1804 [inline]
 __vmalloc_node_flags mm/vmalloc.c:1818 [inline]
 vmalloc+0x45/0x50 mm/vmalloc.c:1840
 sel_write_load+0x1f5/0x1910 security/selinux/selinuxfs.c:495
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7722:7732 ioctl 40046207 0 returned -16
 __vfs_write+0xef/0x970 fs/read_write.c:480
 vfs_write+0x189/0x510 fs/read_write.c:544
CUSE: DEVNAME unspecified
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
CUSE: DEVNAME unspecified
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453de9
RSP: 002b:00007fb76bdebc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fb76bdec6d4 RCX: 0000000000453de9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000065f R14: 00000000006f9988 R15: 0000000000000000
warn_alloc_show_mem: 1 callbacks suppressed
Mem-Info:
active_anon:61646 inactive_anon:64 isolated_anon:0
 active_file:4378 inactive_file:3161 isolated_file:0
 unevictable:0 dirty:110 writeback:0 unstable:0
 slab_reclaimable:8543 slab_unreclaimable:90487
 mapped:23038 shmem:70 pagetables:780 bounce:0
 free:1433020 free_pcp:516 free_cma:0
Node 0 active_anon:246684kB inactive_anon:256kB active_file:17512kB inactive_file:12644kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:92152kB dirty:440kB writeback:0kB shmem:280kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 26624kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
Node 0 DMA free:15908kB min:164kB low:204kB high:244kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2864 6373 6373
Node 0 DMA32 free:2933892kB min:30292kB low:37864kB high:45436kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129292kB managed:2935320kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:1420kB local_pcp:700kB free_cma:0kB
lowmem_reserve[]: 0 0 3509 3509
Node 0 Normal free:2779540kB min:37120kB low:46400kB high:55680kB active_anon:248908kB inactive_anon:256kB active_file:17512kB inactive_file:12716kB unevictable:0kB writepending:508kB present:4718592kB managed:3593748kB mlocked:0kB kernel_stack:4800kB pagetables:2988kB bounce:0kB free_pcp:512kB local_pcp:160kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 DMA32: 11*4kB (UM) 11*8kB (UM) 10*16kB (UM) 13*32kB (UM) 9*64kB (U) 5*128kB (UM) 7*256kB (UM) 7*512kB (UM) 4*1024kB (UM) 3*2048kB (UM) 712*4096kB (UM) = 2933892kB
Node 0 Normal: 883*4kB (UME) 2416*8kB (UME) 2982*16kB (UME) 2202*32kB (UME) 1111*64kB (UME) 257*128kB (UM) 127*256kB (UM) 47*512kB (UM) 30*1024kB (U) 17*2048kB (UM) 592*4096kB (UM) = 2791980kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
7626 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
329725 pages reserved
netlink: 'syz-executor7': attribute type 16 has an invalid length.
binder: 8100:8101 unknown command -1666620666
binder: 8100:8101 ioctl c0306201 2000bfd0 returned -22
netlink: 'syz-executor0': attribute type 1 has an invalid length.
xt_bpf: check failed: parse error
xt_bpf: check failed: parse error
binder: 8175:8177 ioctl 89e2 20000000 returned -22
binder: 8175:8177 ioctl 89e2 20000000 returned -22
kauditd_printk_skb: 5 callbacks suppressed
audit: type=1400 audit(1519624487.094:59): avc: denied { map } for pid=8429 comm="syz-executor4" path="/dev/random" dev="devtmpfs" ino=9358 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
xt_SECMARK: mode already set to 1 cannot mix with rules for mode 0
xt_SECMARK: mode already set to 1 cannot mix with rules for mode 0
dst_release: dst:000000005e0f625e refcnt:-1
audit: type=1326 audit(1519624487.716:60): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8583 comm="syz-executor6" exe="/root/syz-executor6" sig=9 arch=c000003e syscall=202 compat=0 ip=0x453de9 code=0x0
audit: type=1326 audit(1519624487.792:61): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8583 comm="syz-executor6" exe="/root/syz-executor6" sig=9 arch=c000003e syscall=202 compat=0 ip=0x453de9 code=0x0
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 8604 Comm: syz-executor4 Not tainted 4.16.0-rc2+ #329
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
binder: 8620:8630 ioctl c0306201 20008000 returned -14
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 handle_userfault+0xbd9/0x2500 fs/userfaultfd.c:430
binder_alloc: binder_alloc_mmap_handler: 8620 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8620:8635 ioctl 40046207 0 returned -16
 do_anonymous_page mm/memory.c:3163 [inline]
 handle_pte_fault mm/memory.c:3977 [inline]
 __handle_mm_fault+0x3440/0x3b60 mm/memory.c:4103
 handle_mm_fault+0x44a/0xb00 mm/memory.c:4140
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1426
 do_page_fault+0xee/0x730 arch/x86/mm/fault.c:1501
 page_fault+0x62/0x90 arch/x86/entry/entry_64.S:1122
RIP: 0010:fault_in_pages_readable arch/x86/include/asm/smap.h:58 [inline]
RIP: 0010:iov_iter_fault_in_readable+0x1aa/0x420 lib/iov_iter.c:421
RSP: 0018:ffff8801b075f7e0 EFLAGS: 00010246
RAX: 0000000000010000 RBX: 0000000020011fd2 RCX: ffffffff825cb381
RDX: 000000000000010f RSI: ffffc90003501000 RDI: ffff8801b075fbe0
RBP: ffff8801b075f8c0 R08: 0000000000000000 R09: 1ffff100360ebea8
R10: ffff8801b075f710 R11: 0000000000000003 R12: 1ffff100360ebeff
R13: ffff8801b075f898 R14: 0000000000000000 R15: ffff8801b075fbd8
 generic_perform_write+0x200/0x600 mm/filemap.c:3128
 __generic_file_write_iter+0x366/0x5b0 mm/filemap.c:3263
 generic_file_write_iter+0x399/0x790 mm/filemap.c:3291
 call_write_iter include/linux/fs.h:1781 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x684/0x970 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453de9
RSP: 002b:00007f3d96e7cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f3d96e7d6d4 RCX: 0000000000453de9
RDX: 0000000000000030 RSI: 0000000020011fd2 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000662 R14: 00000000006f99d0 R15: 0000000000000000
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4096 sclass=netlink_route_socket pig=8744 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4096 sclass=netlink_route_socket pig=8758 comm=syz-executor2
audit: type=1400 audit(1519624489.297:62): avc: denied { write } for pid=8788 comm="syz-executor1" name="500" dev="proc" ino=23899 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
device eql entered promiscuous mode
audit: type=1400 audit(1519624490.086:63): avc: denied { add_name } for pid=8932 comm="syz-executor5" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
netlink: 20 bytes leftover after parsing attributes in process `syz-executor5'.
audit: type=1400 audit(1519624490.086:64): avc: denied { create } for pid=8932 comm="syz-executor5" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:insmod_t:s0 tclass=file permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=64425 sclass=netlink_route_socket pig=8994 comm=syz-executor4
netlink: 'syz-executor6': attribute type 21 has an invalid length.
xt_connbytes: Forcing CT accounting to be enabled
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=64425 sclass=netlink_route_socket pig=9006 comm=syz-executor4
netlink: 'syz-executor6': attribute type 21 has an invalid length.
audit: type=1400 audit(1519624490.674:65): avc: denied { map } for pid=9041 comm="syz-executor2" path="/proc/530/net/rt6_stats" dev="proc" ino=4026533699 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
netlink: 12 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor1'.