suspicious RCU usage at ./include/linux/inetdevice.h:LINE


syzbot

Nov 2, 2017, 6:53:40 AM
to da...@davemloft.net, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
Hello,

syzkaller hit the following crash on
ce43f4fd6f103681c7485c2b1967179647e73555
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

=============================
WARNING: suspicious RCU usage
4.14.0-rc5+ #140 Not tainted
-----------------------------
./include/linux/inetdevice.h:230 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor2/23859:
#0: (rcu_read_lock){....}, at: [<ffffffff840283f0>]
inet_rtm_getroute+0xaa0/0x2d70 net/ipv4/route.c:2738

stack backtrace:
CPU: 0 PID: 23859 Comm: syz-executor2 Not tainted 4.14.0-rc5+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4665
__in_dev_get_rtnl include/linux/inetdevice.h:230 [inline]
fib_dump_info+0x1136/0x13d0 net/ipv4/fib_semantics.c:1377
inet_rtm_getroute+0xf97/0x2d70 net/ipv4/route.c:2785
rtnetlink_rcv_msg+0x51c/0x1090 net/core/rtnetlink.c:4237
netlink_rcv_skb+0x216/0x440 net/netlink/af_netlink.c:2409
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4261
netlink_unicast_kernel net/netlink/af_netlink.c:1273 [inline]
netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1299
netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1862
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
sock_write_iter+0x31a/0x5d0 net/socket.c:912
call_write_iter include/linux/fs.h:1770 [inline]
new_sync_write fs/read_write.c:468 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:481
vfs_write+0x189/0x510 fs/read_write.c:543
SYSC_write fs/read_write.c:588 [inline]
SyS_write+0xef/0x220 fs/read_write.c:580
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007fd087b03be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
RDX: 0000000000000024 RSI: 0000000020226000 RDI: 0000000000000014
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a6f7ff R14: 00007fd087b049c0 R15: 0000000000000000
netlink: 9 bytes leftover after parsing attributes in process
`syz-executor5'.
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
A link change request failed with some changes committed already. Interface
lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process
`syz-executor5'.
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
A link change request failed with some changes committed already. Interface
lo may have been left with an inconsistent configuration, please check.
sock: process `syz-executor6' is using obsolete getsockopt SO_BSDCOMPAT
sctp: [Deprecated]: syz-executor7 (pid 23959) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor7 (pid 23981) Use of int in maxseg socket
option.
Use struct sctp_assoc_value instead
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=17152
sclass=netlink_route_socket pig=24024 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=17152
sclass=netlink_route_socket pig=24045 comm=syz-executor4
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor6'.
IPv6: Can't replace route, no match found
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor6'.
IPv6: Can't replace route, no match found
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor0'.
audit: type=1326 audit(1508524929.334:2097): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24082 comm="" exe="/root/syz-executor0"
sig=0 arch=c000003e syscall=202 compat=0 ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524929.335:2098): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24082 comm="" exe="/root/syz-executor0"
sig=0 arch=c000003e syscall=202 compat=0 ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524929.336:2099): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24082 comm="" exe="/root/syz-executor0"
sig=0 arch=c000003e syscall=16 compat=0 ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524929.336:2100): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24082 comm="" exe="/root/syz-executor0"
sig=0 arch=c000003e syscall=202 compat=0 ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524929.337:2101): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24082 comm="" exe="/root/syz-executor0"
sig=0 arch=c000003e syscall=202 compat=0 ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524929.338:2102): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24082 comm="" exe="/root/syz-executor0"
sig=0 arch=c000003e syscall=72 compat=0 ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524929.338:2103): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24082 comm="" exe="/root/syz-executor0"
sig=0 arch=c000003e syscall=202 compat=0 ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524929.341:2104): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24082 comm="" exe="/root/syz-executor0"
sig=0 arch=c000003e syscall=54 compat=0 ip=0x452719 code=0x7ffc0000
netlink: 1 bytes leftover after parsing attributes in process
`syz-executor7'.
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor0'.
syz-executor0: vmalloc: allocation failure: 17179607040 bytes,
mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor0 cpuset=/ mems_allowed=0
CPU: 0 PID: 24175 Comm: syz-executor0 Not tainted 4.14.0-rc5+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
warn_alloc+0x1c2/0x2f0 mm/page_alloc.c:3254
__vmalloc_node_range+0x4f0/0x650 mm/vmalloc.c:1775
__vmalloc_node mm/vmalloc.c:1804 [inline]
__vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1826
kvmalloc_node+0x82/0xd0 mm/util.c:406
kvmalloc include/linux/mm.h:529 [inline]
kvmalloc_array include/linux/mm.h:545 [inline]
xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774
translate_table+0x235/0x1610 net/ipv4/netfilter/ip_tables.c:686
do_replace net/ipv4/netfilter/ip_tables.c:1130 [inline]
do_ipt_set_ctl+0x345/0x5c0 net/ipv4/netfilter/ip_tables.c:1664
nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1255
udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2412
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2965
SYSC_setsockopt net/socket.c:1852 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1831
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007f8907d9cbe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000015
RBP: 0000000000000082 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000212 R12: 00000000006ee730
R13: 00000000ffffffff R14: 00007f8907d9d6d4 R15: 0000000000000000
warn_alloc_show_mem: 1 callbacks suppressed
Mem-Info:
active_anon:126152 inactive_anon:43 isolated_anon:0
active_file:3901 inactive_file:7229 isolated_file:0
unevictable:2 dirty:129 writeback:0 unstable:0
slab_reclaimable:9955 slab_unreclaimable:97370
mapped:22873 shmem:94 pagetables:881 bounce:0
free:1362539 free_pcp:332 free_cma:0
syz-executor0: vmalloc: allocation failure: 17179607040 bytes,
mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor0 cpuset=/ mems_allowed=0
CPU: 1 PID: 24195 Comm: syz-executor0 Not tainted 4.14.0-rc5+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
warn_alloc+0x1c2/0x2f0 mm/page_alloc.c:3254
__vmalloc_node_range+0x4f0/0x650 mm/vmalloc.c:1775
__vmalloc_node mm/vmalloc.c:1804 [inline]
__vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1826
kvmalloc_node+0x82/0xd0 mm/util.c:406
kvmalloc include/linux/mm.h:529 [inline]
kvmalloc_array include/linux/mm.h:545 [inline]
xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774
translate_table+0x235/0x1610 net/ipv4/netfilter/ip_tables.c:686
do_replace net/ipv4/netfilter/ip_tables.c:1130 [inline]
do_ipt_set_ctl+0x345/0x5c0 net/ipv4/netfilter/ip_tables.c:1664
nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1255
udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2412
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2965
SYSC_setsockopt net/socket.c:1852 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1831
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007f8907d5abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000758190 RCX: 0000000000452719
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000019
RBP: 0000000000000082 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a6f7ff R14: 00007f8907d5b9c0 R15: 0000000000000001
Node 0 active_anon:485692kB inactive_anon:172kB active_file:15604kB
inactive_file:28932kB unevictable:8kB isolated(anon):0kB isolated(file):0kB
mapped:91492kB dirty:616kB writeback:0kB shmem:376kB shmem_thp: 0kB
shmem_pmdmapped: 0kB anon_thp: 57344kB writeback_tmp:0kB unstable:0kB
all_unreclaimable? no
Node 0 DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB
inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB
writepending:0kB present:15992kB managed:15908kB mlocked:0kB
kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB
free_cma:0kB
lowmem_reserve[]: 0 2886 6399 6399
Node 0 DMA32 free:2957628kB min:30408kB low:38008kB high:45608kB
active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB
unevictable:0kB writepending:0kB present:3129332kB managed:2958344kB
mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:716kB
local_pcp:660kB free_cma:0kB
lowmem_reserve[]: 0 0 3513 3513
Node 0 Normal free:2495284kB min:37008kB low:46260kB high:55512kB
active_anon:485692kB inactive_anon:172kB active_file:15604kB
inactive_file:28932kB unevictable:8kB writepending:616kB present:4718592kB
managed:3597452kB mlocked:0kB kernel_stack:3968kB pagetables:3304kB
bounce:0kB free_pcp:956kB local_pcp:324kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U)
1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 DMA32: 3*4kB (UM) 2*8kB (UM) 4*16kB (UM) 1*32kB (U) 3*64kB (UM)
2*128kB (M) 3*256kB (UM) 4*512kB (UM) 3*1024kB (UM) 3*2048kB (UM)
719*4096kB (M) = 2957628kB
Node 0 Normal: 309*4kB (UME) 398*8kB (UME) 1325*16kB (UME) 1264*32kB (UME)
1336*64kB (UME) 340*128kB (UME) 89*256kB (UM) 50*512kB (UME) 29*1024kB
(UME) 11*2048kB (UME) 537*4096kB (UM) = 2495252kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0
hugepages_size=2048kB
11227 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
323053 pages reserved
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=24260 comm=syz-executor3
QAT: Invalid ioctl
QAT: Invalid ioctl
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
dccp_invalid_packet: pskb_may_pull failed
dccp_invalid_packet: P.Data Offset(0) too small
dccp_invalid_packet: pskb_may_pull failed
dccp_invalid_packet: P.Data Offset(0) too small
device lo left promiscuous mode
kauditd_printk_skb: 113 callbacks suppressed
audit: type=1326 audit(1508524932.912:2218): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0
ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524932.912:2219): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0
ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524932.912:2220): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=117 compat=0
ip=0x452719 code=0x7ffc0000
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=24693 comm=syz-executor7
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 1 PID: 24702 Comm: syz-executor2 Not tainted 4.14.0-rc5+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
fail_dump lib/fault-inject.c:51 [inline]
should_fail+0x8c0/0xa40 lib/fault-inject.c:149
should_failslab+0xec/0x120 mm/failslab.c:31
slab_pre_alloc_hook mm/slab.h:422 [inline]
slab_alloc_node mm/slab.c:3304 [inline]
kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3649
__alloc_skb+0xf1/0x740 net/core/skbuff.c:194
alloc_skb include/linux/skbuff.h:976 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1145 [inline]
netlink_sendmsg+0xa86/0xe60 net/netlink/af_netlink.c:1837
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
sock_write_iter+0x31a/0x5d0 net/socket.c:912
call_write_iter include/linux/fs.h:1770 [inline]
new_sync_write fs/read_write.c:468 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:481
vfs_write+0x189/0x510 fs/read_write.c:543
SYSC_write fs/read_write.c:588 [inline]
SyS_write+0xef/0x220 fs/read_write.c:580
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007fd087b03be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
RDX: 0000000000000024 RSI: 0000000020226000 RDI: 0000000000000013
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f7880
R13: 0000000000000014 R14: 0000000000758080 R15: ffffffffffffffff
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 24719 Comm: syz-executor2 Not tainted 4.14.0-rc5+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
fail_dump lib/fault-inject.c:51 [inline]
should_fail+0x8c0/0xa40 lib/fault-inject.c:149
should_failslab+0xec/0x120 mm/failslab.c:31
slab_pre_alloc_hook mm/slab.h:422 [inline]
slab_alloc_node mm/slab.c:3304 [inline]
kmem_cache_alloc_node_trace+0x5a/0x750 mm/slab.c:3668
__do_kmalloc_node mm/slab.c:3688 [inline]
__kmalloc_node_track_caller+0x33/0x70 mm/slab.c:3703
__kmalloc_reserve.isra.40+0x41/0xd0 net/core/skbuff.c:138
__alloc_skb+0x13b/0x740 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:976 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1145 [inline]
netlink_sendmsg+0xa86/0xe60 net/netlink/af_netlink.c:1837
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
sock_write_iter+0x31a/0x5d0 net/socket.c:912
call_write_iter include/linux/fs.h:1770 [inline]
new_sync_write fs/read_write.c:468 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:481
vfs_write+0x189/0x510 fs/read_write.c:543
SYSC_write fs/read_write.c:588 [inline]
SyS_write+0xef/0x220 fs/read_write.c:580
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007fd087b03be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
RDX: 0000000000000024 RSI: 0000000020226000 RDI: 0000000000000013
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7420
R13: 00007fd087b03b58 R14: 00000000004b7430 R15: 0000000000000000
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=24724 comm=syz-executor6
audit: type=1326 audit(1508524932.912:2221): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0
ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524932.912:2222): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0
ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524932.913:2223): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=2 compat=0
ip=0x40ca51 code=0x7ffc0000
audit: type=1326 audit(1508524932.913:2224): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0
ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524932.915:2225): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=16 compat=0
ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524932.915:2226): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0
ip=0x452719 code=0x7ffc0000
audit: type=1326 audit(1508524932.915:2227): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=kernel pid=24663 comm="syz-executor5"
exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0
ip=0x452719 code=0x7ffc0000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 24741 Comm: syz-executor2 Not tainted 4.14.0-rc5+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
fail_dump lib/fault-inject.c:51 [inline]
should_fail+0x8c0/0xa40 lib/fault-inject.c:149
should_failslab+0xec/0x120 mm/failslab.c:31
slab_pre_alloc_hook mm/slab.h:422 [inline]
slab_alloc_node mm/slab.c:3304 [inline]
kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3649
__alloc_skb+0xf1/0x740 net/core/skbuff.c:194
alloc_skb include/linux/skbuff.h:976 [inline]
inet_rtm_getroute+0x2a4/0x2d70 net/ipv4/route.c:2702
rtnetlink_rcv_msg+0x51c/0x1090 net/core/rtnetlink.c:4237
netlink_rcv_skb+0x216/0x440 net/netlink/af_netlink.c:2409
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4261
netlink_unicast_kernel net/netlink/af_netlink.c:1273 [inline]
netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1299
netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1862
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
sock_write_iter+0x31a/0x5d0 net/socket.c:912
call_write_iter include/linux/fs.h:1770 [inline]
new_sync_write fs/read_write.c:468 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:481
vfs_write+0x189/0x510 fs/read_write.c:543
SYSC_write fs/read_write.c:588 [inline]
SyS_write+0xef/0x220 fs/read_write.c:580
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007fd087b03be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
RDX: 0000000000000024 RSI: 0000000020226000 RDI: 0000000000000013
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7420
R13: 00007fd087b03b58 R14: 00000000004b7430 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 24751 Comm: syz-executor2 Not tainted 4.14.0-rc5+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
fail_dump lib/fault-inject.c:51 [inline]
should_fail+0x8c0/0xa40 lib/fault-inject.c:149
should_failslab+0xec/0x120 mm/failslab.c:31
slab_pre_alloc_hook mm/slab.h:422 [inline]
slab_alloc_node mm/slab.c:3304 [inline]
kmem_cache_alloc_node_trace+0x5a/0x750 mm/slab.c:3668
__do_kmalloc_node mm/slab.c:3688 [inline]
__kmalloc_node_track_caller+0x33/0x70 mm/slab.c:3703
__kmalloc_reserve.isra.40+0x41/0xd0 net/core/skbuff.c:138
__alloc_skb+0x13b/0x740 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:976 [inline]
inet_rtm_getroute+0x2a4/0x2d70 net/ipv4/route.c:2702
rtnetlink_rcv_msg+0x51c/0x1090 net/core/rtnetlink.c:4237
netlink_rcv_skb+0x216/0x440 net/netlink/af_netlink.c:2409
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4261
netlink_unicast_kernel net/netlink/af_netlink.c:1273 [inline]
netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1299
netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1862
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
sock_write_iter+0x31a/0x5d0 net/socket.c:912
call_write_iter include/linux/fs.h:1770 [inline]
new_sync_write fs/read_write.c:468 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:481
vfs_write+0x189/0x510 fs/read_write.c:543
SYSC_write fs/read_write.c:588 [inline]
SyS_write+0xef/0x220 fs/read_write.c:580
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007fd087b03be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
RDX: 0000000000000024 RSI: 0000000020226000 RDI: 0000000000000013
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7420
R13: 00007fd087b03b58 R14: 00000000004b7430 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 24773 Comm: syz-executor2 Not tainted 4.14.0-rc5+ #140
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
fail_dump lib/fault-inject.c:51 [inline]
should_fail+0x8c0/0xa40 lib/fault-inject.c:149
should_failslab+0xec/0x120 mm/failslab.c:31
slab_pre_alloc_hook mm/slab.h:422 [inline]
slab_alloc_node mm/slab.c:3304 [inline]
kmem_cache_alloc_node_trace+0x5a/0x750 mm/slab.c:3668
__do_kmalloc_node mm/slab.c:3688 [inline]
__kmalloc_node_track_caller+0x33/0x70 mm/slab.c:3703
__kmalloc_reserve.isra.40+0x41/0xd0 net/core/skbuff.c:138
pskb_expand_head+0x1fb/0x10b0 net/core/skbuff.c:1459
netlink_trim+0x23a/0x300 net/netlink/af_netlink.c:1255
netlink_unicast+0xb0/0x6f0 net/netlink/af_netlink.c:1289
nlmsg_unicast include/net/netlink.h:607 [inline]
rtnl_unicast+0x4c/0x70 net/core/rtnetlink.c:640
inet_rtm_getroute+0x1f4a/0x2d70 net/ipv4/route.c:2798
rtnetlink_rcv_msg+0x51c/0x1090 net/core/rtnetlink.c:4237
netlink_rcv_skb+0x216/0x440 net/netlink/af_netlink.c:2409
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4261
netlink_unicast_kernel net/netlink/af_netlink.c:1273 [inline]
netlink_unicast+0x4e8/0x6f0 net/netlink/af_netlink.c:1299
netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1862
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
sock_write_iter+0x31a/0x5d0 net/socket.c:912
call_write_iter include/linux/fs.h:1770 [inline]
new_sync_write fs/read_write.c:468 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:481
vfs_write+0x189/0x510 fs/read_write.c:543
SYSC_write fs/read_write.c:588 [inline]
SyS_write+0xef/0x220 fs/read_write.c:580
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007fd087b03be8 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
RDX: 0000000000000024 RSI: 0000000020226000 RDI: 0000000000000013
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7420
R13: 00007fd087b03b58 R14: 00000000004b7430 R15: 0000000000000000
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0
sclass=netlink_route_socket pig=24799 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=39134
sclass=netlink_route_socket pig=24910 comm=syz-executor2
nla_parse: 3 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor6'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=39134
sclass=netlink_route_socket pig=24922 comm=syz-executor2
netlink: 3 bytes leftover after parsing attributes in process
`syz-executor6'.
device gre0 entered promiscuous mode
RDS: rds_bind could not find a transport for 172.20.7.170, load rds_tcp or
rds_rdma?
RDS: rds_bind could not find a transport for 172.20.7.170, load rds_tcp or
rds_rdma?
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor3'.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=65535
sclass=netlink_xfrm_socket pig=25113 comm=syz-executor3
netlink: 60 bytes leftover after parsing attributes in process
`syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process
`syz-executor3'.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=65535
sclass=netlink_xfrm_socket pig=25113 comm=syz-executor3
netlink: 60 bytes leftover after parsing attributes in process
`syz-executor3'.
QAT: Invalid ioctl
device gre0 left promiscuous mode
QAT: Invalid ioctl
mmap: syz-executor7 (25194): VmData 18792448 exceed data ulimit 0. Update
limits or use boot option ignore_rlimit_data.
print_req_error: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, lost async page write
print_req_error: I/O error, dev loop0, sector 8
Buffer I/O error on dev loop0, logical block 1, lost async page write
print_req_error: I/O error, dev loop0, sector 16
Buffer I/O error on dev loop0, logical block 2, lost async page write
print_req_error: I/O error, dev loop0, sector 24
Buffer I/O error on dev loop0, logical block 3, lost async page write
print_req_error: I/O error, dev loop0, sector 32
Buffer I/O error on dev loop0, logical block 4, lost async page write
print_req_error: I/O error, dev loop0, sector 40
Buffer I/O error on dev loop0, logical block 5, lost async page write
print_req_error: I/O error, dev loop0, sector 48
Buffer I/O error on dev loop0, logical block 6, lost async page write
print_req_error: I/O error, dev loop0, sector 56
Buffer I/O error on dev loop0, logical block 7, lost async page write
print_req_error: I/O error, dev loop0, sector 64
Buffer I/O error on dev loop0, logical block 8, lost async page write
print_req_error: I/O error, dev loop0, sector 72
Buffer I/O error on dev loop0, logical block 9, lost async page write


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.

Florian Westphal

Nov 2, 2017, 11:02:11 AM
to net...@vger.kernel.org, syzkall...@googlegroups.com, bot+e52a2ae091b628f727...@syzkaller.appspotmail.com, Florian Westphal
syzbot reported yet another regression added with DOIT_UNLOCKED.
When nexthop is marked as dead, fib_dump_info uses __in_dev_get_rtnl():

./include/linux/inetdevice.h:230 suspicious rcu_dereference_protected() usage!
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by syz-executor2/23859:
#0: (rcu_read_lock){....}, at: [<ffffffff840283f0>]
inet_rtm_getroute+0xaa0/0x2d70 net/ipv4/route.c:2738
[..]
lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4665
__in_dev_get_rtnl include/linux/inetdevice.h:230 [inline]
fib_dump_info+0x1136/0x13d0 net/ipv4/fib_semantics.c:1377
inet_rtm_getroute+0xf97/0x2d70 net/ipv4/route.c:2785
..

This isn't safe anymore: callers either hold the RTNL mutex or the rcu read lock,
so these spots must use rcu_dereference_rtnl() or plain rcu_dereference()
(plus unconditional rcu read lock).

This does the latter.

Fixes: 394f51abb3d04f ("ipv4: route: set ipv4 RTM_GETROUTE to not use rtnl")
Reported-by: syzbot <syzk...@googlegroups.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
---
net/ipv4/fib_semantics.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 57a5d48acee8..01ed22139ac2 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -1365,8 +1365,6 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
nla_put_in_addr(skb, RTA_PREFSRC, fi->fib_prefsrc))
goto nla_put_failure;
if (fi->fib_nhs == 1) {
- struct in_device *in_dev;
-
if (fi->fib_nh->nh_gw &&
nla_put_in_addr(skb, RTA_GATEWAY, fi->fib_nh->nh_gw))
goto nla_put_failure;
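Review bot: dropping the block-scope `struct in_device *in_dev;` here is only consistent with the following hunk, which redeclares it inside the `RTNH_F_LINKDOWN` branch; on its own this hunk would leave the later `in_dev =` assignment without a declaration, so the two hunks must land as one patch (they do). The narrower scope is the right call, since it makes the variable's lifetime match the rcu_read_lock()/rcu_read_unlock() window in which the pointer is actually valid.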
@@ -1374,10 +1372,14 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
nla_put_u32(skb, RTA_OIF, fi->fib_nh->nh_oif))
goto nla_put_failure;
if (fi->fib_nh->nh_flags & RTNH_F_LINKDOWN) {
- in_dev = __in_dev_get_rtnl(fi->fib_nh->nh_dev);
+ struct in_device *in_dev;
+
+ rcu_read_lock();
+ in_dev = __in_dev_get_rcu(fi->fib_nh->nh_dev);
if (in_dev &&
IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN(in_dev))
rtm->rtm_flags |= RTNH_F_DEAD;
+ rcu_read_unlock();
}
if (fi->fib_nh->nh_flags & RTNH_F_OFFLOAD)
rtm->rtm_flags |= RTNH_F_OFFLOAD;
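Review bot: the critical section boundaries are right: `rcu_read_unlock();` follows the last use of `in_dev` (the `IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN(in_dev)` read) and nothing derived from `in_dev` escapes it, only the `rtm->rtm_flags` bit does. A one-line comment above `rcu_read_lock();` explaining why the lock is taken unconditionally would help future readers: RTNL-holding callers do not strictly need it, but `fib_dump_info` is now reachable from the unlocked `RTM_GETROUTE` path, and nesting inside a caller's existing rcu read-side section is legal and cheap, which is simpler than threading a "which lock do I hold" flag through the callers.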
@@ -1400,18 +1402,20 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
goto nla_put_failure;

for_nexthops(fi) {
- struct in_device *in_dev;
-
rtnh = nla_reserve_nohdr(skb, sizeof(*rtnh));
if (!rtnh)
goto nla_put_failure;

rtnh->rtnh_flags = nh->nh_flags & 0xFF;
if (nh->nh_flags & RTNH_F_LINKDOWN) {
- in_dev = __in_dev_get_rtnl(nh->nh_dev);
+ struct in_device *in_dev;
+
+ rcu_read_lock();
+ in_dev = __in_dev_get_rcu(nh->nh_dev);
if (in_dev &&
IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN(in_dev))
rtnh->rtnh_flags |= RTNH_F_DEAD;
+ rcu_read_unlock();
}
rtnh->rtnh_hops = nh->nh_weight - 1;
rtnh->rtnh_ifindex = nh->nh_oif;
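Review bot: this is the same lock/dereference/test/unlock sequence as in the single-nexthop branch above, differing only in `nh` versus `fi->fib_nh` and `rtnh->rtnh_flags` versus `rtm->rtm_flags`; a small static helper taking the `net_device` and returning whether the nexthop should be flagged dead would keep the locking rule in one place, so a later change cannot reintroduce `__in_dev_get_rtnl()` in one copy but not the other. Otherwise the hunk is correct: the `RTNH_F_DEAD` decision is made inside the critical section and only the flag bit leaves it.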
--
2.13.6
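To make the locking rule in the commit message concrete, here is an added userspace model of the lockdep check that produced the warning; it is not kernel code and not part of the patch. The kernel helpers are replaced by stand-ins that only track which locks the calling context holds (every name ending in `_model` is hypothetical). It runs the link-down test of `fib_dump_info` in its pre-fix form (RTNL-only accessor), in the fixed form (unconditional rcu read lock plus `_rcu` accessor), and with the `rcu_dereference_rtnl()`-style wrapper that is raised as the alternative later in this thread, under both caller contexts the commit message names.

```c
/* Added example (not kernel code): a userspace model of the lockdep check
 * behind the "suspicious rcu_dereference_protected() usage" warning above.
 * Kernel helpers are replaced by stand-ins that only track which locks the
 * calling context holds. All names ending in _model are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct in_device_model { bool ignore_routes_with_linkdown; };
struct net_device_model { struct in_device_model *ip_ptr; };

/* Lock state of the calling context, the part of lockdep that matters here. */
static int rtnl_held;        /* nonzero while the RTNL mutex is "held" */
static int rcu_read_depth;   /* nesting depth of rcu_read_lock() */
static int suspicious_count; /* how often the lockdep check fired */

static void rtnl_lock_model(void)       { rtnl_held = 1; }
static void rtnl_unlock_model(void)     { rtnl_held = 0; }
static void rcu_read_lock_model(void)   { rcu_read_depth++; }
static void rcu_read_unlock_model(void) { rcu_read_depth--; }

/* Stand-in for __in_dev_get_rtnl(): rcu_dereference_protected() with the
 * condition "RTNL is held"; lockdep warns when the condition is false. */
static struct in_device_model *in_dev_get_rtnl_model(struct net_device_model *dev)
{
    if (!rtnl_held)
        suspicious_count++;   /* the WARNING in the syzbot report */
    return dev->ip_ptr;
}

/* Stand-in for __in_dev_get_rcu(): rcu_dereference(), which needs an rcu
 * read-side critical section. */
static struct in_device_model *in_dev_get_rcu_model(struct net_device_model *dev)
{
    if (rcu_read_depth == 0)
        suspicious_count++;
    return dev->ip_ptr;
}

/* Stand-in for rcu_dereference_rtnl(): either lock satisfies the check.
 * This is the other alternative named in the commit message. */
static struct in_device_model *in_dev_get_rtnl_or_rcu_model(struct net_device_model *dev)
{
    if (!rtnl_held && rcu_read_depth == 0)
        suspicious_count++;
    return dev->ip_ptr;
}

/* The link-down test in fib_dump_info before the fix: assumes RTNL. */
static bool nh_dead_before_fix(struct net_device_model *dev)
{
    struct in_device_model *in_dev = in_dev_get_rtnl_model(dev);

    return in_dev && in_dev->ignore_routes_with_linkdown;
}

/* After the fix: unconditional rcu read lock plus the _rcu accessor.
 * Nesting inside a caller's existing rcu_read_lock() is legal. */
static bool nh_dead_after_fix(struct net_device_model *dev)
{
    struct in_device_model *in_dev;
    bool dead;

    rcu_read_lock_model();
    in_dev = in_dev_get_rcu_model(dev);
    dead = in_dev && in_dev->ignore_routes_with_linkdown;
    rcu_read_unlock_model();
    return dead;
}

/* The wrapper alternative: no extra locking, accessor accepts either lock. */
static bool nh_dead_with_wrapper(struct net_device_model *dev)
{
    struct in_device_model *in_dev = in_dev_get_rtnl_or_rcu_model(dev);

    return in_dev && in_dev->ignore_routes_with_linkdown;
}

/* Run one variant under the two caller contexts the commit message names
 * (RTNL held, or only rcu_read_lock as in the unlocked RTM_GETROUTE path)
 * on a constructed device and return how many lockdep complaints it raised. */
static int complaints(bool (*dump)(struct net_device_model *), bool via_rtnl)
{
    struct in_device_model idev = { .ignore_routes_with_linkdown = true };
    struct net_device_model dev = { .ip_ptr = &idev };
    int before = suspicious_count;

    if (via_rtnl) rtnl_lock_model(); else rcu_read_lock_model();
    (void)dump(&dev);
    if (via_rtnl) rtnl_unlock_model(); else rcu_read_unlock_model();
    return suspicious_count - before;
}

int main(void)
{
    printf("before fix, RTNL held: %d complaints\n", complaints(nh_dead_before_fix, true));
    printf("before fix, rcu only:  %d complaints\n", complaints(nh_dead_before_fix, false));
    printf("after fix, rcu only:   %d complaints\n", complaints(nh_dead_after_fix, false));
    printf("wrapper, rcu only:     %d complaints\n", complaints(nh_dead_with_wrapper, false));
    return 0;
}
```

Only the pre-fix variant called from an rcu-only context trips the check, which is exactly the combination the unlocked `RTM_GETROUTE` handler created; both the patch's unconditional-lock form and the wrapper form are clean under either caller, so the choice between them is about code shape, not correctness.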

Cong Wang

Nov 2, 2017, 2:56:40 PM
to syzbot, David Miller, Alexey Kuznetsov, LKML, Linux Kernel Network Developers, syzkall...@googlegroups.com, Hideaki YOSHIFUJI
On Thu, Nov 2, 2017 at 3:53 AM, syzbot
<bot+e52a2ae091b628f727...@syzkaller.appspotmail.com>
wrote:
This is introduced by:

commit 394f51abb3d04f33fb798f04b16ae6b0491ea4ec
Author: Florian Westphal <f...@strlen.de>
Date: Tue Aug 15 16:34:44 2017 +0200

ipv4: route: set ipv4 RTM_GETROUTE to not use rtnl

Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: David S. Miller <da...@davemloft.net>

Looks like we need a wrapper for rcu_dereference_protected(dev->ip_ptr).

Florian Westphal

Nov 2, 2017, 3:07:10 PM
to Cong Wang, syzbot, David Miller, Alexey Kuznetsov, LKML, Linux Kernel Network Developers, syzkall...@googlegroups.com, Hideaki YOSHIFUJI
Cong Wang <xiyou.w...@gmail.com> wrote:
> > CPU: 0 PID: 23859 Comm: syz-executor2 Not tainted 4.14.0-rc5+ #140
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> > Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:16 [inline]
> > dump_stack+0x194/0x257 lib/dump_stack.c:52
> > lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4665
> > __in_dev_get_rtnl include/linux/inetdevice.h:230 [inline]
> > fib_dump_info+0x1136/0x13d0 net/ipv4/fib_semantics.c:1377
> > inet_rtm_getroute+0xf97/0x2d70 net/ipv4/route.c:2785
>
> This is introduced by:
>
> commit 394f51abb3d04f33fb798f04b16ae6b0491ea4ec
> Author: Florian Westphal <f...@strlen.de>
> Date: Tue Aug 15 16:34:44 2017 +0200
>
> ipv4: route: set ipv4 RTM_GETROUTE to not use rtnl
>
> Signed-off-by: Florian Westphal <f...@strlen.de>
> Signed-off-by: David S. Miller <da...@davemloft.net>
>
> Looks like we need a wrapper for rcu_dereference_protected(dev->ip_ptr).

Yes, that's the alternative to
https://patchwork.ozlabs.org/patch/833401/

which switches to _rcu version.

Cong Wang

Nov 2, 2017, 4:55:31 PM
to Florian Westphal, syzbot, David Miller, Alexey Kuznetsov, LKML, Linux Kernel Network Developers, syzkall...@googlegroups.com, Hideaki YOSHIFUJI
Yeah, that works too.

David Miller

Nov 3, 2017, 1:28:12 AM
to f...@strlen.de, net...@vger.kernel.org, syzkall...@googlegroups.com, bot+e52a2ae091b628f727...@syzkaller.appspotmail.com
From: Florian Westphal <f...@strlen.de>
Date: Thu, 2 Nov 2017 16:02:20 +0100

> syzbot reported yet another regression added with DOIT_UNLOCKED.
> When nexthop is marked as dead, fib_dump_info uses __in_dev_get_rtnl():
>
> ./include/linux/inetdevice.h:230 suspicious rcu_dereference_protected() usage!
> rcu_scheduler_active = 2, debug_locks = 1
> 1 lock held by syz-executor2/23859:
> #0: (rcu_read_lock){....}, at: [<ffffffff840283f0>]
> inet_rtm_getroute+0xaa0/0x2d70 net/ipv4/route.c:2738
> [..]
> lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4665
> __in_dev_get_rtnl include/linux/inetdevice.h:230 [inline]
> fib_dump_info+0x1136/0x13d0 net/ipv4/fib_semantics.c:1377
> inet_rtm_getroute+0xf97/0x2d70 net/ipv4/route.c:2785
> ..
>
> This isn't safe anymore, callers either hold RTNL mutex or rcu read lock,
> so these spots must use rcu_dereference_rtnl() or plain rcu_derefence()
> (plus unconditional rcu read lock).
>
> This does the latter.
>
> Fixes: 394f51abb3d04f ("ipv4: route: set ipv4 RTM_GETROUTE to not use rtnl")
> Reported-by: syzbot <syzk...@googlegroups.com>
> Signed-off-by: Florian Westphal <f...@strlen.de>

Applied, thanks Florian.

Eric Biggers

Jan 30, 2018, 7:44:00 PM
to syzbot, da...@davemloft.net, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, yosh...@linux-ipv6.org
No longer seeing this crash. I assume it was fixed by the following commit
(thanks Florian!), so telling syzbot:

#syz fix: fib: fib_dump_info can no longer use __in_dev_get_rtnl