possible deadlock in do_ipv6_setsockopt (2)


syzbot

Feb 9, 2018, 3:58:05 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot hit the following crash on upstream commit
a2e5790d841658485d642196dbb0927303d6c22f (Wed Feb 7 06:15:42 2018 +0000)
Merge branch 'akpm' (patches from Andrew)

So far this crash happened 2 times on
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master,
upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.
CC: [da...@davemloft.net kuz...@ms2.inr.ac.ru linux-...@vger.kernel.org net...@vger.kernel.org yosh...@linux-ipv6.org]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+886c94...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.


======================================================
WARNING: possible circular locking dependency detected
4.15.0+ #301 Not tainted
------------------------------------------------------
syz-executor5/6587 is trying to acquire lock:
(sk_lock-AF_INET6){+.+.}, at: [<000000009f143294>] lock_sock include/net/sock.h:1463 [inline]
(sk_lock-AF_INET6){+.+.}, at: [<000000009f143294>] do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167

but task is already holding lock:
(rtnl_mutex){+.+.}, at: [<00000000820fa952>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (rtnl_mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673
clusterip_config_entry_put net/ipv4/netfilter/ipt_CLUSTERIP.c:114 [inline]
clusterip_tg_destroy+0x389/0x6e0 net/ipv4/netfilter/ipt_CLUSTERIP.c:518
cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:654
__do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1089
do_replace net/ipv4/netfilter/ip_tables.c:1145 [inline]
do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1675
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1259
tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
SYSC_setsockopt net/socket.c:1849 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1828
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b

-> #1 (&xt[i].mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1041
get_entries net/ipv6/netfilter/ip6_tables.c:1045 [inline]
do_ip6t_get_ctl+0x432/0xaf0 net/ipv6/netfilter/ip6_tables.c:1714
nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
ipv6_getsockopt+0x1df/0x2e0 net/ipv6/ipv6_sockglue.c:1371
udpv6_getsockopt+0x45/0x80 net/ipv6/udp.c:1441
sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2934
SYSC_getsockopt net/socket.c:1880 [inline]
SyS_getsockopt+0x178/0x340 net/socket.c:1862
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b

-> #0 (sk_lock-AF_INET6){+.+.}:
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
lock_sock_nested+0xc2/0x110 net/core/sock.c:2777
lock_sock include/net/sock.h:1463 [inline]
do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
ipv6_setsockopt+0xd7/0x130 net/ipv6/ipv6_sockglue.c:922
udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
SYSC_setsockopt net/socket.c:1849 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1828
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b

other info that might help us debug this:

Chain exists of:
sk_lock-AF_INET6 --> &xt[i].mutex --> rtnl_mutex

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(&xt[i].mutex);
                               lock(rtnl_mutex);
  lock(sk_lock-AF_INET6);

*** DEADLOCK ***

1 lock held by syz-executor5/6587:
#0: (rtnl_mutex){+.+.}, at: [<00000000820fa952>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

stack backtrace:
CPU: 0 PID: 6587 Comm: syz-executor5 Not tainted 4.15.0+ #301
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
check_prev_add kernel/locking/lockdep.c:1863 [inline]
check_prevs_add kernel/locking/lockdep.c:1976 [inline]
validate_chain kernel/locking/lockdep.c:2417 [inline]
__lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
lock_sock_nested+0xc2/0x110 net/core/sock.c:2777
lock_sock include/net/sock.h:1463 [inline]
do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
ipv6_setsockopt+0xd7/0x130 net/ipv6/ipv6_sockglue.c:922
udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
SYSC_setsockopt net/socket.c:1849 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1828
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453299
RSP: 002b:00007fa8f8f9ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000000000014 RSI: 0000000000000029 RDI: 0000000000000014
RBP: 0000000000000502 R08: 0000000000000014 R09: 0000000000000000
R10: 0000000020d09f80 R11: 0000000000000212 R12: 00000000006f68d0
R13: 00000000ffffffff R14: 00007fa8f8f9f6d4 R15: 0000000000000000


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
raw.log.txt
config.txt

Dmitry Vyukov

Feb 11, 2018, 3:39:23 AM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
#syz fix: netfilter: drop outermost socket lock in getsockopt()