lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 12 Feb 2018 08:02:01 -0800
From:   syzbot <syzbot+f8af40b8331eed0c4ada@...kaller.appspotmail.com>
To:     davem@...emloft.net, linux-kernel@...r.kernel.org,
        linux-rdma@...r.kernel.org, netdev@...r.kernel.org,
        rds-devel@....oracle.com, santosh.shilimkar@...cle.com,
        syzkaller-bugs@...glegroups.com
Subject: BUG: sleeping function called from invalid context at mm/slab.h:LINE (3)

Hello,

syzbot hit the following crash on upstream commit
7928b2cbe55b2a410a0f5c1f154610059c57b1b2 (Sun Feb 11 23:04:29 2018 +0000)
Linux 4.16-rc1

So far this crash happened 12 times on net-next, upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f8af40b8331eed0c4ada@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.
If you forward the report, please keep this part and the footer.


BUG: sleeping function called from invalid context at mm/slab.h:420
=============================
in_atomic(): 1, irqs_disabled(): 0, pid: 5502, name: syz-executor5
1 lock held by syz-executor5/5502:
WARNING: suspicious RCU usage
  #0:
4.16.0-rc1+ #309 Not tainted
  (rcu_read_lock
-----------------------------
){....}, at: [<00000000bab82aaf>] __rds_conn_create+0xe46/0x1b50  
net/rds/connection.c:218
CPU: 0 PID: 5502 Comm: syz-executor5 Not tainted 4.16.0-rc1+ #309
./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side  
critical section!
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53

other info that might help us debug this:

  ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128

rcu_scheduler_active = 2, debug_locks = 1
  __might_sleep+0x95/0x190 kernel/sched/core.c:6081
1 lock held by syz-executor2/5500:
  slab_pre_alloc_hook mm/slab.h:420 [inline]
  slab_alloc mm/slab.c:3365 [inline]
  kmem_cache_alloc+0x2a2/0x760 mm/slab.c:3539
  #0:
  rds_tcp_conn_alloc+0xa7/0x4e0 net/rds/tcp.c:296
  (
rcu_read_lock
  __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227
){....}
, at: [<00000000bab82aaf>] __rds_conn_create+0xe46/0x1b50  
net/rds/connection.c:218

stack backtrace:
  rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309
  rds_sendmsg+0xda3/0x2390 net/rds/send.c:1126
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  SYSC_sendto+0x361/0x5c0 net/socket.c:1747
  SyS_sendto+0x40/0x50 net/socket.c:1715
  do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007f3b86e30c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f3b86e316d4 RCX: 0000000000453a59
RDX: 0000000000000000 RSI: 0000000020141fb9 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 000000002069affb R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004b9 R14: 00000000006f71f8 R15: 0000000000000000
CPU: 1 PID: 5500 Comm: syz-executor2 Not tainted 4.16.0-rc1+ #309
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
  rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline]
  ___might_sleep+0x385/0x470 kernel/sched/core.c:6093
  __might_sleep+0x95/0x190 kernel/sched/core.c:6081
  slab_pre_alloc_hook mm/slab.h:420 [inline]
  slab_alloc mm/slab.c:3365 [inline]
  kmem_cache_alloc_trace+0x299/0x740 mm/slab.c:3605
  kmalloc include/linux/slab.h:512 [inline]
  kzalloc include/linux/slab.h:701 [inline]
  rds_loop_conn_alloc+0xc8/0x380 net/rds/loop.c:126
  __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227
  rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309
  rds_sendmsg+0xda3/0x2390 net/rds/send.c:1126
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  SYSC_sendto+0x361/0x5c0 net/socket.c:1747
  SyS_sendto+0x40/0x50 net/socket.c:1715
  do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007ff3962aac68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007ff3962ab6d4 RCX: 0000000000453a59
RDX: 0000000000000000 RSI: 0000000020141fb9 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 000000002069affb R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004b9 R14: 00000000006f71f8 R15: 0000000000000000
audit: type=1400 audit(1518434232.557:22): avc:  denied  { map_create }  
for  pid=5494 comm="syz-executor0"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf  
permissive=1
netlink: 'syz-executor0': attribute type 21 has an invalid length.
netlink: 'syz-executor0': attribute type 21 has an invalid length.
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
xt_SECMARK: invalid mode: 0
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
xt_SECMARK: invalid mode: 0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20010. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
binder: 5573:5592 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 5573:5606 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
netlink: 3 bytes leftover after parsing attributes in process  
`syz-executor2'.
netlink: 'syz-executor2': attribute type 6 has an invalid length.
netlink: 3 bytes leftover after parsing attributes in process  
`syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process  
`syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process  
`syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process  
`syz-executor0'.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
netlink: 'syz-executor0': attribute type 6 has an invalid length.
netlink: 'syz-executor2': attribute type 6 has an invalid length.
netlink: 3 bytes leftover after parsing attributes in process  
`syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process  
`syz-executor2'.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
audit: type=1400 audit(1518434234.307:23): avc:  denied  { create } for   
pid=5738 comm="syz-executor2"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1518434234.310:24): avc:  denied  { write } for   
pid=5738 comm="syz-executor2"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1518434234.359:25): avc:  denied  { map_read  
map_write } for  pid=5744 comm="syz-executor6"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf  
permissive=1
QAT: Invalid ioctl
QAT: Invalid ioctl
audit: type=1400 audit(1518434234.581:26): avc:  denied  { map } for   
pid=5799 comm="syz-executor7" path="/dev/snd/pcmC0D0c" dev="devtmpfs"  
ino=9158 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1518434234.621:27): avc:  denied  { setuid } for   
pid=5796 comm="syz-executor1" capability=7   
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns  
permissive=1
audit: type=1400 audit(1518434234.657:28): avc:  denied  { node_bind } for   
pid=5815 comm="syz-executor5" saddr=fe80::  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket permissive=1
audit: type=1400 audit(1518434234.661:29): avc:  denied  { name_bind } for   
pid=5815 comm="syz-executor5" src=20021  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
binder: 5849:5858 ioctl 4b3b 20001ff8 returned -22
audit: type=1400 audit(1518434234.775:30): avc:  denied  { ipc_owner } for   
pid=5850 comm="syz-executor1" capability=15   
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns  
permissive=1
binder: 5849:5872 ioctl 4b3b 20001ff8 returned -22
ipt_REJECT: ECHOREPLY no longer supported.
ipt_REJECT: ECHOREPLY no longer supported.
tmpfs: Bad mount option ,4M��7.���
tmpfs: Bad mount option ,4M��7.���
device eql entered promiscuous mode
device eql entered promiscuous mode
TCP: request_sock_TCPv6: Possible SYN flooding on port 20010. Sending  
cookies.  Check SNMP counters.
netlink: 40 bytes leftover after parsing attributes in process  
`syz-executor5'.
netlink: 40 bytes leftover after parsing attributes in process  
`syz-executor5'.
xt_connbytes: Forcing CT accounting to be enabled
ip_tunnel: non-ECT from 172.20.7.10 with TOS=0xb
ip_tunnel: non-ECT from 172.20.7.10 with TOS=0xb
autofs4:pid:6405:check_dev_ioctl_version: ioctl control interface version  
mismatch: kernel(1.1), user(3590324411.0), cmd(0x0000937e)
autofs4:pid:6405:validate_dev_ioctl: invalid device control module version  
supplied for cmd(0x0000937e)
autofs4:pid:6417:check_dev_ioctl_version: ioctl control interface version  
mismatch: kernel(1.1), user(3590324411.0), cmd(0x0000937e)
autofs4:pid:6417:validate_dev_ioctl: invalid device control module version  
supplied for cmd(0x0000937e)
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
BUG: sleeping function called from invalid context at mm/slab.h:420
in_atomic(): 1, irqs_disabled(): 0, pid: 6524, name: syz-executor3
1 lock held by syz-executor3/6524:
  #0:  (rcu_read_lock){....}, at: [<00000000bab82aaf>]  
__rds_conn_create+0xe46/0x1b50 net/rds/connection.c:218
binder: release 6508:6510 transaction 2 out, still active
CPU: 1 PID: 6524 Comm: syz-executor3 Tainted: G        W        4.16.0-rc1+  
#309
binder: unexpected work type, 4, not freed
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
binder: undelivered TRANSACTION_COMPLETE
  ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6128
kauditd_printk_skb: 7 callbacks suppressed
audit: type=1400 audit(1518434237.916:38): avc:  denied  { set_context_mgr  
} for  pid=6508 comm="syz-executor7"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder  
permissive=1
  __might_sleep+0x95/0x190 kernel/sched/core.c:6081
audit: type=1400 audit(1518434237.924:39): avc:  denied  { call } for   
pid=6508 comm="syz-executor7"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder  
permissive=1
  slab_pre_alloc_hook mm/slab.h:420 [inline]
  slab_alloc mm/slab.c:3365 [inline]
  kmem_cache_alloc_trace+0x299/0x740 mm/slab.c:3605
audit: type=1400 audit(1518434237.924:40): avc:  denied  { transfer } for   
pid=6508 comm="syz-executor7"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder  
permissive=1
  kmalloc include/linux/slab.h:512 [inline]
  kzalloc include/linux/slab.h:701 [inline]
  rds_loop_conn_alloc+0xc8/0x380 net/rds/loop.c:126
binder_alloc: binder_alloc_mmap_handler: 6508 20000000-20002000 already  
mapped failed -16
  __rds_conn_create+0x112f/0x1b50 net/rds/connection.c:227
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6508:6534 ioctl 40046207 0 returned -16
  rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:309
  rds_sendmsg+0xda3/0x2390 net/rds/send.c:1126
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  SYSC_sendto+0x361/0x5c0 net/socket.c:1747
  SyS_sendto+0x40/0x50 net/socket.c:1715
  do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007fc8763d6c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fc8763d76d4 RCX: 0000000000453a59
RDX: 0000000000000000 RSI: 0000000020007000 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000020000000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004b9 R14: 00000000006f71f8 R15: 0000000000000000
binder_alloc: 6508: binder_alloc_buf, no vma
binder: 6508:6510 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 2, target dead
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
audit: type=1400 audit(1518434238.530:41): avc:  denied  { map } for   
pid=6549 comm="syz-executor3"  
path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs"  
ino=16665 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file permissive=1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
device syz1 entered promiscuous mode
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
QAT: Invalid ioctl
device syz1 left promiscuous mode
QAT: Invalid ioctl
IPv4: Oversized IP packet from 127.0.0.1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
QAT: Invalid ioctl
capability: warning: `syz-executor0' uses 32-bit capabilities (legacy  
support in use)
xt_connbytes: Forcing CT accounting to be enabled
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
audit: type=1400 audit(1518434239.629:42): avc:  denied  { net_bind_service  
} for  pid=6730 comm="syz-executor0" capability=10   
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns  
permissive=1
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 6739 Comm: syz-executor4 Tainted: G        W        4.16.0-rc1+  
#309
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  fail_dump lib/fault-inject.c:51 [inline]
  should_fail+0x8c0/0xa40 lib/fault-inject.c:149
  should_failslab+0xec/0x120 mm/failslab.c:32
  slab_pre_alloc_hook mm/slab.h:422 [inline]
  slab_alloc_node mm/slab.c:3286 [inline]
  kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3629
  __alloc_skb+0xf1/0x780 net/core/skbuff.c:193
  alloc_skb_fclone include/linux/skbuff.h:1025 [inline]
  sk_stream_alloc_skb+0x126/0x9a0 net/ipv4/tcp.c:866
  tcp_sendmsg_locked+0x15f6/0x3c70 net/ipv4/tcp.c:1301
  tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1463
  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  SYSC_sendto+0x361/0x5c0 net/socket.c:1747
  SyS_sendto+0x40/0x50 net/socket.c:1715
  do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007f191fee9c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f191feea6d4 RCX: 0000000000453a59
RDX: fdbf12558da8f98b RSI: 0000000020fca000 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000020ec6f80 R09: 0000000000000080
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015
R13: 00000000000004b7 R14: 00000000006f71c8 R15: 0000000000000000
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
binder: 6862:6867 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6862:6867 Acquire 1 refcount change on invalid ref 0 ret -22
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
audit: type=1400 audit(1518434240.565:43): avc:  denied  { setfcap } for   
pid=6883 comm="syz-executor7" capability=31   
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns  
permissive=1
binder: 6885:6895 got reply transaction with no transaction stack
binder: 6885:6895 transaction failed 29201/-71, size 0-0 line 2757
binder: undelivered TRANSACTION_ERROR: 29201
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
device eql entered promiscuous mode
insert transport fail, errno -17
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 6994 Comm: syz-executor6 Tainted: G        W        4.16.0-rc1+  
#309
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  fail_dump lib/fault-inject.c:51 [inline]
  should_fail+0x8c0/0xa40 lib/fault-inject.c:149
  should_failslab+0xec/0x120 mm/failslab.c:32
  slab_pre_alloc_hook mm/slab.h:422 [inline]
  slab_alloc mm/slab.c:3365 [inline]
  kmem_cache_alloc_trace+0x4b/0x740 mm/slab.c:3605
  kmalloc include/linux/slab.h:512 [inline]
  kzalloc include/linux/slab.h:701 [inline]
  alloc_pipe_info+0x159/0x4b0 fs/pipe.c:633
  splice_direct_to_actor+0x64a/0x820 fs/splice.c:920
  do_splice_direct+0x29b/0x3c0 fs/splice.c:1061
  do_sendfile+0x5c9/0xe80 fs/read_write.c:1413
  SYSC_sendfile64 fs/read_write.c:1468 [inline]
  SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
  do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007f4849800c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f48498016d4 RCX: 0000000000453a59
RDX: 000000002046cff8 RSI: 0000000000000013 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 008000000000fffd R11: 0000000000000246 R12: 0000000000000014
R13: 00000000000004a0 R14: 00000000006f6fa0 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 7015 Comm: syz-executor6 Tainted: G        W        4.16.0-rc1+  
#309
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  fail_dump lib/fault-inject.c:51 [inline]
  should_fail+0x8c0/0xa40 lib/fault-inject.c:149
  should_failslab+0xec/0x120 mm/failslab.c:32
  slab_pre_alloc_hook mm/slab.h:422 [inline]
  slab_alloc mm/slab.c:3365 [inline]
  __do_kmalloc mm/slab.c:3703 [inline]
  __kmalloc+0x63/0x760 mm/slab.c:3714
  kmalloc_array include/linux/slab.h:631 [inline]
  kcalloc include/linux/slab.h:642 [inline]
  alloc_pipe_info+0x23f/0x4b0 fs/pipe.c:650
  splice_direct_to_actor+0x64a/0x820 fs/splice.c:920
  do_splice_direct+0x29b/0x3c0 fs/splice.c:1061
  do_sendfile+0x5c9/0xe80 fs/read_write.c:1413
  SYSC_sendfile64 fs/read_write.c:1468 [inline]
  SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
  do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453a59
RSP: 002b:00007f4849800c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f48498016d4 RCX: 0000000000453a59
RDX: 000000002046cff8 RSI: 0000000000000013 RDI: 0000000000000013
RBP: 000000000071bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 008000000000fffd R11: 0000000000000246 R12: 0000000000000014
R13: 00000000000004a0 R14: 00000000006f6fa0 R15: 0000000000000001
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
audit: type=1400 audit(1518434241.708:44): avc:  denied  { prog_run } for   
pid=7059 comm="syz-executor0"  
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf  
permissive=1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending  
cookies.  Check SNMP counters.
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.
Note: all commands must start from beginning of the line in the email body.

View attachment "raw.log.txt" of type "text/plain" (609431 bytes)

View attachment "config.txt" of type "text/plain" (136427 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ