Open Source and information security mailing list archives
 
Message-ID: <089e082603c4d3bea10563fa816b@google.com>
Date:   Tue, 30 Jan 2018 00:54:14 -0800
From:   syzbot <syzbot+ed1af231da07c4aee030@...kaller.appspotmail.com>
To:     coreteam@...filter.org, davem@...emloft.net, fw@...len.de,
        kadlec@...ckhole.kfki.hu, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
        pablo@...filter.org, syzkaller-bugs@...glegroups.com
Subject: possible deadlock in xt_find_table_lock

Hello,

syzbot hit the following crash on net-next commit
3e3ab9ccca5b50b11bd4d16c2048b667343354bd (Mon Jan 29 15:14:59 2018 +0000)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ed1af231da07c4aee030@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.


======================================================
WARNING: possible circular locking dependency detected
4.15.0-rc9+ #215 Not tainted
------------------------------------------------------
syz-executor7/5544 is trying to acquire lock:
  (&xt[i].mutex){+.+.}, at: [<00000000ecf27ab4>] xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1036

but task is already holding lock:
  (sk_lock-AF_INET6){+.+.}, at: [<00000000fc772797>] lock_sock include/net/sock.h:1463 [inline]
  (sk_lock-AF_INET6){+.+.}, at: [<00000000fc772797>] ip_getsockopt+0x143/0x220 net/ipv4/ip_sockglue.c:1576

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (sk_lock-AF_INET6){+.+.}:
        lock_sock_nested+0xc2/0x110 net/core/sock.c:2780
        lock_sock include/net/sock.h:1463 [inline]
        do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
        ipv6_setsockopt+0xd7/0x150 net/ipv6/ipv6_sockglue.c:922
        tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2899
        sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
        SYSC_setsockopt net/socket.c:1849 [inline]
        SyS_setsockopt+0x189/0x360 net/socket.c:1828
        entry_SYSCALL_64_fastpath+0x29/0xa0

-> #1 (rtnl_mutex){+.+.}:
        __mutex_lock_common kernel/locking/mutex.c:756 [inline]
        __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
        mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
        rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
        unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673
        clusterip_config_entry_put net/ipv4/netfilter/ipt_CLUSTERIP.c:114 [inline]
        clusterip_tg_destroy+0x389/0x6e0 net/ipv4/netfilter/ipt_CLUSTERIP.c:508
        cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:659
        __do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1094
        do_replace net/ipv4/netfilter/ip_tables.c:1150 [inline]
        do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1680
        nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
        nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
        ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1260
        tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2899
        sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
        SYSC_setsockopt net/socket.c:1849 [inline]
        SyS_setsockopt+0x189/0x360 net/socket.c:1828
        entry_SYSCALL_64_fastpath+0x29/0xa0

-> #0 (&xt[i].mutex){+.+.}:
        lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
        __mutex_lock_common kernel/locking/mutex.c:756 [inline]
        __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
        mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
        xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1036
        xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1083
        get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:994
        do_arpt_get_ctl+0x2a9/0xa00 net/ipv4/netfilter/arp_tables.c:1486
        nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
        nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
        ip_getsockopt+0x15c/0x220 net/ipv4/ip_sockglue.c:1577
        udp_getsockopt+0x45/0x80 net/ipv4/udp.c:2473
        ipv6_getsockopt+0xf3/0x2e0 net/ipv6/ipv6_sockglue.c:1363
        tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3353
        sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2937
        SYSC_getsockopt net/socket.c:1880 [inline]
        SyS_getsockopt+0x178/0x340 net/socket.c:1862
        entry_SYSCALL_64_fastpath+0x29/0xa0

other info that might help us debug this:

Chain exists of:
   &xt[i].mutex --> rtnl_mutex --> sk_lock-AF_INET6

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(sk_lock-AF_INET6);
                                lock(rtnl_mutex);
                                lock(sk_lock-AF_INET6);
   lock(&xt[i].mutex);

  *** DEADLOCK ***

1 lock held by syz-executor7/5544:
  #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000fc772797>] lock_sock include/net/sock.h:1463 [inline]
  #0:  (sk_lock-AF_INET6){+.+.}, at: [<00000000fc772797>] ip_getsockopt+0x143/0x220 net/ipv4/ip_sockglue.c:1576

stack backtrace:
CPU: 0 PID: 5544 Comm: syz-executor7 Not tainted 4.15.0-rc9+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  print_circular_bug.isra.37+0x2cd/0x2dc kernel/locking/lockdep.c:1218
  check_prev_add kernel/locking/lockdep.c:1858 [inline]
  check_prevs_add kernel/locking/lockdep.c:1971 [inline]
  validate_chain kernel/locking/lockdep.c:2412 [inline]
  __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3426
  lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
  __mutex_lock_common kernel/locking/mutex.c:756 [inline]
  __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
  mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
  xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1036
  xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1083
  get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:994
  do_arpt_get_ctl+0x2a9/0xa00 net/ipv4/netfilter/arp_tables.c:1486
  nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
  nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
  ip_getsockopt+0x15c/0x220 net/ipv4/ip_sockglue.c:1577
  udp_getsockopt+0x45/0x80 net/ipv4/udp.c:2473
  ipv6_getsockopt+0xf3/0x2e0 net/ipv6/ipv6_sockglue.c:1363
  tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3353
  sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2937
  SYSC_getsockopt net/socket.c:1880 [inline]
  SyS_getsockopt+0x178/0x340 net/socket.c:1862
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fa847069c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00007fa84706a700 RCX: 0000000000453299
RDX: 0000000000000060 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 0000000000000000 R08: 0000000020d23000 R09: 0000000000000000
R10: 00000000201e3000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a2f33f R14: 00007fa84706a9c0 R15: 0000000000000000
netlink: 16 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1316 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 'syz-executor0': attribute type 6 has an invalid length.
netlink: 1316 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 'syz-executor0': attribute type 6 has an invalid length.
syz-executor3 (5753) used greatest stack depth: 12656 bytes left
oom_reaper: reaped process 5783 (syz-executor1), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
syz-executor1 invoked oom-killer: gfp_mask=0x14002c2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN), nodemask=(null), order=0, oom_score_adj=0
syz-executor1: vmalloc: allocation failure, allocated 2791477248 of 4294971392 bytes, mode:0x14000c0(GFP_KERNEL), nodemask=(null)
syz-executor1 cpuset=/ mems_allowed=0
CPU: 1 PID: 5793 Comm: syz-executor1 Not tainted 4.15.0-rc9+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  warn_alloc+0x19a/0x2b0 mm/page_alloc.c:3299
  __vmalloc_area_node mm/vmalloc.c:1718 [inline]
  __vmalloc_node_range+0x482/0x650 mm/vmalloc.c:1759
  __vmalloc_node mm/vmalloc.c:1804 [inline]
  __vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1826
  kvmalloc_node+0x82/0xd0 mm/util.c:406
  kvmalloc include/linux/mm.h:541 [inline]
  xt_alloc_table_info+0x64/0xe0 net/netfilter/x_tables.c:1006
  do_replace net/ipv4/netfilter/ip_tables.c:1135 [inline]
  do_ipt_set_ctl+0x29b/0x5f0 net/ipv4/netfilter/ip_tables.c:1680
  nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
  nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
  ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1260
  sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4141
  sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
  SYSC_setsockopt net/socket.c:1849 [inline]
  SyS_setsockopt+0x189/0x360 net/socket.c:1828
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fcd79983c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071c010 RCX: 0000000000453299
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000016
RBP: 00000000000003d6 R08: 00000000000002e8 R09: 0000000000000000
R10: 0000000020015000 R11: 0000000000000212 R12: 00000000006f4cb0
R13: 00000000ffffffff R14: 00007fcd799846d4 R15: 0000000000000002
syz-executor1 cpuset=/ mems_allowed=0
CPU: 0 PID: 5783 Comm: syz-executor1 Not tainted 4.15.0-rc9+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  dump_header+0x28c/0xe1e mm/oom_kill.c:437
  oom_kill_process+0x8b5/0x14a0 mm/oom_kill.c:865
  out_of_memory+0x86d/0x1220 mm/oom_kill.c:1079
  __alloc_pages_may_oom mm/page_alloc.c:3395 [inline]
  __alloc_pages_slowpath+0x1d1b/0x2d00 mm/page_alloc.c:4096
  __alloc_pages_nodemask+0x9fb/0xd80 mm/page_alloc.c:4252
  alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2036
  alloc_pages include/linux/gfp.h:492 [inline]
  __vmalloc_area_node mm/vmalloc.c:1699 [inline]
  __vmalloc_node_range+0x409/0x650 mm/vmalloc.c:1759
  __vmalloc_node mm/vmalloc.c:1804 [inline]
  __vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1826
  kvmalloc_node+0x82/0xd0 mm/util.c:406
  kvmalloc include/linux/mm.h:541 [inline]
  xt_alloc_table_info+0x64/0xe0 net/netfilter/x_tables.c:1006
  do_replace net/ipv4/netfilter/ip_tables.c:1135 [inline]
  do_ipt_set_ctl+0x29b/0x5f0 net/ipv4/netfilter/ip_tables.c:1680
  nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
  nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
  ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1260
  sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4141
  sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
  SYSC_setsockopt net/socket.c:1849 [inline]
  SyS_setsockopt+0x189/0x360 net/socket.c:1828
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fcd799c5c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 0000000000000040 R08: 00000000000002e8 R09: 0000000000000000
R10: 0000000020015000 R11: 0000000000000212 R12: 00000000006ef6a0
R13: 00000000ffffffff R14: 00007fcd799c66d4 R15: 0000000000000000
Out of memory: Kill process 4149 (syz-fuzzer) score 24 or sacrifice child
Killed process 4194 (syz-executor4) total-vm:29188kB, anon-rss:60kB, file-rss:4kB, shmem-rss:0kB
syz-executor1: vmalloc: allocation failure, allocated 3105042432 of 4294971392 bytes, mode:0x14000c0(GFP_KERNEL), nodemask=(null)
syz-executor1 cpuset=/ mems_allowed=0
CPU: 1 PID: 5783 Comm: syz-executor1 Not tainted 4.15.0-rc9+ #215
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  warn_alloc+0x19a/0x2b0 mm/page_alloc.c:3299
  __vmalloc_area_node mm/vmalloc.c:1718 [inline]
  __vmalloc_node_range+0x482/0x650 mm/vmalloc.c:1759
  __vmalloc_node mm/vmalloc.c:1804 [inline]
  __vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1826
  kvmalloc_node+0x82/0xd0 mm/util.c:406
  kvmalloc include/linux/mm.h:541 [inline]
  xt_alloc_table_info+0x64/0xe0 net/netfilter/x_tables.c:1006
  do_replace net/ipv4/netfilter/ip_tables.c:1135 [inline]
  do_ipt_set_ctl+0x29b/0x5f0 net/ipv4/netfilter/ip_tables.c:1680
  nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
  nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
  ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1260
  sctp_setsockopt+0x2b6/0x61d0 net/sctp/socket.c:4141
  sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
  SYSC_setsockopt net/socket.c:1849 [inline]
  SyS_setsockopt+0x189/0x360 net/socket.c:1828
  entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fcd799c5c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000013
RBP: 0000000000000040 R08: 00000000000002e8 R09: 0000000000000000
R10: 0000000020015000 R11: 0000000000000212 R12: 00000000006ef6a0
R13: 00000000ffffffff R14: 00007fcd799c66d4 R15: 0000000000000000
ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy4: Selected rate control algorithm 'minstrel_ht'
IPVS: ftp: loaded support on port[0] = 21
IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
TCP: request_sock_TCPv6: Possible SYN flooding on port 20006. Sending cookies.  Check SNMP counters.
kauditd_printk_skb: 13 callbacks suppressed
audit: type=1400 audit(1517248800.611:35): avc:  denied  { map } for  pid=6022 comm="syz-executor2" path="socket:[15001]" dev="sockfs" ino=15001 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=rawip_socket permissive=1
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
Cannot find add_set index 0 as target
Cannot find add_set index 0 as target
dccp_xmit_packet: Payload too large (65423) for featneg.
audit: type=1400 audit(1517248800.662:36): avc:  denied  { name_connect } for  pid=6041 comm="syz-executor4" dest=20019 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
dccp_close: ABORT with 65423 bytes unread
netlink: 7 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.
audit: type=1400 audit(1517248801.090:37): avc:  denied  { accept } for  pid=6179 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.
ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.
ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.

View attachment "raw.log.txt" of type "text/plain" (378883 bytes)

View attachment "config.txt" of type "text/plain" (136464 bytes)
