Hello,

syzkaller hit the following crash on
2db767d9889cef087149a5eaa35c1497671fa40f
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

Unfortunately, I don't have any reproducer for this bug yet.

======================================================
WARNING: possible circular locking dependency detected
4.15.0-rc1+ #205 Not tainted
------------------------------------------------------
syz-executor3/19453 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){++++}, at: [<00000000671e2a00>] inode_lock include/linux/fs.h:713 [inline]
 (&sb->s_type->i_mutex_key#10){++++}, at: [<00000000671e2a00>] generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289

but task is already holding lock:
 (&pipe->mutex/1){+.+.}, at: [<00000000468992cc>] pipe_lock_nested fs/pipe.c:67 [inline]
 (&pipe->mutex/1){+.+.}, at: [<00000000468992cc>] pipe_lock fs/pipe.c:75 [inline]
 (&pipe->mutex/1){+.+.}, at: [<00000000468992cc>] pipe_wait+0x1e6/0x280 fs/pipe.c:123

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #6 (&pipe->mutex/1){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       pipe_lock_nested fs/pipe.c:67 [inline]
       pipe_lock+0x56/0x70 fs/pipe.c:75
       iter_file_splice_write+0x264/0xf30 fs/splice.c:699
       do_splice_from fs/splice.c:851 [inline]
       do_splice fs/splice.c:1147 [inline]
       SYSC_splice fs/splice.c:1402 [inline]
       SyS_splice+0x7d5/0x1630 fs/splice.c:1382
       entry_SYSCALL_64_fastpath+0x1f/0x96

-> #5 (sb_writers){.+.+}:
       put_ucounts+0x71/0x2d0 kernel/ucount.c:170

-> #4 ((completion)&req.done){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       complete_acquire include/linux/completion.h:40 [inline]
       __wait_for_common kernel/sched/completion.c:109 [inline]
       wait_for_common kernel/sched/completion.c:123 [inline]
       wait_for_completion+0xcb/0x7b0 kernel/sched/completion.c:144
       devtmpfs_create_node+0x32b/0x4a0 drivers/base/devtmpfs.c:115
       device_add+0x120f/0x1640 drivers/base/core.c:1824
       device_create_groups_vargs+0x1f3/0x250 drivers/base/core.c:2430
       device_create_vargs drivers/base/core.c:2470 [inline]
       device_create+0xda/0x110 drivers/base/core.c:2506
       msr_device_create+0x26/0x40 arch/x86/kernel/msr.c:188
       cpuhp_invoke_callback+0x2ea/0x1d20 kernel/cpu.c:182
       cpuhp_thread_fun+0x48e/0x7e0 kernel/cpu.c:571
       smpboot_thread_fn+0x450/0x7c0 kernel/smpboot.c:164
       kthread+0x37a/0x440 kernel/kthread.c:238
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441

-> #3 (cpuhp_state-up){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       cpuhp_lock_acquire kernel/cpu.c:85 [inline]
       cpuhp_invoke_ap_callback kernel/cpu.c:605 [inline]
       cpuhp_issue_call+0x1e5/0x520 kernel/cpu.c:1495
       __cpuhp_setup_state_cpuslocked+0x282/0x600 kernel/cpu.c:1642
       __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1671
       cpuhp_setup_state include/linux/cpuhotplug.h:201 [inline]
       page_writeback_init+0x4d/0x71 mm/page-writeback.c:2081
       pagecache_init+0x48/0x4f mm/filemap.c:977
       start_kernel+0x6bc/0x74f init/main.c:690
       x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378
       x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359
       secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237

-> #2 (cpuhp_state_mutex){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       __cpuhp_setup_state_cpuslocked+0x5b/0x600 kernel/cpu.c:1617
       __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1671
       cpuhp_setup_state_nocalls include/linux/cpuhotplug.h:229 [inline]
       kvm_guest_init+0x1f3/0x20f arch/x86/kernel/kvm.c:528
       setup_arch+0x17e8/0x1a02 arch/x86/kernel/setup.c:1266
       start_kernel+0xa5/0x74f init/main.c:530
       x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378
       x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359
       secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237

-> #1 (cpu_hotplug_lock.rw_sem){++++}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       cpus_read_lock+0x42/0x90 kernel/cpu.c:293
       get_online_cpus include/linux/cpu.h:117 [inline]
       lru_add_drain_all+0xe/0x20 mm/swap.c:729
       shmem_wait_for_pins mm/shmem.c:2672 [inline]
       shmem_add_seals+0x3df/0x1060 mm/shmem.c:2780
       shmem_fcntl+0xfe/0x130 mm/shmem.c:2815
       do_fcntl+0x73e/0x1160 fs/fcntl.c:421
       SYSC_fcntl fs/fcntl.c:463 [inline]
       SyS_fcntl+0xdc/0x120 fs/fcntl.c:448
       entry_SYSCALL_64_fastpath+0x1f/0x96

-> #0 (&sb->s_type->i_mutex_key#10){++++}:
       check_prevs_add kernel/locking/lockdep.c:2031 [inline]
       validate_chain kernel/locking/lockdep.c:2473 [inline]
       __lock_acquire+0x3498/0x47f0 kernel/locking/lockdep.c:3500
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       down_write+0x87/0x120 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:713 [inline]
       generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289
       call_write_iter include/linux/fs.h:1772 [inline]
       do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:653
       do_iter_write+0x15a/0x540 fs/read_write.c:932
       vfs_iter_write+0x77/0xb0 fs/read_write.c:945
       iter_file_splice_write+0x7db/0xf30 fs/splice.c:749
       do_splice_from fs/splice.c:851 [inline]
       do_splice fs/splice.c:1147 [inline]
       SYSC_splice fs/splice.c:1402 [inline]
       SyS_splice+0x7d5/0x1630 fs/splice.c:1382
       entry_SYSCALL_64_fastpath+0x1f/0x96

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#10 --> sb_writers --> &pipe->mutex/1

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&pipe->mutex/1);
                               lock(sb_writers);
                               lock(&pipe->mutex/1);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

2 locks held by syz-executor3/19453:
 #0:  (sb_writers#5){.+.+}, at: [<00000000cc03aa80>] file_start_write include/linux/fs.h:2715 [inline]
 #0:  (sb_writers#5){.+.+}, at: [<00000000cc03aa80>] do_splice fs/splice.c:1146 [inline]
 #0:  (sb_writers#5){.+.+}, at: [<00000000cc03aa80>] SYSC_splice fs/splice.c:1402 [inline]
 #0:  (sb_writers#5){.+.+}, at: [<00000000cc03aa80>] SyS_splice+0x1117/0x1630 fs/splice.c:1382
 #1:  (&pipe->mutex/1){+.+.}, at: [<00000000468992cc>] pipe_lock_nested fs/pipe.c:67 [inline]
 #1:  (&pipe->mutex/1){+.+.}, at: [<00000000468992cc>] pipe_lock fs/pipe.c:75 [inline]
 #1:  (&pipe->mutex/1){+.+.}, at: [<00000000468992cc>] pipe_wait+0x1e6/0x280 fs/pipe.c:123

stack backtrace:
CPU: 1 PID: 19453 Comm: syz-executor3 Not tainted 4.15.0-rc1+ #205
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_circular_bug+0x42d/0x610 kernel/locking/lockdep.c:1271
 check_prev_add+0x666/0x15f0 kernel/locking/lockdep.c:1914
 check_prevs_add kernel/locking/lockdep.c:2031 [inline]
 validate_chain kernel/locking/lockdep.c:2473 [inline]
 __lock_acquire+0x3498/0x47f0 kernel/locking/lockdep.c:3500
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
 down_write+0x87/0x120 kernel/locking/rwsem.c:70
 inode_lock include/linux/fs.h:713 [inline]
 generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289
 call_write_iter include/linux/fs.h:1772 [inline]
 do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:653
 do_iter_write+0x15a/0x540 fs/read_write.c:932
 vfs_iter_write+0x77/0xb0 fs/read_write.c:945
 iter_file_splice_write+0x7db/0xf30 fs/splice.c:749
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0x7d5/0x1630 fs/splice.c:1382
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007fa90949bc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000007580d8 RCX: 00000000004529d9
RDX: 000000000000001a RSI: 0000000000000000 RDI: 0000000000000018
RBP: 000000000000039b R08: 00000000fffffffe R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2728
R13: 00000000ffffffff R14: 00007fa90949c6d4 R15: 0000000000000001
device gre0 entered promiscuous mode
kauditd_printk_skb: 382 callbacks suppressed
audit: type=1326 audit(1512298759.296:3040): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=19681 comm="syz-executor2" exe="/root/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4529d9 code=0xffff0000
device gre0 entered promiscuous mode
audit: type=1326 audit(1512298759.562:3041): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=19737 comm="syz-executor2" exe="/root/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4529d9 code=0xffff0000
device gre0 entered promiscuous mode
audit: type=1326 audit(1512298759.710:3042): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=19737 comm="syz-executor2" exe="/root/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x4529d9 code=0xffff0000
device gre0 entered promiscuous mode
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 21033 Comm: syz-executor1 Not tainted 4.15.0-rc1+ #205
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3371 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3611
 kmalloc include/linux/slab.h:499 [inline]
 kzalloc include/linux/slab.h:688 [inline]
 kobject_uevent_env+0x1ec/0xbc0 lib/kobject_uevent.c:436
 kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:558
 kobject_cleanup lib/kobject.c:635 [inline]
 kobject_release lib/kobject.c:677 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x1c2/0x250 lib/kobject.c:694
 netdev_queue_update_kobjects+0x29a/0x480 net/core/net-sysfs.c:1375
 netif_set_real_num_tx_queues+0x14e/0x710 net/core/dev.c:2366
 tun_set_real_num_queues drivers/net/tun.c:582 [inline]
 __tun_detach+0xd24/0x1550 drivers/net/tun.c:646
 tun_set_queue drivers/net/tun.c:2461 [inline]
 __tun_chr_ioctl+0x68d/0x3dc0 drivers/net/tun.c:2499
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2761
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007f846fbb1c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f846fbb1aa0 RCX: 00000000004529d9
RDX: 000000002053d000 RSI: 00000000400454d9 RDI: 0000000000000014
RBP: 00007f846fbb1a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b759b
R13: 00007f846fbb1bc8 R14: 00000000004b759b R15: 0000000000000000
device gre0 entered promiscuous mode
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 21043 Comm: syz-executor0 Not tainted 4.15.0-rc1+ #205
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc_node mm/slab.c:3292 [inline]
 kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3635
 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:983 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 rtmsg_ifinfo_build_skb+0x73/0x190 net/core/rtnetlink.c:3013
 rtmsg_ifinfo_event.part.26+0x41/0xd0 net/core/rtnetlink.c:3049
 rtmsg_ifinfo_event net/core/rtnetlink.c:3058 [inline]
 rtmsg_ifinfo+0x72/0x90 net/core/rtnetlink.c:3057
 dev_close_many+0x3a5/0x850 net/core/dev.c:1491
 rollback_registered_many+0x4d5/0xdf0 net/core/dev.c:7221
 rollback_registered+0x1be/0x3c0 net/core/dev.c:7285
 unregister_netdevice_queue+0x2e3/0x5d0 net/core/dev.c:8273
 unregister_netdevice include/linux/netdevice.h:2462 [inline]
 __tun_detach+0x1177/0x1550 drivers/net/tun.c:658
 tun_detach drivers/net/tun.c:669 [inline]
 tun_chr_close+0x44/0x60 drivers/net/tun.c:2849
 __fput+0x333/0x7f0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x199/0x270 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x296/0x310 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
 entry_SYSCALL_64_fastpath+0x94/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007fa091c6dc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000124
RAX: 0000000000000015 RBX: 0000000000758020 RCX: 00000000004529d9
RDX: 0000000000000000 RSI: 0000000000000015 RDI: 0000000000000013
RBP: 000000000000005c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ed940
R13: 0000000000000016 R14: 00007fa091c6e6d4 R15: ffffffffffffffff
device gre0 entered promiscuous mode
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 21056 Comm: syz-executor6 Not tainted 4.15.0-rc1+ #205
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc mm/slab.c:3371 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3611
 kmalloc include/linux/slab.h:499 [inline]
 kzalloc include/linux/slab.h:688 [inline]
 kobject_uevent_env+0x1ec/0xbc0 lib/kobject_uevent.c:436
 kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:558
 kobject_cleanup lib/kobject.c:635 [inline]
 kobject_release lib/kobject.c:677 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x1c2/0x250 lib/kobject.c:694
 netdev_queue_update_kobjects+0x29a/0x480 net/core/net-sysfs.c:1375
 netif_set_real_num_tx_queues+0x14e/0x710 net/core/dev.c:2366
 tun_set_real_num_queues drivers/net/tun.c:582 [inline]
 __tun_detach+0xd24/0x1550 drivers/net/tun.c:646
 tun_set_queue drivers/net/tun.c:2461 [inline]
 __tun_chr_ioctl+0x68d/0x3dc0 drivers/net/tun.c:2499
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2761
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007fe13a7b5c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe13a7b5aa0 RCX: 00000000004529d9
RDX: 000000002053d000 RSI: 00000000400454d9 RDI: 0000000000000014
RBP: 00007fe13a7b5a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b759b
R13: 00007fe13a7b5bc8 R14: 00000000004b759b R15: 0000000000000000
device gre0 entered promiscuous mode
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 1
CPU: 1 PID: 21088 Comm: syz-executor6 Not tainted 4.15.0-rc1+ #205
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:2937 [inline]
 prepare_alloc_pages mm/page_alloc.c:4176 [inline]
 __alloc_pages_nodemask+0x338/0xd80 mm/page_alloc.c:4215
 __alloc_pages include/linux/gfp.h:456 [inline]
 __alloc_pages_node include/linux/gfp.h:469 [inline]
 kmem_getpages mm/slab.c:1413 [inline]
 cache_grow_begin+0x72/0x3f0 mm/slab.c:2671
 cache_alloc_refill mm/slab.c:3038 [inline]
 ____cache_alloc mm/slab.c:3120 [inline]
 __do_cache_alloc mm/slab.c:3342 [inline]
 slab_alloc mm/slab.c:3377 [inline]
 kmem_cache_alloc_trace+0x3f3/0x750 mm/slab.c:3611
 kmalloc include/linux/slab.h:499 [inline]
 kzalloc include/linux/slab.h:688 [inline]
 kobject_uevent_env+0x1ec/0xbc0 lib/kobject_uevent.c:436
 kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:558
 kobject_cleanup lib/kobject.c:635 [inline]
 kobject_release lib/kobject.c:677 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x1c2/0x250 lib/kobject.c:694
 netdev_queue_update_kobjects+0x29a/0x480 net/core/net-sysfs.c:1375
 netif_set_real_num_tx_queues+0x14e/0x710 net/core/dev.c:2366
 tun_set_real_num_queues drivers/net/tun.c:582 [inline]
 __tun_detach+0xd24/0x1550 drivers/net/tun.c:646
 tun_set_queue drivers/net/tun.c:2461 [inline]
 __tun_chr_ioctl+0x68d/0x3dc0 drivers/net/tun.c:2499
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2761
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007fe13a7b5c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe13a7b5aa0 RCX: 00000000004529d9
RDX: 000000002053d000 RSI: 00000000400454d9 RDI: 0000000000000014
RBP: 00007fe13a7b5a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b759b
R13: 00007fe13a7b5bc8 R14: 00000000004b759b R15: 0000000000000000
device gre0 entered promiscuous mode
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 21128 Comm: syz-executor6 Not tainted 4.15.0-rc1+ #205
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc_node mm/slab.c:3292 [inline]
 kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3635
 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:983 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:320 [inline]
 kobject_uevent_env+0x6e3/0xbc0 lib/kobject_uevent.c:509
 kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:558
 kobject_cleanup lib/kobject.c:635 [inline]
 kobject_release lib/kobject.c:677 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x1c2/0x250 lib/kobject.c:694
 netdev_queue_update_kobjects+0x29a/0x480 net/core/net-sysfs.c:1375
 netif_set_real_num_tx_queues+0x14e/0x710 net/core/dev.c:2366
 tun_set_real_num_queues drivers/net/tun.c:582 [inline]
 __tun_detach+0xd24/0x1550 drivers/net/tun.c:646
 tun_set_queue drivers/net/tun.c:2461 [inline]
 __tun_chr_ioctl+0x68d/0x3dc0 drivers/net/tun.c:2499
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2761
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007fe13a7b5c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe13a7b5aa0 RCX: 00000000004529d9
RDX: 000000002053d000 RSI: 00000000400454d9 RDI: 0000000000000014
RBP: 00007fe13a7b5a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b759b
R13: 00007fe13a7b5bc8 R14: 00000000004b759b R15: 0000000000000000
device gre0 entered promiscuous mode
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 21148 Comm: syz-executor6 Not tainted 4.15.0-rc1+ #205
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:421 [inline]
 slab_alloc_node mm/slab.c:3292 [inline]
 kmem_cache_alloc_node_trace+0x5a/0x760 mm/slab.c:3654
 __do_kmalloc_node mm/slab.c:3674 [inline]
 __kmalloc_node_track_caller+0x33/0x70 mm/slab.c:3689
 __kmalloc_reserve.isra.41+0x41/0xd0 net/core/skbuff.c:137
 __alloc_skb+0x13b/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:983 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:320 [inline]
 kobject_uevent_env+0x6e3/0xbc0 lib/kobject_uevent.c:509
 kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:558
 kobject_cleanup lib/kobject.c:635 [inline]
 kobject_release lib/kobject.c:677 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x1c2/0x250 lib/kobject.c:694
 netdev_queue_update_kobjects+0x29a/0x480 net/core/net-sysfs.c:1375
 netif_set_real_num_tx_queues+0x14e/0x710 net/core/dev.c:2366
 tun_set_real_num_queues drivers/net/tun.c:582 [inline]
 __tun_detach+0xd24/0x1550 drivers/net/tun.c:646
 tun_set_queue drivers/net/tun.c:2461 [inline]
 __tun_chr_ioctl+0x68d/0x3dc0 drivers/net/tun.c:2499
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2761
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007fe13a7b5c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe13a7b5aa0 RCX: 00000000004529d9
RDX: 000000002053d000 RSI: 00000000400454d9 RDI: 0000000000000014
RBP: 00007fe13a7b5a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b759b
R13: 00007fe13a7b5bc8 R14: 00000000004b759b R15: 0000000000000000
device gre0 entered promiscuous mode

---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@googlegroups.com.
Please credit me with: Reported-by: syzbot

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
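To make the "existing dependency chain" in the report easier to read, here is a small C program, added to this page and not part of the syzbot report or of the kernel, that replays the chain as a lock-order graph and runs the same kind of check lockdep's print_circular_bug is reporting: before recording "lock B was taken while lock A was held" it asks whether B can already reach A, and if so the new edge closes a cycle. The lock class names are the ones printed above; the edge direction (each numbered entry's stack shows that lock being taken while the lock one number lower was held, so the chain runs #0 --> #6 and the task that holds &pipe->mutex/1 and asks for the inode lock adds #6 --> #0) is the author's reading of the splat, and the array-backed graph and DFS are this example's own, not lockdep's data structures.

```c
/* Toy lock-order graph in the spirit of lockdep's circular-dependency check.
 * Added example; not kernel code. Lock class names are copied from the report
 * above; the edge list encodes the chain the splat prints. */
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 16

/* Lock classes from the report, used as indices into the graph. */
enum {
    I_MUTEX,           /* &sb->s_type->i_mutex_key#10, entry #0 */
    CPU_HOTPLUG_LOCK,  /* cpu_hotplug_lock.rw_sem, entry #1 */
    CPUHP_STATE_MUTEX, /* entry #2 */
    CPUHP_STATE_UP,    /* entry #3 */
    REQ_DONE,          /* (completion)&req.done, entry #4 */
    SB_WRITERS,        /* entry #5 */
    PIPE_MUTEX,        /* &pipe->mutex/1, entry #6 */
    NUM_LOCKS
};

static const char *lock_name[NUM_LOCKS] = {
    "&sb->s_type->i_mutex_key#10",
    "cpu_hotplug_lock.rw_sem",
    "cpuhp_state_mutex",
    "cpuhp_state-up",
    "(completion)&req.done",
    "sb_writers",
    "&pipe->mutex/1",
};

/* dep[a][b] != 0 records "b was acquired while a was held", i.e. a --> b. */
static unsigned char dep[MAX_LOCKS][MAX_LOCKS];

/* Depth-first search for a path from `from` to `to`. On success the nodes
 * after `from` are stored in `path` and the path length is returned; 0 means
 * `to` is unreachable from `from`. */
static int find_path(int from, int to, int *path, int depth, unsigned char *seen)
{
    seen[from] = 1;
    for (int next = 0; next < NUM_LOCKS; next++) {
        if (!dep[from][next] || seen[next])
            continue;
        path[depth] = next;
        if (next == to)
            return depth + 1;
        int len = find_path(next, to, path, depth + 1, seen);
        if (len)
            return len;
    }
    return 0;
}

/* Record that `acquired` was taken while `held` was held. Returns 0 and adds
 * the edge if the graph stays acyclic; otherwise prints the cycle the way the
 * splat does and returns the length of the existing acquired -> ... -> held
 * path, leaving the graph unchanged. */
int add_dep(int held, int acquired)
{
    int path[MAX_LOCKS];
    unsigned char seen[MAX_LOCKS] = {0};
    int len = find_path(acquired, held, path, 0, seen);

    if (len) {
        printf("possible circular locking dependency: %s", lock_name[acquired]);
        for (int i = 0; i < len; i++)
            printf(" --> %s", lock_name[path[i]]);
        printf(" --> %s\n", lock_name[acquired]);
        return len;
    }
    dep[held][acquired] = 1;
    return 0;
}

void reset_deps(void)
{
    memset(dep, 0, sizeof dep);
}

/* Replay the report: record the chain #0 --> #1 --> ... --> #6 as lockdep had
 * already learned it, then attempt the acquisition syz-executor3 was making
 * (inode lock while holding &pipe->mutex/1). Returns the detected cycle
 * length, or -1 if the recorded chain itself were not acyclic. */
int replay_report(void)
{
    static const int chain[] = {
        I_MUTEX, CPU_HOTPLUG_LOCK, CPUHP_STATE_MUTEX, CPUHP_STATE_UP,
        REQ_DONE, SB_WRITERS, PIPE_MUTEX,
    };
    reset_deps();
    for (size_t i = 0; i + 1 < sizeof chain / sizeof chain[0]; i++)
        if (add_dep(chain[i], chain[i + 1]))
            return -1;
    return add_dep(PIPE_MUTEX, I_MUTEX);
}

int main(void)
{
    int len = replay_report();
    printf("cycle closed by &pipe->mutex/1 --> inode lock, path length %d\n", len);
    return len > 0 ? 0 : 1;
}
```

The printed path is the long form of the "Chain exists of:" line in the report, which lockdep abbreviates to its endpoints and one intermediate class. The same check also explains why the fix for a report like this is usually to break one edge of the cycle (reorder the acquisitions in one of the paths) rather than to add a lock.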