syzbot


possible deadlock in generic_file_write_iter (2)

Status: closed as invalid on 2018/02/13 19:29
Subsystems: fs
[Documentation on labels]
Reported-by: syzbot+045a1f65bdea780940bf0f795a292f4cd0b773d1@syzkaller.appspotmail.com
First crash: 2373d, last: 2356d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 possible deadlock in generic_file_write_iter 4 1450d 1457d 0/1 auto-closed as invalid on 2020/10/06 15:19
linux-4.19 possible deadlock in generic_file_write_iter (2) C error 453 488d 1057d 0/1 upstream: reported C repro on 2021/07/06 07:41
linux-4.14 possible deadlock in generic_file_write_iter (2) C 20 455d 887d 0/1 upstream: reported C repro on 2021/12/23 04:07
upstream possible deadlock in generic_file_write_iter C 61506 2374d 2396d 3/26 fixed on 2017/11/28 03:36
linux-4.14 possible deadlock in generic_file_write_iter 3 1455d 1528d 0/1 auto-closed as invalid on 2020/10/01 23:22

Sample crash report:
binder: 11688:11700 transaction failed 29189/-22, size 24-16 line 2775

======================================================
WARNING: possible circular locking dependency detected
4.15.0-rc3+ #222 Not tainted
------------------------------------------------------
syz-executor4/11756 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){++++}, at: [<00000000141c582c>] inode_lock include/linux/fs.h:713 [inline]
 (&sb->s_type->i_mutex_key#10){++++}, at: [<00000000141c582c>] generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289

but task is already holding lock:
 (&pipe->mutex/1){+.+.}, at: [<00000000f1fe300c>] pipe_lock_nested fs/pipe.c:67 [inline]
 (&pipe->mutex/1){+.+.}, at: [<00000000f1fe300c>] pipe_lock fs/pipe.c:75 [inline]
 (&pipe->mutex/1){+.+.}, at: [<00000000f1fe300c>] pipe_wait+0x1e6/0x280 fs/pipe.c:123

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #6 (&pipe->mutex/1){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       pipe_lock_nested fs/pipe.c:67 [inline]
       pipe_lock+0x56/0x70 fs/pipe.c:75
       iter_file_splice_write+0x264/0xf30 fs/splice.c:699
       do_splice_from fs/splice.c:851 [inline]
       do_splice fs/splice.c:1147 [inline]
       SYSC_splice fs/splice.c:1402 [inline]
       SyS_splice+0x7d5/0x1630 fs/splice.c:1382
       entry_SYSCALL_64_fastpath+0x1f/0x96

-> #5 (sb_writers){.+.+}:
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       fsnotify_destroy_mark+0x26/0x50 fs/notify/mark.c:390
       fsnotify_destroy_marks+0xdf/0x190 fs/notify/mark.c:717
       fsnotify_clear_marks_by_inode fs/notify/fsnotify.h:33 [inline]
       __fsnotify_inode_delete+0x19/0x20 fs/notify/fsnotify.c:35
       fsnotify_inoderemove include/linux/fsnotify.h:136 [inline]
       dentry_unlink_inode+0x49e/0x5e0 fs/dcache.c:371

-> #4 ((completion)&req.done){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       complete_acquire include/linux/completion.h:40 [inline]
       __wait_for_common kernel/sched/completion.c:109 [inline]
       wait_for_common kernel/sched/completion.c:123 [inline]
       wait_for_completion+0xcb/0x7b0 kernel/sched/completion.c:144
       devtmpfs_create_node+0x32b/0x4a0 drivers/base/devtmpfs.c:115
       device_add+0x120f/0x1640 drivers/base/core.c:1824
       device_create_groups_vargs+0x1f3/0x250 drivers/base/core.c:2430
       device_create_vargs drivers/base/core.c:2470 [inline]
       device_create+0xda/0x110 drivers/base/core.c:2506
       msr_device_create+0x26/0x40 arch/x86/kernel/msr.c:188
       cpuhp_invoke_callback+0x2ea/0x1d20 kernel/cpu.c:182
       cpuhp_thread_fun+0x48e/0x7e0 kernel/cpu.c:571
       smpboot_thread_fn+0x450/0x7c0 kernel/smpboot.c:164
       kthread+0x37a/0x440 kernel/kthread.c:238
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:441

-> #3 (cpuhp_state-up){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       cpuhp_lock_acquire kernel/cpu.c:85 [inline]
       cpuhp_invoke_ap_callback kernel/cpu.c:605 [inline]
       cpuhp_issue_call+0x1e5/0x520 kernel/cpu.c:1495
       __cpuhp_setup_state_cpuslocked+0x282/0x600 kernel/cpu.c:1642
       __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1671
       cpuhp_setup_state include/linux/cpuhotplug.h:201 [inline]
       page_writeback_init+0x4d/0x71 mm/page-writeback.c:2081
       pagecache_init+0x48/0x4f mm/filemap.c:977
       start_kernel+0x6c1/0x754 init/main.c:695
       x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378
       x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359
       secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237

-> #2 (cpuhp_state_mutex){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       __cpuhp_setup_state_cpuslocked+0x5b/0x600 kernel/cpu.c:1617
       __cpuhp_setup_state+0xb0/0x140 kernel/cpu.c:1671
       cpuhp_setup_state_nocalls include/linux/cpuhotplug.h:229 [inline]
       kvm_guest_init+0x1f3/0x20f arch/x86/kernel/kvm.c:528
       setup_arch+0x17e8/0x1a02 arch/x86/kernel/setup.c:1266
       start_kernel+0xa5/0x754 init/main.c:530
       x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:378
       x86_64_start_kernel+0x77/0x7a arch/x86/kernel/head64.c:359
       secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:237

-> #1 (cpu_hotplug_lock.rw_sem){++++}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       cpus_read_lock+0x42/0x90 kernel/cpu.c:293
       get_online_cpus include/linux/cpu.h:117 [inline]
       lru_add_drain_all+0xe/0x20 mm/swap.c:729
       shmem_wait_for_pins mm/shmem.c:2672 [inline]
       shmem_add_seals+0x3df/0x1060 mm/shmem.c:2780
       shmem_fcntl+0xfe/0x130 mm/shmem.c:2815
       do_fcntl+0x73e/0x1160 fs/fcntl.c:421
       SYSC_fcntl fs/fcntl.c:463 [inline]
       SyS_fcntl+0xdc/0x120 fs/fcntl.c:448
       entry_SYSCALL_64_fastpath+0x1f/0x96

-> #0 (&sb->s_type->i_mutex_key#10){++++}:
       check_prevs_add kernel/locking/lockdep.c:2031 [inline]
       validate_chain kernel/locking/lockdep.c:2473 [inline]
       __lock_acquire+0x3498/0x47f0 kernel/locking/lockdep.c:3500
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
       down_write+0x87/0x120 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:713 [inline]
       generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289
       call_write_iter include/linux/fs.h:1772 [inline]
       do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:653
       do_iter_write+0x15a/0x540 fs/read_write.c:932
       vfs_iter_write+0x77/0xb0 fs/read_write.c:945
       iter_file_splice_write+0x7db/0xf30 fs/splice.c:749
       do_splice_from fs/splice.c:851 [inline]
       do_splice fs/splice.c:1147 [inline]
       SYSC_splice fs/splice.c:1402 [inline]
       SyS_splice+0x7d5/0x1630 fs/splice.c:1382
       entry_SYSCALL_64_fastpath+0x1f/0x96

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#10 --> sb_writers --> &pipe->mutex/1

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&pipe->mutex/1);
                               lock(sb_writers);
                               lock(&pipe->mutex/1);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

2 locks held by syz-executor4/11756:
 #0:  (sb_writers#6){.+.+}, at: [<00000000a435019e>] file_start_write include/linux/fs.h:2715 [inline]
 #0:  (sb_writers#6){.+.+}, at: [<00000000a435019e>] do_splice fs/splice.c:1146 [inline]
 #0:  (sb_writers#6){.+.+}, at: [<00000000a435019e>] SYSC_splice fs/splice.c:1402 [inline]
 #0:  (sb_writers#6){.+.+}, at: [<00000000a435019e>] SyS_splice+0x1117/0x1630 fs/splice.c:1382
 #1:  (&pipe->mutex/1){+.+.}, at: [<00000000f1fe300c>] pipe_lock_nested fs/pipe.c:67 [inline]
 #1:  (&pipe->mutex/1){+.+.}, at: [<00000000f1fe300c>] pipe_lock fs/pipe.c:75 [inline]
 #1:  (&pipe->mutex/1){+.+.}, at: [<00000000f1fe300c>] pipe_wait+0x1e6/0x280 fs/pipe.c:123

stack backtrace:
CPU: 0 PID: 11756 Comm: syz-executor4 Not tainted 4.15.0-rc3+ #222
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_circular_bug+0x42d/0x610 kernel/locking/lockdep.c:1271
 check_prev_add+0x666/0x15f0 kernel/locking/lockdep.c:1914
 check_prevs_add kernel/locking/lockdep.c:2031 [inline]
 validate_chain kernel/locking/lockdep.c:2473 [inline]
 __lock_acquire+0x3498/0x47f0 kernel/locking/lockdep.c:3500
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
 down_write+0x87/0x120 kernel/locking/rwsem.c:70
 inode_lock include/linux/fs.h:713 [inline]
 generic_file_write_iter+0xdc/0x7a0 mm/filemap.c:3289
 call_write_iter include/linux/fs.h:1772 [inline]
 do_iter_readv_writev+0x531/0x7f0 fs/read_write.c:653
 do_iter_write+0x15a/0x540 fs/read_write.c:932
 vfs_iter_write+0x77/0xb0 fs/read_write.c:945
 iter_file_splice_write+0x7db/0xf30 fs/splice.c:749
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0x7d5/0x1630 fs/splice.c:1382
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a39
RSP: 002b:00007fbde3022c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fbde3023700 RCX: 0000000000452a39
RDX: 0000000000000017 RSI: 0000000000000000 RDI: 0000000000000015
RBP: 0000000000a6f880 R08: 00000000fffffffe R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a6f7ff R14: 00007fbde30239c0 R15: 000000000000001b
QAT: Invalid ioctl
netlink: 'syz-executor2': attribute type 4 has an invalid length.
sctp: [Deprecated]: syz-executor3 (pid 11778) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
binder_alloc: binder_alloc_mmap_handler: 11767 20004000-20005000 already mapped failed -16
netlink: 'syz-executor2': attribute type 4 has an invalid length.
QAT: Invalid ioctl
sctp: [Deprecated]: syz-executor3 (pid 11796) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
kvm: pic: single mode not supported
kvm: pic: level sensitive irq not supported
device eql entered promiscuous mode
nla_parse: 6 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=12116 comm=syz-executor1
sock: sock_set_timeout: `syz-executor7' (pid 12174) tries to set negative timeout
device gre0 entered promiscuous mode
sock: sock_set_timeout: `syz-executor7' (pid 12174) tries to set negative timeout
device eql entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12223:12241 ioctl 40046207 0 returned -16
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
kauditd_printk_skb: 20 callbacks suppressed
audit: type=1400 audit(1513375088.519:909): avc:  denied  { prog_load } for  pid=12252 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
print_req_error: 43 callbacks suppressed
print_req_error: I/O error, dev loop6, sector 0
print_req_error: I/O error, dev loop6, sector 0
buffer_io_error: 42 callbacks suppressed
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
Buffer I/O error on dev loop6, logical block 0, async page read
audit: type=1400 audit(1513375088.526:910): avc:  denied  { prog_run } for  pid=12252 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
audit: type=1400 audit(1513375088.557:911): avc:  denied  { map_create } for  pid=12272 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
audit: type=1326 audit(1513375088.975:912): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12329 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513375088.975:913): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12329 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513375088.976:914): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12329 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=297 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513375088.976:915): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12329 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513375088.976:916): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12329 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513375088.978:917): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12329 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=41 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513375088.984:918): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12329 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
Started in network mode
Own node address <64.888.2950>, network identity 4711
netlink: 17 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 17 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 14 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 14 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 'syz-executor2': attribute type 2 has an invalid length.
rfkill: input handler disabled
netlink: 'syz-executor2': attribute type 2 has an invalid length.
rfkill: input handler enabled
mmap: syz-executor6 (12543): VmData 15966208 exceed data ulimit 4. Update limits or use boot option ignore_rlimit_data.
device eql entered promiscuous mode
RDS: rds_bind could not find a transport for 172.20.1.187, load rds_tcp or rds_rdma?
binder: 12678:12680 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 12678:12680 got transaction with invalid parent offset or type
binder: 12678:12680 transaction failed 29201/-22, size 32-16 line 3013
binder: 12678:12680 transaction failed 29201/-22, size 0-0 line 2890
binder_alloc: binder_alloc_mmap_handler: 12678 20265000-20279000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12678:12680 ioctl 40046207 0 returned -16
binder: 12678:12686 BC_DEAD_BINDER_DONE 0000000000000003 not found
kvm_hv_set_msr: 246 callbacks suppressed
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x4000008f data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x4000008e data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x4000008d data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x4000008c data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x4000008b data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x4000008a data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x40000089 data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x40000088 data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x40000087 data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x40000086 data 0xe0050031
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x40000020 data 0xe0050031
binder_alloc: 12678: binder_alloc_buf, no vma
binder: 12678:12680 transaction failed 29189/-3, size 0-0 line 2890
binder_alloc: 12678: binder_alloc_buf, no vma
binder: 12678:12686 transaction failed 29189/-3, size 32-16 line 2890
kvm [12684]: vcpu0, guest rIP: 0x9115 Hyper-V uhandled wrmsr: 0x40000020 data 0xe0050031
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
dccp_close: ABORT with 11 bytes unread
semctl(GETNCNT/GETZCNT) is since 3.16 Single Unix Specification compliant.
The task syz-executor4 (12996) triggered the difference, watch for misbehavior.
netlink: 'syz-executor1': attribute type 5 has an invalid length.
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=213 sclass=netlink_route_socket pig=13373 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=213 sclass=netlink_route_socket pig=13387 comm=syz-executor3
kauditd_printk_skb: 215 callbacks suppressed
audit: type=1400 audit(1513375094.026:1134): avc:  denied  { map } for  pid=13401 comm="syz-executor1" path="socket:[44945]" dev="sockfs" ino=44945 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=packet_socket permissive=1
binder: 13449:13452 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 13449:13458 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 13402:13404 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 13402:13404 Release 1 refcount change on invalid ref 0 ret -22
binder: 13402:13404 transaction failed 29189/-22, size 0-0 line 2775
binder: 13402:13404 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 13402:13476 Release 1 refcount change on invalid ref 0 ret -22
binder: 13402:13476 transaction failed 29189/-22, size 0-0 line 2775
audit: type=1400 audit(1513375094.532:1135): avc:  denied  { map_read } for  pid=13513 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
device gre0 entered promiscuous mode
QAT: Invalid ioctl
print_req_error: 96 callbacks suppressed
print_req_error: I/O error, dev loop6, sector 0
print_req_error: I/O error, dev loop6, sector 0
buffer_io_error: 94 callbacks suppressed
Buffer I/O error on dev loop6, logical block 0, async page read
9pnet_virtio: no channels available for device ./file0/file0
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
print_req_error: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, async page read
Buffer I/O error on dev loop6, logical block 0, async page read
nla_parse: 12 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
audit: type=1400 audit(1513375095.085:1136): avc:  denied  { map } for  pid=13640 comm="syz-executor4" path="socket:[46008]" dev="sockfs" ino=46008 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=udp_socket permissive=1
9pnet_virtio: no channels available for device ./file0/file0
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.

Crashes (182):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/12/15 21:58 upstream 032b4cc8ff84 ac20b98c .config console log report ci-upstream-kasan-gce
2017/12/15 21:05 upstream 032b4cc8ff84 ac20b98c .config console log report ci-upstream-kasan-gce
2017/12/15 09:32 upstream d455df0bcc00 ac20b98c .config console log report ci-upstream-kasan-gce
2017/12/15 06:31 upstream d455df0bcc00 ac20b98c .config console log report ci-upstream-kasan-gce
2017/12/14 19:10 upstream 7c5cac1bc717 ac20b98c .config console log report ci-upstream-kasan-gce
2017/12/14 17:04 upstream 7c5cac1bc717 ac20b98c .config console log report ci-upstream-kasan-gce
2017/12/14 08:49 upstream 7c5cac1bc717 ac20b98c .config console log report ci-upstream-kasan-gce
2017/12/14 07:09 upstream 7c5cac1bc717 06ea774d .config console log report ci-upstream-kasan-gce
2017/12/14 02:18 upstream d39a01eff9af 06ea774d .config console log report ci-upstream-kasan-gce
2017/12/13 03:22 upstream d39a01eff9af ce7f2399 .config console log report ci-upstream-kasan-gce
2017/12/13 00:37 upstream a638349bf6c2 414a185f .config console log report ci-upstream-kasan-gce
2017/12/12 19:52 upstream a638349bf6c2 414a185f .config console log report ci-upstream-kasan-gce
2017/12/12 19:50 upstream a638349bf6c2 414a185f .config console log report ci-upstream-kasan-gce
2017/12/12 19:18 upstream a638349bf6c2 414a185f .config console log report ci-upstream-kasan-gce
2017/12/12 17:57 upstream a638349bf6c2 414a185f .config console log report ci-upstream-kasan-gce
2017/12/12 12:17 upstream a638349bf6c2 081721ff .config console log report ci-upstream-kasan-gce
2017/12/12 11:42 upstream a638349bf6c2 081721ff .config console log report ci-upstream-kasan-gce
2017/12/12 05:27 upstream a638349bf6c2 da131727 .config console log report ci-upstream-kasan-gce
2017/12/12 03:01 upstream a638349bf6c2 da131727 .config console log report ci-upstream-kasan-gce
2017/12/11 23:26 upstream 50c4c4e268a2 da131727 .config console log report ci-upstream-kasan-gce
2017/12/11 17:58 upstream 50c4c4e268a2 27f5dfef .config console log report ci-upstream-kasan-gce
2017/12/11 13:57 upstream 50c4c4e268a2 27f5dfef .config console log report ci-upstream-kasan-gce
2017/12/11 10:19 upstream 50c4c4e268a2 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/11 08:13 upstream 50c4c4e268a2 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/11 05:37 upstream 51090c5d6de0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/11 02:37 upstream 51090c5d6de0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/11 02:26 upstream 51090c5d6de0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 22:28 upstream 51090c5d6de0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 22:27 upstream 51090c5d6de0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 21:44 upstream 51090c5d6de0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 19:31 upstream 51090c5d6de0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 16:46 upstream 4ded3bec65a0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 16:04 upstream 4ded3bec65a0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 14:28 upstream 4ded3bec65a0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 14:07 upstream 4ded3bec65a0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 11:54 upstream 4ded3bec65a0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 11:04 upstream 4ded3bec65a0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/10 10:16 upstream 4ded3bec65a0 5ad0ce95 .config console log report ci-upstream-kasan-gce
2017/12/15 07:07 upstream d455df0bcc00 ac20b98c .config console log report ci-upstream-kasan-gce-386
2017/12/15 06:36 upstream d455df0bcc00 ac20b98c .config console log report ci-upstream-kasan-gce-386
* Struck through repros no longer work on HEAD.