syzbot


BUG: bad unlock balance in do_sendfile

Status: auto-closed as invalid on 2019/02/22 14:55
First crash: 2305d, last: 2257d

Sample crash report:
=====================================
[ BUG: bad unlock balance detected! ]
4.9.71-g2506378 #113 Not tainted
-------------------------------------
[   81.909351] binder: 15319:15324 ERROR: BC_REGISTER_LOOPER called without request
syz-executor4/15327 is trying to release lock (mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
binder: 15319:15324 got transaction with invalid offsets ptr
binder: 15319:15324 transaction failed 29201/-14, size 0-8 line 3155
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 887, process died.
2 locks held by syz-executor4/15327:
 #0:  (sb_writers#7){.+.+.+}, at: [<ffffffff8157087f>] file_start_write include/linux/fs.h:2619 [inline]
 #0:  (sb_writers#7){.+.+.+}, at: [<ffffffff8157087f>] do_sendfile+0x9ff/0xd30 fs/read_write.c:1400
 #1:  (&p->lock){+.+.+.}, at: [<ffffffff815e651d>] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 15327 Comm: syz-executor4 Not tainted 4.9.71-g2506378 #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d1ba72a8 ffffffff81d922b9 ffffffff849afcf8 ffff8801d1fe4800
 ffffffff834e4b84 ffffffff849afcf8 ffff8801d1fe5088 ffff8801d1ba72d8
 ffffffff81235fa4 dffffc0000000000 ffffffff849afcf8 00000000ffffffff
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81235fa4>] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [<ffffffff8123ea78>] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [<ffffffff8123ea78>] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [<ffffffff838aeb2a>] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [<ffffffff838aeb2a>] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [<ffffffff834e4b84>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [<ffffffff815e6ec3>] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [<ffffffff816bfbbf>] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [<ffffffff8156a4e1>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff8156e350>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff8156e350>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff8156e604>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8160d6bf>] kernel_readv fs/splice.c:363 [inline]
 [<ffffffff8160d6bf>] default_file_splice_read+0x43f/0x7a0 fs/splice.c:435
 [<ffffffff8160c7ba>] do_splice_to+0x10a/0x160 fs/splice.c:899
 [<ffffffff8160ca5d>] splice_direct_to_actor+0x24d/0x800 fs/splice.c:971
 [<ffffffff8160d1b7>] do_splice_direct+0x1a7/0x270 fs/splice.c:1080
 [<ffffffff815703cb>] do_sendfile+0x54b/0xd30 fs/read_write.c:1401
 [<ffffffff81572321>] SYSC_sendfile64 fs/read_write.c:1456 [inline]
 [<ffffffff81572321>] SyS_sendfile64+0xd1/0x160 fs/read_write.c:1448
 [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 15319:15350 ERROR: BC_REGISTER_LOOPER called without request
binder: 15319:15324 got reply transaction with bad transaction stack, transaction 892 has target 15319:0
binder: 15319:15324 transaction failed 29201/-71, size 24-8 line 2935
binder: 15319:15324 got transaction to invalid handle
binder: 15319:15324 transaction failed 29201/-22, size 0-8 line 3004
binder: release 15319:15324 transaction 892 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 892, target dead
binder: 15367:15392 got reply transaction with bad transaction stack, transaction 896 has target 15367:0
binder: 15367:15392 transaction failed 29201/-71, size 24-8 line 2935
binder: 15367:15417 got transaction to invalid handle
binder: 15367:15417 transaction failed 29201/-22, size 0-8 line 3004
binder: release 15367:15392 transaction 896 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder_alloc: 15367: binder_alloc_buf, no vma
binder: 15367:15392 transaction failed 29189/-3, size 0-0 line 3127
binder: 15367:15371 got reply transaction with no transaction stack
binder: 15367:15371 transaction failed 29201/-71, size 24-8 line 2920
binder: 15367:15392 got transaction to invalid handle
binder: 15367:15392 transaction failed 29201/-22, size 0-8 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15423:15431 ioctl 40046207 0 returned -16
binder: 15423:15431 got transaction to invalid handle
binder: 15423:15431 transaction failed 29201/-22, size 0-32 line 3004
binder_alloc: binder_alloc_mmap_handler: 15423 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15423:15431 ioctl 40046207 0 returned -16
binder: 15423:15436 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15367: binder_alloc_buf, no vma
binder: 15423:15431 transaction failed 29189/-3, size 0--1639644763780905976 line 3127
binder: 15423:15436 got transaction to invalid handle
binder: 15423:15436 transaction failed 29201/-22, size 0-32 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15455:15456 ioctl 40046207 0 returned -16
binder: 15455:15456 Acquire 1 refcount change on invalid ref 4 ret -22
binder_alloc: 15367: binder_alloc_buf, no vma
binder: 15455:15464 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15455:15478 ioctl 40046207 0 returned -16
binder: 15455:15478 unknown command 0
binder: 15455:15478 ioctl c0306201 20008fd0 returned -22
binder_alloc: 15367: binder_alloc_buf, no vma
binder: 15455:15464 transaction failed 29189/-3, size 0-0 line 3127
binder: 15455:15478 got transaction to invalid handle
binder: 15455:15478 transaction failed 29201/-22, size 0-8 line 3004
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 896, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15491:15501 ERROR: BC_REGISTER_LOOPER called without request
binder: 15491:15501 got transaction with invalid offsets ptr
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=2 sclass=netlink_xfrm_socket pig=15528 comm=syz-executor5
binder: 15491:15501 transaction failed 29201/-14, size 0-8 line 3155
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=2 sclass=netlink_xfrm_socket pig=15528 comm=syz-executor5
binder: 15491:15519 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15491: binder_alloc_buf size 536870912 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 15491:15501 transaction failed 29201/-28, size 536870912-0 line 3127
binder: 15491:15519 got transaction to invalid handle
binder: 15491:15519 transaction failed 29201/-22, size 0-8 line 3004
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 911, process died.
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15568:15573 ioctl 40046207 0 returned -16
binder: 15568:15573 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15491: binder_alloc_buf, no vma
binder: 15568:15586 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: 15568:15573 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15568: binder_alloc_buf, no vma
binder: 15568:15586 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: 15619:15626 ERROR: BC_REGISTER_LOOPER called without request
binder: 15619:15626 got transaction with invalid offsets ptr
binder: 15645:15647 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 15645:15647 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
binder: 15645:15647 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 15645:15654 unknown command 0
binder: 15645:15654 ioctl c0306201 2000a000 returned -22
binder: 15645:15654 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered transaction 929, copy_to_user failed
binder: 15645:15654 ioctl c0306201 20fc1fd0 returned -14
device syz7 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15619:15639 ioctl 40046207 0 returned -16
binder: 15619:15659 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15619: binder_alloc_buf, no vma
binder: 15619:15659 transaction failed 29189/-3, size 0-0 line 3127
binder_alloc: binder_alloc_mmap_handler: 15645 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15645:15654 ioctl 40046207 0 returned -16
binder: 15645:15654 unknown command 0
binder: 15645:15654 ioctl c0306201 2000a000 returned -22
binder_alloc: 15645: binder_alloc_buf, no vma
binder: 15645:15662 transaction failed 29189/-3, size 24-0 line 3127
binder: 15619:15626 transaction failed 29201/-14, size 0-8 line 3155
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 923, process died.
binder: undelivered TRANSACTION_ERROR: 29189
binder: 15680:15682 ERROR: BC_REGISTER_LOOPER called without request
binder: 15681:15686 ERROR: BC_REGISTER_LOOPER called without request
device gre0 entered promiscuous mode
binder: 15680:15682 got transaction with invalid offsets ptr
binder: 15680:15682 transaction failed 29201/-14, size 0-8 line 3155
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 936, process died.
binder: 15680:15697 ERROR: BC_REGISTER_LOOPER called without request
binder: 15681:15686 got transaction with invalid offsets ptr
binder: 15681:15686 transaction failed 29201/-14, size 0-8 line 3155
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 942, process died.
binder_alloc: 15680: binder_alloc_buf, no vma
binder: 15680:15697 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: 15712:15715 ERROR: BC_REGISTER_LOOPER called without request
binder: 15712:15715 ioctl c0306201 20008fd0 returned -11
binder: 15712:15715 ioctl c0306201 20001fd0 returned -14
binder: 15712:15715 got transaction to invalid handle
binder: 15712:15715 transaction failed 29201/-22, size 0-8 line 3004
binder: release 15712:15715 transaction 948 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 948, target dead
binder: 15712:15715 ERROR: BC_REGISTER_LOOPER called without request
binder: 15712:15715 ioctl c0306201 20001fd0 returned -14
binder: 15712:15715 got transaction to invalid handle
binder: 15712:15715 transaction failed 29201/-22, size 0-8 line 3004
binder: release 15712:15715 transaction 951 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 951, target dead
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=15733 comm=syz-executor4
binder: 15732:15738 ERROR: BC_REGISTER_LOOPER called without request
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=15733 comm=syz-executor4
binder: 15732:15738 got transaction with invalid offsets ptr
binder: 15732:15738 transaction failed 29201/-14, size 0-8 line 3155
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15732:15750 ioctl 40046207 0 returned -16
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 955, process died.
binder: 15756:15757 ERROR: BC_REGISTER_LOOPER called without request
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=15758 comm=syz-executor4
binder: 15756:15757 got transaction with invalid offsets ptr
binder: 15756:15757 transaction failed 29201/-14, size 0-8 line 3155
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 961, process died.
binder: 15756:15766 ERROR: BC_REGISTER_LOOPER called without request
binder: 15756:15757 got reply transaction with bad transaction stack, transaction 966 has target 15756:0
binder: 15756:15757 transaction failed 29201/-71, size 24-8 line 2935
binder: 15756:15766 got transaction to invalid handle
binder: 15756:15766 transaction failed 29201/-22, size 0-8 line 3004
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=15776 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=15758 comm=syz-executor4
binder: release 15756:15757 transaction 966 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 966, target dead
binder: 15777:15778 ERROR: BC_REGISTER_LOOPER called without request
binder: 15777:15778 got transaction with invalid offsets ptr
binder: 15777:15778 transaction failed 29201/-14, size 24-8 line 3155
binder: send failed reply for transaction 970 to 15777:15779
binder: 15777:15778 got transaction to invalid handle
binder: 15777:15778 transaction failed 29201/-22, size 0-8 line 3004
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15777:15778 ERROR: BC_REGISTER_LOOPER called without request
binder: release 15777:15779 transaction 974 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 974, target dead
binder: 15788:15790 ERROR: BC_REGISTER_LOOPER called without request
device gre0 entered promiscuous mode
binder: 15788:15790 got transaction with invalid offsets ptr
binder: 15788:15790 transaction failed 29201/-14, size 0-8 line 3155
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15788:15790 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15788: binder_alloc_buf size 536870912 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 15788:15803 transaction failed 29201/-28, size 536870912-0 line 3127
binder: 15788:15803 got transaction to invalid handle
binder: 15788:15803 transaction failed 29201/-22, size 0-8 line 3004
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15823:15825 ioctl 40046207 0 returned -16
binder: 15823:15825 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15788: binder_alloc_buf, no vma
binder: 15823:15831 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15823:15831 ioctl 40046207 0 returned -16
binder: 15823:15839 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15788: binder_alloc_buf, no vma
binder: 15823:15839 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 977, process died.
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15855:15866 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15855: binder_alloc_buf size 140737489666048 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 15855:15890 transaction failed 29201/-28, size 140737489666048-0 line 3127
binder: 15855:15903 got reply transaction with no transaction stack
binder: 15855:15903 transaction failed 29201/-71, size 24-8 line 2920
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15855:15890 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15855: binder_alloc_buf size 140737489666048 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 15855:15890 got reply transaction with no transaction stack
binder: 15855:15890 transaction failed 29201/-71, size 24-8 line 2920
binder: 15855:15903 got transaction to invalid handle
binder: 15855:15903 transaction failed 29201/-22, size 0-8 line 3004
binder: 15855:15866 transaction failed 29201/-28, size 140737489666048-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15927:15931 ERROR: BC_REGISTER_LOOPER called without request
binder: 15927:15931 ioctl 5401 20005fdc returned -22
binder: 15927:15931 got transaction with invalid offsets ptr
binder: 15927:15931 transaction failed 29201/-14, size 0-8 line 3155
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15927:15946 ioctl 40046207 0 returned -16
binder: 15927:15931 ioctl 5401 20005fdc returned -22
binder: 15927:15946 got transaction to invalid handle
binder: 15927:15946 transaction failed 29201/-22, size 0-8 line 3004
binder: undelivered TRANSACTION_ERROR: 29201
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: 15951:15963 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 995, process died.
binder: 15951:15963 got transaction with invalid offsets ptr
binder: 15951:15963 transaction failed 29201/-14, size 0-8 line 3155
binder: 15951:15963 ioctl 40a85321 20002000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15951:15980 ioctl 40046207 0 returned -16
binder: 15951:15963 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15951: binder_alloc_buf, no vma
binder: 15951:15980 transaction failed 29189/-3, size 0-0 line 3127
binder: 15951:15980 got transaction to invalid handle
binder: 15951:15980 transaction failed 29201/-22, size 0-8 line 3004
binder: 15951:15963 got reply transaction with no transaction stack
binder: 15951:15963 transaction failed 29201/-71, size 24-8 line 2920
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15997:16002 ioctl 40046207 0 returned -16
binder: 15997:16002 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15951: binder_alloc_buf, no vma
binder: 15997:16020 transaction failed 29189/-3, size 38654705664-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15997:16002 ioctl 40046207 0 returned -16
binder: 15997:16020 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15951: binder_alloc_buf, no vma
binder: 15997:16020 transaction failed 29189/-3, size 38654705664-0 line 3127
binder: 15997:16002 got reply transaction with no transaction stack
binder: 15997:16002 transaction failed 29201/-71, size 24-8 line 2920
binder: 15997:16020 got transaction to invalid handle
binder: 15997:16020 transaction failed 29201/-22, size 0-8 line 3004
audit: type=1400 audit(1514097885.820:58): avc:  denied  { bind } for  pid=16043 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16053:16062 ioctl 40046207 0 returned -16
binder: 16053:16062 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29201
binder: 16080:16081 got reply transaction with no transaction stack
binder: 16080:16081 transaction failed 29201/-71, size 24-8 line 2920
binder_alloc: binder_alloc_mmap_handler: 16080 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16080:16088 ioctl 40046207 0 returned -16
binder: 16080:16088 got reply transaction with no transaction stack
binder: 16080:16088 transaction failed 29201/-71, size 24-8 line 2920
binder_alloc: 15951: binder_alloc_buf, no vma
binder: 16053:16086 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16053:16086 ioctl 40046207 0 returned -16
binder: 16053:16062 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 15951: binder_alloc_buf, no vma
binder: 16053:16062 transaction failed 29189/-3, size 0-0 line 3127
binder: 16053:16062 got transaction to invalid handle
binder: 16053:16062 transaction failed 29201/-22, size 0-8 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16109:16115 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 1002, process died.
binder: 16126:16138 ERROR: BC_REGISTER_LOOPER called without request
binder: 16126:16138 got transaction with invalid offsets ptr
binder: 16126:16138 transaction failed 29201/-14, size 0-8 line 3155
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16129:16186 ioctl 40046207 0 returned -16
binder_alloc: 16129: binder_alloc_buf, no vma
binder: 16129:16186 transaction failed 29189/-3, size 0-0 line 3127
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 16126:16171 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16126: binder_alloc_buf size 536870912 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 16126:16138 transaction failed 29201/-28, size 536870912-0 line 3127
binder: 16126:16171 got transaction to invalid handle
binder: 16126:16171 transaction failed 29201/-22, size 0-8 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16202:16203 ioctl 40046207 0 returned -16
binder: 16202:16203 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16202:16221 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_COMPLETE
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16202:16230 ioctl 40046207 0 returned -16
binder: 16202:16221 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16202:16230 transaction failed 29189/-3, size 0-0 line 3127
binder: 16202:16230 got transaction to invalid handle
binder: 16202:16230 transaction failed 29201/-22, size 0-8 line 3004
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16237:16245 ioctl 40046207 0 returned -16
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 16237:16245 ERROR: BC_REGISTER_LOOPER called without request
device gre0 entered promiscuous mode
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16237:16261 transaction failed 29189/-3, size 0-0 line 3127
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
binder: undelivered transaction 1027, process died.
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 16129:16136 transaction 1023 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: release 16129:16162 transaction 1025 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16237:16277 ioctl 40046207 0 returned -16
binder: 16237:16277 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1514097887.090:59): avc:  denied  { attach_queue } for  pid=16274 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=tun_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 16279 Comm: syz-executor1 Not tainted 4.9.71-g2506378 #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d09875d0 ffffffff81d922b9 ffff8801d09878b0 0000000000000000
 ffff8801cbe28b90 ffff8801d09877a0 ffff8801cbe28a80 ffff8801d09877c8
 ffffffff8165fb7a 0000000000000000 ffff8801d0987720 00000001d4d5f067
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165fb7a>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814cea81>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cea81>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cea81>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cea81>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd462>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddc07>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838b0158>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
 [<ffffffff815abdda>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815abdda>] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [<ffffffff815acdff>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815acdff>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16237:16261 transaction failed 29189/-3, size 0-0 line 3127
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 16279 Comm: syz-executor1 Not tainted 4.9.71-g2506378 #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d09875d0 ffffffff81d922b9 ffff8801d09878b0 0000000000000000
 ffff8801cbe28d10 ffff8801d09877a0 ffff8801cbe28c00 ffff8801d09877c8
 ffffffff8165fb7a 0000000041b58ab3 ffff8801d0987720 00000001d1b17067
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165fb7a>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814cea81>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cea81>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cea81>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cea81>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd462>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddc07>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838b0158>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
 [<ffffffff815abdda>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815abdda>] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [<ffffffff815acdff>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815acdff>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 16237:16283 got transaction to invalid handle
binder: 16237:16283 transaction failed 29201/-22, size 0-8 line 3004
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16291:16301 ioctl 40046207 0 returned -16
binder: 16291:16301 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16291:16319 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16291:16319 ioctl 40046207 0 returned -16
binder: 16291:16327 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16291:16319 transaction failed 29189/-3, size 0-0 line 3127
binder: 16291:16327 got transaction to invalid handle
binder: 16291:16327 transaction failed 29201/-22, size 0-8 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16339:16343 ioctl 40046207 0 returned -16
binder: 16339:16343 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16339:16352 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16339:16357 ioctl 40046207 0 returned -16
binder: 16339:16352 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16339:16357 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16359:16360 ioctl 40046207 0 returned -16
binder: 16359:16360 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16359:16363 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16359:16363 ioctl 40046207 0 returned -16
binder: 16359:16366 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16126: binder_alloc_buf, no vma
binder: 16359:16363 transaction failed 29189/-3, size 0-0 line 3127
binder: 16359:16366 got transaction to invalid handle
binder: 16359:16366 transaction failed 29201/-22, size 0-8 line 3004
binder: send failed reply for transaction 1023, target dead
binder: send failed reply for transaction 1025, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
binder: 16380:16388 ERROR: BC_REGISTER_LOOPER called without request
binder: 16380:16388 got transaction with invalid offsets ptr
binder: 16380:16388 transaction failed 29201/-14, size 0-8 line 3155
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 16380:16411 ERROR: BC_REGISTER_LOOPER called without request
binder: 16380:16411 got reply transaction with no transaction stack
binder: 16380:16411 transaction failed 29201/-71, size 24-8 line 2920
binder: 16380:16388 got transaction to invalid handle
binder: 16380:16388 transaction failed 29201/-22, size 0-8 line 3004
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 1051, process died.
binder: release 16380:16388 transaction 1056 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 1056, target dead
binder: 16421:16445 ERROR: BC_REGISTER_LOOPER called without request
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 16432 Comm: syz-executor5 Not tainted 4.9.71-g2506378 #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9dcf7b0 ffffffff81d922b9 ffff8801c9dcfa90 0000000000000000
 ffff8801cbe29010 ffff8801c9dcf980 ffff8801cbe28f00 ffff8801c9dcf9a8
 ffffffff8165fb7a 0000000000000046 ffff8801c9dcf900 00000001d6845067
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165fb7a>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814cea81>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cea81>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cea81>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cea81>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd462>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddc07>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838b0158>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
 [<ffffffff82ed82e6>] SYSC_setsockopt net/socket.c:1768 [inline]
 [<ffffffff82ed82e6>] SyS_setsockopt+0x216/0x250 net/socket.c:1751
 [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 16465 Comm: syz-executor2 Not tainted 4.9.71-g2506378 #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9d7f5d0 ffffffff81d922b9 ffff8801c9d7f8b0 0000000000000000
 ffff8801cbe29310 ffff8801c9d7f7a0 ffff8801cbe29200 ffff8801c9d7f7c8
 ffffffff8165fb7a 0000000000000000 ffff8801c9d7f720 00000001d560a067
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165fb7a>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814cea81>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cea81>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cea81>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cea81>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd462>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddc07>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838b0158>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
binder: 16421:16445 got transaction with invalid offsets ptr
 [<ffffffff815abdda>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815abdda>] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
binder: 16421:16445 transaction failed 29201/-14, size 0-8 line 3155
 [<ffffffff815acdff>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815acdff>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 16470 Comm: syz-executor2 Not tainted 4.9.71-g2506378 #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cd75f5d0 ffffffff81d922b9 ffff8801cd75f8b0 0000000000000000
 ffff8801cbe29610 ffff8801cd75f7a0 ffff8801cbe29500 ffff8801cd75f7c8
 ffffffff8165fb7a 0000000041b58ab3 ffff8801cd75f720 00000001d560a067
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165fb7a>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814cea81>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cea81>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cea81>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cea81>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd462>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddc07>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838b0158>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
 [<ffffffff815abdda>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815abdda>] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [<ffffffff815acdff>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815acdff>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16421:16445 ioctl 40046207 0 returned -16
binder: 16421:16484 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16421:16445 transaction failed 29189/-3, size 0-0 line 3127
binder: 16421:16484 got transaction to invalid handle
binder: 16421:16484 transaction failed 29201/-22, size 0-8 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16492:16499 ioctl 40046207 0 returned -16
binder: 16492:16499 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16492:16511 transaction failed 29189/-3, size 0-0 line 3127
binder: 16492:16520 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16492:16511 ioctl 40046207 0 returned -16
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16492:16511 transaction failed 29189/-3, size 0-0 line 3127
binder: 16492:16520 got transaction to invalid handle
binder: 16492:16520 transaction failed 29201/-22, size 0-8 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16530:16535 ioctl 40046207 0 returned -16
binder: 16530:16535 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16530:16550 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16530:16558 ioctl 40046207 0 returned -16
binder: 16530:16550 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16530:16558 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16565:16574 ioctl 40046207 0 returned -16
binder: 16565:16574 ERROR: BC_REGISTER_LOOPER called without request
binder: 16565:16590 got transaction to invalid handle
binder: 16565:16590 transaction failed 29201/-22, size 0-0 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16565:16590 ioctl 40046207 0 returned -16
binder: 16565:16601 ERROR: BC_REGISTER_LOOPER called without request
binder: 16565:16590 got transaction to invalid handle
binder: 16565:16590 transaction failed 29201/-22, size 0-0 line 3004
binder: 16565:16601 got transaction to invalid handle
binder: 16565:16601 transaction failed 29201/-22, size 0-8 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16616:16624 ioctl 40046207 0 returned -16
binder: 16616:16624 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16616:16624 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16616:16624 ioctl 40046207 0 returned -16
binder: 16616:16624 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16616:16629 transaction failed 29189/-3, size 0-0 line 3127
binder: 16616:16624 got reply transaction with no transaction stack
binder: 16616:16624 transaction failed 29201/-71, size 24-8 line 2920
binder: 16616:16629 got transaction to invalid handle
binder: 16616:16629 transaction failed 29201/-22, size 0-8 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16646:16650 ioctl 40046207 0 returned -16
binder: 16646:16650 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16646:16663 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16646:16663 ioctl 40046207 0 returned -16
binder: 16646:16664 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16646:16663 transaction failed 29189/-3, size 0-0 line 3127
binder: 16646:16664 got transaction to invalid handle
binder: 16646:16664 transaction failed 29201/-22, size 0-8 line 3004
binder: 16667:16673 BC_INCREFS_DONE u0000000000000000 no match
binder: 16667:16673 Release 1 refcount change on invalid ref 4 ret -22
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16667:16673 transaction failed 29189/-3, size 64-24 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16667:16673 ioctl 40046207 0 returned -16
binder: 16667:16673 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16667:16695 transaction failed 29189/-3, size 0-0 line 3127
binder: 16667:16704 unknown command 0
binder: 16667:16704 ioctl c0306201 20008fd0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16667:16704 ioctl 40046207 0 returned -16
binder: 16667:16695 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16667:16704 transaction failed 29189/-3, size 0-0 line 3127
binder: 16667:16716 got transaction to invalid handle
binder: 16667:16716 transaction failed 29201/-22, size 0-8 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16723:16729 ioctl 40046207 0 returned -16
binder: 16723:16729 ERROR: BC_REGISTER_LOOPER called without request
binder: 16722:16732 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 16722:16732 BC_FREE_BUFFER uffffffffffffffff no match
binder: 16722:16732 BC_DEAD_BINDER_DONE 0000000000000001 not found
binder_alloc: binder_alloc_mmap_handler: 16722 20005000-20008000 already mapped failed -16
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16723:16746 transaction failed 29189/-3, size 0-0 line 3127
binder: 16722:16736 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 16722:16736 BC_FREE_BUFFER uffffffffffffffff no match
binder: 16722:16736 BC_DEAD_BINDER_DONE 0000000000000001 not found
binder_alloc: binder_alloc_mmap_handler: 16722 20005000-20008000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16723:16746 ioctl 40046207 0 returned -16
binder: 16723:16762 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16723:16746 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16767:16778 ioctl 40046207 0 returned -16
binder: 16767:16778 ERROR: BC_REGISTER_LOOPER called without request
binder: 16767:16778 ioctl c0306201 20008fd0 returned -11
binder: 16767:16778 got reply transaction with no transaction stack
binder: 16767:16778 transaction failed 29201/-71, size 24-8 line 2920
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16767:16778 ioctl 40046207 0 returned -16
binder: 16767:16786 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16796:16802 ioctl 40046207 0 returned -16
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16796:16802 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16796:16804 ioctl 40046207 0 returned -16
binder_alloc: 16421: binder_alloc_buf, no vma
binder: 16796:16802 transaction failed 29189/-3, size 0-0 line 3127
binder: 16796:16804 got transaction to invalid handle
binder: 16796:16804 transaction failed 29201/-22, size 80-8 line 3004
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 1061, process died.
audit: type=1400 audit(1514097890.790:60): avc:  denied  { connect } for  pid=17011 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1514097890.840:61): avc:  denied  { execute } for  pid=17039 comm="syz-executor6" dev="pipefs" ino=27758 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
IPVS: Creating netns size=2536 id=17
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 17107 Comm: syz-executor0 Not tainted 4.9.71-g2506378 #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb557980 ffffffff81d922b9 ffff8801cb557c60 0000000000000000
 ffff8801c6f33f10 ffff8801cb557b50 ffff8801c6f33e00 ffff8801cb557b78
 ffffffff8165fb7a ffffffff811c4abb ffff8801cb557ad0 00000001c974a067
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165fb7a>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814cea81>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cea81>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cea81>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cea81>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd462>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddc07>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838b0158>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
 [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 17185 Comm: syz-executor7 Not tainted 4.9.71-g2506378 #113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c7ae78b0 ffffffff81d922b9 ffff8801c7ae7b90 0000000000000000
 ffff8801b6beb610 ffff8801c7ae7a80 ffff8801b6beb500 ffff8801c7ae7aa8
 ffffffff8165fb7a ffff8801c5e66000 ffff8801c7ae7a00 00000001b1d33067
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165fb7a>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [<ffffffff814cea81>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cea81>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cea81>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cea81>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd462>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddc07>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838b0158>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
 [<ffffffff838aef85>] entry_SYSCALL_64_fastpath+0x23/0xc6

Crashes (3):

Time              Kernel                                                      Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets  Manager                      Title
2017/12/24 06:44  https://android.googlesource.com/kernel/common android-4.9  250637879165  73aba437   .config  console log  report                                       ci-android-49-kasan-gce
2018/02/10 16:28  https://android.googlesource.com/kernel/common android-4.9  8a174b4749d3  e67d44e0   .config  console log  report                                       ci-android-49-kasan-gce-386
2018/02/09 18:07  https://android.googlesource.com/kernel/common android-4.9  20c8a0089294  9fb5ec43   .config  console log  report                                       ci-android-49-kasan-gce-386

* Struck through repros no longer work on HEAD.