syzbot


BUG: bad unlock balance in __fdget_pos

Status: auto-closed as invalid on 2019/02/22 14:55
First crash: 2548d, last: 2529d

Sample crash report:
=====================================
[ BUG: bad unlock balance detected! ]
4.9.70-g9542d2a #109 Not tainted
-------------------------------------
syz-executor7/8889 is trying to release lock ([   43.518507] netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor7/8889:
 #0:  (&f->f_pos_lock){+.+.+.}, at: [<ffffffff815cfb1f>] __fdget_pos+0x9f/0xc0 fs/file.c:781
 #1:  (&p->lock){+.+.+.}, at: [<ffffffff815e4f1d>] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 8889 Comm: syz-executor7 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d8e3f8e8 ffffffff81d90a29 ffffffff849ae9f8 ffff8801d8e30000
 ffffffff834df9b4 ffffffff849ae9f8 ffff8801d8e30888 ffff8801d8e3f918
 ffffffff81235404 dffffc0000000000 ffffffff849ae9f8 00000000ffffffff
Call Trace:
 [<ffffffff81d90a29>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90a29>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81235404>] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [<ffffffff8123ded8>] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [<ffffffff8123ded8>] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [<ffffffff838a9f8a>] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [<ffffffff838a9f8a>] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [<ffffffff834df9b4>] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [<ffffffff815e58c3>] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [<ffffffff816be57f>] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [<ffffffff81568ef1>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff8156cd60>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff8156cd60>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff8156d014>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8156d136>] do_readv+0xe6/0x250 fs/read_write.c:924
 [<ffffffff81570627>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff81570627>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff838aa405>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 8931:8934 got transaction with invalid offsets size, 4
binder: 8931:8934 transaction failed 29201/-22, size 0-4 line 3166
binder: 8931:8934 ioctl c0306201 20007000 returned -14
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 8931: binder_alloc_buf, no vma
binder: 8931:8951 transaction failed 29189/-3, size 0-4 line 3130
binder: 8962:8971 got transaction with invalid parent offset or type
binder: 8962:8971 transaction failed 29201/-22, size 32-8 line 3253
binder_alloc: binder_alloc_mmap_handler: 8962 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8962:8971 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor2/9008
binder: 9003:9015 got transaction with invalid parent offset or type
binder: 9003:9015 transaction failed 29201/-22, size 32-8 line 3253
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 9008 Comm: syz-executor2 Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d809f6d8 ffffffff81d90a29 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d8090000 0000000000000003 ffff8801d809f718
 ffffffff81df79f4 ffff8801d809f730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [<ffffffff81d90a29>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90a29>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81df79f4>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [<ffffffff81df7a5c>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [<ffffffff833f3cd8>] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [<ffffffff833f3cd8>] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [<ffffffff83360100>] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [<ffffffff833d23d7>] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [<ffffffff833d2b3a>] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [<ffffffff8356c579>] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [<ffffffff8356c579>] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [<ffffffff8356401e>] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [<ffffffff835658c9>] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [<ffffffff82ecfb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ecfb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed1791>] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [<ffffffff82ed37c6>] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [<ffffffff82ed38ad>] SYSC_sendmsg net/socket.c:2013 [inline]
 [<ffffffff82ed38ad>] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [<ffffffff838aa405>] entry_SYSCALL_64_fastpath+0x23/0xc6
device sit0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 9067 Comm:  Not tainted 4.9.70-g9542d2a #109
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c34f7880 ffffffff81d90a29 ffff8801c34f7b60 0000000000000000
 ffff8801ce1d7a90 ffff8801c34f7a50 ffff8801ce1d7980 ffff8801c34f7a78
 ffffffff8165e557 ffff8801db221418 ffff8801c34f79d0 00000001d9a8b067
Call Trace:
 [<ffffffff81d90a29>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90a29>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e557>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd781>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cd781>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd781>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd781>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd452>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddbf7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838ab5d8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff81175f3a>] SYSC_prctl kernel/sys.c:2285 [inline]
 [<ffffffff81175f3a>] SyS_prctl+0x45a/0x14a0 kernel/sys.c:2224
 [<ffffffff838aa405>] entry_SYSCALL_64_fastpath+0x23/0xc6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9113 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9115 comm=syz-executor5
device syz7 entered promiscuous mode
audit: type=1400 audit(1513690920.649:40): avc:  denied  { create } for  pid=9330 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1513690920.689:41): avc:  denied  { write } for  pid=9330 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1513690920.709:42): avc:  denied  { read } for  pid=9330 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
device gre0 entered promiscuous mode
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
binder: 9671:9677 BC_FREE_BUFFER u0000000020000000 matched unreturned buffer
binder: 9671:9677 got new transaction with bad transaction stack, transaction 67 has target 9671:0
binder: 9671:9677 transaction failed 29201/-71, size 0-0 line 3034
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9671:9677 ioctl 40046207 0 returned -16
binder_alloc: 9671: binder_alloc_buf, no vma
binder: 9671:9688 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 9671:9677 transaction 67 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 67, target dead
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=48821 sclass=netlink_route_socket pig=10100 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=48821 sclass=netlink_route_socket pig=10108 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55994 sclass=netlink_route_socket pig=10188 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55994 sclass=netlink_route_socket pig=10200 comm=syz-executor5
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23397 sclass=netlink_route_socket pig=10245 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23397 sclass=netlink_route_socket pig=10245 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=121 sclass=netlink_route_socket pig=10250 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=121 sclass=netlink_route_socket pig=10252 comm=syz-executor5
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=10692 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=10697 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=27935 sclass=netlink_route_socket pig=10828 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=27935 sclass=netlink_route_socket pig=10836 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=11097 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=56497 sclass=netlink_route_socket pig=11148 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=56497 sclass=netlink_route_socket pig=11158 comm=syz-executor5
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
audit: type=1400 audit(1513690926.919:43): avc:  denied  { create } for  pid=11344 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
binder: 11908:11912 ioctl c0306201 20382000 returned -11
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11908:11914 ioctl 40046207 0 returned -16
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20029. Sending cookies.  Check SNMP counters.

Crashes (126):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2017/12/19 13:42 https://android.googlesource.com/kernel/common android-4.9 9542d2a0126e af9163c7 .config console log report ci-android-49-kasan-gce
2017/12/18 14:25 https://android.googlesource.com/kernel/common android-4.9 9542d2a0126e 1c4160ef .config console log report ci-android-49-kasan-gce
2017/12/17 02:19 https://android.googlesource.com/kernel/common android-4.9 3f1d77ca5f8f b6f0c91b .config console log report ci-android-49-kasan-gce
2017/12/16 12:01 https://android.googlesource.com/kernel/common android-4.9 3f1d77ca5f8f b6f0c91b .config console log report ci-android-49-kasan-gce
2017/12/16 10:24 https://android.googlesource.com/kernel/common android-4.9 3f1d77ca5f8f b6f0c91b .config console log report ci-android-49-kasan-gce
2017/12/14 11:42 https://android.googlesource.com/kernel/common android-4.9 3f1d77ca5f8f ac20b98c .config console log report ci-android-49-kasan-gce
2017/12/13 12:20 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e ce7f2399 .config console log report ci-android-49-kasan-gce
2017/12/13 08:57 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e ce7f2399 .config console log report ci-android-49-kasan-gce
2017/12/13 04:04 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e ce7f2399 .config console log report ci-android-49-kasan-gce
2017/12/12 23:59 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e 414a185f .config console log report ci-android-49-kasan-gce
2017/12/12 06:17 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e da131727 .config console log report ci-android-49-kasan-gce
2017/12/11 18:29 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e 27f5dfef .config console log report ci-android-49-kasan-gce
2017/12/11 18:20 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e 27f5dfef .config console log report ci-android-49-kasan-gce
2017/12/11 17:15 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e 27f5dfef .config console log report ci-android-49-kasan-gce
2017/12/11 16:15 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 27f5dfef .config console log report ci-android-49-kasan-gce
2017/12/11 15:49 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 27f5dfef .config console log report ci-android-49-kasan-gce
2017/12/11 14:58 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 27f5dfef .config console log report ci-android-49-kasan-gce
2017/12/11 13:57 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 27f5dfef .config console log report ci-android-49-kasan-gce
2017/12/11 11:53 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 11:18 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 11:14 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 09:13 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 09:11 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 08:56 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 07:24 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 01:39 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/11 00:08 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 23:37 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 23:00 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 22:17 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 20:18 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 17:58 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 17:23 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 16:07 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 15:43 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 15:42 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 13:50 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 12:05 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 11:16 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
2017/12/10 09:46 https://android.googlesource.com/kernel/common android-4.9 f26d3c76d376 5ad0ce95 .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.