==================================================================
BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0xd7/0xe0 arch/x86/kernel/unwind_frame.c:51 at addr ffff8801c9a5fde8
Read of size 8 by task syz-executor3/5385
page:ffffea00072697c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected
CPU: 0 PID: 5385 Comm: syz-executor3 Not tainted 4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9a7f928 ffffffff81d90a29 ffffed003934bfbd 0000000000000008
 0000000000000000 ffffed003934bfbd ffff8801c9a5fde8 ffff8801c9a7f9b0
 ffffffff8153a9c3 ffff8801c70acfd8 0000000000000003 ffffffff810d3e07
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description mm/kasan/report.c:208 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x4c3/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] unwind_next_frame+0xd7/0xe0 arch/x86/kernel/unwind_frame.c:51
 [] __save_stack_trace+0x7d/0xf0 arch/x86/kernel/stacktrace.c:42
 [] save_stack_trace_tsk+0x48/0x70 arch/x86/kernel/stacktrace.c:71
 [] proc_pid_stack+0x146/0x230 fs/proc/base.c:466
 [] proc_single_show+0xf8/0x170 fs/proc/base.c:768
 [] seq_read+0x32f/0x1290 fs/seq_file.c:240
 [] __vfs_read+0x103/0x670 fs/read_write.c:452
 [] vfs_read+0x11e/0x380 fs/read_write.c:475
 [] SYSC_read fs/read_write.c:591 [inline]
 [] SyS_read+0xd9/0x1b0 fs/read_write.c:584
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c9a5fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c9a5fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c9a5fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
                                                          ^
 ffff8801c9a5fe00: f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2
 ffff8801c9a5fe80: f2 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00
==================================================================
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
binder: release 5478:5487 transaction 13 out, still active
device gre0 entered promiscuous mode
binder: release 5478:5487 transaction 14 out, still active
binder: release 5478:5487 transaction 13 in, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
binder_alloc: binder_alloc_mmap_handler: 5478 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5478:5498 ioctl 40046207 0 returned -16
binder_alloc: 5478: binder_alloc_buf, no vma
binder: 5478:5498 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 5478:5498 transaction 14 in, still active
binder: send failed reply for transaction 14, target dead
binder: send failed reply for transaction 13, target dead
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
audit: type=1400 audit(1513495335.389:30): avc: denied { getopt } for pid=5538 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
audit: type=1400 audit(1513495335.539:31): avc: denied { connect } for pid=5590 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
audit: type=1400 audit(1513495335.539:32): avc: denied { getattr } for pid=5576 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
keychord: Insufficient bytes present for keycount 18
keychord: Insufficient bytes present for keycount 18
program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
binder: release 5695:5699 transaction 17 out, still active
device gre0 entered promiscuous mode
binder_alloc: 5695: binder_alloc_buf, no vma
binder: 5695:5699 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_COMPLETE
binder: release 5695:5699 transaction 17 in, still active
binder: send failed reply for transaction 17, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: binder_alloc_mmap_handler: 5695 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5695:5730 ioctl 40046207 0 returned -16
binder_alloc: 5695: binder_alloc_buf, no vma
binder: 5695:5730 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 5695: binder_alloc_buf, no vma
binder: 5695:5740 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: 5749:5751 ioctl 40046205 8 returned -22
audit: type=1400 audit(1513495336.359:33): avc: denied { transfer } for pid=5749 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: binder_mmap: 5749 20476000-20479000 bad vm_flags failed -1
binder: 5749:5761 got reply transaction with no transaction stack
binder: 5749:5761 transaction failed 29201/-71, size 0-56 line 2923
binder: 5749:5761 ioctl 40046205 8 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5749:5764 ioctl 40046207 0 returned -16
binder_alloc: 5749: binder_alloc_buf, no vma
binder: 5749:5761 transaction failed 29189/-3, size 80-16 line 3130
binder: binder_mmap: 5749 20476000-20479000 bad vm_flags failed -1
binder: 5749:5761 got reply transaction with no transaction stack
binder: 5749:5761 transaction failed 29201/-71, size 0-56 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 5749:5761 transaction 22 out, still active
binder: unexpected work type, 4, not freed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 22, target dead
device gre0 entered promiscuous mode
device lo left promiscuous mode
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=65535 sclass=netlink_audit_socket pig=5977 comm=syz-executor6
device lo entered promiscuous mode
audit: type=1400 audit(1513495336.989:34): avc: denied { write } for pid=6003 comm="syz-executor5" path="socket:[16738]" dev="sockfs" ino=16738 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
device lo left promiscuous mode
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=65535 sclass=netlink_audit_socket pig=5993 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=6011 comm=syz-executor2
device syz6 entered promiscuous mode
binder: 6097:6098 ioctl 894b 202ec000 returned -22
binder: 6097:6098 ioctl 89e0 2072b000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6097:6098 ioctl 40046207 0 returned -16
binder: 6097:6106 ioctl 894b 202ec000 returned -22
binder: 6097:6107 ioctl 89e0 2072b000 returned -22
binder_alloc: 6097: binder_alloc_buf, no vma
binder: 6097:6106 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 29 to 6097:6098
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6104:6120 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6104:6105 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6104:6144 BC_DEAD_BINDER_DONE 0000000000000000 not found
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly
device gre0 entered promiscuous mode
binder: 6190:6191 got reply transaction with no transaction stack
binder: 6190:6191 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: 6190:6194 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 6190:6194 got transaction to invalid handle
binder: 6190:6194 transaction failed 29201/-22, size 64-32 line 3007
binder: 6190:6223 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6190:6223 got transaction to invalid handle
binder: 6190:6223 transaction failed 29201/-22, size 40-16 line 3007
binder_alloc: 6190: binder_alloc_buf, no vma
binder: 6190:6223 transaction failed 29189/-3, size 0-0 line 3130
binder: 6190:6235 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 6190:6235 BC_FREE_BUFFER u0000000000000000 no match
binder: 6190:6194 unknown command 0
binder: 6190:6194 ioctl c0306201 20004000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6190:6194 ioctl 40046207 0 returned -16
binder: 6190:6194 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 6190:6194 got transaction to invalid handle
binder: 6190:6194 transaction failed 29201/-22, size 64-32 line 3007
binder: 6190:6239 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6190:6239 got transaction to invalid handle
binder: 6190:6239 transaction failed 29201/-22, size 40-16 line 3007
binder_alloc: 6190: binder_alloc_buf, no vma
binder: 6190:6239 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14762 sclass=netlink_route_socket pig=6387 comm=syz-executor5
nla_parse: 8 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14762 sclass=netlink_route_socket pig=6416 comm=syz-executor5
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 6445:6446 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 6445: binder_alloc_buf, no vma
binder: 6445:6446 transaction failed 29189/-3, size -9136452502804823694--6259034843114309523 line 3130
device lo entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6445:6465 ioctl 40046207 0 returned -16
binder: 6445:6446 ERROR: BC_REGISTER_LOOPER called without request
binder: 6445:6465 unknown command 29196
binder: 6445:6465 ioctl c0306201 20002fd0 returned -22
binder: 6445:6446 got reply transaction with no transaction stack
binder: 6445:6446 transaction failed 29201/-71, size 0-0 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
IPVS: Creating netns size=2536 id=9
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=10
IPVS: Creating netns size=2536 id=11
device gre0 entered promiscuous mode
9pnet_virtio: no channels available for device ./file0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=29486 sclass=netlink_route_socket pig=6602 comm=syz-executor3
9pnet_virtio: no channels available for device ./file0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=29486 sclass=netlink_route_socket pig=6614 comm=syz-executor3
capability: warning: `syz-executor0' uses deprecated v2 capabilities in a way that may be insecure
binder: 6684:6686 BC_ACQUIRE_DONE node 44 has no pending acquire request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6684:6704 ioctl 40046207 0 returned -16
binder_alloc: 6684: binder_alloc_buf, no vma
binder: 6684:6686 transaction failed 29189/-3, size 80-16 line 3130
binder: 6684:6704 BC_ACQUIRE_DONE u0000000000000000 no match
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6684:6686 transaction 45 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 45, target dead
device gre0 entered promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
audit_printk_skb: 12 callbacks suppressed
audit: type=1400 audit(1513495340.239:39): avc: denied { setopt } for pid=6847 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
devpts: called with bogus options
devpts: called with bogus options
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
tty_warn_deprecated_flags: 'syz-executor1' is using deprecated serial flags (with no effect): 00008000
tty_warn_deprecated_flags: 'syz-executor1' is using deprecated serial flags (with no effect): 00008000
IPVS: Creating netns size=2536 id=12
audit: type=1400 audit(1513495341.369:40): avc: denied { create } for pid=7235 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1513495341.399:41): avc: denied { setopt } for pid=7235 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1513495341.419:42): avc: denied { net_broadcast } for pid=7235 comm="syz-executor3" capability=11 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1513495341.429:43): avc: denied { write } for pid=7235 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1513495341.429:44): avc: denied { read } for pid=7235 comm="syz-executor3" path="socket:[19593]" dev="sockfs" ino=19593 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1513495341.439:45): avc: denied { write } for pid=7267 comm="syz-executor2" name="net" dev="proc" ino=20580 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
audit: type=1400 audit(1513495341.439:46): avc: denied { add_name } for pid=7267 comm="syz-executor2" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
audit: type=1400 audit(1513495341.449:47): avc: denied { create } for pid=7267 comm="syz-executor2" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:insmod_t:s0 tclass=file permissive=1
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
IPVS: Creating netns size=2536 id=13
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 7383 Comm: syz-executor0 Tainted: G B 4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a7337940 ffffffff81d90a29 ffff8801a7337c20 0000000000000000
 ffff8801a65aa410 ffff8801a7337b10 ffff8801a65aa300 ffff8801a7337b38
 ffffffff8165e557 1ffff10034e66f2f ffff8801a7337a90 00000001a989b067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
IPVS: Creating netns size=2536 id=14
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
tmpfs: No value for mount option ' '
tmpfs: No value for mount option ' '
nla_parse: 10 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.