futex_wake_op: syz-executor4 tries to shift op by -1; fix this program
BUG: Bad rss-counter state mm:00000000fbab8969 idx:0 val:200
BUG: Bad rss-counter state mm:00000000fbab8969 idx:1 val:24
BUG: non-zero pgtables_bytes on freeing mm: 16384
kauditd_printk_skb: 6 callbacks suppressed
audit: type=1400 audit(1513244090.924:998): avc: denied { listen } for pid=7804 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
print_req_error: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, lost async page write
print_req_error: I/O error, dev loop4, sector 2
Buffer I/O error on dev loop4, logical block 1, lost async page write
print_req_error: I/O error, dev loop4, sector 4
Buffer I/O error on dev loop4, logical block 2, lost async page write
print_req_error: I/O error, dev loop4, sector 6
Buffer I/O error on dev loop4, logical block 3, lost async page write
print_req_error: I/O error, dev loop4, sector 8
Buffer I/O error on dev loop4, logical block 4, lost async page write
netlink: 17 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 14 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 14 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1400 audit(1513244091.463:999): avc: denied { setpcap } for pid=8022 comm="syz-executor6" capability=8 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
BUG: Bad rss-counter state mm:000000007df8973d idx:0 val:7
audit: type=1326 audit(1513244091.683:1000): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8131 comm="syz-executor1" exe="/root/syz-executor1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x50000
audit: type=1326 audit(1513244091.683:1001): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8131 comm="syz-executor1" exe="/root/syz-executor1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x50000
audit: type=1326 audit(1513244091.683:1002): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8131 comm="syz-executor1" exe="/root/syz-executor1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x50000
audit: type=1326 audit(1513244091.684:1003): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8131 comm="syz-executor1" exe="/root/syz-executor1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x50000
audit: type=1326 audit(1513244091.684:1004): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8131 comm="syz-executor1" exe="/root/syz-executor1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x50000
audit: type=1326 audit(1513244091.684:1005): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8131 comm="syz-executor1" exe="/root/syz-executor1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x50000
audit: type=1326 audit(1513244091.684:1006): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8131 comm="syz-executor1" exe="/root/syz-executor1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x50000
audit: type=1326 audit(1513244091.684:1007): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8131 comm="syz-executor1" exe="/root/syz-executor1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x50000
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
net_ratelimit: 59 callbacks suppressed
dccp_close: ABORT with 12 bytes unread
SELinux: unknown mount option
dccp_close: ABORT with 12 bytes unread
dccp_close: ABORT with 12 bytes unread
dccp_close: ABORT with 12 bytes unread
dccp_close: ABORT with 12 bytes unread
binder: 8625:8628 ioctl c0a45322 20883000 returned -22
device gre0 entered promiscuous mode
binder: 8625:8628 ioctl c0a45322 20883000 returned -22
dccp_close: ABORT with 12 bytes unread
dccp_close: ABORT with 12 bytes unread
dccp_close: ABORT with 12 bytes unread
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
dccp_close: ABORT with 12 bytes unread
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
dccp_close: ABORT with 12 bytes unread
QAT: Invalid ioctl
QAT: Invalid ioctl
binder: 8934:8936 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 8934:8936 got transaction with invalid parent offset or type
binder: 8934:8936 transaction failed 29201/-22, size 32-16 line 3070
binder: 8934:8936 transaction failed 29201/-22, size 0-0 line 2947
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8934:8942 ioctl 40046207 0 returned -16
binder: 8934:8942 BC_DEAD_BINDER_DONE 0000000000000003 not found
device lo entered promiscuous mode
binder_alloc: 8934: binder_alloc_buf, no vma
binder: 8934:8942 transaction failed 29189/-3, size 32-16 line 2947
binder_alloc: 8934: binder_alloc_buf, no vma
binder: 8934:8936 transaction failed 29189/-3, size 0-0 line 2947
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
QAT: failed to copy from user cfg_data.
device gre0 entered promiscuous mode
QAT: failed to copy from user cfg_data.
binder: 8977:8989 got reply transaction with no transaction stack
binder: 8977:8989 transaction failed 29201/-71, size 32-8 line 2747
binder: 8977:8989 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 8989 RLIMIT_NICE not set
binder: 8977:9007 got new transaction with bad transaction stack, transaction 68 has target 8977:0
binder: 8977:9007 transaction failed 29201/-71, size 0-0 line 2859
binder: send failed reply for transaction 68 to 8977:9007
binder: 8977:9051 got reply transaction with no transaction stack
binder: 8977:9051 transaction failed 29201/-71, size 32-8 line 2747
binder: 8977:9052 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 9052 RLIMIT_NICE not set
binder_alloc: 8977: binder_alloc_buf, no vma
binder: 8977:9050 transaction failed 29189/-3, size 0-0 line 2947
binder_alloc: 8977: binder_alloc_buf, no vma
binder: 8977:9051 transaction failed 29189/-3, size 0-0 line 2947
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
sctp: [Deprecated]: syz-executor4 (pid 9070) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor4 (pid 9073) Use of int in max_burst socket option deprecated.
Use struct sctp_assoc_value instead
Empty option to dns_resolver key
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9250:9251 ioctl 40046207 0 returned -16
binder: binder_mmap: 9250 204c6000-204c7000 bad vm_flags failed -1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9250:9251 ioctl 40046207 0 returned -16
binder: 9250:9251 DecRefs 0 refcount change on invalid ref 4 ret -22
RDS: rds_bind could not find a transport for 172.20.5.187, load rds_tcp or rds_rdma?
binder: 9250:9251 ERROR: BC_REGISTER_LOOPER called without request
RDS: rds_bind could not find a transport for 172.20.5.187, load rds_tcp or rds_rdma?
binder: 9250:9251 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 9250:9251 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 9250:9251 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 9250:9251 DecRefs 0 refcount change on invalid ref 4096 ret -22
binder_alloc: binder_alloc_mmap_handler: 9250 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9250:9272 ioctl 40046207 0 returned -16
binder_alloc: 9250: binder_alloc_buf, no vma
binder: 9250:9280 transaction failed 29189/-3, size 0-0 line 2947
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9250:9272 ioctl 40046207 0 returned -16
binder_alloc: 9250: binder_alloc_buf, no vma
binder: 9250:9280 transaction failed 29189/-3, size 0-0 line 2947
binder: binder_mmap: 9250 204c6000-204c7000 bad vm_flags failed -1
binder: undelivered TRANSACTION_ERROR: 29189
binder: 9250:9280 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 9250:9280 ERROR: BC_REGISTER_LOOPER called without request
binder: 9250:9280 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 9250:9280 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 9250:9280 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 9250:9280 DecRefs 0 refcount change on invalid ref 4096 ret -22
binder: 9250:9280 unknown command 0
binder: 9250:9280 ioctl c0306201 20004fd0 returned -22
binder: 9250:9251 unknown command 0
binder: 9250:9251 ioctl c0306201 20004fd0 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 75, process died.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 'syz-executor1': attribute type 3 has an invalid length.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 'syz-executor1': attribute type 3 has an invalid length.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
autofs4:pid:9482:check_dev_ioctl_version: ioctl control interface version mismatch: kernel(1.1), user(4294967184.2432696575), cmd(0x0000937e)
autofs4:pid:9482:validate_dev_ioctl: invalid device control module version supplied for cmd(0x0000937e)
autofs4:pid:9482:check_dev_ioctl_version: ioctl control interface version mismatch: kernel(1.1), user(4294967184.2432696575), cmd(0x0000937e)
autofs4:pid:9482:validate_dev_ioctl: invalid device control module version supplied for cmd(0x0000937e)
kauditd_printk_skb: 71 callbacks suppressed
audit: type=1400 audit(1513244096.217:1079): avc: denied { read } for pid=9472 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
QAT: Invalid ioctl
QAT: Invalid ioctl
audit: type=1400 audit(1513244096.387:1080): avc: denied { map } for pid=9540 comm="syz-executor3" path="/dev/autofs" dev="devtmpfs" ino=8837 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:autofs_device_t:s0 tclass=chr_file permissive=1
audit: type=1400 audit(1513244096.441:1081): avc: denied { map } for pid=9580 comm="syz-executor0" path="socket:[29293]" dev="sockfs" ino=29293 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dccp_socket permissive=1
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
audit: type=1326 audit(1513244096.547:1082): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9611 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513244096.547:1083): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9611 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513244096.575:1084): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9611 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=16 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513244096.578:1085): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9611 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513244096.578:1086): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9611 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513244096.587:1087): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9611 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=41 compat=0 ip=0x452a39 code=0x7ffc0000
audit: type=1326 audit(1513244096.587:1088): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9611 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x7ffc0000
binder: 9745:9746 BC_INCREFS_DONE u0000000000000000 no match
QAT: Invalid ioctl
binder: 9745:9757 BC_INCREFS_DONE u0000000000000000 no match
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
QAT: Invalid ioctl
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'.
loop: Write error at byte offset 0, length 512.
print_req_error: 2 callbacks suppressed
print_req_error: I/O error, dev loop4, sector 0
buffer_io_error: 2 callbacks suppressed
Buffer I/O error on dev loop4, logical block 0, lost async page write
loop: Write error at byte offset 0, length 512.
print_req_error: I/O error, dev loop4, sector 0
loop: Write error at byte offset 0, length 512.
print_req_error: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, lost async page write
loop: Write error at byte offset 0, length 512.
print_req_error: I/O error, dev loop4, sector 0
sock: process `syz-executor4' is using obsolete getsockopt SO_BSDCOMPAT
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 10147 Comm: syz-executor6 Not tainted 4.15.0-rc3-next-20171214+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe9/0x14b lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x1e5/0x220 lib/fault-inject.c:149
 should_failslab+0x73/0x90 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3372 [inline]
 __do_kmalloc mm/slab.c:3710 [inline]
 __kmalloc+0x63/0x730 mm/slab.c:3721
 kmalloc include/linux/slab.h:521 [inline]
 alloc_msg ipc/msgutil.c:56 [inline]
 load_msg+0x3c/0x1d0 ipc/msgutil.c:91
 prepare_copy ipc/msg.c:934 [inline]
 do_msgrcv+0xed/0x9e0 ipc/msg.c:997
 SYSC_msgrcv ipc/msg.c:1141 [inline]
 SyS_msgrcv+0x3b/0x50 ipc/msg.c:1138
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a39
RSP: 002b:00007fde42999c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000046
RAX: ffffffffffffffda RBX: 00007fde42999aa0 RCX: 0000000000452a39
RDX: 0000000000000fd1 RSI: 000000002053f007 RDI: 0000000000000000
RBP: 00007fde42999a90 R08: 524b970b525d5f5d R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b75fb
R13: 00007fde42999bc8 R14: 00000000004b75fb R15: 0000000000000000
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=10219 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=10219 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10219 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=10219 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=10219 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10232 comm=syz-executor1
Started in network mode
Own node address <192.1287.2275>, network identity 4711
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10329 comm=syz-executor5
QAT: Invalid ioctl
Started in network mode
Own node address <40.2355.3459>, network identity 4711
kvm [10547]: vcpu4, guest rIP: 0xfff0 unimplemented MMIO_CONF_BASE wrmsr: 0x3e2d
sctp: [Deprecated]: syz-executor3 (pid 10566) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor3 (pid 10566) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
kvm [10547]: vcpu4, guest rIP: 0xfff0 unimplemented MMIO_CONF_BASE wrmsr: 0x3e2d
device gre0 entered promiscuous mode