==================================================================
BUG: KASAN: stack-out-of-bounds in get_frame_pointer arch/x86/include/asm/stacktrace.h:64 [inline] at addr ffff8801d8f6fbb8
BUG: KASAN: stack-out-of-bounds in __unwind_start+0x3a7/0x3c0 arch/x86/kernel/unwind_frame.c:76 at addr ffff8801d8f6fbb8
Read of size 8 by task syz-executor7/9607
page:ffffea000763dbc0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 9607 Comm: syz-executor7 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d25d71a0 ffffffff81d906e9[ 62.678292] binder: 9620:9621 BC_ACQUIRE_DONE node 89 has no pending acquire request
 ffffed003b1edf77 0000000000000008 0000000000000000 ffffed003b1edf77
 ffff8801d8f6fbb8 ffff8801d25d7228 ffffffff8153a833 ffff8801cfd7b000
 ffffffff8389f09e ffffffff810d41b7
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
binder_alloc: binder_alloc_mmap_handler: 9620 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9620:9621 ioctl 40046207 0 returned -16
binder_alloc: 9620: binder_alloc_buf, no vma
binder: 9620:9621 transaction failed 29189/-3, size 80-16 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 9620:9621 transaction 90 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 90, target dead
 [] print_address_description mm/kasan/report.c:208 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x4c3/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] get_frame_pointer arch/x86/include/asm/stacktrace.h:64 [inline]
 [] __unwind_start+0x3a7/0x3c0 arch/x86/kernel/unwind_frame.c:76
 [] unwind_start arch/x86/include/asm/unwind.h:39 [inline]
 [] __save_stack_trace+0x59/0xf0 arch/x86/kernel/stacktrace.c:41
 [] save_stack_trace_tsk+0x48/0x70 arch/x86/kernel/stacktrace.c:71
 [] proc_pid_stack+0x146/0x230 fs/proc/base.c:466
 [] proc_single_show+0xf8/0x170 fs/proc/base.c:768
 [] seq_read+0x32f/0x1290 fs/seq_file.c:240
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] kernel_readv fs/splice.c:363 [inline]
 [] default_file_splice_read+0x43f/0x7a0 fs/splice.c:435
 [] do_splice_to+0x10a/0x160 fs/splice.c:899
 [] splice_direct_to_actor+0x24d/0x800 fs/splice.c:971
 [] do_splice_direct+0x1a7/0x270 fs/splice.c:1080
 [] do_sendfile+0x54b/0xd30 fs/read_write.c:1401
 [] SYSC_sendfile64 fs/read_write.c:1456 [inline]
 [] SyS_sendfile64+0xd1/0x160 fs/read_write.c:1448
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d8f6fa80: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
 ffff8801d8f6fb00: 00 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
>ffff8801d8f6fb80: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
                                        ^
 ffff8801d8f6fc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d8f6fc80: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2
==================================================================
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=9692 comm=syz-executor3
binder: 9689:9693 got transaction with fd, -1, but target does not allow fds
binder: 9689:9693 transaction failed 29201/-1, size 24-8 line 3235
binder_alloc: binder_alloc_mmap_handler: 9689 20000000-20002000 already mapped failed -16
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9689:9693 ioctl 40046207 0 returned -16
binder_alloc: 9689: binder_alloc_buf, no vma
binder: 9689:9694 transaction failed 29189/-3, size 24-8 line 3130
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=9702 comm=syz-executor3
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=9797 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9797 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=9812 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9797 comm=syz-executor1
binder: 9853:9854 got new transaction with bad transaction stack, transaction 100 has target 9853:0
binder: 9853:9854 transaction failed 29201/-71, size 0-72 line 3034
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9853:9883 ioctl 40046207 0 returned -16
binder_alloc: 9853: binder_alloc_buf, no vma
binder: release 9853:9854 transaction 100 out, still active
binder: send failed reply for transaction 100, target dead
binder: 9853:9854 transaction failed 29189/-22, size 0-72 line 3007
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
binder: 9853:9873 transaction failed 29189/-3, size 0-0 line 3130
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 9895 Comm: syz-executor7 Tainted: G B 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a228f930 ffffffff81d906e9 ffff8801a228fc10 0000000000000000
 ffff8801a5da8d10 ffff8801a228fb00 ffff8801a5da8c00 ffff8801a228fb28
 ffffffff8165e307 ffff8801a228fac8 ffff8801a228fa80 00000001d9a6f067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
IPv6: NLM_F_REPLACE set, but no existing node found!
: renamed from syz5
CPU: 1 PID: 9909 Comm: syz-executor7 Tainted: G B 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d231f670 ffffffff81d906e9 ffff8801d231f950 0000000000000000
 ffff8801a5da8d10 ffff8801d231f840 ffff8801a5da8c00 ffff8801d231f868
 ffffffff8165e307 0000000000000000 ffff8801d231f7c0 00000001d9a6f067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] import_iovec+0xc8/0x3c0 lib/iov_iter.c:1243
 [] do_readv_writev+0xd2/0x750 fs/read_write.c:850
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_preadv+0x115/0x1a0 fs/read_write.c:975
 [] SYSC_preadv fs/read_write.c:1025 [inline]
 [] SyS_preadv+0x30/0x40 fs/read_write.c:1020
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
keychord: Insufficient bytes present for keycount 18
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
Tx-ring is not supported.
keychord: Insufficient bytes present for keycount 18
Tx-ring is not supported.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
device gre0 entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
devpts: called with bogus options
device gre0 entered promiscuous mode
devpts: called with bogus options
binder: 10377:10382 ERROR: BC_REGISTER_LOOPER called without request
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10377:10402 ioctl 40046207 0 returned -16
binder: 10377:10382 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 10377: binder_alloc_buf, no vma
binder: 10377:10382 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 10377:10402 transaction 105 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: release 10377:10382 transaction 105 in, still active
binder: send failed reply for transaction 105, target dead
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
device lo entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
device gre0 entered promiscuous mode
binder: 10539:10544 got reply transaction with no transaction stack
binder: 10539:10544 transaction failed 29201/-71, size 0-8 line 2923
binder_alloc: 10539: binder_alloc_buf, no vma
binder: 10539:10556 transaction failed 29189/-3, size 0-0 line 3130
binder_alloc: 10539: binder_alloc_buf, no vma
binder: 10539:10556 transaction failed 29189/-3, size 0-0 line 3130
binder: 10539:10556 ioctl c018620b 2000bfe8 returned -14
binder: undelivered TRANSACTION_ERROR: 29189
binder: 10539:10582 got reply transaction with no transaction stack
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
binder: 10539:10582 transaction failed 29201/-71, size 24-16 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
binder: 10539:10556 got reply transaction with no transaction stack
binder: 10539:10556 transaction failed 29201/-71, size 0-8 line 2923
binder_alloc: 10539: binder_alloc_buf, no vma
binder_alloc: 10539: binder_alloc_buf, no vma
binder: 10539:10544 transaction failed 29189/-3, size 0-0 line 3130
binder: 10539:10582 transaction failed 29189/-3, size 0-0 line 3130
binder: 10539:10544 got reply transaction with no transaction stack
binder: undelivered TRANSACTION_ERROR: 29189
binder: 10539:10544 transaction failed 29201/-71, size 24-16 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10674:10675 ERROR: BC_REGISTER_LOOPER called without request
nla_parse: 6 callbacks suppressed
netlink: 13 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 10674:10681 got reply transaction with no transaction stack
binder: 10674:10681 transaction failed 29201/-71, size 32-8 line 2923
binder_alloc: binder_alloc_mmap_handler: 10674 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10674:10685 ioctl 40046207 0 returned -16
binder: 10674:10681 ERROR: BC_REGISTER_LOOPER called without request
binder: 10674:10685 got reply transaction with no transaction stack
binder: 10674:10685 transaction failed 29201/-71, size 32-8 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
sg_write: data in/out 196569/89 bytes for SCSI command 0x4e-- guessing data in; program syz-executor3 not setting count and/or reply_len properly
device gre0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 31
CPU: 0 PID: 10771 Comm: syz-executor7 Tainted: G B 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a7eb7870 ffffffff81d906e9 ffff8801a7eb7b50 0000000000000000
 ffff8801a39f3c10 ffff8801a7eb7a40 ffff8801a39f3b00 ffff8801a7eb7a68
 ffffffff8165e307 ffff8801a7eb78a0 ffffffff811b890d 0000000006e4f280
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2783 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1f82/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_getrandom drivers/char/random.c:1899 [inline]
 [] SyS_getrandom+0x165/0x2a0 drivers/char/random.c:1880
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 10884:10885 ioctl 40046205 0 returned -22
binder: 10884:10885 ERROR: BC_REGISTER_LOOPER called without request
binder: 10884:10885 unknown command 1400526783
binder: 10884:10885 ioctl c0306201 20002fd0 returned -22
binder: 10884:10885 BC_FREE_BUFFER u0000000000000000 no match
binder: 10884:10885 sending u0000000000000000 node 120, cookie mismatch 0000000000000004 != 0000000000000000
binder: 10884:10885 transaction failed 29201/-22, size 72-8 line 3209
binder: 10899:10900 ioctl 40046205 0 returned -22
binder: 10899:10900 ERROR: BC_REGISTER_LOOPER called without request
loop: Write error at byte offset 0, length 512.
blk_update_request: 9 callbacks suppressed
blk_update_request: I/O error, dev loop4, sector 0
buffer_io_error: 9 callbacks suppressed
Buffer I/O error on dev loop4, logical block 0, lost async page write
binder: 10899:10900 got transaction to invalid handle
binder: 10899:10900 transaction failed 29201/-22, size 0-8 line 3007
binder: 10899:10900 BC_FREE_BUFFER u0000000000000000 no match
binder: 10899:10900 got transaction with invalid offsets ptr
binder: 10899:10900 transaction failed 29201/-14, size 72-8 line 3158
binder: 10899:10900 ioctl c0306201 20005fd0 returned -14
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10899:10900 BC_FREE_BUFFER u00000000ffffffff no match
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 130, process died.
binder: 10899:10900 ioctl 40046205 6 returned -22
binder: 10899:10912 ioctl 40046205 0 returned -22
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 122, process died.
binder: 10884:10895 BC_FREE_BUFFER u00000000ffffffff no match
binder: 10899:10912 ERROR: BC_REGISTER_LOOPER called without request
binder: 10899:10912 ioctl c0306201 20008fd0 returned -11
binder: 10899:10912 unknown command 0
binder: 10899:10912 ioctl c0306201 20002fd0 returned -22
binder: 10899:10900 BC_FREE_BUFFER u0000000000000000 no match
binder: 10899:10900 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 10899:10900 got transaction to invalid handle
binder: 10899:10900 transaction failed 29201/-22, size 72-8 line 3007
binder: 10899:10900 ioctl c0306201 20005fd0 returned -14
binder: 10884:10895 ioctl 40046205 6 returned -22
binder: release 10899:10900 transaction 136 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 136, target dead
binder: 10884:10924 ioctl 40046205 0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10884:10895 ioctl 40046207 0 returned -16
binder: 10884:10924 ERROR: BC_REGISTER_LOOPER called without request
binder: 10884:10924 ioctl c0306201 20008fd0 returned -11
binder_alloc: 10884: binder_alloc_buf, no vma
binder: 10884:10895 transaction failed 29189/-3, size 0-0 line 3130
binder: 10884:10895 unknown command 0
binder: 10884:10895 ioctl c0306201 20002fd0 returned -22
binder: 10884:10895 BC_FREE_BUFFER u0000000000000000 no match
binder: 10884:10895 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 10884:10895 got transaction to invalid handle
binder: 10884:10895 transaction failed 29201/-22, size 72-8 line 3007
binder: 10884:10895 ioctl c0306201 20005fd0 returned -14
binder: undelivered TRANSACTION_ERROR: 29189
binder: 10884:10895 BC_FREE_BUFFER u0000000000000000 no match
netlink: 16 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 10884:10885 ioctl c0306201 20005fd0 returned -14
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=11073 comm=syz-executor5
binder: 11076:11081 got reply transaction with no transaction stack
binder: 11076:11081 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: 11076:11092 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 11076:11092 got transaction to invalid handle
binder: 11076:11092 transaction failed 29201/-22, size 64-32 line 3007
binder: 11076:11104 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 11076:11104 BC_FREE_BUFFER u000000002000c000 no match
binder: 11076:11104 got reply transaction with no transaction stack
binder: 11076:11104 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11076:11109 ioctl 40046207 0 returned -16
binder: 11076:11109 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 11076:11109 got transaction to invalid handle
binder: 11076:11109 transaction failed 29201/-22, size 64-32 line 3007
binder: 11076:11113 BC_INCREFS_DONE uffffffffffffffff no match
binder: 11076:11113 got transaction to invalid handle
binder: 11076:11113 transaction failed 29201/-22, size 40-16 line 3007
binder: undelivered TRANSACTION_ERROR: 29201
binder: 11204:11205 transaction failed 29201/-22, size 255156491150087--17179869184 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11204:11227 ioctl 40046207 0 returned -16
binder_alloc: 11204: binder_alloc_buf, no vma
binder: 11204:11215 transaction failed 29189/-3, size 255156491150087--17179869184 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 11342:11345 tried to acquire reference to desc 0, got 1 instead
binder: 11342:11344 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 11342:11362 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 11342:11345 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: undelivered death notification, 0000000000000000
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 11483 Comm: syz-executor3 Tainted: G B 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d120f8d0 ffffffff81d906e9 ffff8801d120fbb0 0000000000000000
 ffff8801a5da9910 ffff8801d120faa0 ffff8801a5da9800 ffff8801d120fac8
 ffffffff8165e307 ffff8801d120f918 ffff8801d120fa20 00000001a883b067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 11546 Comm: syz-executor3 Tainted: G B 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a445f8a0 ffffffff81d906e9 ffff8801a445fb80 0000000000000000
 ffff8801a5da9610 ffff8801a445fa70 ffff8801a5da9500 ffff8801a445fa98
 ffffffff8165e307 ffff8801cf62f9c0 ffff8801a445f9f0 00000001d9767067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
blk_update_request: I/O error, dev loop7, sector 0
Buffer I/O error on dev loop7, logical block 0, lost async page write
blk_update_request: I/O error, dev loop7, sector 8
Buffer I/O error on dev loop7, logical block 1, lost async page write
blk_update_request: I/O error, dev loop7, sector 16
Buffer I/O error on dev loop7, logical block 2, lost async page write
blk_update_request: I/O error, dev loop7, sector 24
Buffer I/O error on dev loop7, logical block 3, lost async page write
blk_update_request: I/O error, dev loop7, sector 32
Buffer I/O error on dev loop7, logical block 4, lost async page write
blk_update_request: I/O error, dev loop7, sector 40
Buffer I/O error on dev loop7, logical block 5, lost async page write
blk_update_request: I/O error, dev loop7, sector 48
Buffer I/O error on dev loop7, logical block 6, lost async page write
blk_update_request: I/O error, dev loop7, sector 56
Buffer I/O error on dev loop7, logical block 7, lost async page write
blk_update_request: I/O error, dev loop7, sector 64
Buffer I/O error on dev loop7, logical block 8, lost async page write
CPU: 1 PID: 11562 Comm: syz-executor3 Tainted: G B 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a622f9a0 ffffffff81d906e9 ffff8801a622fc80 0000000000000000
 ffff8801a5da9610 ffff8801a622fb70 ffff8801a5da9500 ffff8801a622fb98
 ffffffff8165e307 0000000000000000 ffff8801a622faf0 00000001d9767067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 11764:11767 ioctl 85 20416000 returned -22
binder: 11764:11767 ioctl c018620b 20236fe8 returned -14
binder: 11764:11767 ioctl 800454cf 201e4000 returned -22
binder: 11764:11780 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 11764:11780 Acquire 1 refcount change on invalid ref 4 ret -22
binder: 11764:11780 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 11764:11780 unknown command 0
binder: 11764:11780 ioctl c0306201 20000fd0 returned -22
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 11764:11800 ioctl 85 20416000 returned -22
binder: 11764:11767 ioctl c018620b 20236fe8 returned -14
device gre0 entered promiscuous mode
binder: 11764:11800 ioctl 800454cf 201e4000 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=32228 sclass=netlink_route_socket pig=11937 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=32228 sclass=netlink_route_socket pig=11943 comm=syz-executor0
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 12113 Comm: syz-executor5 Tainted: G B 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a3bbf6b0 ffffffff81d906e9 ffff8801a3bbf990 0000000000000000
 ffff8801cad08b90 ffff8801a3bbf880 ffff8801cad08a80 ffff8801a3bbf8a8
 ffffffff8165e307 0000000000000046 ffff8801a3bbf800 00000001d9a31067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:908
 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892
 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 0 PID: 12131 Comm: syz-executor5 Tainted: G B 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c4d8f6c0 ffffffff81d906e9 ffff8801c4d8f9a0 0000000000000000
 ffff8801cad08b90 ffff8801c4d8f890 ffff8801cad08a80 ffff8801c4d8f8b8
 ffffffff8165e307 1ffff100389b1edc ffff8801c4d8f810 00000001d9a31067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] process_vm_rw+0x1bf/0x210 mm/process_vm_access.c:280
 [] SYSC_process_vm_writev mm/process_vm_access.c:307 [inline]
 [] SyS_process_vm_writev+0x47/0x60 mm/process_vm_access.c:302
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=12238 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=12249 comm=syz-executor3
devpts: called with bogus options
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=62650 sclass=netlink_route_socket pig=12364 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=62650 sclass=netlink_route_socket pig=12364 comm=syz-executor6