netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor3/7139
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 7139 Comm: syz-executor3 Not tainted 4.9.74-g9e5dd8e #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801c50bf668 ffffffff81d91d19 0000000000000000 ffffffff83c17a00
ffffffff83f44500 ffff8801c6143000 0000000000000003 ffff8801c50bf6a8
ffffffff81df8cf4 ffff8801c50bf6c0 ffffffff83f44500 dffffc0000000000
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
sg_write: data in/out 458716/2 bytes for SCSI command 0x5f-- guessing data in; program syz-executor2 not setting count and/or reply_len properly
device gre0 entered promiscuous mode
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
device lo entered promiscuous mode
[] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
[] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
[] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
[] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
[] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
[] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
[] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
[] sock_sendmsg_nosec net/socket.c:635 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:645
[] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
[] __sys_sendmsg+0xd6/0x190 net/socket.c:2003
[] C_SYSC_sendmsg net/compat.c:734 [inline]
[] compat_SyS_sendmsg+0x2a/0x40 net/compat.c:732
[] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
[] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
[] entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor3/7163
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 7163 Comm: syz-executor3 Not tainted 4.9.74-g9e5dd8e #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801b4b77668 ffffffff81d91d19 0000000000000000 ffffffff83c17a00
ffffffff83f44500 ffff8801c56d6000 0000000000000003 ffff8801b4b776a8
ffffffff81df8cf4 ffff8801b4b776c0 ffffffff83f44500 dffffc0000000000
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
[] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
[] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
[] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
[] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
[] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
[] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
[] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
[] sock_sendmsg_nosec net/socket.c:635 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:645
[] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
[] __sys_sendmsg+0xd6/0x190 net/socket.c:2003
[] C_SYSC_sendmsg net/compat.c:734 [inline]
[] compat_SyS_sendmsg+0x2a/0x40 net/compat.c:732
[] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
[] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
[] entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124
audit: type=1400 audit(1514973900.737:30): avc: denied { setopt } for pid=7195 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
device syz6 entered promiscuous mode
binder: undelivered transaction 57, process died.
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: binder_alloc_mmap_handler: 7226 20000000-20002000 already mapped failed -16
binder: 7226:7243 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_COMPLETE
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
audit_printk_skb: 3 callbacks suppressed
audit: type=1400 audit(1514973901.497:32): avc: denied { net_broadcast } for pid=7333 comm="syz-executor5" capability=11 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1514973901.557:33): avc: denied { read } for pid=7333 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
device syz7 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7491:7516 ioctl 40046207 0 returned -16
device lo entered promiscuous mode
audit: type=1400 audit(1514973902.577:34): avc: denied { setopt } for pid=7582 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 7593:7594 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 61, process died.
binder: 7593:7594 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 7593: binder_alloc_buf, no vma
binder: 7593:7601 transaction failed 29189/-3, size 0-0 line 3127
binder: 7593:7594 got reply transaction with no transaction stack
binder: 7593:7594 transaction failed 29201/-71, size 32-8 line 2920
binder: 7593:7608 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 7593:7608 BC_INCREFS_DONE u0000000000000000 no match
binder: undelivered TRANSACTION_ERROR: 29189
audit: type=1400 audit(1514973903.157:35): avc: denied { create } for pid=7610 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
netlink: 188 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 7647:7653 got transaction with invalid offset (48, min 0 max 72) or object.
binder: 7647:7653 transaction failed 29201/-22, size 72-8 line 3190
device syz2 entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 7647 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7647:7668 ioctl 40046207 0 returned -16
binder_alloc: 7647: binder_alloc_buf, no vma
binder: 7647:7674 transaction failed 29189/-3, size 72-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device syz2 entered promiscuous mode
audit: type=1400 audit(1514973903.747:36): avc: denied { bind } for pid=7754 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
keychord: keycode 5120 out of range
keychord: keycode 5120 out of range
binder: 7864:7874 ioctl 89f7 20cfffd6 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=7876 comm=syz-executor4
binder: 7864:7874 ioctl 89f7 20cfffd6 returned -22
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
device syz0 entered promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=18877 sclass=netlink_route_socket pig=8507 comm=syz-executor7
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=18877 sclass=netlink_route_socket pig=8529 comm=syz-executor7
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
audit: type=1400 audit(1514973906.627:37): avc: denied { getopt } for pid=8641 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
device gre0 entered promiscuous mode
binder: tried to use weak ref as strong ref
binder: 8667:8675 got transaction with fd, 0, but target does not allow fds
binder: 8667:8675 transaction failed 29201/-1, size 72-24 line 3269
binder_alloc: binder_alloc_mmap_handler: 8667 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8667:8675 ioctl 40046207 0 returned -16
binder_alloc: 8667: binder_alloc_buf, no vma
binder: 8667:8678 transaction failed 29189/-3, size 72-24 line 3127
binder: 8660:8671 got transaction to invalid handle
binder_alloc: binder_alloc_mmap_handler: 8660 20000000-20002000 already mapped failed -16
binder: 8660:8671 transaction failed 29201/-22, size 0-0 line 3004
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8660:8691 ioctl 40046207 0 returned -16
binder: tried to use weak ref as strong ref
binder: 8660:8691 got transaction to invalid handle
binder: 8660:8691 transaction failed 29201/-22, size 0-0 line 3004
binder_alloc: 8660: binder_alloc_buf, no vma
binder: 8660:8686 transaction failed 29189/-3, size 80-16 line 3127
audit: type=1400 audit(1514973906.987:38): avc: denied { write } for pid=8687 comm="syz-executor0" path="socket:[15645]" dev="sockfs" ino=15645 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
binder: release 8660:8671 transaction 71 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: 8717:8723 ERROR: BC_REGISTER_LOOPER called without request
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 71, target dead
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8717:8723 ioctl 40046207 0 returned -16
binder: 8717:8735 ERROR: BC_REGISTER_LOOPER called without request
device syz6 entered promiscuous mode
device gre0 entered promiscuous mode
binder: release 8717:8723 transaction 83 in, still active
binder: send failed reply for transaction 83 to 8717:8735
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
capability: warning: `syz-executor4' uses deprecated v2 capabilities in a way that may be insecure
binder: 9067:9068 tried to acquire reference to desc 0, got 1 instead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9067:9074 ioctl 40046207 0 returned -16
binder: 9067:9074 tried to acquire reference to desc 0, got 1 instead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9067:9068 ioctl 40046207 0 returned -16
audit: type=1400 audit(1514973908.677:39): avc: denied { getattr } for pid=9077 comm="syz-executor1" path="socket:[15201]" dev="sockfs" ino=15201 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
device syz4 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 9120:9132 ioctl c5 20b3e000 returned -22
binder: 9120:9132 ERROR: BC_REGISTER_LOOPER called without request
binder: 9120:9132 ioctl c0306201 20008fd0 returned -11
: renamed from syz5
binder: 9120:9132 ioctl c5 20b3e000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9120:9149 ERROR: BC_REGISTER_LOOPER called without request
binder: 9120:9132 ioctl 40046207 0 returned -16
binder_alloc: 9120: binder_alloc_buf, no vma
binder: 9120:9150 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 90 to 9120:9132
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9227:9241 ioctl 40046207 0 returned -16
audit: type=1400 audit(1514973909.287:40): avc: denied { ioctl } for pid=9242 comm="syz-executor3" path="socket:[15261]" dev="sockfs" ino=15261 ioctlcmd=0x8903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1