IPVS: Creating netns size=2536 id=5
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/3609
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 3609 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c36976d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d89a9800 0000000000000003 ffff8801c3697718
 ffffffff81df7854 ffff8801c3697730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
IPVS: Creating netns size=2536 id=6
IPVS: Creating netns size=2536 id=7
audit: type=1400 audit(1513074556.580:9): avc: denied { dac_override } for pid=3628 comm="syz-executor6" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
IPVS: Creating netns size=2536 id=8
device gre0 entered promiscuous mode
audit: type=1400 audit(1513074556.680:10): avc: denied { set_context_mgr } for pid=3660 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 3660:3675 ERROR: BC_REGISTER_LOOPER called without request
binder: 3660:3675 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 3660:3675 got reply transaction with no transaction stack
binder: 3660:3675 transaction failed 29201/-71, size 48-16 line 2923
FAULT_FLAG_ALLOW_RETRY missing 30
binder: 3660:3662 ERROR: BC_REGISTER_LOOPER called without request
binder: 3660:3662 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 3660:3662 got reply transaction with no transaction stack
binder: 3660:3662 transaction failed 29201/-71, size 48-16 line 2923
CPU: 0 PID: 3672 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d03878c0 ffffffff81d90889 ffff8801d0387ba0 0000000000000000
 ffff8801cfa8e110 ffff8801d0387a90 ffff8801cfa8e000 ffff8801d0387ab8
 ffffffff8165e497 0000000000006e92 ffff8801d09208f0 ffff8801d09208a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 3672 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d03878c0 ffffffff81d90889 ffff8801d0387ba0 0000000000000000
 ffff8801ce24c110 ffff8801d0387a90 ffff8801ce24c000 ffff8801d0387ab8
 ffffffff8165e497 0000000000006e92 ffff8801d09208f0 ffff8801d09208a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
audit: type=1400 audit(1513074557.080:11): avc: denied { setuid } for pid=3687 comm="syz-executor5" capability=7 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: 3687:3697 ioctl 40046205 6 returned -22
binder: 3687:3697 ioctl 40046205 0 returned -22
binder: 3687:3697 ioctl 40046205 6 returned -22
binder: 3687:3697 ioctl 40046205 0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3687:3700 ioctl 40046207 0 returned -16
syz-executor0 uses obsolete (PF_INET,SOCK_PACKET)
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor7'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
blk_update_request: I/O error, dev loop0, sector 0
blk_update_request: I/O error, dev loop0, sector 255
netlink: 21 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 21 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
capability: warning: `syz-executor0' uses 32-bit capabilities (legacy support in use)
binder: 4016:4021 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 4016 invalid dec weak, ref 7 desc 0 s 1 w 0
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 4016:4029 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 4016:4029 got reply transaction with no transaction stack
binder: 4016:4029 transaction failed 29201/-71, size 0-48 line 2923
IPv6: Can't replace route, no match found
binder: 4016:4021 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 4016:4029 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 4016:4029 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 4016:4029 got reply transaction with no transaction stack
binder: 4016:4029 transaction failed 29201/-71, size 0-48 line 2923
IPv6: Can't replace route, no match found
capability: warning: `syz-executor4' uses deprecated v2 capabilities in a way that may be insecure
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in; program syz-executor7 not setting count and/or reply_len properly
binder: 4232:4236 ioctl 8924 20004fd8 returned -22
binder: 4232:4236 ERROR: BC_REGISTER_LOOPER called without request
binder: 4237:4240 ioctl 40046205 0 returned -22
binder: 4237:4240 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 4232: binder_alloc_buf size 68719476736 failed, no address space
binder: 4237:4240 got transaction to invalid handle
binder: 4237:4240 transaction failed 29201/-22, size 0-8 line 3007
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: 4237:4240 BC_FREE_BUFFER u0000000000000000 no match
binder: invalid inc weak node for 16
binder: 4237:4240 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 4237:4240 got transaction with invalid data ptr
binder: 4237:4240 transaction failed 29201/-14, size 72-8 line 3149
binder: 4237:4240 ioctl c0306201 20005fd0 returned -14
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 15, process died.
binder: 4237:4240 ioctl 40046205 6 returned -22
binder: 4237:4240 ioctl 40046205 0 returned -22
binder: 4237:4240 ERROR: BC_REGISTER_LOOPER called without request
binder: 4237:4240 ioctl c0306201 20008fd0 returned -11
binder: 4237:4240 got transaction to invalid handle
binder: 4237:4240 transaction failed 29201/-22, size 0-8 line 3007
binder: 4237:4240 got reply transaction with no transaction stack
binder: 4237:4240 transaction failed 29201/-71, size 24-8 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 4237:4249 transaction 21 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 21, target dead
binder_alloc: binder_alloc_mmap_handler: 4232 20000000-20002000 already mapped failed -16
binder: 4232:4260 ioctl 8924 20004fd8 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4232:4253 ioctl 40046207 0 returned -16
binder: 4232:4260 ERROR: BC_REGISTER_LOOPER called without request
device gre0 entered promiscuous mode
skbuff: bad partial csum: csum=98/65532 len=113
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder_alloc: 4232: binder_alloc_buf, no vma
binder: 4232:4260 transaction failed 29189/-3, size 68719476736-0 line 3130
binder: 4232:4246 transaction failed 29201/-28, size 68719476736-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=4494 comm=syz-executor7
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=9
IPVS: Creating netns size=2536 id=10
audit_printk_skb: 59 callbacks suppressed
audit: type=1400 audit(1513074561.240:29): avc: denied { ioctl } for pid=4789 comm="syz-executor4" path="socket:[11998]" dev="sockfs" ino=11998 ioctlcmd=0x89e1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
device gre0 entered promiscuous mode
audit: type=1400 audit(1513074561.340:30): avc: denied { getattr } for pid=4815 comm="syz-executor3" path="socket:[12757]" dev="sockfs" ino=12757 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1513074561.380:31): avc: denied { read } for pid=4815 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 4838:4840 BC_DEAD_BINDER_DONE fffffffffffffffd not found
binder: 4838:4840 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4838:4840 ioctl c0306201 2000f000 returned -11
binder: 4838:4840 got transaction with unaligned buffers size, 58534
binder: 4838:4840 transaction failed 29201/-22, size 72-40 line 3175
binder: 4838:4840 ioctl c0306201 20008fd0 returned -14
audit: type=1400 audit(1513074561.490:32): avc: denied { fsetid } for pid=4846 comm="syz-executor7" capability=4 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: 4838:4852 ioctl c0306201 20012000 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4838:4852 ioctl 40046207 0 returned -16
binder: 4838:4840 Release 1 refcount change on invalid ref 0 ret -22
binder: 4838:4852 ioctl c0306201 20008fd0 returned -14
binder: 4838:4840 got transaction with unaligned buffers size, 58534
binder: 4838:4840 transaction failed 29201/-22, size 72-40 line 3175
devpts: called with bogus options
blk_update_request: I/O error, dev loop0, sector 0
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, lost async page write
blk_update_request: I/O error, dev loop0, sector 0
binder: 4931:4933 got transaction with too large buffer
devpts: called with bogus options
binder: 4931:4933 transaction failed 29201/-22, size 80-16 line 3289
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4931:4939 ioctl 40046207 0 returned -16
binder_alloc: 4931: binder_alloc_buf, no vma
binder: 4931:4933 transaction failed 29189/-3, size 80-16 line 3130
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop6, sector 0
Buffer I/O error on dev loop6, logical block 0, lost async page write
binder: 4980:4983 ERROR: BC_REGISTER_LOOPER called without request
binder: release 4980:4983 transaction 36 in, still active
binder: send failed reply for transaction 36 to 4980:4992
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 4980:4983 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 4980: binder_alloc_buf, no vma
binder: 4980:4992 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
keychord: Insufficient bytes present for keycount 10188
keychord: Insufficient bytes present for keycount 10188
audit: type=1400 audit(1513074562.340:33): avc: denied { create } for pid=5082 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1