===================================== [ BUG: bad unlock balance detected! ] 4.9.67-gf26d3c7 #106 Not tainted ------------------------------------- syz-executor6/17682 is trying to release lock (mrt_lock[ 126.346324] binder: 17684:17685 ERROR: BC_REGISTER_LOOPER called without request ) at: but there are no more locks to release! other info that might help us debug this: 2 locks held by syz-executor6/17682: #0: (&f->f_pos_lock){+.+.+.}, at: [] __fdget_pos+0x9f/0xc0 fs/file.c:781 #1: (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178 stack backtrace: CPU: 1 PID: 17682 Comm: syz-executor6 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801b77778e8 ffffffff81d906e9 ffffffff849ae8f8 ffff8801ca796000 ffffffff834dec54 ffffffff849ae8f8 ffff8801ca796888 ffff8801b7777918 ffffffff812353f4 dffffc0000000000 ffffffff849ae8f8 00000000ffffffff Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398 [] __lock_release kernel/locking/lockdep.c:3540 [inline] [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline] [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553 [] seq_read+0xa83/0x1290 fs/seq_file.c:283 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 [] entry_SYSCALL_64_fastpath+0x23/0xc6 binder: 17684:17693 transaction failed 29189/-22, size 0-0 line 3007 binder: 17684:17693 BC_ACQUIRE_DONE node 339 has no pending acquire request binder: 17684:17693 got reply transaction with no transaction stack binder: 17684:17693 transaction failed 29201/-71, size 48-40 line 2923 device gre0 entered promiscuous mode binder: 17684:17693 ERROR: BC_REGISTER_LOOPER called without request binder_alloc: 17684: binder_alloc_buf, no vma binder: BINDER_SET_CONTEXT_MGR already set binder: 17684:17693 ioctl 40046207 0 returned -16 binder: 17684:17685 transaction failed 29189/-3, size 0-0 line 3130 binder: 17684:17715 BC_ACQUIRE_DONE u0000000000000000 no match binder: 17684:17715 got reply transaction with no transaction stack binder: 17684:17715 transaction failed 29201/-71, size 48-40 line 2923 device gre0 entered promiscuous mode binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: 17742:17743 ERROR: BC_REGISTER_LOOPER called without request binder: 17746:17747 ERROR: BC_REGISTER_LOOPER called without request binder: 17742:17751 transaction failed 29189/-22, size 0-0 line 3007 binder: 17746:17755 transaction failed 29189/-22, size 0-0 line 3007 binder: 17742:17751 BC_ACQUIRE_DONE node 346 has no pending acquire request binder: 17742:17751 got reply transaction with no transaction stack binder: 17742:17751 transaction failed 29201/-71, size 48-40 line 2923 binder: 17742:17751 ERROR: BC_REGISTER_LOOPER called without request binder: 17746:17758 BC_ACQUIRE_DONE node 350 has no pending acquire request binder: 17746:17758 got reply transaction with no transaction stack binder: 17746:17758 transaction failed 29201/-71, size 48-40 line 2923 binder_alloc: 17742: binder_alloc_buf, no vma binder: 17742:17743 transaction failed 29189/-3, size 0-0 line 3130 binder: BINDER_SET_CONTEXT_MGR already set binder: 17742:17743 ioctl 40046207 0 returned -16 binder: 17742:17751 BC_ACQUIRE_DONE u0000000000000000 no match binder: 17742:17751 got reply transaction with no transaction stack binder: 17742:17751 transaction failed 29201/-71, size 48-40 line 2923 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: 17767:17768 ERROR: BC_REGISTER_LOOPER called without request binder: 17767:17777 transaction failed 29189/-22, size 0-0 line 3007 binder: 17746:17758 ERROR: BC_REGISTER_LOOPER called without request binder_alloc: 17746: binder_alloc_buf, no vma binder: 17746:17747 transaction failed 29189/-3, size 0-0 line 3130 device gre0 entered promiscuous mode binder: BINDER_SET_CONTEXT_MGR already set binder: 17746:17747 ioctl 40046207 0 returned -16 binder: 17767:17777 BC_ACQUIRE_DONE node 358 has no pending acquire request binder: 17767:17777 got reply transaction with no transaction stack binder: 17767:17777 transaction failed 29201/-71, size 48-40 line 2923 binder: 17746:17758 BC_ACQUIRE_DONE u0000000000000000 no match binder: 17746:17758 got reply transaction with no transaction stack binder: 17746:17758 transaction failed 29201/-71, size 48-40 line 2923 binder: 17767:17777 ERROR: BC_REGISTER_LOOPER called without request binder_alloc: 17767: binder_alloc_buf, no vma binder: 17767:17768 transaction failed 29189/-3, size 0-0 line 3130 binder: BINDER_SET_CONTEXT_MGR already set binder: 17767:17768 ioctl 40046207 0 returned -16 binder: 17767:17777 BC_ACQUIRE_DONE u0000000000000000 no match binder: 17767:17777 got reply transaction with no transaction stack binder: 17767:17777 transaction failed 29201/-71, size 48-40 line 2923 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'. binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'. device gre0 entered promiscuous mode netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'. PF_BRIDGE: RTM_SETLINK with unknown ifindex FAULT_FLAG_ALLOW_RETRY missing 30 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 17892 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d6a17670 ffffffff81d906e9 ffff8801d6a17950 0000000000000000 ffff8801c6271c10 ffff8801d6a17840 ffff8801c6271b00 ffff8801d6a17868 ffffffff8165e307 ffff8801db2214a0 ffff8801d6a177c0 00000001cd238067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] do_pselect fs/select.c:688 [inline] [] SYSC_pselect6 fs/select.c:729 [inline] [] SyS_pselect6+0x2ae/0x550 fs/select.c:714 [] entry_SYSCALL_64_fastpath+0x23/0xc6 PF_BRIDGE: RTM_SETLINK with unknown ifindex CPU: 1 PID: 17889 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801b9f97850 ffffffff81d906e9 ffff8801b9f97b30 0000000000000000 ffff8801c6271c10 ffff8801b9f97a20 ffff8801c6271b00 ffff8801b9f97a48 ffffffff8165e307 ffff8801b9f978b8 ffff8801b9f979a0 00000001cd238067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 binder: 17955:17958 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 17955:17958 BC_INCREFS_DONE u000000002011a000 no match binder: 17955:17958 got transaction with invalid parent offset or type binder: 17955:17968 got transaction with unaligned buffers size, 58534 binder: 17955:17968 transaction failed 29201/-22, size 0-40 line 3175 binder: 17955:17958 transaction failed 29201/-22, size 32-24 line 3253 binder: BINDER_SET_CONTEXT_MGR already set binder_alloc: binder_alloc_mmap_handler: 17955 2011a000-2051a000 already mapped failed -16 binder: 17955:17968 ioctl 40046207 0 returned -16 binder_alloc: 17955: binder_alloc_buf, no vma binder: 17955:17958 transaction failed 29189/-3, size 0-40 line 3130 binder: undelivered TRANSACTION_ERROR: 29201 binder: 17993:17994 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 17995:17997 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 17995:17997 BC_INCREFS_DONE u000000002011a000 no match binder: 17995:17997 got transaction with invalid parent offset or type binder: 17995:17997 transaction failed 29201/-22, size 32-24 line 3253 binder: 17995:17997 got transaction with unaligned buffers size, 58534 binder: 17995:17997 transaction failed 29201/-22, size 0-40 line 3175 binder_alloc: binder_alloc_mmap_handler: 17995 2011a000-2051a000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 17995:17999 ioctl 40046207 0 returned -16 binder_alloc: 17995: binder_alloc_buf, no vma binder: 17995:17997 transaction failed 29189/-3, size 0-40 line 3130 binder: 17996:18008 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 17996:18008 BC_INCREFS_DONE u000000002011a000 no match binder: 17996:18008 got transaction with invalid parent offset or type binder: 17996:18008 transaction failed 29201/-22, size 32-24 line 3253 binder: 17996:18008 got transaction with unaligned buffers size, 58534 binder: 17996:18008 transaction failed 29201/-22, size 0-40 line 3175 binder: undelivered TRANSACTION_ERROR: 29201 binder: 18002:18009 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 18002:18009 BC_INCREFS_DONE u000000002011a000 no match binder: 18002:18009 got transaction with invalid parent offset or type binder: 18002:18009 transaction failed 29201/-22, size 32-24 line 3253 binder: 18002:18009 got transaction with unaligned buffers size, 58534 binder: 18002:18009 transaction failed 29201/-22, size 0-40 line 3175 binder_alloc: binder_alloc_mmap_handler: 17996 2011a000-2051a000 already mapped failed -16 binder_alloc: binder_alloc_mmap_handler: 18002 2011a000-2051a000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 17996:18011 ioctl 40046207 0 returned -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 18002:18013 ioctl 40046207 0 returned -16 binder: 17993:18012 got transaction with unaligned buffers size, 58534 binder_alloc: 17996: binder_alloc_buf, no vma binder: 17996:18008 transaction failed 29189/-3, size 0-40 line 3130 binder_alloc: 18002: binder_alloc_buf, no vma binder: 18002:18009 transaction failed 29189/-3, size 0-40 line 3130 binder: undelivered TRANSACTION_ERROR: 29201 binder: undelivered TRANSACTION_ERROR: 29201 binder: 17993:18012 transaction failed 29201/-22, size 0-40 line 3175 binder: BINDER_SET_CONTEXT_MGR already set binder: 17993:18030 ioctl 40046207 0 returned -16 binder_alloc: binder_alloc_mmap_handler: 17993 2011a000-2051a000 already mapped failed -16 binder: 17993:18010 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 17993:18010 BC_INCREFS_DONE u000000002011a000 no match binder_alloc: 17993: binder_alloc_buf, no vma binder: 17993:18010 transaction failed 29189/-3, size 32-24 line 3130 binder_alloc: 17993: binder_alloc_buf, no vma binder: 17993:18010 transaction failed 29189/-3, size 0-40 line 3130 binder: 17993:17994 BC_INCREFS_DONE u000000002011a000 no match binder_alloc: 17993: binder_alloc_buf, no vma binder: 17993:17994 transaction failed 29189/-3, size 32-24 line 3130 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: 18083:18087 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 18083:18087 BC_INCREFS_DONE u000000002011a000 no match binder: 18083:18087 got transaction with invalid parent offset or type binder: 18083:18092 got transaction with unaligned buffers size, 58534 binder: 18083:18092 transaction failed 29201/-22, size 0-40 line 3175 binder: 18083:18087 transaction failed 29201/-22, size 32-24 line 3253 binder: BINDER_SET_CONTEXT_MGR already set binder: 18083:18092 ioctl 40046207 0 returned -16 binder_alloc: binder_alloc_mmap_handler: 18083 2011a000-2051a000 already mapped failed -16 binder_alloc: 18083: binder_alloc_buf, no vma tmpfs: No value for mount option '‹' binder: 18083:18087 transaction failed 29189/-3, size 0-40 line 3130 tmpfs: No value for mount option '‹' binder: undelivered TRANSACTION_ERROR: 29201 tmpfs: No value for mount option '‹' tmpfs: No value for mount option '‹' device gre0 entered promiscuous mode tty_warn_deprecated_flags: 'syz-executor2' is using deprecated serial flags (with no effect): 00008000 device gre0 entered promiscuous mode device gre0 entered promiscuous mode tty_warn_deprecated_flags: 'syz-executor2' is using deprecated serial flags (with no effect): 00008000 device gre0 entered promiscuous mode device gre0 entered promiscuous mode nla_parse: 3 callbacks suppressed netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'. device gre0 entered promiscuous mode tty_warn_deprecated_flags: 'syz-executor2' is using deprecated serial flags (with no effect): 00008000 tty_warn_deprecated_flags: 'syz-executor3' is using deprecated serial flags (with no effect): 00008000 binder: 18296:18297 ioctl 400445a0 20006000 returned -22 binder: 18296:18297 ioctl 5423 20003000 returned -22 netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'. device gre0 entered promiscuous mode binder: 18296:18297 got transaction with invalid offsets ptr binder: 18296:18297 transaction failed 29201/-14, size 0-4095 line 3158 device gre0 entered promiscuous mode tty_warn_deprecated_flags: 'syz-executor2' is using deprecated serial flags (with no effect): 00008000 binder: undelivered TRANSACTION_ERROR: 29201 tty_warn_deprecated_flags: 'syz-executor3' is using deprecated serial flags (with no effect): 00008000 netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'. binder_alloc: 18296: binder_alloc_buf, no vma binder: 18296:18303 transaction failed 29189/-3, size 0-4095 line 3130 binder: BINDER_SET_CONTEXT_MGR already set binder: 18296:18297 ioctl 40046207 0 returned -16 binder: undelivered TRANSACTION_ERROR: 29189 netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'. binder: 18444:18452 got transaction with invalid offset (56, min 72 max 72) or object. device gre0 entered promiscuous mode 9pnet_virtio: no channels available for device ./file0 9pnet_virtio: no channels available for device ./file0 binder: 18444:18452 transaction failed 29201/-22, size 72-32 line 3193 binder_alloc: binder_alloc_mmap_handler: 18444 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 18444:18452 ioctl 40046207 0 returned -16 binder_alloc: 18444: binder_alloc_buf, no vma binder: 18444:18464 transaction failed 29189/-3, size 72-32 line 3130 device gre0 entered promiscuous mode 9pnet_virtio: no channels available for device ./file0 9pnet_virtio: no channels available for device ./file0 device lo left promiscuous mode netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. device lo entered promiscuous mode netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'. scsi_io_completion: 6 callbacks suppressed sd 0:0:1:0: [sg0] tag#489 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK sd 0:0:1:0: [sg0] tag#489 CDB: Test Unit Ready sd 0:0:1:0: [sg0] tag#489 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK sd 0:0:1:0: [sg0] tag#489 CDB: Test Unit Ready sd 0:0:1:0: [sg0] tag#489 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK sd 0:0:1:0: [sg0] tag#489 CDB: Test Unit Ready sd 0:0:1:0: [sg0] tag#489 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#489 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00 device lo left promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. device lo entered promiscuous mode device lo entered promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode device lo left promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device gre0 entered promiscuous mode device lo left promiscuous mode device gre0 left promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 left promiscuous mode device gre0 entered promiscuous mode SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=18934 comm=syz-executor5 device gre0 entered promiscuous mode binder: 19083:19086 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4 binder: 19083:19086 DecRefs 0 refcount change on invalid ref 3 ret -22 binder: 19083:19097 BC_DEAD_BINDER_DONE 0000000000000002 not found binder: 19083:19097 BC_FREE_BUFFER u0000000000000000 no match binder: tried to use weak ref as strong ref binder: 19083:19097 got transaction to invalid handle binder: 19083:19097 transaction failed 29201/-22, size 0-32 line 3007 binder_alloc: binder_alloc_mmap_handler: 19083 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 19083:19097 ioctl 40046207 0 returned -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 19105:19108 ioctl 40046207 0 returned -16 binder: binder_mmap: 19105 204c6000-204c7000 bad vm_flags failed -1 binder: undelivered TRANSACTION_COMPLETE binder: BINDER_SET_CONTEXT_MGR already set binder: 19105:19108 ioctl 40046207 0 returned -16 binder: 19105:19108 DecRefs 0 refcount change on invalid ref 4 ret -22 binder: 19105:19108 ERROR: BC_REGISTER_LOOPER called without request binder: 19105:19108 Acquire 1 refcount change on invalid ref 1 ret -22 binder: 19105:19108 IncRefs 0 refcount change on invalid ref 1 ret -22 binder: 19105:19108 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER binder: 19105:19108 DecRefs 0 refcount change on invalid ref 4096 ret -22 binder: 19105:19108 unknown command 0 binder: 19105:19108 ioctl c0306201 20004fd0 returned -22 binder_alloc: binder_alloc_mmap_handler: 19105 20000000-20002000 already mapped failed -16 binder_alloc: binder_alloc_mmap_handler: 19105 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 19105:19110 ioctl 40046207 0 returned -16 binder_alloc: 19105: binder_alloc_buf, no vma binder: 19105:19108 transaction failed 29189/-3, size 0-0 line 3130 binder: BINDER_SET_CONTEXT_MGR already set binder: 19105:19110 ioctl 40046207 0 returned -16 binder_alloc: 19105: binder_alloc_buf, no vma binder: 19105:19108 transaction failed 29189/-3, size 0-0 line 3130 binder_alloc: 19083: binder_alloc_buf, no vma binder: 19083:19106 transaction failed 29189/-3, size 80-16 line 3130 binder: binder_mmap: 19105 204c6000-204c7000 bad vm_flags failed -1 binder: undelivered TRANSACTION_ERROR: 29189 binder: BINDER_SET_CONTEXT_MGR already set binder: 19105:19110 ioctl 40046207 0 returned -16 binder: undelivered transaction 406, process died. binder: undelivered transaction 405, process died. binder: undelivered TRANSACTION_COMPLETE binder: undelivered TRANSACTION_ERROR: 29189 binder: 19083:19097 BC_DEAD_BINDER_DONE 0000000000000002 not found binder: 19083:19097 BC_FREE_BUFFER u0000000000000000 no match binder: 19083:19097 got transaction to invalid handle binder: 19083:19097 transaction failed 29201/-22, size 0-32 line 3007 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=19135 comm=syz-executor3 device gre0 entered promiscuous mode SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=19141 comm=syz-executor3 binder: 19083:19086 got reply transaction with bad transaction stack, transaction 398 has target 19083:0 binder: 19083:19086 transaction failed 29201/-71, size 48-56 line 2938 binder: release 19083:19086 transaction 398 out, still active binder: send failed reply for transaction 398, target dead SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=19165 comm=syz-executor3 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=19169 comm=syz-executor1 device gre0 entered promiscuous mode device gre0 entered promiscuous mode SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=19179 comm=syz-executor3 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=19180 comm=syz-executor1 device gre0 entered promiscuous mode SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=19275 comm=syz-executor4 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=19275 comm=syz-executor4 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=19282 comm=syz-executor4 device gre0 entered promiscuous mode netlink: 73 bytes leftover after parsing attributes in process `syz-executor6'. device gre0 entered promiscuous mode device gre0 entered promiscuous mode netlink: 73 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. device gre0 entered promiscuous mode netlink: 48 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 48 bytes leftover after parsing attributes in process `syz-executor7'. binder: 19635:19636 ioctl 40286608 5 returned -22 netlink: 48 bytes leftover after parsing attributes in process `syz-executor7'. binder: 19635:19636 ioctl 40046205 3 returned -22 binder: 19635:19636 ioctl 40046205 3 returned -22 binder: 19635:19636 ERROR: BC_REGISTER_LOOPER called without request netlink: 48 bytes leftover after parsing attributes in process `syz-executor7'. binder: 19635:19636 ioctl c0306201 204edfd0 returned -11 binder: 19635:19636 Acquire 1 refcount change on invalid ref 1 ret -22 binder: 19635:19636 got reply transaction with no transaction stack IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready binder: 19635:19636 transaction failed 29201/-71, size 32-8 line 2923 binder: 19635:19636 ioctl 40046205 1000 returned -22 binder: 19635:19636 DecRefs 0 refcount change on invalid ref 1 ret -22 binder: 19635:19636 BC_INCREFS_DONE node 412 has no pending increfs request binder: 19635:19636 ioctl c0306201 2000efd0 returned -11 binder: 19635:19636 ioctl 40286608 5 returned -22 binder: 19635:19659 ioctl 40046205 3 returned -22 binder: 19635:19689 ioctl 40046205 3 returned -22 binder: 19635:19636 Acquire 1 refcount change on invalid ref 1 ret -22 binder: 19635:19689 got reply transaction with no transaction stack binder: 19635:19689 transaction failed 29201/-71, size 32-8 line 2923 device gre0 entered promiscuous mode binder: 19635:19689 ioctl 40046205 1000 returned -22 binder: undelivered TRANSACTION_ERROR: 29201 FAULT_FLAG_ALLOW_RETRY missing 30 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 19714 Comm: syz-executor3 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cac3f5d0 ffffffff81d906e9 ffff8801cac3f8b0 0000000000000000 ffff8801d854a110 ffff8801cac3f7a0 ffff8801d854a000 ffff8801cac3f7c8 ffffffff8165e307 0000000000000000 ffff8801cac3f720 00000001b6175067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 : renamed from syz4 device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode CPU: 1 PID: 19731 Comm: syz-executor3 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801bae8f840 ffffffff81d906e9 ffff8801bae8fb20 0000000000000000 ffff8801d854a110 ffff8801bae8fa10 ffff8801d854a000 ffff8801bae8fa38 ffffffff8165e307 0000000000000000 ffff8801bae8f990 00000001b6175067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] SYSC_fsetxattr fs/xattr.c:504 [inline] [] SyS_fsetxattr+0x130/0x190 fs/xattr.c:493 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 1 PID: 19826 Comm: syz-executor3 Not tainted 4.9.67-gf26d3c7 #106 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801be7075d0 ffffffff81d906e9 ffff8801be7078b0 0000000000000000 ffff8801c6271490 ffff8801be7077a0 ffff8801c6271380 ffff8801be7077c8 ffffffff8165e307 0000000041b58ab3 ffff8801be707720 00000001c89cd067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 device gre0 entered promiscuous mode netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'. IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE IPv6: NLM_F_CREATE should be set when creating new route IPv6: NLM_F_CREATE should be set when creating new route netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'. IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE 9pnet_virtio: no channels available for device ./file0 9pnet_virtio: no channels available for device ./file0 binder: 20029:20032 ioctl 400445a0 20006000 returned -22 binder: 20029:20032 ioctl 5423 20003000 returned -22 binder: 20029:20032 got transaction with invalid offsets ptr binder: 20029:20032 transaction failed 29201/-14, size 0-4095 line 3158 binder: undelivered TRANSACTION_ERROR: 29201 binder: BINDER_SET_CONTEXT_MGR already set binder: 20029:20032 ioctl 40046207 0 returned -16 binder_alloc: 20029: binder_alloc_buf, no vma binder: 20029:20036 transaction failed 29189/-3, size 0-4095 line 3130 binder: undelivered TRANSACTION_ERROR: 29189 9pnet_virtio: no channels available for device ./file0