[ 128.894151] 9pnet_virtio: no channels available for device H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H H
device gre0 entered promiscuous mode
=====================================
[ BUG: bad unlock balance detected! ]
4.9.67-gf26d3c7 #106 Not tainted
-------------------------------------
syz-executor6/22247 is trying to release lock (mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
2 locks held by syz-executor6/22247:
 #0:  (&f->f_pos_lock){+.+.+.}, at: __fdget_pos+0x9f/0xc0 fs/file.c:781
 #1:  (&p->lock){+.+.+.}, at: seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 22247 Comm: syz-executor6 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d4fdf8e8 ffffffff81d906e9 ffffffff849ae8f8 ffff8801a8059800
 ffffffff834dec54 ffffffff849ae8f8 ffff8801a805a088 ffff8801d4fdf918
 ffffffff812353f4 dffffc0000000000 ffffffff849ae8f8 00000000ffffffff
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 __lock_release kernel/locking/lockdep.c:3540 [inline]
 lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 seq_read+0xa83/0x1290 fs/seq_file.c:283
 proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 do_loop_readv_writev fs/read_write.c:880 [inline]
 do_readv_writev+0x520/0x750 fs/read_write.c:874
 vfs_readv+0x84/0xc0 fs/read_write.c:898
 do_readv+0xe6/0x250 fs/read_write.c:924
 SYSC_readv fs/read_write.c:1011 [inline]
 SyS_readv+0x27/0x30 fs/read_write.c:1008
 entry_SYSCALL_64_fastpath+0x23/0xc6
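What the lockdep report above records, shown as an added userspace model (example code written for this page, not kernel code): ipmr_mfc_seq_stop() decides whether to read_unlock(&mrt_lock) from the iterator's it->cache field, and ipmr_mfc_seq_start() at position 0 hands back SEQ_START_TOKEN without resetting that field. A read that ends part-way through the table leaves it->cache pointing at a line of the mfc cache array; if the same descriptor is then rewound and read into a buffer with room for the header only, seq_read() calls start, show and stop with no next() in between, and stop releases mrt_lock although this read never took it. That is the "trying to release lock (mrt_lock) ... but there are no more locks to release" above; the two locks listed as held (f_pos_lock and p->lock) are seq_read's own and are not the problem. The model replaces the rwlock with a counter that records the spurious unlock, constructs the table contents, and uses a 'fixed' flag for the hardening that clears it->cache in start(), which is what the upstream fix "ip6mr: fix stale iterator" does. All names in the block (model_*, fake_rwlock, struct iter, struct table) are the model's own.

```c
/* Added illustration, not kernel code: a userspace model of the seq_file
 * start/next/stop protocol as the ip6mr /proc iterator uses it.  Every name
 * here is invented; the kernel's own are ipmr_mfc_seq_*, mrt_lock, ipmr_mfc_iter. */
#include <stdbool.h>
#include <stdio.h>

#define MFC_LINES 4                    /* stands in for MFC6_LINES */
#define SEQ_START_TOKEN ((void *)1)

/* Stand-in for mrt_lock: a real rwlock cannot report a spurious unlock, so
 * 'imbalance' counts what lockdep flags as "no more locks to release". */
struct fake_rwlock { int readers; int imbalance; };
static void fake_read_lock(struct fake_rwlock *l) { l->readers++; }
static void fake_read_unlock(struct fake_rwlock *l) { if (l->readers) l->readers--; else l->imbalance++; }

struct line { bool used; };            /* one line of the mfc cache array */
struct table { struct line cache_array[MFC_LINES]; struct fake_rwlock lock; };
/* Per-open iterator, like struct ipmr_mfc_iter: 'cache' names the line whose lock is held, or NULL. */
struct iter { struct table *mrt; struct line *cache; int ct; };

/* Like ipmr_mfc_seq_idx(): take the read lock, walk to the pos-th used line
 * and return it with the lock still held and it->cache naming the line. */
static void *model_idx(struct iter *it, int pos)
{
	fake_read_lock(&it->mrt->lock);
	for (it->ct = 0; it->ct < MFC_LINES; it->ct++) {
		it->cache = &it->mrt->cache_array[it->ct];
		if (it->cache->used && pos-- == 0)
			return it->cache;
	}
	fake_read_unlock(&it->mrt->lock);
	it->cache = NULL;
	return NULL;
}

/* Like ipmr_mfc_seq_start(): pos == 0 returns the header token without
 * touching it->cache.  'fixed' selects the hardened variant that clears it. */
static void *model_start(struct iter *it, struct table *mrt, int pos, bool fixed)
{
	it->mrt = mrt;
	if (fixed) it->cache = NULL;   /* forget where an earlier read stopped */
	return pos ? model_idx(it, pos - 1) : SEQ_START_TOKEN;
}

static void *model_next(struct iter *it, void *v, int *pos)
{
	(*pos)++;
	if (v == SEQ_START_TOKEN)
		return model_idx(it, 0);
	while (++it->ct < MFC_LINES) {
		it->cache = &it->mrt->cache_array[it->ct];
		if (it->cache->used)
			return it->cache;
	}
	fake_read_unlock(&it->mrt->lock);      /* end of table: drop the lock */
	it->cache = NULL;
	return NULL;
}

/* Like ipmr_mfc_seq_stop(): whether to unlock is decided from it->cache
 * alone, so a stale pointer means an unlock that no lock preceded. */
static void model_stop(struct iter *it)
{
	if (it->cache && it->cache == &it->mrt->cache_array[it->ct])
		fake_read_unlock(&it->mrt->lock);
}

/* One read(2) as seq_read() drives it: start, show the first record, then
 * next()/show() while the buffer has room (counted in records), then stop. */
static int model_seq_read(struct iter *it, struct table *mrt, int pos, int room, bool fixed)
{
	void *p = model_start(it, mrt, pos, fixed);
	int shown = p ? 1 : 0;
	while (p && shown < room) {
		p = model_next(it, p, &pos);
		if (p)
			shown++;
	}
	model_stop(it);
	return pos;
}

/* The sequence behind the report: a read that stops mid-table leaves it->cache
 * pointing into cache_array; the descriptor is then rewound and read into a
 * buffer with room for the header only.  Table contents are constructed.
 * Returns the number of unbalanced unlocks: 1 with the stale field, 0 fixed. */
static int run_scenario(bool fixed)
{
	struct table mrt = { .cache_array = { {true}, {true}, {false}, {true} } };
	struct iter it = { NULL, NULL, 0 };          /* seq->private is zeroed at open */

	model_seq_read(&it, &mrt, 0, 2, fixed);      /* header + first entry */
	model_seq_read(&it, &mrt, 0, 1, fixed);      /* after lseek(fd, 0, SEEK_SET) */
	return mrt.lock.imbalance;
}

int main(void)
{
	printf("stale it->cache:    %d unbalanced unlock(s)\n", run_scenario(false));
	printf("cleared in start(): %d unbalanced unlock(s)\n", run_scenario(true));
	return 0;
}
```

Without lockdep the same sequence goes unreported but is not harmless: a read_unlock on an rwlock that this reader never took underflows the reader count, and a writer holding mrt_lock at that moment can lose its exclusion. The general rule the model shows is that a seq_file ->stop must be able to run after ->start with nothing in between, so any state ->stop consults has to be re-established by ->start on every call rather than inherited from the previous read on the same descriptor.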
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=155 sclass=netlink_route_socket pig=22331 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=155 sclass=netlink_route_socket pig=22356 comm=syz-executor7
nla_parse: 6 callbacks suppressed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
IPv6: NLM_F_REPLACE set, but no existing node found!
binder: 22404:22405 got transaction with invalid parent offset or type
binder: 22404:22405 transaction failed 29201/-22, size 80-32 line 3315
device gre0 entered promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22404:22405 ioctl 40046207 0 returned -16
binder_alloc: 22404: binder_alloc_buf, no vma
binder: 22404:22424 transaction failed 29189/-3, size 80-32 line 3130
IPv6: Can't replace route, no match found
device lo left promiscuous mode
IPv6: Can't replace route, no match found
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
device lo left promiscuous mode
sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in;
   program syz-executor0 not setting count and/or reply_len properly
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
device lo left promiscuous mode
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device syz0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 22866:22868 unknown command -769334904
binder: 22866:22868 ioctl c0306201 20011000 returned -22
binder: 22866:22868 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 22866:22868 BC_INCREFS_DONE uffffffffffffffff no match
binder_alloc: 22866: binder_alloc_buf, no vma
binder: 22866:22868 transaction failed 29189/-3, size 80-48 line 3130
binder_alloc: 22866: binder_alloc_buf, no vma
binder: 22866:22886 transaction failed 29189/-3, size 24-40 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22866:22868 ioctl 40046207 0 returned -16
binder: 22866:22868 unknown command -769334904
binder: 22866:22868 ioctl c0306201 20011000 returned -22
binder: 22894:22896 BC_FREE_BUFFER u0000000000000000 no match
binder_alloc: 22894: binder_alloc_buf, no vma
binder: 22894:22896 transaction failed 29189/-3, size 72-8 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22894:22898 ioctl 40046207 0 returned -16
binder: 22866:22888 unknown command 0
binder: 22866:22888 ioctl c0306201 20004000 returned -22
binder: 22894:22896 BC_FREE_BUFFER u0000000000000000 no match
binder_alloc: 22894: binder_alloc_buf, no vma
binder: 22894:22896 transaction failed 29189/-3, size 72-8 line 3130
binder: 22913:22917 BC_FREE_BUFFER u0000000000000000 no match
binder_alloc: 22913: binder_alloc_buf, no vma
binder: 22913:22917 transaction failed 29189/-3, size 72-8 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 22913:22919 ioctl 40046207 0 returned -16
binder: 22913:22917 BC_FREE_BUFFER u0000000000000000 no match
binder_alloc: 22913: binder_alloc_buf, no vma
binder: 22913:22917 transaction failed 29189/-3, size 72-8 line 3130
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=22974 comm=syz-executor7
keychord: keycode 25638 out of range
device syz5 entered promiscuous mode
device gre0 entered promiscuous mode
keychord: keycode 25638 out of range
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=22997 comm=syz-executor7
device gre0 entered promiscuous mode
binder: 23139:23142 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 23139:23142 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: 23139:23142 got reply transaction with bad transaction stack, transaction 308 has target 23139:0
binder: 23139:23142 transaction failed 29201/-71, size 48-56 line 2938
binder: 23139:23155 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 23139:23155 BC_FREE_BUFFER u0000000000000000 no match
binder: tried to use weak ref as strong ref
binder: 23139:23155 got transaction to invalid handle
binder: 23139:23155 transaction failed 29201/-22, size 0-32 line 3007
binder_alloc: binder_alloc_mmap_handler: 23139 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23139:23155 ioctl 40046207 0 returned -16
binder_alloc: 23139: binder_alloc_buf, no vma
binder: 23139:23155 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 23139:23155 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 23139:23155 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: 23139:23155 got reply transaction with no transaction stack
binder: 23139:23155 transaction failed 29201/-71, size 48-56 line 2923
binder: 23139:23166 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 23139:23166 BC_FREE_BUFFER u0000000000000000 no match
binder: 23139:23166 got transaction to invalid handle
binder: 23139:23166 transaction failed 29201/-22, size 0-32 line 3007
binder: 23139:23142 transaction failed 29189/-3, size 80-16 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 23139:23142 transaction 308 out, still active
binder: send failed reply for transaction 308, target dead
: renamed from lo
binder: 23314:23320 ioctl 40086602 ffffffffffff7fff returned -22
binder: 23314:23320 got reply transaction with no transaction stack
binder: 23314:23320 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: 23314:23320 BC_FREE_BUFFER u0000000000000000 no match
binder: 23314:23341 Release 1 refcount change on invalid ref 4 ret -22
binder: 23314:23341 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 23314:23341 Acquire 1 refcount change on invalid ref 2 ret -22
binder: 23314:23341 ERROR: BC_REGISTER_LOOPER called without request
binder: 23314:23341 BC_CLEAR_DEATH_NOTIFICATION invalid ref -2
binder: 23314:23341 BC_FREE_BUFFER u0000000020000000 matched unreturned buffer
binder: 23314:23341 got new transaction with bad transaction stack, transaction 320 has target 23314:0
binder: 23314:23341 transaction failed 29201/-71, size 48-32 line 3034
binder: 23314:23341 ioctl 40086602 ffffffffffff7fff returned -22
binder: 23314:23363 got reply transaction with no transaction stack
binder: 23314:23363 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23314:23352 ioctl 40046207 0 returned -16
binder: 23314:23363 BC_FREE_BUFFER u0000000000000000 no match
binder_alloc: 23314: binder_alloc_buf, no vma
binder: 23314:23352 transaction failed 29189/-3, size 0-0 line 3130
binder: 23314:23352 Release 1 refcount change on invalid ref 4 ret -22
binder: 23314:23352 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 23314:23352 Acquire 1 refcount change on invalid ref 2 ret -22
binder: 23314:23352 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 23314:23341 transaction 320 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 320, target dead
[ 133.673603] IPVS: Creating netns size=2536 id=32
[ 133.724534] blk_update_request: I/O error, dev loop0, sector 0
blk_update_request: I/O error, dev loop0, sector 255
syz-executor5: vmalloc: allocation failure: 17179082768 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 23374 Comm: syz-executor5 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d6a47880 ffffffff81d906e9 1ffff1003ad48f13 ffff8801cc133000
 ffffffff83ab7dc0 0000000000000001 0000000000400000 ffff8801d6a47990
 ffffffff8144ea02 024000c2ed849aa5 0000000041b58ab3 ffffffff841913b5
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 warn_alloc+0x212/0x240 mm/page_alloc.c:3063
 __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 __vmalloc_node mm/vmalloc.c:1744 [inline]
 __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 translate_table+0x2da/0x1cd0 net/ipv4/netfilter/arp_tables.c:549
 do_replace net/ipv4/netfilter/arp_tables.c:986 [inline]
 do_arpt_set_ctl+0x2b7/0x650 net/ipv4/netfilter/arp_tables.c:1465
 nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2736
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x160/0x250 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Mem-Info:
active_anon:105740 inactive_anon:40 isolated_anon:0
 active_file:4013 inactive_file:6963 isolated_file:0
 unevictable:15 dirty:0 writeback:0 unstable:0
 slab_reclaimable:7584 slab_unreclaimable:55980
 mapped:22853 shmem:96 pagetables:735 bounce:0
 free:1428589 free_pcp:461 free_cma:0
blk_update_request: I/O error, dev loop0, sector 0
blk_update_request: I/O error, dev loop0, sector 255
Node 0 active_anon:408620kB inactive_anon:160kB active_file:16060kB inactive_file:27852kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:91452kB dirty:0kB writeback:0kB shmem:324kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 86016kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2910 6411 6411
DMA32 free:2981148kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981844kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:696kB local_pcp:48kB free_cma:0kB
lowmem_reserve[]: 0 0 3501 3501
Normal free:2732916kB min:36816kB low:46020kB high:55224kB active_anon:406508kB inactive_anon:160kB active_file:16096kB inactive_file:27864kB unevictable:0kB writepending:96kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:30380kB slab_unreclaimable:226520kB kernel_stack:5792kB pagetables:2924kB bounce:0kB free_pcp:1080kB local_pcp:500kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
DMA32: 1*4kB (M) 1*8kB (M) 3*16kB (M) 3*32kB (M) 4*64kB (M) 3*128kB (M) 2*256kB (M) 2*512kB (M) 1*1024kB (M) 2*2048kB (M) 726*4096kB (M) = 2981148kB
Normal: 436*4kB (M) 383*8kB (ME) 322*16kB (UME) 563*32kB (UME) 792*64kB (M) 175*128kB (UM) 25*256kB (UM) 9*512kB (UM) 3*1024kB (UM) 3*2048kB (ME) 635*4096kB (M) = 2722248kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
11065 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320236 pages reserved
device gre0 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 23523 Comm: syz-executor5 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ca43f740 ffffffff81d906e9 ffff8801ca43fa20 0000000000000000
 ffff8801cc3d2a10 ffff8801ca43f910 ffff8801cc3d2900 ffff8801ca43f938
 ffffffff8165e307 ffff8801ca43f798 ffff8801ca43f890 00000001a66d4067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 do_fcntl fs/fcntl.c:274 [inline]
 SYSC_fcntl fs/fcntl.c:372 [inline]
 SyS_fcntl+0x8fd/0xc70 fs/fcntl.c:357
 entry_SYSCALL_64_fastpath+0x23/0xc6
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
CPU: 1 PID: 23548 Comm: syz-executor5 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a5297840 ffffffff81d906e9 ffff8801a5297b20 0000000000000000
 ffff8801cc3d2a10 ffff8801a5297a10 ffff8801cc3d2900 ffff8801a5297a38
 ffffffff8165e307 0000000000000000 ffff8801a5297990 00000001a66d4067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 SYSC_fsetxattr fs/xattr.c:504 [inline]
 SyS_fsetxattr+0x130/0x190 fs/xattr.c:493
 entry_SYSCALL_64_fastpath+0x23/0xc6
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
binder: 23613:23616 ioctl 40046205 8 returned -22
binder: binder_mmap: 23613 20476000-20479000 bad vm_flags failed -1
keychord: invalid keycode count 0
keychord: invalid keycode count 0
binder: 23650:23651 got transaction to invalid handle
binder: 23650:23651 transaction failed 29201/-22, size 80-16 line 3007
binder: 23613:23635 got reply transaction with no transaction stack
binder: 23613:23635 transaction failed 29201/-71, size 0-56 line 2923
binder: 23613:23665 ioctl 40046205 8 returned -22
binder: 23650:23663 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 23650:23663 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 23650:23663 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: 23650:23663 got reply transaction with no transaction stack
binder: 23650:23663 transaction failed 29201/-71, size 48-56 line 2923
binder_alloc: binder_alloc_mmap_handler: 23613 20000000-20002000 already mapped failed -16
binder: 23650:23663 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 23650:23663 BC_FREE_BUFFER u0000000000000000 no match
binder: 23650:23663 got transaction to invalid handle
binder: 23650:23663 transaction failed 29201/-22, size 0-32 line 3007
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23613:23665 ioctl 40046207 0 returned -16
binder_alloc: 23613: binder_alloc_buf, no vma
binder: 23613:23668 transaction failed 29189/-3, size 80-16 line 3130
binder: binder_mmap: 23613 20476000-20479000 bad vm_flags failed -1
binder_alloc: binder_alloc_mmap_handler: 23650 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23650:23663 ioctl 40046207 0 returned -16
sock: sock_set_timeout: `syz-executor6' (pid 23681) tries to set negative timeout
binder: 23650:23686 got transaction to invalid handle
binder: 23650:23686 transaction failed 29201/-22, size 80-16 line 3007
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59136 sclass=netlink_route_socket pig=23688 comm=syz-executor4
binder: 23650:23677 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 23650:23677 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 23650:23677 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: 23650:23677 got reply transaction with no transaction stack
binder: 23650:23677 transaction failed 29201/-71, size 48-56 line 2923
binder: 23650:23663 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 23650:23663 BC_FREE_BUFFER u0000000000000000 no match
binder: 23650:23663 got transaction to invalid handle
binder: 23650:23663 transaction failed 29201/-22, size 0-32 line 3007
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 325 to 23613:23635
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
sock: sock_set_timeout: `syz-executor6' (pid 23681) tries to set negative timeout
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59136 sclass=netlink_route_socket pig=23697 comm=syz-executor4
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: 23793:23797 got transaction with invalid offsets ptr
binder: 23793:23797 transaction failed 29201/-14, size 0-4095 line 3158
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 23795 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d11b7860 ffffffff81d906e9 ffff8801d11b7b40 0000000000000000
 ffff8801c76f4410 ffff8801d11b7a30 ffff8801c76f4300 ffff8801d11b7a58
 ffffffff8165e307 0000000000000000 ffff8801d11b79b0 00000001a6564067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 SyS_rt_sigtimedwait+0x2d/0x40 kernel/signal.c:2819
 entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 23783 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c78775d0 ffffffff81d906e9 ffff8801c78778b0 0000000000000000
 ffff8801c76f4410 ffff8801c78777a0 ffff8801c76f4300 ffff8801c78777c8
 ffffffff8165e307 0000000000000000 ffff8801c7877720 00000001a6564067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 23771 Comm: syz-executor2 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cc1ff960 ffffffff81d906e9 ffff8801cc1ffc40 0000000000000000
 ffff8801c76f4410 ffff8801cc1ffb30 ffff8801c76f4300 ffff8801cc1ffb58
 ffffffff8165e307 dffffc0000000000 ffff8801cc1ffab0 00000001a6564067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 entry_SYSCALL_64_fastpath+0x23/0xc6
IPVS: Creating netns size=2536 id=33
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23793:23815 ioctl 40046207 0 returned -16
binder_alloc: 23793: binder_alloc_buf, no vma
binder: 23793:23818 transaction failed 29189/-3, size 0-4095 line 3130
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
device gre0 entered promiscuous mode
tmpfs: No value for mount option 'ij'
tmpfs: No value for mount option 'ij'
binder: 24069:24070 Release 1 refcount change on invalid ref 4 ret -22
binder: 24069:24070 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 24069:24070 Acquire 1 refcount change on invalid ref 2 ret -22
binder: 24069:24070 ERROR: BC_REGISTER_LOOPER called without request
binder: 24069:24070 BC_FREE_BUFFER u0000000000000000 no match
nla_parse: 13 callbacks suppressed
netlink: 6 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 24069:24083 BC_CLEAR_DEATH_NOTIFICATION invalid ref -2
binder: 24069:24083 BC_FREE_BUFFER u0000000020000000 matched unreturned buffer
binder: 24069:24083 got transaction with unaligned buffers size, 3571
binder: 24069:24083 transaction failed 29201/-22, size 48-32 line 3175
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=24092 comm=syz-executor7
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24069:24093 ioctl 40046207 0 returned -16
binder_alloc: 24069: binder_alloc_buf, no vma
binder: 24069:24083 transaction failed 29189/-3, size 0-0 line 3130
binder: 24069:24083 Release 1 refcount change on invalid ref 4 ret -22
binder: 24069:24083 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 24069:24083 Acquire 1 refcount change on invalid ref 2 ret -22
binder: 24069:24083 ERROR: BC_REGISTER_LOOPER called without request
binder: 24069:24083 BC_CLEAR_DEATH_NOTIFICATION invalid ref -2
binder: 24069:24083 BC_FREE_BUFFER u0000000020000000 no match
binder_alloc: 24069: binder_alloc_buf, no vma
binder: 24069:24083 transaction failed 29189/-3, size 48-32 line 3130
tmpfs: No value for mount option 'bYXS[^\ҥ!j9Ԗ^m)D9@ !/KpGz]#aTi[yGJYVҰL/k!n9 GdA2$gIxWi^U$,2&o yyac`{8 SH>':6$PUS;Kr'
tmpfs: No value for mount option 'bYXS[^\ҥ!j9Ԗ^m)D9@ !/KpGz]#aTi[yGJYVҰL/k!n9 GdA2$gIxWi^U$,2&o yyac`{8 SH>':6$PUS;Kr'
binder_alloc: 24069:24070 FREE_BUFFER u0000000020000000 user freed buffer twice
binder: 24069:24070 BC_FREE_BUFFER u0000000020000000 no match
binder: 24069:24070 BC_REQUEST_DEATH_NOTIFICATION invalid ref 3
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 24069:24070 transaction 341 out, still active
binder: undelivered TRANSACTION_COMPLETE
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=24147 comm=syz-executor0
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 341, target dead
sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in;
   program syz-executor5 not setting count and/or reply_len properly
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 24214 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c8817830 ffffffff81d906e9 ffff8801c8817b10 0000000000000000
 ffff8801c76f5790 ffff8801c8817a00 ffff8801c76f5680 ffff8801c8817a28
 ffffffff8165e307 ffff8801db221400 ffff8801c8817980 00000001a86e8067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 SYSC_mq_timedreceive ipc/mqueue.c:1092 [inline]
 SyS_mq_timedreceive+0xcd/0xdb0 ipc/mqueue.c:1077
 entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 24191 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c5ce78c0 ffffffff81d906e9 ffff8801c5ce7ba0 0000000000000000
 ffff8801c76f5790 ffff8801c5ce7a90 ffff8801c76f5680 ffff8801c5ce7ab8
 ffffffff8165e307 0000000000000000 ffff8801c5ce7a10 00000001a86e8067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
CPU: 0 PID: 24180 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a5c6f890 ffffffff81d906e9 ffff8801a5c6fb70 0000000000000000
 ffff8801c76f5790 ffff8801a5c6fa60 ffff8801c76f5680 ffff8801a5c6fa88
 ffffffff8165e307 ffff8801db321418 ffff8801a5c6f9e0 00000001a86e8067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 getname_flags+0x10e/0x580 fs/namei.c:148
 getname+0x19/0x20 fs/namei.c:208
 do_sys_open+0x21d/0x4c0 fs/open.c:1066
 SYSC_openat fs/open.c:1099 [inline]
 SyS_openat+0x30/0x40 fs/open.c:1093
 entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 13 bytes leftover after parsing attributes in process `syz-executor6'.