BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:71
in_atomic(): 1, irqs_disabled(): 0, pid: 7153, name: syz-executor4
2 locks held by syz-executor4/7153:
 #0:  (&vcpu->mutex){+.+.}, at: [] vcpu_load+0x1c/0x70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:154
 #1:  (&kvm->srcu){....}, at: [] vcpu_enter_guest arch/x86/kvm/x86.c:7021 [inline]
 #1:  (&kvm->srcu){....}, at: [] vcpu_run arch/x86/kvm/x86.c:7100 [inline]
 #1:  (&kvm->srcu){....}, at: [] kvm_arch_vcpu_ioctl_run+0x1bdd/0x5a30 arch/x86/kvm/x86.c:7261
CPU: 3 PID: 7153 Comm: syz-executor4 Not tainted 4.13.0-next-20170904+ #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6023
 __might_sleep+0x95/0x190 kernel/sched/core.c:5976
 __might_fault+0xab/0x1d0 mm/memory.c:4499
 __copy_from_user include/linux/uaccess.h:71 [inline]
 paging32_walk_addr_generic+0x427/0x1d80 arch/x86/kvm/paging_tmpl.h:369
 paging32_walk_addr arch/x86/kvm/paging_tmpl.h:475 [inline]
 paging32_gva_to_gpa+0xa5/0x230 arch/x86/kvm/paging_tmpl.h:913
 kvm_read_guest_virt_helper+0xd8/0x140 arch/x86/kvm/x86.c:4436
 kvm_read_guest_virt_system+0x3c/0x50 arch/x86/kvm/x86.c:4503
 segmented_read_std+0x10c/0x180 arch/x86/kvm/emulate.c:822
 em_fxrstor+0x27b/0x410 arch/x86/kvm/emulate.c:4025
 x86_emulate_insn+0x55d/0x3cf0 arch/x86/kvm/emulate.c:5483
 x86_emulate_instruction+0x411/0x1ca0 arch/x86/kvm/x86.c:5735
 kvm_mmu_page_fault+0x1b0/0x2f0 arch/x86/kvm/mmu.c:4956
 handle_ept_violation+0x194/0x540 arch/x86/kvm/vmx.c:6502
 vmx_handle_exit+0x24b/0x1a60 arch/x86/kvm/vmx.c:8823
 vcpu_enter_guest arch/x86/kvm/x86.c:7038 [inline]
 vcpu_run arch/x86/kvm/x86.c:7100 [inline]
 kvm_arch_vcpu_ioctl_run+0x1d36/0x5a30 arch/x86/kvm/x86.c:7261
 kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2550
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447299
RSP: 002b:00007f0231c97c08 EFLAGS: 00000296 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 0000000000447299
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000019
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 00000000ffffffff
R13: 0000000000005790 R14: 00000000006e8850 R15: 0000000000000019
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device lo entered promiscuous mode
device gre0 entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
selinux_nlmsg_perm: 5 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7303 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7361 comm=syz-executor5
sctp: [Deprecated]: syz-executor5 (pid 7372) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor5 (pid 7372) Use of int in maxseg socket option. Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor5 (pid 7372) Use of struct sctp_assoc_value in delayed_ack socket option. Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor5 (pid 7372) Use of int in maxseg socket option.
Use struct sctp_sack_info instead
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=53102 sclass=netlink_route_socket pig=8921 comm=syz-executor2
rpcbind: RPC call returned error 22
rpcbind: RPC call returned error 22
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
audit: type=1326 audit(1504541829.149:35): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8967 comm="syz-executor7" exe="/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0x0
audit: type=1326 audit(1504541829.223:36): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8967 comm="syz-executor7" exe="/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0x0
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8 sclass=netlink_route_socket pig=9055 comm=syz-executor4
QAT: Invalid ioctl
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8 sclass=netlink_route_socket pig=9055 comm=syz-executor4
devpts: called with bogus options
devpts: called with bogus options
audit: type=1326 audit(1504541829.751:37): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=9214 comm="syz-executor4" exe="/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
QAT: Invalid ioctl
QAT: Invalid ioctl
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3 sclass=netlink_route_socket pig=9264 comm=syz-executor7
loop_reread_partitions: partition scan of loop0 (-\t@r9hxGQ:[il L*@R-Tr-x) failed (rc=-13)
FAULT_FLAG_ALLOW_RETRY missing 31
CPU: 2 PID: 9445 Comm: syz-executor1 Tainted: G W 4.13.0-next-20170904+ #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 handle_userfault+0x11ec/0x2390 fs/userfaultfd.c:427
 do_anonymous_page mm/memory.c:3135 [inline]
 handle_pte_fault mm/memory.c:3908 [inline]
 __handle_mm_fault+0x3823/0x39c0 mm/memory.c:4034
 handle_mm_fault+0x3bb/0x860 mm/memory.c:4071
 __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1445
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1520
 do_async_page_fault+0x72/0xc0 arch/x86/kernel/kvm.c:266
 async_page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1069
RIP: 0010:copy_user_generic_string+0x2c/0x40 arch/x86/lib/copy_user_64.S:143
RSP: 0018:ffff88003ce67e38 EFLAGS: 00010246
RAX: ffffed00079ccfd5 RBX: 0000000000000008 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff88003ce67ea0 RDI: 0000000020002000
RBP: ffff88003ce67e68 R08: ffffed00079ccfd5 R09: ffffed00079ccfd5
R10: 0000000000000001 R11: ffffed00079ccfd4 R12: 0000000020002000
R13: ffff88003ce67ea0 R14: 00007ffffffff000 R15: 0000000020002008
 copy_to_user include/linux/uaccess.h:154 [inline]
 SYSC_pipe2 fs/pipe.c:846 [inline]
 SyS_pipe2 fs/pipe.c:838 [inline]
 SYSC_pipe fs/pipe.c:862 [inline]
 SyS_pipe+0xfd/0x2e0 fs/pipe.c:860
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447299
RSP: 002b:00007fe6027ebc08 EFLAGS: 00000296 ORIG_RAX: 0000000000000016
RAX: ffffffffffffffda RBX: 0000000020002000 RCX: 0000000000447299
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020002000
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe6027ec9c0 R15: 00007fe6027ec700
FAULT_FLAG_ALLOW_RETRY missing 31
CPU: 0 PID: 9445 Comm: syz-executor1 Tainted: G W 4.13.0-next-20170904+ #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 handle_userfault+0x11ec/0x2390 fs/userfaultfd.c:427
 do_anonymous_page mm/memory.c:3135 [inline]
 handle_pte_fault mm/memory.c:3908 [inline]
 __handle_mm_fault+0x3823/0x39c0 mm/memory.c:4034
 handle_mm_fault+0x3bb/0x860 mm/memory.c:4071
 __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1445
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1520
 do_async_page_fault+0x72/0xc0 arch/x86/kernel/kvm.c:266
 async_page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1069
RIP: 0010:copy_user_generic_string+0x2c/0x40 arch/x86/lib/copy_user_64.S:143
RSP: 0018:ffff88003ce67e38 EFLAGS: 00010246
RAX: ffffed00079ccfd5 RBX: 0000000000000008 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff88003ce67ea0 RDI: 0000000020002000
RBP: ffff88003ce67e68 R08: ffffed00079ccfd5 R09: ffffed00079ccfd5
R10: 0000000000000001 R11: ffffed00079ccfd4 R12: 0000000020002000
R13: ffff88003ce67ea0 R14: 00007ffffffff000 R15: 0000000020002008
 copy_to_user include/linux/uaccess.h:154 [inline]
 SYSC_pipe2 fs/pipe.c:846 [inline]
 SyS_pipe2 fs/pipe.c:838 [inline]
 SYSC_pipe fs/pipe.c:862 [inline]
 SyS_pipe+0xfd/0x2e0 fs/pipe.c:860
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447299
RSP: 002b:00007fe6027ebc08 EFLAGS: 00000296 ORIG_RAX: 0000000000000016
RAX: ffffffffffffffda RBX: 0000000020002000 RCX: 0000000000447299
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020002000
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 00000000ffffffff
R13: 0000000000003d10 R14: 00000000006e6dd0 R15: 0000000000000000
QAT: Invalid ioctl
QAT: Invalid ioctl
sock: process `syz-executor5' is using obsolete getsockopt SO_BSDCOMPAT
Buffer I/O error on dev loop0, logical block 0, async page read
Buffer I/O error on dev loop0, logical block 0, async page read
Invalid ioctl
kvm_hv_set_msr: 18 callbacks suppressed
kvm [9995]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000023 data 0x66c900003b9a1043
kvm [9995]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000022 data 0x66c90000cb211043
kvm [9995]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000020 data 0x66c90000000e1043
QAT: Invalid ioctl
==================================================================
BUG: KASAN: slab-out-of-bounds in __collect_expired_timers include/linux/list.h:729 [inline]
BUG: KASAN: slab-out-of-bounds in collect_expired_timers kernel/time/timer.c:1569 [inline]
BUG: KASAN: slab-out-of-bounds in __run_timers+0xa2e/0xb90 kernel/time/timer.c:1616
Write of size 8 at addr ffff880067b93a08 by task syz-executor2/10059

CPU: 2 PID: 10059 Comm: syz-executor2 Tainted: G W 4.13.0-next-20170904+ #14
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x24e/0x340 mm/kasan/report.c:409
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
 __collect_expired_timers include/linux/list.h:729 [inline]
 collect_expired_timers kernel/time/timer.c:1569 [inline]
 __run_timers+0xa2e/0xb90 kernel/time/timer.c:1616
 run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1646
 __do_softirq+0x2bb/0xbd0 kernel/softirq.c:284
 invoke_softirq kernel/softirq.c:364 [inline]
 irq_exit+0x1d3/0x210 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x177/0x710 arch/x86/kernel/apic/apic.c:1048
 apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:577
RIP: 0010:clear_page_rep+0x7/0x10 arch/x86/lib/clear_page_64.S:19
RSP: 0000:ffff8800559c76f8 EFLAGS: 00010246 ORIG_RAX: ffffffffffffff10
RAX: 0000000000000000 RBX: 00000000000000b8 RCX: 0000000000000130
RDX: 0000000000000000 RSI: ffff8800571280c0 RDI: ffff88004f8b8680
RBP: ffff8800559c7760 R08: 0000000000029190 R09: 0000000000000000
R10: ffffffffffffffe8 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8800571280c0 R14: ffff8800571280c0 R15: ffff8800571280c0
 __do_huge_pmd_anonymous_page mm/huge_memory.c:570 [inline]
 do_huge_pmd_anonymous_page+0x59c/0x1ba0 mm/huge_memory.c:728
 create_huge_pmd mm/memory.c:3802 [inline]
 __handle_mm_fault+0x1827/0x39c0 mm/memory.c:4005
 handle_mm_fault+0x3bb/0x860 mm/memory.c:4071
 __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1445
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1520
 do_async_page_fault+0x72/0xc0 arch/x86/kernel/kvm.c:266
 async_page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1069
RIP: 0033:0x4063ff
RSP: 002b:0000000000a5f8d0 EFLAGS: 00010246
RAX: 00000000208e4000 RBX: 0000000000000006 RCX: 0000000000000006
RDX: 7451d109f3e447c7 RSI: 0000000000000000 RDI: 0000000000c7a840
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000920000001e
R10: 0000000000a5f960 R11: 0000000000000000 R12: fffffffffffffffe
R13: 00000000007080dc R14: 000000000000000f R15: 00000000208e4000

Allocated by task 9738:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc mm/slab.c:3725 [inline]
 __kmalloc+0x162/0x760 mm/slab.c:3734
 kmalloc_array include/linux/slab.h:612 [inline]
 kcalloc include/linux/slab.h:623 [inline]
 __rds_conn_create+0x4cc/0x1870 net/rds/connection.c:176
 rds_conn_create_outgoing+0x3f/0x50 net/rds/connection.c:303
 rds_sendmsg+0xd6c/0x1f90 net/rds/send.c:1108
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:643
 SYSC_sendto+0x358/0x5a0 net/socket.c:1750
 SyS_sendto+0x40/0x50 net/socket.c:1718
 entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 9307:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xca/0x250 mm/slab.c:3820
 kvfree+0x36/0x60 mm/util.c:416
 netdev_freemem net/core/dev.c:7963 [inline]
 free_netdev+0x2cf/0x360 net/core/dev.c:8125
 tun_set_iff drivers/net/tun.c:2091 [inline]
 __tun_chr_ioctl+0x2cf6/0x3d20 drivers/net/tun.c:2262
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2507
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe

The buggy address belongs to the object at ffff880067b90600
 which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 13320 bytes inside of
 16384-byte region [ffff880067b90600, ffff880067b94600)
The buggy address belongs to the page:
page:ffffea00019ee400 count:1 mapcount:0 mapping:ffff880067b90600 index:0x0 compound_mapcount: 0
flags: 0x500000000008100(slab|head)
raw: 0500000000008100 ffff880067b90600 0000000000000000 0000000100000001
raw: ffffea0001a1b620 ffffea0001a29e20 ffff88003e802200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880067b93900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880067b93980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880067b93a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff880067b93a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880067b93b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================