IPVS: Creating netns size=2536 id=4
IPVS: Creating netns size=2536 id=5
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/3644
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 3644 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d87df6d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d5d58000 0000000000000003 ffff8801d87df718
[ 53.564694] audit: type=1400 audit(1513075818.327:10): avc: denied { create } for pid=3647 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1513075818.327:11): avc: denied { write } for pid=3647 comm="syz-executor5" path="socket:[11409]" dev="sockfs" ino=11409 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
 ffffffff81df7854 ffff8801d87df730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
IPVS: Creating netns size=2536 id=6
IPVS: Creating netns size=2536 id=7
IPVS: Creating netns size=2536 id=8
device gre0 entered promiscuous mode
device ±BÞÓ*mqÐx”o‡3{© entered promiscuous mode
device ±BÞÓ*mqÐx”o‡3{© left promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1400 audit(1513075818.857:12): avc: denied { execute } for pid=3719 comm="syz-executor4" path="pipe:[11138]" dev="pipefs" ino=11138 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1400 audit(1513075818.937:13): avc: denied { ioctl } for pid=3737 comm="syz-executor6" path="socket:[12449]" dev="sockfs" ino=12449 ioctlcmd=0x8 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
device gre0 entered promiscuous mode
mmap: syz-executor0 (3815) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
syz-executor7 uses obsolete (PF_INET,SOCK_PACKET)
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
mmap: syz-executor5 (3886): VmData 18661376 exceed data ulimit 0. Update limits or use boot option ignore_rlimit_data.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor4'.
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
device gre0 entered promiscuous mode
tty_warn_deprecated_flags: 'syz-executor2' is using deprecated serial flags (with no effect): 00008000
device gre0 entered promiscuous mode
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
tty_warn_deprecated_flags: 'syz-executor2' is using deprecated serial flags (with no effect): 00008000
device syz7 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
device syz7 entered promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=4435 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=4456 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=4488 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=6 sclass=netlink_audit_socket pig=4488 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=4497 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=6 sclass=netlink_audit_socket pig=4488 comm=syz-executor2
device eql entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
keychord: keycode 25638 out of range
IPVS: Creating netns size=2536 id=9
keychord: keycode 25638 out of range
IPVS: Creating netns size=2536 id=10
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=4700 comm=syz-executor0
device gre0 entered promiscuous mode
capability: warning: `syz-executor3' uses deprecated v2 capabilities in a way that may be insecure
handle_userfault: 50 callbacks suppressed
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 4824 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9edf6c0 ffffffff81d90889 ffff8801c9edf9a0 0000000000000000
 ffff8801d663b010 ffff8801c9edf890 ffff8801d663af00 ffff8801c9edf8b8
 ffffffff8165e497 0000000000006e92 ffff8801d0e0e8f0 ffff8801d0e0e8a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] sock_do_ioctl+0x94/0xb0 net/socket.c:899
 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 4871:4872 ioctl 40046205 8 returned -22
audit: type=1400 audit(1513075823.227:29): avc: denied { set_context_mgr } for pid=4871 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1513075823.237:30): avc: denied { call } for pid=4871 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1513075823.237:31): avc: denied { transfer } for pid=4871 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: binder_mmap: 4871 20476000-20479000 bad vm_flags failed -1
binder: 4886:4891 got transaction to invalid handle
binder: 4886:4891 transaction failed 29201/-22, size 32-40 line 3007
binder: 4871:4883 got reply transaction with no transaction stack
binder: 4871:4883 transaction failed 29201/-71, size 0-56 line 2923
binder: 4886:4891 got transaction to invalid handle
binder: 4886:4891 transaction failed 29201/-22, size 32-40 line 3007
binder: 4871:4899 ioctl 40046205 8 returned -22
binder_alloc: binder_alloc_mmap_handler: 4871 20000000-20002000 already mapped failed -16
binder_alloc: 4871: binder_alloc_buf, no vma
binder: 4871:4901 transaction failed 29189/-3, size 80-16 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4871:4899 ioctl 40046207 0 returned -16
binder: binder_mmap: 4871 20476000-20479000 bad vm_flags failed -1
binder: 4871:4902 got reply transaction with no transaction stack
binder: 4871:4902 transaction failed 29201/-71, size 0-56 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 4871:4883 transaction 2 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 2, target dead
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 4797 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c7a4f8a0 ffffffff81d90889 ffff8801c7a4fb80 0000000000000000
 ffff8801d663b010 ffff8801c7a4fa70 ffff8801d663af00 ffff8801c7a4fa98
 ffffffff8165e497 0000000000006e92 ffff8801c7a408f0 ffff8801c7a408a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 1 PID: 4805 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cbd3f900 ffffffff81d90889 ffff8801cbd3fbe0 0000000000000000
 ffff8801d663b010 ffff8801cbd3fad0 ffff8801d663af00 ffff8801cbd3faf8
 ffffffff8165e497 0000000000006e92 ffff8801c7a468f0 ffff8801c7a468a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_seccomp kernel/seccomp.c:809 [inline]
 [] SyS_seccomp+0x24/0x30 kernel/seccomp.c:806
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
sock: process `syz-executor5' is using obsolete setsockopt SO_BSDCOMPAT
nla_parse: 16 callbacks suppressed
netlink: 13 bytes leftover after parsing attributes in process `syz-executor6'.
capability: warning: `syz-executor3' uses 32-bit capabilities (legacy support in use)
netlink: 13 bytes leftover after parsing attributes in process `syz-executor6'.
audit: type=1400 audit(1513075824.367:32): avc: denied { create } for pid=5037 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
device eql entered promiscuous mode
skbuff: bad partial csum: csum=65534/0 len=32
audit: type=1400 audit(1513075824.587:33): avc: denied { attach_queue } for pid=5109 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=tun_socket permissive=1
audit: type=1400 audit(1513075824.627:34): avc: denied { create } for pid=5118 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 5123 Comm: syz-executor3 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d01cf920 ffffffff81d90889 ffff8801d01cfc00 0000000000000000
 ffff8801d663b490
[ 59.940123] netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
 ffff8801d01cfaf0 ffff8801d663b380 ffff8801d01cfb18
 ffffffff8165e497 0000000000006e92 ffff8801cfab50f0 ffff8801cfab50a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 5163:5164 ERROR: BC_REGISTER_LOOPER called without request
binder: 5163:5164 got reply with fd, -1, but target does not allow fds
binder: 5163:5164 transaction failed 29201/-1, size 24-8 line 3235
binder: send failed reply for transaction 11 to 5163:5176
device gre0 entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 5163 20000000-20002000 already mapped failed -16
binder: 5163:5176 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5163:5164 ioctl 40046207 0 returned -16
binder_alloc: 5163: binder_alloc_buf, no vma
binder: 5163:5176 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29190
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=5187 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=5187 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=5206 comm=syz-executor2
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
selinux_nlmsg_perm: 1 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=5483 comm=syz-executor1
binder: 5564:5565 ioctl c0306201 20008fd0 returned -14
binder: 5564:5565 ioctl c018620b 20000fe8 returned -14
binder_alloc: binder_alloc_mmap_handler: 5564 20000000-20002000 already mapped failed -16
binder: 5564:5571 ioctl 8924 20002000 returned -22
binder: 5564:5571 ioctl c0306201 20008fd0 returned -14
binder: 5564:5571 ioctl c018620b 20000fe8 returned -14
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=11
program syz-executor7 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor7 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
device gre0 entered promiscuous mode
devpts: called with bogus options
netlink: 21 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 21 bytes leftover after parsing attributes in process `syz-executor3'.
devpts: called with bogus options
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5861:5863 ioctl 40046207 0 returned -16
binder: 5861:5863 ioctl 40046205 101 returned -22
binder: BC_ATTEMPT_ACQUIRE not supported
binder: 5861:5863 ioctl c0306201 20002fd0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5861:5863 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5861:5868 ioctl 40046207 0 returned -16
binder: 5861:5870 ioctl 40046205 101 returned -22
binder: BC_ATTEMPT_ACQUIRE not supported
binder: 5861:5868 ioctl c0306201 20002fd0 returned -22
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0