PF_BRIDGE: RTM_SETLINK with unknown ifindex
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/5006
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 5006 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801d046f6d8 ffffffff81d90889 0000000000000000 ffffffff83c17800
ffffffff83f42ec0 ffff8801a5681800 0000000000000003 ffff8801d046f718
ffffffff81df7854 ffff8801d046f730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
[] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
[] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
[] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
[] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
[] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
[] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
[] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
[] sock_sendmsg_nosec net/socket.c:635 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:645
[] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
[] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
[] SYSC_sendmsg net/socket.c:2013 [inline]
[] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
[] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 5071:5076 BC_FREE_BUFFER u0000000000000000 no match
audit: type=1400 audit(1513075885.062:36): avc: denied { setuid } for pid=5070 comm="syz-executor5" capability=7 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: 5101:5105 ioctl 40046205 0 returned -22
binder: 5101:5105 ERROR: BC_REGISTER_LOOPER called without request
binder: 5101:5105 got transaction to invalid handle
binder: 5101:5105 transaction failed 29201/-22, size 0-16 line 3007
binder: 5101:5105 BC_FREE_BUFFER u0000000000000000 no match
binder: 5101:5105 sending u0000000000000000 node 27, cookie mismatch 0000000000000004 != 0000000000000000
binder: 5101:5105 transaction failed 29201/-22, size 72-8 line 3209
binder: 5101:5105 ioctl c0306201 20005fd0 returned -14
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 5101:5105 BC_FREE_BUFFER u00000000ffffffff no match
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 30, process died.
nla_parse: 17 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 5101:5106 ioctl 40046205 0 returned -22
binder: 5101:5106 ERROR: BC_REGISTER_LOOPER called without request
binder: 5101:5106 ioctl c0306201 20008fd0 returned -11
binder: 5101:5106 got transaction to invalid handle
binder: 5101:5106 transaction failed 29201/-22, size 0-16 line 3007
binder: 5101:5106 BC_FREE_BUFFER u0000000000000000 no match
binder: 5101:5106 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 5101:5106 got transaction to invalid handle
binder: 5101:5106 transaction failed 29201/-22, size 72-8 line 3007
binder: 5101:5106 ioctl c0306201 20005fd0 returned -14
binder: release 5101:5105 transaction 36 out, still active
binder: undelivered TRANSACTION_COMPLETE
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 5147:5150 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 5147:5150 Acquire 1 refcount change on invalid ref 4 ret -22
binder: 5147:5150 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 5147:5150 unknown command 0
binder: 5147:5150 ioctl c0306201 20000fd0 returned -22
binder: 5147:5150 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 5147:5150 Acquire 1 refcount change on invalid ref 4 ret -22
binder: 5147:5150 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 5147:5150 unknown command 0
binder: 5147:5150 ioctl c0306201 20000fd0 returned -22
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 36, target dead
audit: type=1400 audit(1513075885.562:37): avc: denied { sys_ptrace } for pid=5171 comm="ps" capability=19 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=cap_userns permissive=1
device gre0 entered promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1400 audit(1513075885.672:38): avc: denied { create } for pid=5177 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_scsitransport_socket permissive=1
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
IPv6: Can't replace route, no match found IPVS: Creating netns size=2536 id=10 sock: sock_set_timeout: `' (pid 5295) tries to set negative timeout sock: sock_set_timeout: `' (pid 5309) tries to set negative timeout IPVS: Creating netns size=2536 id=11 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=257 sclass=netlink_xfrm_socket pig=5304 comm=syz-executor0 audit: type=1400 audit(1513075886.842:39): avc: denied { bind } for pid=5344 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'. SELinux: unrecognized netlink message: protocol=6 nlmsg_type=257 sclass=netlink_xfrm_socket pig=5362 comm=syz-executor0 9pnet_virtio: no channels available for device H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'. 
9pnet_virtio: no channels available for device H¨
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 5382 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801a73cf480 ffffffff81d90889 ffff8801a73cf760 0000000000000000
ffff8801a7145c10 ffff8801a73cf650 ffff8801a7145b00 ffff8801a73cf678
ffffffff8165e497 0000000000002e46 ffff8801a826b918 ffff8801a826b8a0
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
[] do_anonymous_page mm/memory.c:2747 [inline]
[] handle_pte_fault mm/memory.c:3488 [inline]
[] __handle_mm_fault mm/memory.c:3577 [inline]
[] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
[] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
[] do_ip_setsockopt.isra.12+0x1977/0x2960 net/ipv4/ip_sockglue.c:1151
[] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1240
[] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2736
[] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
[] SYSC_setsockopt net/socket.c:1771 [inline]
[] SyS_setsockopt+0x160/0x250 net/socket.c:1750
[] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 1 PID: 5387 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801a73d78b0 ffffffff81d90889 ffff8801a73d7b90 0000000000000000
ffff8801a7145c10 ffff8801a73d7a80 ffff8801a7145b00 ffff8801a73d7aa8
ffffffff8165e497 0000000000003af1 ffff8801a696d0f0 ffff8801a696d0a0
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
[] do_anonymous_page mm/memory.c:2747 [inline]
[] handle_pte_fault mm/memory.c:3488 [inline]
[] __handle_mm_fault mm/memory.c:3577 [inline]
[] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
[] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
[] entry_SYSCALL_64_fastpath+0x23/0xc6
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
sock: process `syz-executor6' is using obsolete getsockopt SO_BSDCOMPAT
audit: type=1400 audit(1513075888.012:40): avc: denied { connect } for pid=5441 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
audit: type=1400 audit(1513075888.052:41): avc: denied { read } for pid=5440 comm="syz-executor2" path="socket:[13859]" dev="sockfs" ino=13859 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
device lo entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
device lo left promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 5489:5493 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 5489:5493 DecRefs 0 refcount change on invalid ref 30949 ret -22
binder: 5489:5493 unknown command 0
binder: 5489:5493 ioctl c0306201 200b9fd0 returned -22
binder: 5489:5493 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 5489:5493 DecRefs 0 refcount change on invalid ref 30949 ret -22
binder: 5489:5493 unknown command 0
binder: 5489:5493 ioctl c0306201 200b9fd0 returned -22
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
IPVS: Creating netns size=2536 id=12
IPVS: Creating netns size=2536 id=13
keychord: Insufficient bytes present for keycount 18
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, lost async page write
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop4, sector 0
Buffer I/O error on dev loop4, logical block 0, lost async page write
Tx-ring is not supported.
keychord: Insufficient bytes present for keycount 18
VFS: Dirty inode writeback failed for block device loop4 (err=-5).
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
audit: type=1400 audit(1513075889.752:42): avc: denied { bind } for pid=5735 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1513075890.382:43): avc: denied { setpcap } for pid=5810 comm="syz-executor6" capability=8 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
nla_parse: 6 callbacks suppressed
netlink: 17 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 5898:5906 got reply transaction with no transaction stack
binder: 5898:5906 transaction failed 29201/-71, size 2-6181628549 line 2923
binder: 5898:5921 got reply transaction with no transaction stack
binder: 5898:5921 transaction failed 29201/-71, size 2-6181628549 line 2923
device gre0 entered promiscuous mode
audit: type=1400 audit(1513075891.172:44): avc: denied { ioctl } for pid=6002 comm="syz-executor5" path="socket:[14264]" dev="sockfs" ino=14264 ioctlcmd=0x642e scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor5'.
9pnet_virtio: no channels available for device ./control/file0
9pnet_virtio: no channels available for device ./control/file0
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
keychord: unsupported version 0
device lo left promiscuous mode
keychord: unsupported version 0
device gre0 entered promiscuous mode
ƒ: renamed from lo
device gre0 entered promiscuous mode
audit: type=1400 audit(1513075893.242:45): avc: denied { bind } for pid=6667 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 6679 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801d22df710 ffffffff81d90889 ffff8801d22df9f0 0000000000000000
ffff8801a4c8d490 ffff8801d22df8e0 ffff8801a4c8d380 ffff8801d22df908
ffffffff8165e497 0000000000003af1 ffff8801cee720f0 ffff8801cee720a0
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
[] do_anonymous_page mm/memory.c:2747 [inline]
[] handle_pte_fault mm/memory.c:3488 [inline]
[] __handle_mm_fault mm/memory.c:3577 [inline]
[] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
[] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
[] SYSC_select fs/select.c:652 [inline]
[] SyS_select+0x158/0x1e0 fs/select.c:634
[] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 6685 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801cd5a7710 ffffffff81d90889 ffff8801cd5a79f0 0000000000000000
ffff8801a4c8d610 ffff8801cd5a78e0 ffff8801a4c8d500 ffff8801cd5a7908
ffffffff8165e497 0000000000003af1 ffff8801cee768f0 ffff8801cee768a0
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
[] do_anonymous_page mm/memory.c:2747 [inline]
[] handle_pte_fault mm/memory.c:3488 [inline]
[] __handle_mm_fault mm/memory.c:3577 [inline]
[] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
[] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
[] SYSC_select fs/select.c:652 [inline]
[] SyS_select+0x158/0x1e0 fs/select.c:634
[] entry_SYSCALL_64_fastpath+0x23/0xc6
device lo entered promiscuous mode
device lo left promiscuous mode