PF_BRIDGE: RTM_SETLINK with unknown ifindex
=====================================
[ BUG: bad unlock balance detected! ]
4.9.68-gfb66dc2 #107 Not tainted
-------------------------------------
syz-executor1/18833 is trying to release lock ([ 102.742744] IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor1/18833:
 #0:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 1 PID: 18833 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d009f8e8 ffffffff81d90889 ffffffff849ae9f8 ffff8801d8cf1800
 ffffffff834dfc54 ffffffff849ae9f8 ffff8801d8cf2088 ffff8801d009f918
 ffffffff812353f4 dffffc0000000000 ffffffff849ae9f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
PF_BRIDGE: RTM_SETLINK with unknown ifindex
device lo entered promiscuous mode
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
sg_write: data in/out 196569/89 bytes for SCSI command 0x4e-- guessing data in;
   program syz-executor7 not setting count and/or reply_len properly
binder: 18926:18948 ioctl 540f 2034cffc returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 18926:18967 ioctl 40046207 0 returned -16
binder: 18926:18967 ioctl 540f 2034cffc returned -22
device lo left promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 19232:19235 BC_DEAD_BINDER_DONE 0000000000000003 not found
sock: process `syz-executor3' is using obsolete getsockopt SO_BSDCOMPAT
binder: 19232:19235 BC_INCREFS_DONE u000000002011a000 no match
audit: type=1400 audit(1513018900.877:62): avc:  denied  { getopt } for  pid=19236 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
binder: 19232:19241 got transaction with unaligned buffers size, 58534
binder: 19232:19241 transaction failed 29201/-22, size 0-40 line 3175
binder_alloc: binder_alloc_mmap_handler: 19232 2011a000-2051a000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19232:19241 ioctl 40046207 0 returned -16
binder: 19232:19252 unknown command 0
binder: 19232:19252 ioctl c0306201 20004000 returned -22
binder: 19232:19241 ioctl c0306201 2000f000 returned -14
binder_alloc: 19232: binder_alloc_buf, no vma
binder: 19232:19252 transaction failed 29189/-3, size 0-40 line 3130
binder: 19260:19264 transaction failed 29189/-22, size 80-16 line 3007
binder: 19269:19273 got transaction with invalid offset (40, min 0 max 80) or object.
binder: 19269:19273 transaction failed 29201/-22, size 80-8 line 3193
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19269:19273 ioctl 40046207 0 returned -16
binder: 19269:19273 transaction failed 29201/-28, size 0-4629809268588045068 line 3130
binder: binder_mmap: 19269 204c6000-204c7000 bad vm_flags failed -1
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19269:19273 ioctl 40046207 0 returned -16
binder_alloc: binder_alloc_mmap_handler: 19269 20000000-20002000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 19269 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19269:19277 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19269:19277 ioctl 40046207 0 returned -16
binder_alloc: 19269: binder_alloc_buf, no vma
binder: 19269:19273 transaction failed 29189/-3, size 0-4629809268588045068 line 3130
binder_alloc: binder_alloc_mmap_handler: 19260 20000000-20002000 already mapped failed -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19269:19277 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: 19232:19235 unknown command 0
binder: 19232:19235 ioctl c0306201 20004000 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=19371 comm=syz-executor3
tc_dump_action: action bad kind
tc_dump_action: action bad kind
device gre0 entered promiscuous mode
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
binder: 19579:19585 ioctl c0306201 20000fd0 returned -14
nla_parse: 14 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=19638 comm=syz-executor2
device eql entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=19682 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=19682 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=19707 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=19682 comm=syz-executor5
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
program syz-executor5 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
binder: 19795:19796 ioctl 40046205 0 returned -22
binder: 19795:19796 ERROR: BC_REGISTER_LOOPER called without request
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
program syz-executor5 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
binder: 19796 RLIMIT_NICE not set
binder: 19795:19796 got transaction to invalid handle
binder: 19795:19796 transaction failed 29201/-22, size 0-8 line 3007
binder: 19795:19796 BC_FREE_BUFFER u0000000000000000 no match
binder: 19795:19796 got transaction with invalid data ptr
binder: 19795:19796 transaction failed 29201/-14, size 72-8 line 3149
binder: 19795:19796 ioctl c0306201 20005fd0 returned -14
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 19795:19796 ioctl c0306201 20004000 returned -14
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 299, process died.
binder: 19795:19796 ioctl 40046205 6 returned -22
binder: 19795:19808 ioctl 40046205 0 returned -22
binder: 19795:19808 ERROR: BC_REGISTER_LOOPER called without request
binder: 19795:19808 ioctl c0306201 20008fd0 returned -11
binder: 19795:19808 unknown command 0
binder: 19795:19808 ioctl c0306201 20002fd0 returned -22
binder: 19795:19796 BC_FREE_BUFFER u0000000000000000 no match
binder: 19795:19796 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 19795:19796 got transaction to invalid handle
binder: 19795:19796 transaction failed 29201/-22, size 72-8 line 3007
binder: 19795:19796 ioctl c0306201 20005fd0 returned -14
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 305 to 19795:19796
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 19842 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d1d97990 ffffffff81d90889 ffff8801d1d97c70 0000000000000000
 ffff8801cefa3790 ffff8801d1d97b60 ffff8801cefa3680 ffff8801d1d97b88
 ffffffff8165e497 ffff8801d918e000 ffff8801d1d97ae0 00000001ca029067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
sg_write: data in/out 901092476/192 bytes for SCSI command 0x1b-- guessing data in;
   program syz-executor6 not setting count and/or reply_len properly
device gre0 entered promiscuous mode
CPU: 0 PID: 19846 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a79179c0 ffffffff81d90889 ffff8801a7917ca0 0000000000000000
 ffff8801cefa3790 ffff8801a7917b90 ffff8801cefa3680 ffff8801a7917bb8
 ffffffff8165e497 788b98a197c4ed6a ffff8801a7917b10 00000001ca029067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_keyctl security/keys/keyctl.c:1604 [inline]
 [] SyS_keyctl+0x1fb/0x230 security/keys/keyctl.c:1592
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 19842 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d1d97990 ffffffff81d90889 ffff8801d1d97c70 0000000000000000
 ffff8801d0eaed10 ffff8801d1d97b60 ffff8801d0eaec00 ffff8801d1d97b88
 ffffffff8165e497 ffffffff810ec8f0 ffff8801d1d97ae0 00000001a62e9067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 0 PID: 19846 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a79179c0 ffffffff81d90889 ffff8801a7917ca0 0000000000000000
 ffff8801d0eaed10 ffff8801a7917b90 ffff8801d0eaec00 ffff8801a7917bb8
 ffffffff8165e497 788b98a197c4ed6a ffff8801a7917b10 00000001a62e9067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_keyctl security/keys/keyctl.c:1604 [inline]
 [] SyS_keyctl+0x1fb/0x230 security/keys/keyctl.c:1592
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device syz6 entered promiscuous mode
device gre0 entered promiscuous mode
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
device lo entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 20427:20430 got transaction with too large buffer
binder: 20427:20430 transaction failed 29201/-22, size 80-16 line 3289
binder_alloc: binder_alloc_mmap_handler: 20427 20000000-20002000 already mapped failed -16
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 20427:20452 ioctl 40046207 0 returned -16
device gre0 left promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
binder: 21032:21035 ERROR: BC_REGISTER_LOOPER called without request
binder: 21032:21035 ioctl c0306201 20008fd0 returned -11
binder: 21032:21035 got transaction to invalid handle
binder: 21032:21035 transaction failed 29201/-22, size 32-16 line 3007
binder_alloc: binder_alloc_mmap_handler: 21032 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 21032:21035 ioctl 40046207 0 returned -16
binder: 21032:21080 ERROR: BC_REGISTER_LOOPER called without request
binder: 21032:21096 got transaction to invalid handle
binder: 21032:21096 transaction failed 29201/-22, size 32-16 line 3007
binder_alloc: 21032: binder_alloc_buf, no vma
binder: 21032:21080 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 314 to 21032:21035
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 21159 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c2ebf890 ffffffff81d90889 ffff8801c2ebfb70 0000000000000000
 ffff8801d0eae110 ffff8801c2ebfa60 ffff8801d0eae000 ffff8801c2ebfa88
 ffffffff8165e497 ffff8801db321418 ffff8801c2ebf9e0 00000001cbc78067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] getname_flags+0x10e/0x580 fs/namei.c:148
 [] getname+0x19/0x20 fs/namei.c:208
 [] do_sys_open+0x21d/0x4c0 fs/open.c:1066
 [] SYSC_openat fs/open.c:1099 [inline]
 [] SyS_openat+0x30/0x40 fs/open.c:1093
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
nla_parse: 12 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
CPU: 1 PID: 21163 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d75f78b0 ffffffff81d90889 ffff8801d75f7b90 0000000000000000
 ffff8801d0eae110 ffff8801d75f7a80 ffff8801d0eae000 ffff8801d75f7aa8
 ffffffff8165e497 ffffffff83899213 ffff8801d75f7a00 00000001cbc78067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SyS_mq_getsetattr+0x24/0x30 ipc/mqueue.c:1321
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 21159 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c2ebf890 ffffffff81d90889 ffff8801c2ebfb70 0000000000000000
 ffff8801cefa2110 ffff8801c2ebfa60 ffff8801cefa2000 ffff8801c2ebfa88
 ffffffff8165e497 ffff8801ca391f80 ffff8801c2ebf9e0 00000001c260d067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] getname_flags+0x10e/0x580 fs/namei.c:148
 [] getname+0x19/0x20 fs/namei.c:208
 [] do_sys_open+0x21d/0x4c0 fs/open.c:1066
 [] SYSC_openat fs/open.c:1099 [inline]
 [] SyS_openat+0x30/0x40 fs/open.c:1093
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
keychord: keycode 25638 out of range
keychord: keycode 25638 out of range
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 21558:21560 ioctl 40046207 0 returned -16
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
IPVS: Creating netns size=2536 id=25