=====================================
[ BUG: bad unlock balance detected! ]
4.9.69-g3f1d77c #108 Not tainted
-------------------------------------
syz-executor0/5334 is trying to release lock (
[ 35.119039] binder: 5350:5352 ioctl 85 20416000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5350:5352 ioctl 40046207 0 returned -16
binder: 5350:5352 ioctl c0306201 2004f000 returned -14
binder: 5350:5352 ioctl c018620b 20088000 returned -14
binder: 5350:5352 ioctl c0306201 204ef000 returned -14
binder: 5350:5355 ioctl 85 20416000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5350:5355 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5350:5352 ioctl 40046207 0 returned -16
binder: 5350:5355 ioctl c0306201 2004f000 returned -14
binder: 5350:5352 ioctl c018620b 20088000 returned -14
binder: 5350:5352 ioctl c0306201 204ef000 returned -14
mrt_lock) at:
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz-executor0/5334:
 #0:  (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x1290 fs/seq_file.c:178

stack backtrace:
CPU: 0 PID: 5334 Comm: syz-executor0 Not tainted 4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9abf8e8 ffffffff81d90a29 ffffffff849ae9f8 ffff8801c755c800
 ffffffff834dfd74 ffffffff849ae9f8 ffff8801c755d088 ffff8801c9abf918
 ffffffff81235404 dffffc0000000000 ffffffff849ae9f8 00000000ffffffff
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_unlock_imbalance_bug+0x174/0x1a0 kernel/locking/lockdep.c:3398
 [] __lock_release kernel/locking/lockdep.c:3540 [inline]
 [] lock_release+0x6f8/0xb80 kernel/locking/lockdep.c:3775
 [] __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
 [] seq_read+0xa83/0x1290 fs/seq_file.c:283
 [] proc_reg_read+0xef/0x170 fs/proc/inode.c:202
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder_alloc: 5369: binder_alloc_buf, no vma
binder: 5369:5376 transaction failed 29189/-3, size 0-0 line 3130
binder: 5369:5389 BC_ACQUIRE_DONE node 31 has no pending acquire request
binder: 5369:5389 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
binder: 5369:5389 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 5369:5389 ERROR: BC_REGISTER_LOOPER called without request
binder: 5369:5389 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5369:5389 ioctl 40046207 0 returned -16
binder_alloc: 5369: binder_alloc_buf, no vma
binder: 5369:5389 transaction failed 29189/-3, size 0-0 line 3130
binder: 5369:5401 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 5369:5401 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
binder: 5369:5401 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 5369:5401 ERROR: BC_REGISTER_LOOPER called without request
binder: 5369:5401 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: 5369:5401 ioctl c0306201 20000000 returned -11
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
capability: warning: `syz-executor5' uses deprecated v2 capabilities in a way that may be insecure
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
audit: type=1400 audit(1513561280.586:40): avc: denied { fsetid } for pid=5641 comm="syz-executor5" capability=4 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: 5650:5651 ioctl 40046205 0 returned -22
binder: 5650:5651 got transaction to invalid handle
binder: 5650:5651 transaction failed 29201/-22, size 48-16 line 3007
binder: 5650:5651 got transaction with invalid data ptr
binder: 5650:5651 transaction failed 29201/-14, size 56-0 line 3149
binder: 5650:5651 unknown command 1400526783
binder: 5650:5651 ioctl c0306201 20002fd0 returned -22
binder: 5650:5651 Acquire 1 refcount change on invalid ref 2 ret -22
binder: 5650:5651 ioctl 40046205 6 returned -22
binder: 5650:5651 ioctl 40046205 0 returned -22
binder: 5650:5651 got transaction to invalid handle
binder: 5650:5651 transaction failed 29201/-22, size 48-16 line 3007
binder: 5650:5653 got transaction with invalid data ptr
binder: 5650:5653 transaction failed 29201/-14, size 56-0 line 3149
binder: 5650:5651 BC_INCREFS_DONE uffffffffffffffff no match
binder: 5650:5651 got reply transaction with no transaction stack
binder: 5650:5651 transaction failed 29201/-71, size 88-40 line 2923
binder: 5650:5651 unknown command 1400526783
binder: 5650:5651 ioctl c0306201 20002fd0 returned -22
binder: 5650:5651 Acquire 1 refcount change on invalid ref 2 ret -22
binder: undelivered TRANSACTION_ERROR: 29201
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 5671 Comm: syz-executor1 Not tainted 4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d9b87990 ffffffff81d90a29 ffff8801d9b87c70 0000000000000000
 ffff8801a8d93a90 ffff8801d9b87b60 ffff8801a8d93980 ffff8801d9b87b88
 ffffffff8165e557 ffff8801cda00000 ffff8801d9b87ae0 00000001cf9b4067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 5656 Comm: syz-executor1 Not tainted 4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cda17710 ffffffff81d90a29 ffff8801cda179f0 0000000000000000
 ffff8801a8d93a90 ffff8801cda178e0 ffff8801a8d93980 ffff8801cda17908
 ffffffff8165e557 ffffffff8144807e ffff8801cda17860 00000001cf9b4067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_select fs/select.c:652 [inline]
 [] SyS_select+0x158/0x1e0 fs/select.c:634
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 6 bytes leftover after parsing attributes in process `syz-executor7'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
binder: 5856:5858 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 5856:5858 got transaction to invalid handle
binder: 5856:5858 transaction failed 29201/-22, size 24-16 line 3007
netlink: 6 bytes leftover after parsing attributes in process `syz-executor7'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
binder: 5856:5858 unknown command 536907575
binder: 5856:5867 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 5856:5858 ioctl c0306201 20008fd0 returned -22
binder: 5856:5858 unknown command 1986356271
binder: 5856:5858 ioctl c0306201 20003fd0 returned -22
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 5856:5883 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 5856:5883 Release 1 refcount change on invalid ref 0 ret -22
binder: 5856:5883 got transaction to invalid handle
binder: 5856:5883 transaction failed 29201/-22, size 24-16 line 3007
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
device syz6 entered promiscuous mode
binder: undelivered death notification, 0000000000000000
binder: 5937:5942 got reply transaction with no transaction stack
binder: 5937:5942 transaction failed 29201/-71, size 0-6181628549 line 2923
binder: 5937:5953 BC_INCREFS_DONE u0000000000000000 node 48 cookie mismatch 0000000000000003 != 0000000000000000
binder: 5937:5953 got transaction to invalid handle
binder: 5937:5953 transaction failed 29201/-22, size 40-16 line 3007
binder: 5937:5977 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 5937:5992 unknown command 0
binder: 5937:5992 ioctl c0306201 20004000 returned -22
binder: 6003:6004 ioctl 85 20416000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5937:5977 ioctl 40046207 0 returned -16
binder: 5937:5977 BC_INCREFS_DONE u0000000000000000 no match
binder: 5937:5977 got transaction to invalid handle
binder: 5937:5977 transaction failed 29201/-22, size 40-16 line 3007
binder_alloc: 5937: binder_alloc_buf, no vma
binder: 5937:5992 transaction failed 29189/-3, size 0-0 line 3130
binder: 6003:6014 ioctl c0306201 2004f000 returned -14
binder: 6003:6014 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 6003:6014 Acquire 1 refcount change on invalid ref 4 ret -22
binder: 6003:6014 unknown command 0
binder: 6003:6014 ioctl c0306201 20000fd0 returned -22
binder: 6003:6015 ioctl 85 20416000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6003:6015 ioctl 40046207 0 returned -16
binder: 6003:6015 ioctl c0306201 2004f000 returned -14
binder: release 5937:5942 transaction 50 in, still active
binder: send failed reply for transaction 50 to 5937:5953
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: binder_alloc_mmap_handler: 6122 20000000-20002000 already mapped failed -16
IPVS: Creating netns size=2536 id=9
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6135 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6135 comm=syz-executor1
==================================================================
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2453/0x2830 net/xfrm/xfrm_state.c:822 at addr ffff8801c35c78b0
Read of size 4 by task syz-executor2/6185
page:ffffea00070d71c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 6185 Comm: syz-executor2 Not tainted 4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c35c6ef8 ffffffff81d90a29 ffffed00386b8f16 0000000000000004
 0000000000000000 ffffed00386b8f16 ffff8801c35c78b0 ffff8801c35c6f80
 ffffffff8153a9c3 0000000000000000 0000000000000002 ffffffff833d1a63
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description mm/kasan/report.c:208 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x4c3/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:329 [inline]
 [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [] xfrm_state_find+0x2453/0x2830 net/xfrm/xfrm_state.c:822
 [] xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1476 [inline]
 [] xfrm_tmpl_resolve+0x298/0xa90 net/xfrm/xfrm_policy.c:1520
 [] xfrm_resolve_and_create_bundle+0xd7/0x1d90 net/xfrm/xfrm_policy.c:1868
 [] xfrm_lookup+0x984/0xbf0 net/xfrm/xfrm_policy.c:2222
 [] xfrm_lookup_route+0x39/0x1a0 net/xfrm/xfrm_policy.c:2344
 [] ip_route_output_flow+0x7f/0xa0 net/ipv4/route.c:2435
 [] udp_sendmsg+0xe36/0x1c10 net/ipv4/udp.c:1023
 [] udpv6_sendmsg+0x588/0x2540 net/ipv6/udp.c:1086
 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [] SyS_sendto+0x40/0x50 net/socket.c:1638
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c35c7780: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
 ffff8801c35c7800: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00
>ffff8801c35c7880: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00
                                     ^
 ffff8801c35c7900: 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
 ffff8801c35c7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:90 [inline] at addr ffff8801c35c78b0
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:60 [inline] at addr ffff8801c35c78b0
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0xc9b/0x2830 net/xfrm/xfrm_state.c:822 at addr ffff8801c35c78b0
Read of size 4 by task syz-executor2/6185
page:ffffea00070d71c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 6185 Comm: syz-executor2 Tainted: G    B   4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c35c6ef8 ffffffff81d90a29 ffffed00386b8f16 0000000000000004
 0000000000000000 ffffed00386b8f16 ffff8801c35c78b0 ffff8801c35c6f80
 ffffffff8153a9c3 0000000000000010 0000000000000000 ffffffff833d02ab
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description mm/kasan/report.c:208 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x4c3/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:329 [inline]
 [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [] __xfrm_dst_hash net/xfrm/xfrm_hash.h:90 [inline]
 [] xfrm_dst_hash net/xfrm/xfrm_state.c:60 [inline]
 [] xfrm_state_find+0xc9b/0x2830 net/xfrm/xfrm_state.c:822
 [] xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1476 [inline]
 [] xfrm_tmpl_resolve+0x298/0xa90 net/xfrm/xfrm_policy.c:1520
 [] xfrm_resolve_and_create_bundle+0xd7/0x1d90 net/xfrm/xfrm_policy.c:1868
 [] xfrm_lookup+0x984/0xbf0 net/xfrm/xfrm_policy.c:2222
 [] xfrm_lookup_route+0x39/0x1a0 net/xfrm/xfrm_policy.c:2344
 [] ip_route_output_flow+0x7f/0xa0 net/ipv4/route.c:2435
 [] udp_sendmsg+0xe36/0x1c10 net/ipv4/udp.c:1023
 [] udpv6_sendmsg+0x588/0x2540 net/ipv6/udp.c:1086
 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [] SyS_sendto+0x40/0x50 net/socket.c:1638
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c35c7780: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
 ffff8801c35c7800: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00
>ffff8801c35c7880: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00
                                     ^
 ffff8801c35c7900: 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
 ffff8801c35c7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
audit_printk_skb: 20 callbacks suppressed
audit: type=1400 audit(1513561282.906:44): avc: denied { create } for pid=6126 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6157 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=6157 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6213 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6209 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6213 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=6213 comm=syz-executor1
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
nla_parse: 6 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1400 audit(1513561284.396:45): avc: denied { getattr } for pid=6252 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1513561284.426:46): avc: denied { read } for pid=6252 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20006. Sending cookies. Check SNMP counters.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 6370 Comm: syz-executor6 Tainted: G    B   4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c4e8f940 ffffffff81d90a29 ffff8801c4e8fc20 0000000000000000
 ffff8801a8d93910 ffff8801c4e8fb10 ffff8801a8d93800 ffff8801c4e8fb38
 ffffffff8165e557 0000000000000000 ffff8801c4e8fa90 00000001d60e4067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
program syz-executor1 is using a deprecated SCSI ioctl, please convert it to SG_IO
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
program syz-executor1 is using a deprecated SCSI ioctl, please convert it to SG_IO
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 6370 Comm: syz-executor6 Tainted: G    B   4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c4e8f940 ffffffff81d90a29 ffff8801c4e8fc20 0000000000000000
 ffff8801a8556110 ffff8801c4e8fb10 ffff8801a8556000 ffff8801c4e8fb38
 ffffffff8165e557 1ffff100389d1f2f ffff8801c4e8fa90 00000001d60e4067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 1 PID: 6353 Comm: syz-executor6 Tainted: G    B   4.9.69-g3f1d77c #108
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d95cf990 ffffffff81d90a29 ffff8801d95cfc70 0000000000000000
 ffff8801a8556110 ffff8801d95cfb60 ffff8801a8556000 ffff8801d95cfb88
 ffffffff8165e557 ffffffff810ec8f0 ffff8801d95cfae0 00000001d60e4067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
audit: type=1400 audit(1513561285.366:47): avc: denied { setpcap } for pid=6492 comm="syz-executor3" capability=8 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
netlink: 11 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
audit: type=1400 audit(1513561285.776:48): avc: denied { read } for pid=6624 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly
9pnet_virtio: no channels available for device H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=6887 comm=syz-executor0
9pnet_virtio: no channels available for device H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H¨H
audit: type=1400 audit(1513561286.766:49): avc: denied { read } for pid=6958 comm="syz-executor6" path="socket:[17384]" dev="sockfs" ino=17384 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 7079:7082 got reply transaction with no transaction stack
binder: 7079:7082 transaction failed 29201/-71, size 64-24 line 2923
binder: 7079:7082 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 7079:7082 got reply transaction with no transaction stack
binder: 7079:7082 transaction failed 29201/-71, size 48-16 line 2923
binder: 7079:7114 got reply transaction with no transaction stack
binder: 7079:7114 transaction failed 29201/-71, size 64-24 line 2923
binder: 7079:7123 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 7079:7123 got reply transaction with no transaction stack
binder: 7079:7123 transaction failed 29201/-71, size 48-16 line 2923
device lo entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 7273:7274 ERROR: BC_REGISTER_LOOPER called without request
binder: 7278:7280 ERROR: BC_REGISTER_LOOPER called without request
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 7278:7292 transaction failed 29189/-22, size 0-0 line 3007
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 63, process died.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3485 sclass=netlink_route_socket pig=7289 comm=syz-executor3
device lo left promiscuous mode
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: 7273:7285 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 7273: binder_alloc_buf, no vma
binder: 7273:7305 transaction failed 29189/-3, size 0-0 line 3130
binder: 7278:7298 BC_ACQUIRE_DONE node 67 has no pending acquire request
binder: 7278:7298 got reply transaction with no transaction stack
binder: 7278:7298 transaction failed 29201/-71, size 48-40 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7278:7298 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 7278: binder_alloc_buf, no vma
binder: 7278:7280 transaction failed 29189/-3, size 0-0 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7278:7280 ioctl 40046207 0 returned -16
binder: 7278:7298 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 7278:7298 got reply transaction with no transaction stack
binder: 7278:7298 transaction failed 29201/-71, size 48-40 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7366:7373 BC_REQUEST_DEATH_NOTIFICATION death notification already set
rfkill: input handler disabled
rfkill: input handler enabled
binder: 7366:7388 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 7366:7388 got transaction to invalid handle
binder: 7366:7388 transaction failed 29201/-22, size 24-16 line 3007
binder: 7366:7401 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 7366:7401 got transaction to invalid handle
binder: 7366:7388 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 7366:7401 transaction failed 29201/-22, size 24-16 line 3007
rfkill: input handler disabled
rfkill: input handler enabled
sd 0:0:1:0: [sg0] tag#989 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#989 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#989 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#989 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 04 00
sd 0:0:1:0: [sg0] tag#989 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#989 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
device ±BÞÓ*mqÐx”o‡3{© entered promiscuous mode
device ±BÞÓ*mqÐx”o‡3{© left promiscuous mode
device ±BÞÓ*mqÐx”o‡3{© entered promiscuous mode
device ±BÞÓ*mqÐx”o‡3{© left promiscuous mode
tc_dump_action: action bad kind
tc_dump_action: action bad kind
binder: 7629:7634 got transaction to invalid handle
binder: 7629:7634 transaction failed 29201/-22, size 24-24 line 3007
binder: 7629:7634 ioctl 5417 20013000 returned -22
selinux_nlmsg_perm: 1 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2561 sclass=netlink_route_socket pig=7646 comm=syz-executor6
binder: 7629:7654 BC_FREE_BUFFER u000000002000c000 matched unreturned buffer
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7629:7664 ioctl 40046207 0 returned -16
binder: 7629:7654 got transaction to invalid handle
binder: 7629:7654 transaction failed 29201/-22, size 24-24 line 3007
binder: 7629:7654 ioctl 5417 20013000 returned -22
binder_alloc: 7629: binder_alloc_buf, no vma
binder: 7629:7664 transaction failed 29189/-3, size 0-0 line 3130
binder: 7629:7664 BC_FREE_BUFFER u000000002000c000 no match
keychord: keycode 25638 out of range
binder: undelivered transaction 83, process died.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2561 sclass=netlink_route_socket pig=7660 comm=syz-executor6
keychord: keycode 25638 out of range
device gre0 entered promiscuous mode
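The console output above carries three distinct kernel reports (a lockdep unlock-imbalance in ipmr_mfc_seq_stop, a KASAN stack-out-of-bounds in xfrm_state_find printed twice for the same address ffff8801c35c78b0, and repeated FAULT_FLAG_ALLOW_RETRY warnings from handle_userfault) buried in binder, netlink, SELinux and audit chatter from the fuzzer; the lockdep header line is even cut in half by a burst of binder messages. The triage helper below is an added example, not part of the log and not syzkaller's own code. It walks console lines, drops the noise prefixes seen in this log (the prefix list and the list of reporting-machinery frames to skip are assumptions chosen for this log, not a kernel-defined set), takes the first frame outside the sanitizer/lockdep machinery as the bug site, records whether the kernel was already tainted, and collapses repeats. SAMPLE_LOG is a constructed, condensed excerpt of the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt condensed from the console log above (most frames trimmed).
SAMPLE_LOG = """\
[ BUG: bad unlock balance detected! ]
[ 35.119039] binder: 5350:5352 ioctl 85 20416000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
CPU: 0 PID: 5334 Comm: syz-executor0 Not tainted 4.9.69-g3f1d77c #108
Call Trace:
 [] _raw_read_unlock+0x1a/0x50 kernel/locking/spinlock.c:255
 [] ipmr_mfc_seq_stop+0xe4/0x140 net/ipv6/ip6mr.c:553
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 5671 Comm: syz-executor1 Not tainted 4.9.69-g3f1d77c #108
Call Trace:
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2453/0x2830 net/xfrm/xfrm_state.c:822 at addr ffff8801c35c78b0
CPU: 1 PID: 6185 Comm: syz-executor2 Not tainted 4.9.69-g3f1d77c #108
Call Trace:
 [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329
 [] xfrm_state_find+0x2453/0x2830 net/xfrm/xfrm_state.c:822
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:90 [inline] at addr ffff8801c35c78b0
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0xc9b/0x2830 net/xfrm/xfrm_state.c:822 at addr ffff8801c35c78b0
CPU: 1 PID: 6185 Comm: syz-executor2 Tainted: G    B   4.9.69-g3f1d77c #108
Call Trace:
 [] __xfrm_dst_hash net/xfrm/xfrm_hash.h:90 [inline]
 [] xfrm_state_find+0xc9b/0x2830 net/xfrm/xfrm_state.c:822
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 6370 Comm: syz-executor6 Tainted: G    B   4.9.69-g3f1d77c #108
Call Trace:
program syz-executor1 is using a deprecated SCSI ioctl, please convert it to SG_IO
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
"""

# Fuzzer chatter the console interleaves into reports; prefixes taken from the log above (assumed list).
NOISE_RE = re.compile(
    r"^(?:\[\s*\d+\.\d+\]\s*)?(?:binder(?:_alloc)?:|netlink:|SELinux:|audit:|IPv6:|IPVS:|"
    r"device .* promiscuous mode|program .* SCSI ioctl|sd \d+:\d+:\d+:\d+:|pktgen:|rfkill:)"
)
OPENERS = [  # the three report types present in the log
    ("lockdep", re.compile(r"^\[ BUG: (.+?) \]$")),
    ("kasan", re.compile(r"^BUG: KASAN: ([\w-]+) in (\S+).*? at addr ([0-9a-f]+)")),
    ("uffd", re.compile(r"^(FAULT_FLAG_ALLOW_RETRY missing \d+)$")),
]
CPU_RE = re.compile(r"^CPU: \d+ PID: (\d+) Comm: \S+ (Not tainted|Tainted:)")
FRAME_RE = re.compile(r"^\[(?:<[0-9a-f]+>)?\]\s+([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+(\S+:\d+))?")
# Reporting machinery (assumed list); the first frame past it is treated as the bug site.
SKIP_RE = re.compile(r"^_*(?:dump_stack|print_|kasan_|asan_|lock_release|raw_read_unlock)")

@dataclass
class Report:
    kind: str
    title: str
    addr: str = ""               # KASAN faulting address, used to merge repeats
    pid: int = 0
    tainted: Optional[bool] = None
    frame: str = ""              # first frame outside the reporting machinery
    noise: int = 0               # unrelated lines interleaved into this report

def _open(line: str) -> Optional[Report]:
    for kind, rx in OPENERS:
        m = rx.match(line)
        if m and kind == "kasan":
            return Report(kind, f"{m.group(1)} in {m.group(2)}", addr=m.group(3))
        if m:
            return Report(kind, m.group(1))
    return None

def parse_console(text: str) -> List[Report]:
    reports: List[Report] = []
    cur: Optional[Report] = None
    for raw in text.splitlines():
        line = raw.strip()
        new = _open(line)
        if new:
            # KASAN emits one "BUG:" line per inlined frame; merge them into one report.
            if cur and cur.kind == new.kind == "kasan" and cur.addr == new.addr and cur.pid == 0:
                continue
            cur = new
            reports.append(cur)
        elif cur is None or not line:
            continue
        elif NOISE_RE.match(line):
            cur.noise += 1
        elif (m := CPU_RE.match(line)):
            cur.pid, cur.tainted = int(m.group(1)), m.group(2) != "Not tainted"
        elif (m := FRAME_RE.match(line)) and not cur.frame and not SKIP_RE.match(m.group(1)):
            cur.frame = m.group(1) + (f" {m.group(2)}" if m.group(2) else "")
    return reports

def summarize(reports: List[Report]) -> List[Dict]:
    """Collapse repeats: KASAN by faulting address, everything else by title and bug site."""
    groups: Dict[tuple, Dict] = {}
    for r in reports:
        key = (r.kind, r.addr) if r.kind == "kasan" else (r.kind, r.title, r.frame)
        g = groups.setdefault(key, {"title": r.title, "frame": r.frame, "tainted": r.tainted, "count": 0, "pids": []})
        g["count"] += 1
        g["pids"].append(r.pid)
    return list(groups.values())

if __name__ == "__main__":
    for g in summarize(parse_console(SAMPLE_LOG)):
        print(f'{g["count"]}x {g["title"]} @ {g["frame"]} tainted={g["tainted"]} pids={g["pids"]}')
```

The tainted flag is the triage signal worth keeping: in the log above everything after the first KASAN hit carries `Tainted: G B`, meaning the kernel had already flagged memory corruption, so the second xfrm_state_find report and the later userfaultfd warnings ran on a machine that was no longer trustworthy. The first, untainted occurrence of each group is the one to reproduce in isolation, and the `noise` counter tells you how much unrelated output to strip from a report before filing it.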