device gre0 entered promiscuous mode
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor0/6286
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 6286 Comm: syz-executor0 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d1ef76d8 ffffffff81d90889 0000000000000000 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d2200000 0000000000000003 ffff8801d1ef7718
 ffffffff81df7854 ffff8801d1ef7730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 6328:6329 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: binder_alloc_mmap_handler: 6328 20000000-20002000 already mapped failed -16
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6328:6347 ioctl 40046207 0 returned -16
binder: 6328:6329 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 6328: binder_alloc_buf, no vma
binder: 6328:6329 transaction failed 29189/-3, size 0-0 line 3130
binder: 6328:6347 got reply transaction with no transaction stack
binder: 6328:6347 transaction failed 29201/-71, size 24-8 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 37, process died.
binder: 6369:6370 got transaction with invalid offset (56, min 72 max 72) or object.
binder: 6369:6370 transaction failed 29201/-22, size 72-32 line 3193
binder_alloc: binder_alloc_mmap_handler: 6369 20000000-20002000 already mapped failed -16
nla_parse: 6 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
: renamed from syz6
binder: 6603:6606 IncRefs 0 refcount change on invalid ref 0 ret -22
binder: 6603:6606 got transaction to invalid handle
binder: 6603:6606 transaction failed 29201/-22, size 0-0 line 3007
binder: 6603:6627 IncRefs 0 refcount change on invalid ref 0 ret -22
binder: undelivered TRANSACTION_ERROR: 29201
device syz5 entered promiscuous mode
binder: 6718:6719 got transaction with invalid offset (0, min 0 max 0) or object.
binder: 6718:6719 transaction failed 29201/-22, size 0-8 line 3193
binder: 6718:6719 got transaction with invalid handle, 0
binder: 6718:6719 transaction failed 29201/-22, size 24-16 line 3222
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 6718: binder_alloc_buf, no vma
binder: 6718:6719 ioctl 40046207 0 returned -16
binder: 6718:6733 transaction failed 29189/-3, size 0-8 line 3130
binder_alloc: 6718: binder_alloc_buf, no vma
binder: 6718:6719 transaction failed 29189/-3, size 24-16 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
updating oom_score_adj for 6766 (syz-executor5) from 0 to 58 because it shares mm with 6757 (syz-executor5). Report if this is unexpected.
device gre0 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63367 sclass=netlink_route_socket pig=6849 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63367 sclass=netlink_route_socket pig=6849 comm=syz-executor6
audit: type=1400 audit(1513075604.010:45): avc: denied { setopt } for pid=6873 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1513075604.130:46): avc: denied { create } for pid=6904 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6962:6967 ioctl 40046207 0 returned -16
audit: type=1400 audit(1513075604.450:47): avc: denied { dyntransition } for pid=6987 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=1
audit: type=1400 audit(1513075604.490:48): avc: denied { write } for pid=6981 comm="syz-executor4" path="socket:[18703]" dev="sockfs" ino=18703 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
keychord: invalid keycode count 0
keychord: invalid keycode count 0
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 7040 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c3457870 ffffffff81d90889 ffff8801c3457b50 0000000000000000
 ffff8801a661fa90 ffff8801c3457a40 ffff8801a661f980 ffff8801c3457a68
 ffffffff8165e497 0000000000006e92 ffff8801c48a50f0 ffff8801c48a50a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_mq_timedsend ipc/mqueue.c:973 [inline]
 [] SyS_mq_timedsend+0xe6/0xa80 ipc/mqueue.c:956
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 7079 Comm: syz-executor3 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a4cdf850 ffffffff81d90889 ffff8801a4cdfb30 0000000000000000
 ffff8801c3eb6b90 ffff8801a4cdfa20 ffff8801c3eb6a80 ffff8801a4cdfa48
 ffffffff8165e497 0000000000006e92 ffff8801c7c238f0 ffff8801c7c238a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] do_fcntl fs/fcntl.c:284 [inline]
 [] SYSC_fcntl fs/fcntl.c:372 [inline]
 [] SyS_fcntl+0x81c/0xc70 fs/fcntl.c:357
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 7079 Comm: syz-executor3 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a4cdf850 ffffffff81d90889 ffff8801a4cdfb30 0000000000000000
 ffff8801c3eb6d10 ffff8801a4cdfa20 ffff8801c3eb6c00 ffff8801a4cdfa48
 ffffffff8165e497 0000000000006e92 ffff8801c7c238f0 ffff8801c7c238a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] do_fcntl fs/fcntl.c:284 [inline]
 [] SYSC_fcntl fs/fcntl.c:372 [inline]
 [] SyS_fcntl+0x81c/0xc70 fs/fcntl.c:357
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 1 PID: 7048 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d0cdf9a0 ffffffff81d90889 ffff8801d0cdfc80 0000000000000000
 ffff8801a661fa90 ffff8801d0cdfb70 ffff8801a661f980 ffff8801d0cdfb98
 ffffffff8165e497 0000000000006e92 ffff8801a476e8f0 ffff8801a476e8a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
keychord: invalid keycode count 0
keychord: invalid keycode count 0
device gre0 entered promiscuous mode
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/7234
binder: 7236:7241 got transaction with fd, -1, but target does not allow fds
binder: 7236:7241 transaction failed 29201/-1, size 24-8 line 3235
binder_alloc: binder_alloc_mmap_handler: 7236 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7236:7241 ioctl 40046207 0 returned -16
binder_alloc: 7236: binder_alloc_buf, no vma
binder: 7236:7243 transaction failed 29189/-3, size 24-8 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 7234 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a5a876d8 ffffffff81d90889[ 59.790952] device gre0 entered promiscuous mode
 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801a5b49800 0000000000000003 ffff8801a5a87718
 ffffffff81df7854 ffff8801a5a87730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
sg_write: data in/out 822404280/197 bytes for SCSI command 0x12-- guessing data in; program syz-executor7 not setting count and/or reply_len properly
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/7234
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 7234 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a5a876d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801a5b49800 0000000000000003 ffff8801a5a87718
 ffffffff81df7854 ffff8801a5a87730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
audit: type=1400 audit(1513075607.370:49): avc: denied { bind } for pid=7449 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7483 comm=syz-executor7
nla_parse: 12 callbacks suppressed
netlink: 16 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device gre0 entered promiscuous mode
device eql entered promiscuous mode
device gre0 entered promiscuous mode
program syz-executor6 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
device gre0 entered promiscuous mode
program syz-executor6 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
netlink: 16 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor1'.
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
sd 0:0:1:0: [sg0] tag#473 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#473 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#473 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#473 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#473 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
sd 0:0:1:0: [sg0] tag#473 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 8031 Comm: syz-executor2 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d98c7480 ffffffff81d90889 ffff8801d98c7760 0000000000000000
 ffff8801a661f190 ffff8801d98c7650 ffff8801a661f080 ffff8801d98c7678
 ffffffff8165e497 0000000000005207 ffff8801d59d8918 ffff8801d59d88a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] do_ip_setsockopt.isra.12+0x1977/0x2960 net/ipv4/ip_sockglue.c:1151
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1240
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2736
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 8079:8089 got reply transaction with no transaction stack
binder: 8079:8089 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: 8079:8098 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 8079:8098 got transaction to invalid handle
binder: 8079:8098 transaction failed 29201/-22, size 64-32 line 3007
binder: 8079:8098 ioctl c0306201 2000cfd0 returned -14
binder: send failed reply for transaction 55 to 8079:8125
binder: 8079:8089 ioctl c0306201 2000efd0 returned -14
binder: 8079:8089 Release 1 refcount change on invalid ref 4 ret -22
binder: 8079:8089 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 8079:8089 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 8079:8089 got transaction to invalid handle
binder: 8079:8089 transaction failed 29201/-22, size 0-32 line 3007
binder: 8079:8125 got reply transaction with no transaction stack
binder: 8079:8125 transaction failed 29201/-71, size 2-1144397507205 line 2923
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8079:8089 ioctl 40046207 0 returned -16
binder: 8079:8089 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 8079:8089 got transaction to invalid handle
binder: 8079:8089 transaction failed 29201/-22, size 64-32 line 3007
binder_alloc: 8079: binder_alloc_buf, no vma
binder: 8079:8143 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8165:8168 ioctl 40046205 0 returned -22
binder: 8163:8167 ioctl 40046205 fffffffffffffffd returned -22
binder: 8163:8167 ERROR: BC_REGISTER_LOOPER called without request
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 8163:8167 unknown command 1400526783
binder: 8163:8167 ioctl c0306201 20002fd0 returned -22
binder: 8163:8167 ioctl c018620b 20000fe8 returned -14
binder: 8163:8167 BC_FREE_BUFFER uffffffffffffffff no match
binder: 8163:8167 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 8163:8167 BC_REQUEST_DEATH_NOTIFICATION invalid ref 3
binder: 8163:8167 got reply transaction with no transaction stack
binder: 8163:8167 transaction failed 29201/-71, size 32-16 line 2923
binder: 8163:8167 ioctl c0306201 20005fd0 returned -14
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8163:8167 BC_FREE_BUFFER u00000000ffffffff no match
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 62, process died.
binder: undelivered transaction 66, process died.
binder: 8163:8167 ioctl 40046205 6 returned -22
binder: 8163:8167 ioctl 40046205 fffffffffffffffd returned -22
binder: 8165:8178 ERROR: BC_REGISTER_LOOPER called without request
binder: 8163:8167 ERROR: BC_REGISTER_LOOPER called without request
binder: 8163:8185 unknown command 0
binder: 8163:8185 ioctl c0306201 20002fd0 returned -22
binder: 8163:8185 got reply transaction with no transaction stack
binder: 8163:8185 transaction failed 29201/-71, size 24-8 line 2923
binder: 8163:8185 ioctl c018620b 20000fe8 returned -14
binder: 8163:8185 BC_FREE_BUFFER uffffffffffffffff no match
binder: 8163:8185 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 8163:8185 got transaction to invalid handle
binder: 8163:8185 transaction failed 29201/-22, size 72-8 line 3007
binder: 8163:8185 ioctl c0306201 20005fd0 returned -14
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8165:8178 got transaction to invalid handle
binder: 8165:8178 transaction failed 29201/-22, size 0-8 line 3007
binder: release 8163:8179 transaction 72 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 72, target dead
binder_alloc: 8165: binder_alloc_buf, no vma
binder: 8165:8178 transaction failed 29189/-3, size 24-8 line 3130
binder: send failed reply for transaction 76 to 8165:8189
binder: undelivered TRANSACTION_ERROR: 29190
binder: 8165:8178 BC_FREE_BUFFER u0000000000000000 no match
binder: 8165:8178 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 8165:8178 got transaction to invalid handle
binder: 8165:8178 transaction failed 29201/-22, size 72-8 line 3007
binder: 8165:8178 ioctl 40046205 6 returned -22
binder: 8165:8189 ioctl 40046205 0 returned -22
binder: 8165:8189 ERROR: BC_REGISTER_LOOPER called without request
binder: 8165:8189 ioctl c0306201 20008fd0 returned -11
binder_alloc: 8165: binder_alloc_buf, no vma
binder: 8165:8189 transaction failed 29189/-3, size 0-0 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8165:8178 ioctl 40046207 0 returned -16
binder: 8165:8189 got transaction to invalid handle
binder: 8165:8189 transaction failed 29201/-22, size 0-8 line 3007
device lo entered promiscuous mode
binder: 8165:8189 BC_FREE_BUFFER u0000000000000000 no match
binder: 8165:8189 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 8165:8189 got transaction to invalid handle
binder: 8165:8189 transaction failed 29201/-22, size 72-8 line 3007
device lo left promiscuous mode
audit: type=1400 audit(1513075610.830:50): avc: denied { setattr } for pid=8309 comm="syz-executor7" name="current" dev="proc" ino=19953 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=file permissive=1
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
netlink: 72 bytes leftover after parsing attributes in process `syz-executor2'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 8338 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
netlink: 72 bytes leftover after parsing attributes in process `syz-executor2'.
 ffff8801d6b1f700 ffffffff81d90889 ffff8801d6b1f9e0 0000000000000000
 ffff8801a661f190 ffff8801d6b1f8d0 ffff8801a661f080 ffff8801d6b1f8f8
 ffffffff8165e497 0000000000006e92 ffff8801c6e108f0 ffff8801c6e108a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406