netlink: 21 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 9792:9802 ERROR: BC_REGISTER_LOOPER called without request
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/9810
binder: send failed reply for transaction 90 to 9792:9811
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 9792:9802 ERROR: BC_REGISTER_LOOPER called without request
binder: release 9792:9811 transaction 92 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 92, target dead
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 9810 Comm: syz-executor4 Not tainted 4.9.73-gf3f3457 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b053f6c8 ffffffff81d922b9 0000000000000000 ffffffff83c17a00
 ffffffff83f444c0 ffff8801c6fce000 0000000000000003 ffff8801b053f708
 ffffffff81df9294 ffff8801b053f720 ffffffff83f444c0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
9pnet_virtio: no channels available for device
9pnet_virtio: no channels available for device
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp6_init_state+0xb5/0x820 net/ipv6/ipcomp6.c:165
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2003
 [] SYSC_sendmsg net/socket.c:2014 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2010
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
audit: type=1400 audit(1514645554.594:36): avc: denied { attach_queue } for pid=9888 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=tun_socket permissive=1
device lo entered promiscuous mode
binder: 10035:10046 got new transaction with bad transaction stack, transaction 94 has target 10035:10036
binder: 10035:10046 transaction failed 29201/-71, size 0-0 line 3031
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10035:10051 ioctl 40046207 0 returned -16
binder_alloc: 10035: binder_alloc_buf, no vma
binder: 10035:10046 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 10035:10036 transaction 94 in, still active
binder: send failed reply for transaction 94 to 10035:10046
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
nla_parse: 4 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10149:10154 ioctl 40046207 0 returned -16
binder_alloc: 10149: binder_alloc_buf, no vma
binder: 10149:10182 transaction failed 29189/-3, size 0-0 line 3127
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 10149:10154 BC_FREE_BUFFER u0000000020000000 no match
binder_alloc: 10149: binder_alloc_buf, no vma
binder: 10149:10154 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 10149:10154 transaction 99 out, still active
binder: release 10149:10154 transaction 98 in, still active
binder: undelivered TRANSACTION_COMPLETE
binder: release 10149:10175 transaction 98 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 99, target dead
binder: send failed reply for transaction 98, target dead
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10267 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10267 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10267 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10275 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10275 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10276 comm=syz-executor7
audit: type=1400 audit(1514645556.104:37): avc: denied { bind } for pid=10277 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10312 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10312 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10312 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10312 comm=syz-executor2
binder: 10390:10395 ioctl c0306201 200cd000 returned -14
tc_dump_action: action bad kind
tc_dump_action: action bad kind
device syz6 entered promiscuous mode
device syz4 entered promiscuous mode
netlink: 21 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 21 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1401 audit(1514645558.084:38): op=fscreate invalid_context=36A8475A00000000000000000000000000000000000000
tc_dump_action: action bad kind
tc_dump_action: action bad kind
9pnet_virtio: no channels available for device
9pnet_virtio: no channels available for device
device gre0 entered promiscuous mode
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
audit: type=1400 audit(1514645558.584:39): avc: denied { getopt } for pid=11009 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 11042:11044 BC_FREE_BUFFER u000000002011a000 no match
binder: 11042:11044 ERROR: BC_REGISTER_LOOPER called without request
binder: 11042:11044 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 11042:11044 ioctl 4c03 20009f68 returned -22
binder: 11042:11044 transaction failed 29201/-22, size 0-0 line 3127
binder_alloc: binder_alloc_mmap_handler: 11042 2011a000-2051a000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11042:11044 ioctl 40046207 0 returned -16
binder: 11042:11044 BC_FREE_BUFFER u000000002011a000 no match
binder: 11042:11044 ERROR: BC_REGISTER_LOOPER called without request
binder: 11042:11044 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 11042:11051 ioctl 4c03 20009f68 returned -22
binder_alloc: 11042: binder_alloc_buf, no vma
binder: 11042:11044 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 11140: binder_alloc_buf, no vma
binder: 11140:11142 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11140:11155 ioctl 40046207 0 returned -16
binder_alloc: 11140: binder_alloc_buf, no vma
binder: 11140:11159 transaction failed 29189/-3, size 0-0 line 3127
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 11416:11423 BC_FREE_BUFFER u0000000020000000 matched unreturned buffer
binder_alloc: 11416:11434 FREE_BUFFER u0000000020000000 user freed buffer twice
binder: 11416:11434 BC_FREE_BUFFER u0000000020000000 no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11416:11448 ioctl 40046207 0 returned -16
binder_alloc: 11416: binder_alloc_buf, no vma
binder: 11416:11449 transaction failed 29189/-3, size 0-0 line 3127
binder: 11416:11450 BC_FREE_BUFFER u0000000020000000 no match
binder: 11416:11450 BC_FREE_BUFFER u0000000020000000 no match
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 11416:11423 transaction 109 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 109, target dead
IPVS: Creating netns size=2536 id=10
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 11625 Comm: syz-executor1 Not tainted 4.9.73-gf3f3457 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d7af3000 task.stack: ffff8801bc870000
RIP: 0010:[] [] __read_once_size include/linux/compiler.h:243 [inline]
RIP: 0010:[] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:[] [] page_ref_count include/linux/page_ref.h:66 [inline]
RIP: 0010:[] [] put_page_testzero include/linux/mm.h:450 [inline]
RIP: 0010:[] [] __free_pages+0x21/0x80 mm/page_alloc.c:3903
RSP: 0018:ffff8801bc8779b0 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: dead4ead00000000 RCX: ffffffff82664f9b
RDX: 1bd5a9d5a0000003 RSI: 0000000000000002 RDI: dead4ead0000001c
RBP: ffff8801bc8779c0 R08: 0000000048000000 R09: 0000000000001e30
R10: 0000000000002100 R11: ffff8801d7af3000 R12: 0000000000000004
R13: 0000000000000020 R14: ffff8801d85c8000 R15: dffffc0000000000
FS: 00007f03e60ec700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020a13000 CR3: 00000001c316c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000001 ffff8801d85c8158 ffff8801bc877a20 ffffffff82664fc1
 ffff8801d85c8170 ffffed003b0b902b ffffed003b0b902e ffff8801d85c8168
 dead4ead00000000 ffff8801d85c8140 0000000000000000 0000000000000000
Call Trace:
 [] sg_remove_scat.isra.19+0x1c1/0x2d0 drivers/scsi/sg.c:1954
 [] sg_finish_rem_req+0x2b5/0x340 drivers/scsi/sg.c:1836
 [] sg_new_read.isra.20+0x18d/0x3e0 drivers/scsi/sg.c:567
 [] sg_read+0x8bd/0x1440 drivers/scsi/sg.c:456
 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [] do_loop_readv_writev fs/read_write.c:880 [inline]
 [] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [] do_readv+0xe6/0x250 fs/read_write.c:924
 [] SYSC_readv fs/read_write.c:1011 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Code: e9 27 fc ff ff 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 53 48 89 fb 48 83 c7 1c 48 89 fa 48 83 ec 08 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 3d
RIP [] __read_once_size include/linux/compiler.h:243 [inline]
RIP [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP [] page_ref_count include/linux/page_ref.h:66 [inline]
RIP [] put_page_testzero include/linux/mm.h:450 [inline]
RIP [] __free_pages+0x21/0x80 mm/page_alloc.c:3903
 RSP
---[ end trace b4a314c499343879 ]---