device gre0 entered promiscuous mode
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/8923
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 8923 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c55676d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801cf580000 0000000000000003 ffff8801c5567718
 ffffffff81df7854 ffff8801c5567730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/8930
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 8930 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cd8276d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801a975c800 0000000000000003 ffff8801cd827718
 ffffffff81df7854 ffff8801cd827730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63367 sclass=netlink_route_socket pig=9018 comm=syz-executor2
binder: 9026:9029 DecRefs 0 refcount change on invalid ref 1 ret -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63367 sclass=netlink_route_socket pig=9018 comm=syz-executor2
binder_alloc: 9026: binder_alloc_buf, no vma
binder: 9026:9038 transaction failed 29189/-3, size 0-0 line 3130
binder: 9026:9029 DecRefs 0 refcount change on invalid ref 912 ret -22
binder: 9026:9029 unknown command 0
binder: 9026:9029 ioctl c0306201 20003000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9026:9029 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9026:9029 ioctl 40046207 0 returned -16
binder: 9026:9029 DecRefs 0 refcount change on invalid ref 1 ret -22
binder_alloc: 9026: binder_alloc_buf, no vma
binder: 9026:9038 transaction failed 29189/-3, size 0-0 line 3130
binder: 9026:9052 DecRefs 0 refcount change on invalid ref 912 ret -22
binder: 9026:9052 unknown command 0
binder: 9026:9052 ioctl c0306201 20003000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9026:9029 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9111:9117 ioctl 40046207 0 returned -16
netlink: 16 bytes leftover after parsing attributes in process `syz-executor4'.
sock: sock_set_timeout: `syz-executor6' (pid 9176) tries to set negative timeout
binder: binder_mmap: 9164 20005000-20008000 bad vm_flags failed -1
binder: 9164:9175 ioctl c0306201 20007000 returned -14
device gre0 entered promiscuous mode
binder: 9164:9167 ioctl 5405 2000bfec returned -22
binder: release 9164:9167 transaction 74 in, still active
binder: send failed reply for transaction 74 to 9164:9175
binder: 9164:9167 ioctl c0306201 20005fd0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9164:9167 ioctl 40046207 0 returned -16
binder: binder_mmap: 9164 20005000-20008000 bad vm_flags failed -1
binder: 9164:9175 ioctl c0306201 20007000 returned -14
binder_alloc: 9164: binder_alloc_buf, no vma
binder: 9164:9175 transaction failed 29189/-3, size 0-0 line 3130
binder: 9164:9167 ioctl 5405 2000bfec returned -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: 9164:9175 ioctl c0306201 20005fd0 returned -14
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
sock: sock_set_timeout: `syz-executor6' (pid 9152) tries to set negative timeout
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 9342:9348 ioctl 2403 ffff returned -22
binder: 9342:9364 ioctl 8004e500 20005000 returned -22
binder: 9342:9364 ioctl 401845ef 20004000 returned -22
binder: undelivered death notification, 0000000000000000
binder: 9342:9364 ioctl 2403 ffff returned -22
audit: type=1400 audit(1513076012.626:50): avc: denied { bind } for pid=9401 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9342:9364 ioctl 40046207 0 returned -16
binder: 9342:9364 ioctl 8004e500 20005000 returned -22
binder: 9342:9364 ioctl 401845ef 20004000 returned -22
binder: undelivered death notification, 0000000000000000
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=16
IPVS: Creating netns size=2536 id=17
binder: 9498:9499 ioctl 40046205 8 returned -22
device gre0 entered promiscuous mode
tty_warn_deprecated_flags: 'syz-executor1' is using deprecated serial flags (with no effect): 00008000
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
binder_alloc: binder_alloc_mmap_handler: 9517 20000000-20002000 already mapped failed -16
binder: 9498:9499 got reply transaction with no transaction stack
binder: 9498:9499 transaction failed 29201/-71, size 0-56 line 2923
tty_warn_deprecated_flags: 'syz-executor1' is using deprecated serial flags (with no effect): 00008000
binder: 9498:9529 ioctl 40046205 8 returned -22
binder_alloc: binder_alloc_mmap_handler: 9498 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9498:9529 ioctl 40046207 0 returned -16
binder_alloc: 9498: binder_alloc_buf, no vma
binder: 9498:9543 transaction failed 29189/-3, size 80-16 line 3130
binder: 9498:9543 got reply transaction with no transaction stack
binder: 9498:9543 transaction failed 29201/-71, size 0-56 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 9498:9515 transaction 80 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 80, target dead
device gre0 entered promiscuous mode
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending cookies. Check SNMP counters.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9661 comm=syz-executor2
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
binder: 9776:9780 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 9776:9780 ioctl c0306201 20008fd0 returned -14
binder: 9776:9780 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 9776:9793 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 9776:9793 BC_INCREFS_DONE uffffffffffffffff no match
binder: 9776:9793 Acquire 1 refcount change on invalid ref 1 ret -22
nla_parse: 10 callbacks suppressed
netlink: 73 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 9776:9793 BC_DEAD_BINDER_DONE 0000000000000000 not found
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 9776:9823 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 9776:9823 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 9776:9824 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 9776:9823 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 9776:9823 BC_INCREFS_DONE uffffffffffffffff no match
binder: 9776:9823 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 9776:9824 BC_DEAD_BINDER_DONE 0000000000000000 not found
device gre0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 9931 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d2237710 ffffffff81d90889 ffff8801d22379f0 0000000000000000
 ffff8801c4883310 ffff8801d22378e0 ffff8801c4883200 ffff8801d2237908
 ffffffff8165e497 0000000000006e92 ffff8801a25b88f0 ffff8801a25b88a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_select fs/select.c:652 [inline]
 [] SyS_select+0x158/0x1e0 fs/select.c:634
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device lo entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
CPU: 0 PID: 9944 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d88478c0 ffffffff81d90889 ffff8801d8847ba0 0000000000000000
 ffff8801c4883310 ffff8801d8847a90 ffff8801c4883200 ffff8801d8847ab8
 ffffffff8165e497 0000000000006e92 ffff8801d83a68f0 ffff8801d83a68a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
IPVS: Creating netns size=2536 id=18
binder: 10084:10092 ioctl 85 20416000 returned -22
binder: 10084:10092 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 10084:10092 Acquire 1 refcount change on invalid ref 4 ret -22
binder: 10084:10092 unknown command 0
binder: 10084:10116 ioctl 85 20416000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10084:10116 ioctl 40046207 0 returned -16
binder: 10084:10092 ioctl c0306201 20000fd0 returned -22
device gre0 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=805 sclass=netlink_route_socket pig=10404 comm=syz-executor5
binder_alloc: 10509: binder_alloc_buf, no vma
binder: 10509:10511 transaction failed 29189/-3, size 80-16 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10509:10511 ioctl 40046207 0 returned -16
binder_alloc: 10509: binder_alloc_buf, no vma
binder: 10509:10515 transaction failed 29189/-3, size 80-16 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
Option 'tgˆa9mļw& [% SM?4-' to dns_resolver key: bad/missing value
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
Option 'tgˆa9mļw& [% SM?4-' to dns_resolver key: bad/missing value
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 10915 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
binder: 10925:10926 ERROR: BC_REGISTER_LOOPER called without request
binder: 10925:10926 transaction failed 29189/-22, size 0-0 line 3007
binder: 10925:10926 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 10925:10926 got reply transaction with no transaction stack
binder: 10925:10926 transaction failed 29201/-71, size 48-40 line 2923
binder: 10925:10926 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 10925: binder_alloc_buf, no vma
binder: 10925:10929 transaction failed 29189/-3, size 0-0 line 3130
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10925:10929 ioctl 40046207 0 returned -16
binder: 10925:10929 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 10925:10929 got reply transaction with no transaction stack
binder: 10925:10929 transaction failed 29201/-71, size 48-40 line 2923
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d90bf6b0 ffffffff81d90889 ffff8801d90bf990 0000000000000000
 ffff8801c4883c10 ffff8801d90bf880 ffff8801c4883b00 ffff8801d90bf8a8
 ffffffff8165e497 0000000000006e92 ffff8801c8c608f0 ffff8801c8c608a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:908
 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892
 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 10924 Comm: syz-executor4 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d90ef6b0 ffffffff81d90889 ffff8801d90ef990 0000000000000000
 ffff8801c4883d90 ffff8801d90ef880 ffff8801c4883c80 ffff8801d90ef8a8
 ffffffff8165e497 0000000000006e92 ffff8801d90e08f0 ffff8801d90e08a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:908
 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892
 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode