binder: send failed reply for transaction 20, target dead
device syz1 entered promiscuous mode
=============================
WARNING: suspicious RCU usage
4.15.0-rc6-next-20180102+ #86 Not tainted
-----------------------------
net/netfilter/ipset/ip_set_core.c:2057 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
3 locks held by kworker/u4:3/72:
 #0: ((wq_completion)"%s""netns"){+.+.}, at: [<00000000cfd25fb3>] process_one_work+0x71f/0x14a0 kernel/workqueue.c:2083
 #1: (net_cleanup_work){+.+.}, at: [<000000009895a6ec>] process_one_work+0x757/0x14a0 kernel/workqueue.c:2087
 #2: (net_mutex){+.+.}, at: [<00000000d13481a9>] cleanup_net+0x139/0x8b0 net/core/net_namespace.c:450

stack backtrace:
CPU: 1 PID: 72 Comm: kworker/u4:3 Not tainted 4.15.0-rc6-next-20180102+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x137/0x198 lib/dump_stack.c:53
 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4585
 ip_set_net_exit+0x2c6/0x480 net/netfilter/ipset/ip_set_core.c:2057
 ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:142
 cleanup_net+0x3f3/0x8b0 net/core/net_namespace.c:484
 process_one_work+0x801/0x14a0 kernel/workqueue.c:2112
 worker_thread+0xe0/0x1010 kernel/workqueue.c:2246
 kthread+0x33c/0x400 kernel/kthread.c:238
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
binder: 6973:6976 got transaction with invalid data ptr
binder: 6973:6976 transaction failed 29201/-14, size 167-0 line 2979
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6973:6988 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 'syz-executor7': attribute type 40 has an invalid length.
netlink: 'syz-executor7': attribute type 40 has an invalid length.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor2'.
semctl(GETNCNT/GETZCNT) is since 3.16 Single Unix Specification compliant.
The task syz-executor3 (7067) triggered the difference, watch for misbehavior.
sctp: [Deprecated]: syz-executor6 (pid 7118) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor6 (pid 7129) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor5 (pid 7181) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor5 (pid 7187) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
kauditd_printk_skb: 22 callbacks suppressed
audit: type=1326 audit(1514913102.838:193): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913102.838:194): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=257 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913102.838:195): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913102.838:196): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=157 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913102.838:197): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913102.838:198): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=72 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913102.838:199): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913102.838:200): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=55 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913102.838:201): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913102.838:202): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7207 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=6 compat=0 ip=0x452ac9 code=0x7ffc0000
binder: 7329:7333 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 7329:7333 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 7329:7333 BC_INCREFS_DONE u0000000020265000 no match
binder: 7329:7333 got transaction with invalid parent offset or type
binder: 7329:7333 transaction failed 29201/-22, size 32-24 line 3083
binder: 7329:7336 got transaction with unaligned buffers size, 58534
binder: 7329:7336 transaction failed 29201/-22, size 0-32 line 3005
binder: 7329:7333 ioctl c0306201 20004000 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7329:7336 ioctl 40046207 0 returned -16
binder: 7329:7336 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 7329:7336 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 7329:7336 BC_INCREFS_DONE u0000000020265000 no match
binder_alloc: 7329: binder_alloc_buf, no vma
binder: 7329:7336 transaction failed 29189/-3, size 32-24 line 2960
binder_alloc: 7329: binder_alloc_buf, no vma
binder: 7329:7333 transaction failed 29189/-3, size 0-32 line 2960
binder: 7329:7336 ioctl c0306201 20004000 returned -14
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=7380 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=260 sclass=netlink_route_socket pig=7380 comm=syz-executor1
encrypted_key: insufficient parameters specified
syz-executor2: vmalloc: allocation failure: 7178027008 bytes, mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor2 cpuset=/ mems_allowed=0
CPU: 1 PID: 7661 Comm: syz-executor2 Not tainted 4.15.0-rc6-next-20180102+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x137/0x198 lib/dump_stack.c:53
 warn_alloc+0x160/0x260 mm/page_alloc.c:3313
 __vmalloc_node_range+0x4f0/0x650 mm/vmalloc.c:1719
 __vmalloc_node mm/vmalloc.c:1748 [inline]
 __vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1770
 kvmalloc_node+0x82/0xd0 mm/util.c:406
 kvmalloc include/linux/mm.h:541 [inline]
 kvmalloc_array include/linux/mm.h:557 [inline]
 xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774
 translate_table+0x20e/0x1660 net/ipv6/netfilter/ip6_tables.c:699
 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
 do_ip6t_set_ctl+0x281/0x430 net/ipv6/netfilter/ip6_tables.c:1686
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2874
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
 SYSC_setsockopt net/socket.c:1821 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1800
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x452ac9
RSP: 002b:00007fdaff1bac58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013
RBP: 0000000000000577 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020001fde R11: 0000000000000212 R12: 00000000006f63c8
R13: 00000000ffffffff R14: 00007fdaff1bb6d4 R15: 0000000000000000
Mem-Info:
active_anon:75713 inactive_anon:63 isolated_anon:0
 active_file:3541 inactive_file:9398 isolated_file:0
 unevictable:0 dirty:71 writeback:0 unstable:0
 slab_reclaimable:8915 slab_unreclaimable:89867
 mapped:23292 shmem:70 pagetables:737 bounce:0
 free:1419182 free_pcp:525 free_cma:0
Node 0 active_anon:304912kB inactive_anon:252kB active_file:14164kB inactive_file:37592kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:93168kB dirty:284kB writeback:0kB shmem:280kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 135168kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
Node 0 DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2881 6392 6392
Node 0 DMA32 free:2951788kB min:30384kB low:37980kB high:45576kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2952592kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:804kB local_pcp:640kB free_cma:0kB
lowmem_reserve[]: 0 0 3511 3511
Node 0 Normal free:2715008kB min:37032kB low:46288kB high:55544kB active_anon:298728kB inactive_anon:240kB active_file:14164kB inactive_file:37592kB unevictable:0kB writepending:300kB present:4718592kB managed:3595920kB mlocked:0kB kernel_stack:4288kB pagetables:3000kB bounce:0kB free_pcp:1432kB local_pcp:712kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 DMA32: 3*4kB (M) 4*8kB (UM) 2*16kB (UM) 1*32kB (M) 4*64kB (UM) 2*128kB (M) 4*256kB (UM) 2*512kB (UM) 4*1024kB (UM) 2*2048kB (UM) 718*4096kB (M) = 2951788kB
Node 0 Normal: 172*4kB (UME) 54*8kB (UM) 686*16kB (UME) 787*32kB (UE) 221*64kB (UME) 10*128kB (UM) 6*256kB (UM) 11*512kB (UM) 11*1024kB (ME) 3*2048kB (M) 644*4096kB (UM) = 2715104kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
13010 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
324874 pages reserved
syz-executor2: vmalloc: allocation failure: 7178027008 bytes, mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor2 cpuset=/ mems_allowed=0
CPU: 1 PID: 7672 Comm: syz-executor2 Not tainted 4.15.0-rc6-next-20180102+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x137/0x198 lib/dump_stack.c:53
 warn_alloc+0x160/0x260 mm/page_alloc.c:3313
 __vmalloc_node_range+0x4f0/0x650 mm/vmalloc.c:1719
 __vmalloc_node mm/vmalloc.c:1748 [inline]
 __vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1770
 kvmalloc_node+0x82/0xd0 mm/util.c:406
 kvmalloc include/linux/mm.h:541 [inline]
 kvmalloc_array include/linux/mm.h:557 [inline]
 xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774
 translate_table+0x20e/0x1660 net/ipv6/netfilter/ip6_tables.c:699
 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
 do_ip6t_set_ctl+0x281/0x430 net/ipv6/netfilter/ip6_tables.c:1686
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2874
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
 SYSC_setsockopt net/socket.c:1821 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1800
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x452ac9
RSP: 002b:00007fdaff157c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071c0c8 RCX: 0000000000452ac9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013
RBP: 00000000000004be R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020001fde R11: 0000000000000212 R12: 00000000006f5270
R13: 00000000ffffffff R14: 00007fdaff1586d4 R15: 0000000000000002
netlink: 'syz-executor5': attribute type 4 has an invalid length.
netlink: 'syz-executor5': attribute type 4 has an invalid length.
binder: 7864:7868 BC_ACQUIRE_DONE node 29 has no pending acquire request
ptrace attach of "/root/syz-executor1"[3697] was attempted by "/root/syz-executor1"[7868]
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7864:7868 ioctl 40046207 0 returned -16
ptrace attach of "/root/syz-executor1"[3697] was attempted by "/root/syz-executor1"[7874]
device gre0 entered promiscuous mode
binder: 7988:7991 transaction failed 29189/-22, size 6252194308108462804-7126149505219824913 line 2845
binder: 7988:8003 transaction failed 29189/-22, size 0-0 line 2845
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
binder: 8145:8148 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8145:8148 DecRefs 0 refcount change on invalid ref 0 ret -22
device syz1 entered promiscuous mode
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.
sctp: [Deprecated]: syz-executor2 (pid 8199) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor2 (pid 8200) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
binder: 8153:8156 ioctl 40046207 0 returned -16
ptrace attach of "/root/syz-executor7"[3661] was attempted by "/root/syz-executor7"[8265]
ptrace attach of "/root/syz-executor7"[3661] was attempted by "/root/syz-executor7"[8265]
kauditd_printk_skb: 91 callbacks suppressed
audit: type=1400 audit(1514913108.003:294): avc: denied { name_bind } for pid=8321 comm="syz-executor5" src=20023 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=dccp_socket permissive=1
audit: type=1400 audit(1514913108.003:295): avc: denied { node_bind } for pid=8321 comm="syz-executor5" src=20023 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=dccp_socket permissive=1
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 8408:8416 ERROR: BC_REGISTER_LOOPER called without request
binder: 8416 RLIMIT_NICE not set
binder: 8416 RLIMIT_NICE not set
binder: 8416 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8408:8426 ioctl 40046207 0 returned -16
binder: 8408:8416 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 8408: binder_alloc_buf, no vma
binder: 8408:8426 transaction failed 29189/-3, size 0-0 line 2960
binder: 8416 RLIMIT_NICE not set
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 37, process died.
audit: type=1400 audit(1514913108.518:296): avc: denied { setgid } for pid=8434 comm="syz-executor6" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1514913108.673:297): avc: denied { setopt } for pid=8483 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1514913109.074:298): avc: denied { ioctl } for pid=8571 comm="syz-executor6" path="socket:[22849]" dev="sockfs" ino=22849 ioctlcmd=0x8934 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1514913109.109:299): avc: denied { read } for pid=8571 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 8551 Comm: syz-executor4 Not tainted 4.15.0-rc6-next-20180102+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x137/0x198 lib/dump_stack.c:53
 handle_userfault+0x744/0x1750 fs/userfaultfd.c:430
 do_anonymous_page mm/memory.c:3171 [inline]
 handle_pte_fault mm/memory.c:3945 [inline]
 __handle_mm_fault+0x2fc5/0x3210 mm/memory.c:4071
 handle_mm_fault+0x305/0x840 mm/memory.c:4108
 __do_page_fault+0x59e/0xca0 arch/x86/mm/fault.c:1429
 do_page_fault+0x78/0x490 arch/x86/mm/fault.c:1504
 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1243
RIP: 0010:fault_in_pages_readable include/linux/pagemap.h:601 [inline]
RIP: 0010:iov_iter_fault_in_readable+0x1a7/0x410 lib/iov_iter.c:421
RSP: 0018:ffff8801c8507a08 EFLAGS: 00010246
RAX: 0000000000010000 RBX: 0000000020011fd2 RCX: ffffffff821c64c1
RDX: 00000000000000c9 RSI: ffffc90002510000 RDI: ffff8801c8507d30
RBP: ffff8801c8507ae8 R08: ffffffff874ebfc8 R09: 0000000000000000
R10: ffff8801c8507978 R11: 0000000000000000 R12: 1ffff100390a0f44
R13: ffff8801c8507ac0 R14: 0000000000000000 R15: ffff8801c8507d28
 generic_perform_write+0x195/0x4a0 mm/filemap.c:3128
 __generic_file_write_iter+0x366/0x5b0 mm/filemap.c:3263
 generic_file_write_iter+0x2f0/0x630 mm/filemap.c:3291
 call_write_iter include/linux/fs.h:1775 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x550/0x740 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xd4/0x1a0 fs/read_write.c:581
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x452ac9
RSP: 002b:00007fe54dd30c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000000000030 RSI: 0000000020011fd2 RDI: 0000000000000014
RBP: 00000000000002fe R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2870
R13: 00000000ffffffff R14: 00007fe54dd316d4 R15: 0000000000000000
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 8551 Comm: syz-executor4 Not tainted 4.15.0-rc6-next-20180102+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x137/0x198 lib/dump_stack.c:53
 handle_userfault+0x744/0x1750 fs/userfaultfd.c:430
 do_anonymous_page mm/memory.c:3171 [inline]
 handle_pte_fault mm/memory.c:3945 [inline]
 __handle_mm_fault+0x2fc5/0x3210 mm/memory.c:4071
 handle_mm_fault+0x305/0x840 mm/memory.c:4108
 __do_page_fault+0x59e/0xca0 arch/x86/mm/fault.c:1429
 do_page_fault+0x78/0x490 arch/x86/mm/fault.c:1504
 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1243
RIP: 0010:fault_in_pages_readable include/linux/pagemap.h:601 [inline]
RIP: 0010:iov_iter_fault_in_readable+0x1a7/0x410 lib/iov_iter.c:421
RSP: 0018:ffff8801c8507a08 EFLAGS: 00010246
RAX: 0000000000010000 RBX: 0000000020011fd2 RCX: ffffffff821c64c1
RDX: 00000000000000c7 RSI: ffffc90002510000 RDI: ffff8801c8507d30
RBP: ffff8801c8507ae8 R08: 0000000000000000 R09: 0000000000000003
R10: ffff8801c8507be0 R11: 0000000000000001 R12: 1ffff100390a0f44
R13: ffff8801c8507ac0 R14: 0000000000000000 R15: ffff8801c8507d28
 generic_perform_write+0x195/0x4a0 mm/filemap.c:3128
 __generic_file_write_iter+0x366/0x5b0 mm/filemap.c:3263
 generic_file_write_iter+0x2f0/0x630 mm/filemap.c:3291
 call_write_iter include/linux/fs.h:1775 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x550/0x740 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xd4/0x1a0 fs/read_write.c:581
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x452ac9
RSP: 002b:00007fe54dd30c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000000000030 RSI: 0000000020011fd2 RDI: 0000000000000014
RBP: 00000000000005f6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6fb0
R13: 00000000ffffffff R14: 00007fe54dd316d4 R15: 0000000000000000
dccp_invalid_packet: P.Data Offset(104) too large
dccp_invalid_packet: P.Data Offset(104) too large
audit: type=1326 audit(1514913110.173:300): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8723 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514913110.177:301): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8723 comm="syz-executor4" exe="/root/syz-executor4" sig=0 arch=c000003e syscall=37 compat=0 ip=0x452ac9 code=0x7ffc0000
device syz6 entered promiscuous mode
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 'syz-executor3': attribute type 27 has an invalid length.
netlink: 'syz-executor3': attribute type 27 has an invalid length.