================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801d63be908 BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801d63be908 BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801d63be908 BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801d63be908 BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801d63be908 BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801d63be908 Read of size 8 by task syz-executor1/4923 CPU: 0 PID: 4923 Comm: syz-executor1 Not tainted 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d9ba7d88 ffffffff81d91589 ffff8801da155140 ffff8801d63be8b8 ffff8801d63be970 ffffed003ac77d21 ffff8801d63be908 ffff8801d9ba7db0 ffffffff8153c1bc ffffed003ac77d21 ffff8801da155140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] static_key_count include/linux/jump_label.h:174 [inline] [] static_key_false include/linux/jump_label.h:184 [inline] [] perf_sw_event include/linux/perf_event.h:1039 [inline] [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 Object at ffff8801d63be8b8, in cache vm_area_struct size: 184 Allocated: PID = 4923 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xba/0x290 mm/slub.c:2728 kmem_cache_zalloc include/linux/slab.h:626 [inline] mmap_region+0x587/0xfd0 mm/mmap.c:1662 do_mmap+0x57b/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2014 [inline] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 4934 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 remove_vma+0x11d/0x160 mm/mmap.c:175 remove_vma_list mm/mmap.c:2482 [inline] do_munmap+0x7ff/0xeb0 mm/mmap.c:2705 mmap_region+0x14d/0xfd0 mm/mmap.c:1635 do_mmap+0x57b/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2014 [inline] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801d63be800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc ffff8801d63be880: fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb >ffff8801d63be900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc ^ ffff8801d63be980: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb ffff8801d63bea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== device lo entered promiscuous mode qtaguid: iface_stat: create(lo): no inet dev qtaguid: iface_stat: create6(lo): no inet dev IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready qtaguid: iface_stat: create6(lo): no inet dev binder: 5011:5016 ioctl 8906 20b4a000 returned -22 binder: 5011:5023 ioctl 8906 20b4a000 returned -22 device gre0 entered promiscuous mode device gre0 entered promiscuous mode sock: sock_set_timeout: `syz-executor5' (pid 5278) tries to set negative timeout device gre0 entered promiscuous mode device gre0 left promiscuous mode device gre0 entered promiscuous mode Empty option to dns_resolver key Empty option to dns_resolver key binder: 5405:5412 ioctl 5402 20e5d000 returned -22 binder: 5405:5412 ioctl 5402 20e5d000 returned -22 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket pig=5448 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket pig=5462 comm=syz-executor2 binder: 5485:5486 ioctl 5606 4 returned -22 binder: 5634:5636 ioctl 5402 20f52000 returned -22 binder: 5634:5636 ioctl 4b36 0 returned -22 FAULT_FLAG_ALLOW_RETRY missing 30 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 5679 Comm: syz-executor5 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c6b0f930 ffffffff81d91589 ffff8801c6b0fc10 0000000000000000 ffff8801a9981c10 ffff8801c6b0fb00 ffff8801a9981b00 ffff8801c6b0fb28 ffffffff8165fe47 ffff8801ce1ab000 ffff8801c6b0fa80 00000001ccece067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 5679 Comm: syz-executor5 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c6b0f900 ffffffff81d91589 ffff8801c6b0fbe0 0000000000000000 ffff8801a9981c10 ffff8801c6b0fad0 ffff8801a9981b00 ffff8801c6b0faf8 ffffffff8165fe47 0000000000000000 ffff8801c6b0fa50 00000001ccece067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] copy_from_user arch/x86/include/asm/uaccess.h:693 [inline] [] SYSC_timerfd_settime fs/timerfd.c:542 [inline] [] SyS_timerfd_settime+0xb0/0x190 fs/timerfd.c:535 [] entry_SYSCALL_64_fastpath+0x23/0xc6 capability: warning: `syz-executor6' uses deprecated v2 capabilities in a way that may be insecure CPU: 0 PID: 5681 Comm: syz-executor5 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cb767920 ffffffff81d91589 ffff8801cb767c00 0000000000000000 ffff8801a9981c10 ffff8801cb767af0 ffff8801a9981b00 ffff8801cb767b18 ffffffff8165fe47 1ffff100396ecf30 ffff8801cb767a70 00000001ccece067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 device gre0 entered promiscuous mode binder: 5899:5905 ioctl 4b44 20ad2000 returned -22 binder: 5899:5905 ioctl 4b3a 9 returned -22 IPv6: Can't replace route, no match found binder: 5899:5920 ioctl 4b44 20ad2000 returned -22 binder: 5899:5920 ioctl 4b3a 9 returned -22 IPv6: Can't replace route, no match found binder: 5971:5972 ioctl 8010aa02 20e3dff0 returned -22 binder: 5971:5972 ioctl 8010aa02 20e3dff0 returned -22 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=9 sclass=netlink_audit_socket pig=6041 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=6041 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=6041 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=6041 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=6041 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=6041 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=6041 comm=syz-executor6 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=6041 comm=syz-executor6 sd 0:0:1:0: [sg0] tag#188 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK binder: 6182:6186 ioctl 5609 208daffa returned -22 binder: 6182:6186 ioctl 408c5333 205c5000 returned -22 IPv6: NLM_F_CREATE should be specified when creating new route binder: 6182:6186 ioctl 5609 208daffa returned -22 binder: 6182:6186 ioctl 408c5333 205c5000 returned -22 sd 0:0:1:0: [sg0] tag#188 CDB: Test Unit Ready sd 0:0:1:0: [sg0] tag#188 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#188 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#188 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#188 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00 device gre0 entered promiscuous mode binder: 6230:6238 ioctl c08c5335 209dcf74 returned -22 nla_parse: 15 callbacks suppressed netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'. binder: 6230:6264 ioctl 80084502 2099ffaa returned -22 binder: 6230:6279 ioctl c08c5335 209dcf74 returned -22 device gre0 entered promiscuous mode binder: 6230:6279 ioctl 80084502 2099ffaa returned -22 sg_write: data in/out 65500/34 bytes for SCSI command 0xfe-- guessing data in; program syz-executor2 not setting count and/or reply_len properly device gre0 entered promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'. IPv6: NLM_F_REPLACE set, but no existing node found! device gre0 entered promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'. IPv6: NLM_F_REPLACE set, but no existing node found! IPv6: Can't replace route, no match found sg_write: data in/out 65500/34 bytes for SCSI command 0xfe-- guessing data in; program syz-executor7 not setting count and/or reply_len properly netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'. IPv6: Can't replace route, no match found netlink: 6 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'. binder: 6450:6453 ioctl 541c 20dd8ff4 returned -22 binder: 6450:6462 ioctl 541c 20dd8ff4 returned -22 netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. FAULT_FLAG_ALLOW_RETRY missing 30 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 6492 Comm: syz-executor1 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c91f75a0 ffffffff81d91589 ffff8801c91f7880 0000000000000000 ffff8801a9980d10 ffff8801c91f7770 ffff8801a9980c00 ffff8801c91f7798 ffffffff8165fe47 0000000000000000 ffff8801c91f76f0 00000001a752c067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] inet_ioctl+0xf2/0x1c0 net/ipv4/af_inet.c:873 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x10c0 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 6480 Comm: syz-executor1 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d8fff980 ffffffff81d91589 ffff8801d8fffc60 0000000000000000 ffff8801a9980d10 ffff8801d8fffb50 ffff8801a9980c00 ffff8801d8fffb78 ffffffff8165fe47 ffffffff812dca20 ffff8801d8fffad0 00000001a752c067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] strndup_user+0x28/0xb0 mm/util.c:160 [] copy_mount_string fs/namespace.c:2746 [inline] [] SYSC_mount fs/namespace.c:3035 [inline] [] SyS_mount+0x3c/0x120 fs/namespace.c:3027 [] entry_SYSCALL_64_fastpath+0x23/0xc6 CPU: 0 PID: 6508 Comm: syz-executor1 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801ca9675a0 ffffffff81d91589 ffff8801ca967880 0000000000000000 ffff8801a9980d10 ffff8801ca967770 ffff8801a9980c00 ffff8801ca967798 ffffffff8165fe47 0000000000000000 ffff8801ca9676f0 00000001a752c067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] inet_ioctl+0xf2/0x1c0 net/ipv4/af_inet.c:873 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x10c0 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 device lo entered promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 6521 Comm: syz-executor1 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d6aaf5a0 ffffffff81d91589 ffff8801d6aaf880 0000000000000000 ffff8801a9980b90 ffff8801d6aaf770 ffff8801a9980a80 ffff8801d6aaf798 ffffffff8165fe47 0000000041b58ab3 ffff8801d6aaf6f0 00000001d99d3067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] inet_ioctl+0xf2/0x1c0 net/ipv4/af_inet.c:873 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x10c0 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 6480 Comm: syz-executor1 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d8fff5a0 ffffffff81d91589 ffff8801d8fff880 0000000000000000 ffff8801a9980b90 ffff8801d8fff770 ffff8801a9980a80 ffff8801d8fff798 ffffffff8165fe47 ffffffff815382a2 ffff8801d8fff6f0 00000001d99d3067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] inet_ioctl+0xf2/0x1c0 net/ipv4/af_inet.c:873 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x10c0 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 0 PID: 6492 Comm: syz-executor1 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c91f7980 ffffffff81d91589 ffff8801c91f7c60 0000000000000000 ffff8801a9980b90 ffff8801c91f7b50 ffff8801a9980a80 ffff8801c91f7b78 ffffffff8165fe47 ffffffff812dca20 ffff8801c91f7ad0 00000001d99d3067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] strndup_user+0x28/0xb0 mm/util.c:160 [] copy_mount_string fs/namespace.c:2746 [inline] [] SYSC_mount fs/namespace.c:3035 [inline] [] SyS_mount+0x3c/0x120 fs/namespace.c:3027 [] entry_SYSCALL_64_fastpath+0x23/0xc6 binder: 6628:6632 ioctl 40bc5311 203c8000 returned -22 netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'. binder: 6659:6661 ioctl 5402 20000fec returned -22 device gre0 entered promiscuous mode device gre0 left promiscuous mode binder: 6659:6661 ioctl 5402 20000fec returned -22 device gre0 entered promiscuous mode device gre0 left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode binder: 6690:6691 ioctl 5417 20e32000 returned -22 binder: 6690:6696 ioctl 5417 20e32000 returned -22 device lo entered promiscuous mode device lo left promiscuous mode selinux_nlmsg_perm: 148 callbacks suppressed SELinux: unrecognized netlink message: protocol=0 nlmsg_type=6949 sclass=netlink_route_socket pig=6727 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=6949 sclass=netlink_route_socket pig=6737 comm=syz-executor7 binder: 6773:6776 ioctl 5606 4 returned -22 binder: 6792:6793 ioctl 40082404 20000ff8 returned -22 binder: 6792:6793 ioctl 4b48 20000000 returned -22 binder: 6792:6793 ioctl 40082404 20000ff8 returned -22 binder: 6792:6793 ioctl 4b48 20000000 returned -22 binder: 6773:6776 ioctl 5606 4 returned -22 keychord: unsupported version 40 device gre0 entered promiscuous mode PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex sock: sock_set_timeout: `syz-executor1' (pid 7113) tries to set negative timeout sock: sock_set_timeout: `syz-executor1' (pid 7118) tries to set negative timeout IPVS: Creating netns size=2536 id=13 FAULT_FLAG_ALLOW_RETRY missing 30 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 1 PID: 7109 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a97978b0 ffffffff81d91589 ffff8801a9797b90 0000000000000000 ffff8801a77e6710 ffff8801a9797a80 ffff8801a77e6600 ffff8801a9797aa8 ffffffff8165fe47 ffff8801a9797940 ffff8801a9797a00 00000001ca827067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 1 PID: 7093 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d0d4f890 ffffffff81d91589 ffff8801d0d4fb70 0000000000000000 ffff8801a77e6710 ffff8801d0d4fa60 ffff8801a77e6600 ffff8801d0d4fa88 ffffffff8165fe47 ffff8801da29b000 ffff8801d0d4f9e0 00000001ca827067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] getname_flags+0x10e/0x580 fs/namei.c:148 [] getname+0x19/0x20 fs/namei.c:208 [] do_sys_open+0x21d/0x4c0 fs/open.c:1066 [] SYSC_openat fs/open.c:1099 [inline] [] SyS_openat+0x30/0x40 fs/open.c:1093 [] entry_SYSCALL_64_fastpath+0x23/0xc6 program syz-executor6 is using a deprecated SCSI ioctl, please convert it to SG_IO device lo entered promiscuous mode sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0 CPU: 0 PID: 7120 Comm: syz-executor7 Tainted: G B 4.9.61-g904c79c #86 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d61a7930 ffffffff81d91589 ffff8801d61a7c10 0000000000000000 ffff8801a77e6710 ffff8801d61a7b00 ffff8801a77e6600 ffff8801d61a7b28 ffffffff8165fe47 0000000000000000 ffff8801d61a7a80 00000001ca827067 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads