syzbot

CPU: 0 PID: 9088 Comm: syz-executor6 Not tainted 4.4.120-gd63fdf6 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 56d0f6a324ca922e ffff8801c3887970 ffffffff81d0408d
 ffff8800af320600 1ffff10038710f3b ffff8801c3887af8[   61.510406] BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor5/9119
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 0000000000000000
 0000000000000000 ffff8801c3887b20 ffffffff81607305 ffffffff81237410
Call Trace:
 [<ffffffff81d0408d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0408d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81607305>] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
 [<ffffffff814a2d88>] do_anonymous_page mm/memory.c:2731 [inline]
 [<ffffffff814a2d88>] handle_pte_fault mm/memory.c:3295 [inline]
 [<ffffffff814a2d88>] __handle_mm_fault mm/memory.c:3426 [inline]
 [<ffffffff814a2d88>] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
 [<ffffffff810dc6cb>] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
 [<ffffffff810dcd97>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
 [<ffffffff83774d88>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
 [<ffffffff8377395f>] entry_SYSCALL_64_fastpath+0x1c/0x98
CPU: 1 PID: 9119 Comm: syz-executor5 Not tainted 4.4.120-gd63fdf6 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 9477f83be79f41ba ffff8800adc9f638 ffffffff81d0408d
 0000000000000001 ffffffff839fe5a0 ffffffff83cefc20 ffff8800b4e28000
 0000000000000003 ffff8800adc9f678 ffffffff81d63fe4 ffff8801d0a9e848
Call Trace:
 [<ffffffff81d0408d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0408d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81d63fe4>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [<ffffffff81d6404c>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [<ffffffff8312b439>] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
 [<ffffffff831335b7>] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
 [<ffffffff8314ae8b>] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
 [<ffffffff831220ef>] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
 [<ffffffff831d7d4c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
 [<ffffffff82deba6a>] sock_sendmsg_nosec net/socket.c:625 [inline]
 [<ffffffff82deba6a>] sock_sendmsg+0xca/0x110 net/socket.c:635
 [<ffffffff82debcd6>] sock_write_iter+0x226/0x3b0 net/socket.c:834
 [<ffffffff8151e0b8>] do_iter_readv_writev+0x138/0x1e0 fs/read_write.c:664
 [<ffffffff8151f852>] do_readv_writev+0x2d2/0x6e0 fs/read_write.c:808
 [<ffffffff8151fd8b>] vfs_writev+0x7b/0xb0 fs/read_write.c:847
 [<ffffffff81522249>] SYSC_writev fs/read_write.c:880 [inline]
 [<ffffffff81522249>] SyS_writev+0xd9/0x240 fs/read_write.c:872
 [<ffffffff8377395f>] entry_SYSCALL_64_fastpath+0x1c/0x98
SELinux:  unknown mount option
audit: type=1400 audit(1521587910.275:22): avc:  denied  { setattr } for  pid=9197 comm="syz-executor0" name="NETLINK" dev="sockfs" ino=20670 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 9322:9325 BC_CLEAR_DEATH_NOTIFICATION invalid ref 536870913
binder: 9322:9325 unknown command 1873765532
binder: 9322:9325 ioctl c0306201 20000100 returned -22
binder: 9322:9330 BC_CLEAR_DEATH_NOTIFICATION invalid ref 536870913
binder: 9322:9330 unknown command 1873765532
binder: 9322:9330 ioctl c0306201 20000100 returned -22
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
binder_alloc: binder_alloc_mmap_handler: 9436 20000000-20002000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 9436 20000000-20002000 already mapped failed -16
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=39846 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=39846 sclass=netlink_route_socket
netlink: 64 bytes leftover after parsing attributes in process `syz-executor1'.
kasan: CONFIG_KASAN_INLINE enabled
IPVS: length: 542594606 != 24
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 9752 Comm: syz-executor3 Not tainted 4.4.120-gd63fdf6 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800b10bc800 task.stack: ffff8800b3d78000
RIP: 0010:[<ffffffff81434701>]  [<ffffffff81434701>] __read_once_size include/linux/compiler.h:218 [inline]
RIP: 0010:[<ffffffff81434701>]  [<ffffffff81434701>] atomic_read arch/x86/include/asm/atomic.h:27 [inline]
RIP: 0010:[<ffffffff81434701>]  [<ffffffff81434701>] put_page_testzero include/linux/mm.h:357 [inline]
RIP: 0010:[<ffffffff81434701>]  [<ffffffff81434701>] __free_pages+0x21/0x90 mm/page_alloc.c:3365
RSP: 0018:ffff8800b3d7fab0  EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: dead4ead00000000 RCX: ffffffff825b85eb
RDX: 1bd5a9d5a0000003 RSI: 0000000000000001 RDI: dead4ead0000001c
RBP: ffff8800b3d7fac0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004
R13: 0000000000000020 R14: ffff8801c7a8c200 R15: dffffc0000000000
FS:  00007f87552a2700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000180 CR3: 00000000b2668000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000000 ffff8801c7a8c358 ffff8800b3d7fb20 ffffffff825b8611
 ffff8801c7a8c370 ffffed0038f5186b ffffed0038f5186e ffff8801c7a8c368
 dead4ead00000000 ffff8801c7a8c340 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff825b8611>] sg_remove_scat.isra.17+0x1c1/0x2d0 drivers/scsi/sg.c:1954
 [<ffffffff825b89d5>] sg_finish_rem_req+0x2b5/0x340 drivers/scsi/sg.c:1835
 [<ffffffff825b8a99>] sg_new_read.isra.18+0x39/0x3c0 drivers/scsi/sg.c:577
 [<ffffffff825ba6fc>] sg_read+0x8bc/0x1490 drivers/scsi/sg.c:466
 [<ffffffff8151cf33>] __vfs_read+0x103/0x440 fs/read_write.c:432
 [<ffffffff8151edd3>] vfs_read+0x123/0x3a0 fs/read_write.c:454
 [<ffffffff81521719>] SYSC_read fs/read_write.c:569 [inline]
 [<ffffffff81521719>] SyS_read+0xd9/0x1b0 fs/read_write.c:562
 [<ffffffff8377395f>] entry_SYSCALL_64_fastpath+0x1c/0x98
Code: c6 a0 0c 00 e9 78 fd ff ff 90 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 53 48 89 fb 48 83 c7 1c 48 89 fa 48 83 ec 08 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 49 
RIP  [<ffffffff81434701>] __read_once_size include/linux/compiler.h:218 [inline]
RIP  [<ffffffff81434701>] atomic_read arch/x86/include/asm/atomic.h:27 [inline]
RIP  [<ffffffff81434701>] put_page_testzero include/linux/mm.h:357 [inline]
RIP  [<ffffffff81434701>] __free_pages+0x21/0x90 mm/page_alloc.c:3365
 RSP <ffff8800b3d7fab0>
---[ end trace f5da2aa3488c37d9 ]---