syzbot


BUG: using __this_cpu_read() in preemptible [ADDR] code: syz-executor (2)

Status: closed as invalid on 2017/12/12 15:26
First crash: 2536d, last: 2536d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-44 BUG: using __this_cpu_read() in preemptible [ADDR] code: syz-executor 124 2536d 2536d 0/2 closed as invalid on 2017/12/12 13:26
android-49 BUG: using __this_cpu_read() in preemptible [ADDR] code: syz-executor 1213 2536d 2536d 0/3 closed as invalid on 2017/12/12 13:35

Sample crash report:
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor7/6729
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 6729 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d5eef6d8 ffffffff81d90889 0000000000000000 ffffffff83c17800
 ffffffff83f42ec0 ffff8801aed31800 0000000000000003 ffff8801d5eef718
 ffffffff81df7854 ffff8801d5eef730 ffffffff83f42ec0[   45.871305] tc_dump_action: action bad kind
 dffffc0000000000Call Trace:
 [<ffffffff81d90889>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90889>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81df7854>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [<ffffffff81df78bc>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
tc_dump_action: action bad kind
 [<ffffffff833f3f78>] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [<ffffffff833f3f78>] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [<ffffffff83360470>] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [<ffffffff833d2677>] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [<ffffffff833d2dda>] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [<ffffffff8356cb49>] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [<ffffffff8356cb49>] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [<ffffffff835645ee>] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [<ffffffff83565e99>] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [<ffffffff82ecfb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ecfb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed1791>] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [<ffffffff82ed37c6>] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [<ffffffff82ed38ad>] SYSC_sendmsg net/socket.c:2013 [inline]
 [<ffffffff82ed38ad>] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [<ffffffff838aa9c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
nla_parse: 60 callbacks suppressed
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor3'.
mmap: syz-executor3 (7136): VmData 35430400 exceed data ulimit 127. Update limits or use boot option ignore_rlimit_data.
audit: type=1400 audit(1513087834.774:33): avc:  denied  { create } for  pid=7168 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
audit: type=1400 audit(1513087835.824:34): avc:  denied  { getattr } for  pid=7409 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
devpts: called with bogus options
devpts: called with bogus options
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=57618 sclass=netlink_route_socket pig=7936 comm=syz-executor3
devpts: called with bogus options
devpts: called with bogus options
devpts: called with bogus options
devpts: called with bogus options
audit: type=1400 audit(1513087838.054:35): avc:  denied  { create } for  pid=8018 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_scsitransport_socket permissive=1
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
sock: process `syz-executor6' is using obsolete setsockopt SO_BSDCOMPAT
sd 0:0:1:0: [sg0] tag#186 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#186 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#186 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#186 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#186 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#186 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#245 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#245 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#245 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#245 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#245 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#245 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8 sclass=netlink_route_socket pig=8456 comm=syz-executor5
nla_parse: 71 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8 sclass=netlink_route_socket pig=8456 comm=syz-executor5
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=8597 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=8619 comm=syz-executor2
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 9 bytes leftover after parsing attributes in process `syz-executor1'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor1'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder: 9154:9157 ERROR: BC_REGISTER_LOOPER called without request
binder: 9154:9168 BC_FREE_BUFFER u0000000000000000 no match
audit: type=1400 audit(1513087842.594:36): avc:  denied  { setopt } for  pid=9170 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 9154:9168 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 9154:9157 unknown command 0
binder: 9154:9168 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 9154:9168 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 9154:9187 got reply transaction with bad transaction stack, transaction 36 has target 9154:9157
binder: 9154:9187 transaction failed 29201/-71, size 32-8 line 2938
binder: 9154:9157 ioctl c0306201 2000a000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9154:9168 ioctl 40046207 0 returned -16
binder: 9154:9168 ERROR: BC_REGISTER_LOOPER called without request
binder: release 9154:9157 transaction 36 in, still active
binder: send failed reply for transaction 36 to 9154:9187
binder: undelivered TRANSACTION_COMPLETE
binder: 9154:9168 BC_FREE_BUFFER u0000000000000000 no match
binder: 9154:9168 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 9154:9168 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 9154:9168 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 9154:9187 transaction failed 29189/-22, size 0-0 line 3007
binder: 9154:9157 ioctl c0306201 2000a000 returned -14
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
device syz0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29189

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/12/12 14:10 https://android.googlesource.com/kernel/common android-4.9 fb66dc2a6e5e 32f694fc .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.