syzbot


BUG: using __this_cpu_read() in preemptible code in ipcomp6_init_state

Status: auto-closed as invalid on 2019/02/22 13:49
First crash: 2017/12/22, last: 2017/12/30 (shown on the page as 2309d and 2300d before capture)

Sample crash report:
netlink: 21 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 9792:9802 ERROR: BC_REGISTER_LOOPER called without request
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/9810
binder: send failed reply for transaction 90 to 9792:9811
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 9792:9802 ERROR: BC_REGISTER_LOOPER called without request
binder: release 9792:9811 transaction 92 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 92, target dead
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 9810 Comm: syz-executor4 Not tainted 4.9.73-gf3f3457 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b053f6c8 ffffffff81d922b9 0000000000000000 ffffffff83c17a00
 ffffffff83f444c0 ffff8801c6fce000 0000000000000003 ffff8801b053f708
 ffffffff81df9294 ffff8801b053f720 ffffffff83f444c0 dffffc0000000000
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81df9294>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [<ffffffff81df92fc>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
9pnet_virtio: no channels available for device H
[device name continues as a run of "H" bytes, printed one per line in the console output; collapsed here]
9pnet_virtio: no channels available for device H

 [<ffffffff833f9388>] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [<ffffffff833f9388>] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [<ffffffff8350f175>] ipcomp6_init_state+0xb5/0x820 net/ipv6/ipcomp6.c:165
 [<ffffffff833d7a77>] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [<ffffffff833d81da>] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [<ffffffff83571d39>] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [<ffffffff83571d39>] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [<ffffffff835697de>] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [<ffffffff8356b089>] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [<ffffffff82ed4baa>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed4baa>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed67a1>] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
 [<ffffffff82ed87d6>] __sys_sendmsg+0xd6/0x190 net/socket.c:2003
 [<ffffffff82ed88bd>] SYSC_sendmsg net/socket.c:2014 [inline]
 [<ffffffff82ed88bd>] SyS_sendmsg+0x2d/0x50 net/socket.c:2010
 [<ffffffff838af585>] entry_SYSCALL_64_fastpath+0x23/0xc6
audit: type=1400 audit(1514645554.594:36): avc:  denied  { attach_queue } for  pid=9888 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=tun_socket permissive=1
device lo entered promiscuous mode
binder: 10035:10046 got new transaction with bad transaction stack, transaction 94 has target 10035:10036
binder: 10035:10046 transaction failed 29201/-71, size 0-0 line 3031
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10035:10051 ioctl 40046207 0 returned -16
binder_alloc: 10035: binder_alloc_buf, no vma
binder: 10035:10046 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 10035:10036 transaction 94 in, still active
binder: send failed reply for transaction 94 to 10035:10046
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
nla_parse: 4 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10149:10154 ioctl 40046207 0 returned -16
binder_alloc: 10149: binder_alloc_buf, no vma
binder: 10149:10182 transaction failed 29189/-3, size 0-0 line 3127
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 10149:10154 BC_FREE_BUFFER u0000000020000000 no match
binder_alloc: 10149: binder_alloc_buf, no vma
binder: 10149:10154 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 10149:10154 transaction 99 out, still active
binder: release 10149:10154 transaction 98 in, still active
binder: undelivered TRANSACTION_COMPLETE
binder: release 10149:10175 transaction 98 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 99, target dead
binder: send failed reply for transaction 98, target dead
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10267 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10267 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10267 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10275 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10275 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=10276 comm=syz-executor7
audit: type=1400 audit(1514645556.104:37): avc:  denied  { bind } for  pid=10277 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10312 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10312 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10312 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=10312 comm=syz-executor2
binder: 10390:10395 ioctl c0306201 200cd000 returned -14
tc_dump_action: action bad kind
tc_dump_action: action bad kind
device syz6 entered promiscuous mode
device syz4 entered promiscuous mode
netlink: 21 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 21 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1401 audit(1514645558.084:38): op=fscreate invalid_context=36A8475A00000000000000000000000000000000000000
tc_dump_action: action bad kind
tc_dump_action: action bad kind
9pnet_virtio: no channels available for device @ @ @ [device name is a long run of "@ " pairs; truncated here]
9pnet_virtio: no channels available for device @ @ @ [device name is a long run of "@ " pairs; truncated here]
device gre0 entered promiscuous mode
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
audit: type=1400 audit(1514645558.584:39): avc:  denied  { getopt } for  pid=11009 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 11042:11044 BC_FREE_BUFFER u000000002011a000 no match
binder: 11042:11044 ERROR: BC_REGISTER_LOOPER called without request
binder: 11042:11044 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 11042:11044 ioctl 4c03 20009f68 returned -22
binder: 11042:11044 transaction failed 29201/-22, size 0-0 line 3127
binder_alloc: binder_alloc_mmap_handler: 11042 2011a000-2051a000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11042:11044 ioctl 40046207 0 returned -16
binder: 11042:11044 BC_FREE_BUFFER u000000002011a000 no match
binder: 11042:11044 ERROR: BC_REGISTER_LOOPER called without request
binder: 11042:11044 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 11042:11051 ioctl 4c03 20009f68 returned -22
binder_alloc: 11042: binder_alloc_buf, no vma
binder: 11042:11044 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 11140: binder_alloc_buf, no vma
binder: 11140:11142 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11140:11155 ioctl 40046207 0 returned -16
binder_alloc: 11140: binder_alloc_buf, no vma
binder: 11140:11159 transaction failed 29189/-3, size 0-0 line 3127
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 11416:11423 BC_FREE_BUFFER u0000000020000000 matched unreturned buffer
binder_alloc: 11416:11434 FREE_BUFFER u0000000020000000 user freed buffer twice
binder: 11416:11434 BC_FREE_BUFFER u0000000020000000 no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11416:11448 ioctl 40046207 0 returned -16
binder_alloc: 11416: binder_alloc_buf, no vma
binder: 11416:11449 transaction failed 29189/-3, size 0-0 line 3127
binder: 11416:11450 BC_FREE_BUFFER u0000000020000000 no match
binder: 11416:11450 BC_FREE_BUFFER u0000000020000000 no match
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 11416:11423 transaction 109 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 109, target dead
IPVS: Creating netns size=2536 id=10
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 11625 Comm: syz-executor1 Not tainted 4.9.73-gf3f3457 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d7af3000 task.stack: ffff8801bc870000
RIP: 0010:[<ffffffff8144d081>]  [<ffffffff8144d081>] __read_once_size include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff8144d081>]  [<ffffffff8144d081>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:[<ffffffff8144d081>]  [<ffffffff8144d081>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP: 0010:[<ffffffff8144d081>]  [<ffffffff8144d081>] put_page_testzero include/linux/mm.h:450 [inline]
RIP: 0010:[<ffffffff8144d081>]  [<ffffffff8144d081>] __free_pages+0x21/0x80 mm/page_alloc.c:3903
RSP: 0018:ffff8801bc8779b0  EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: dead4ead00000000 RCX: ffffffff82664f9b
RDX: 1bd5a9d5a0000003 RSI: 0000000000000002 RDI: dead4ead0000001c
RBP: ffff8801bc8779c0 R08: 0000000048000000 R09: 0000000000001e30
R10: 0000000000002100 R11: ffff8801d7af3000 R12: 0000000000000004
R13: 0000000000000020 R14: ffff8801d85c8000 R15: dffffc0000000000
FS:  00007f03e60ec700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020a13000 CR3: 00000001c316c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000001 ffff8801d85c8158 ffff8801bc877a20 ffffffff82664fc1
 ffff8801d85c8170 ffffed003b0b902b ffffed003b0b902e ffff8801d85c8168
 dead4ead00000000 ffff8801d85c8140 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff82664fc1>] sg_remove_scat.isra.19+0x1c1/0x2d0 drivers/scsi/sg.c:1954
 [<ffffffff82665385>] sg_finish_rem_req+0x2b5/0x340 drivers/scsi/sg.c:1836
 [<ffffffff8266559d>] sg_new_read.isra.20+0x18d/0x3e0 drivers/scsi/sg.c:567
 [<ffffffff8266703d>] sg_read+0x8bd/0x1440 drivers/scsi/sg.c:456
 [<ffffffff8156a4e1>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff8156e350>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff8156e350>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff8156e604>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8156e726>] do_readv+0xe6/0x250 fs/read_write.c:924
 [<ffffffff81571c17>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff81571c17>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff838af585>] entry_SYSCALL_64_fastpath+0x23/0xc6
Code: e9 27 fc ff ff 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 53 48 89 fb 48 83 c7 1c 48 89 fa 48 83 ec 08 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 3d 
RIP  [<ffffffff8144d081>] __read_once_size include/linux/compiler.h:243 [inline]
RIP  [<ffffffff8144d081>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP  [<ffffffff8144d081>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP  [<ffffffff8144d081>] put_page_testzero include/linux/mm.h:450 [inline]
RIP  [<ffffffff8144d081>] __free_pages+0x21/0x80 mm/page_alloc.c:3903
 RSP <ffff8801bc8779b0>
---[ end trace b4a314c499343879 ]---
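
The console log above interleaves two unrelated splats from two different fuzzer processes: the DEBUG_PREEMPT warning this entry is titled after (PID 9810, syz-executor4, reached from pfkey_add through ipcomp6_init_state into ipcomp_alloc_tfms) and a later general protection fault in the sg driver (PID 11625, syz-executor1, faulting in __free_pages under sg_remove_scat). Binder, 9pnet, audit and SELinux noise is printed between the reports and even in the middle of the first call trace. The script below is an added example for triaging a log of this 4.9-era format; it is not syzbot's or syzkaller's code. It splits the log into reports, keeps only the stack frames, and names a culprit frame by skipping lib/, include/ and page-allocator frames. That skip list is a simplification assumed for this example; syzkaller's own heuristics differ (they titled this entry on ipcomp6_init_state rather than on ipcomp_alloc_tfms). The embedded input is an excerpt of the report above.

```python
"""Split a syzbot console log into separate crash reports and pick a culprit frame.
Added triage example; not syzbot's or syzkaller's own parser."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Lines that open a new kernel report (a subset of the headers syzkaller recognises).
START_RE = re.compile(r"^(BUG: |WARNING: |general protection fault: |kernel BUG at |unable to handle kernel )")
END_RE = re.compile(r"^---\[ end trace ")
CPU_RE = re.compile(r"^CPU: \d+ PID: (\d+) Comm: (\S+)")
# A 4.9-era frame: " [<addr>] func+0xoff/0xlen path/file.c:123 [inline]", also in "RIP: 0010:[<addr>]" form.
FRAME_RE = re.compile(
    r"^\s*(?:RIP(?::\s*[0-9a-f]+:)?\s*)?\[<[0-9a-f]+>\]\s+(?:\[<[0-9a-f]+>\]\s+)?"
    r"(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)(\s+\[inline\])?"
)
# Heuristic assumed for this example (not syzkaller's list): generic helpers and the page
# allocator show where a bad pointer was consumed, not which subsystem produced it.
SKIP_PREFIXES = ("lib/", "include/", "arch/x86/include/", "mm/page_alloc.c")


@dataclass
class Report:
    kind: str                                   # normalised header, e.g. "general protection fault"
    pid: Optional[int] = None
    comm: Optional[str] = None
    frames: List[Tuple[str, str, bool]] = field(default_factory=list)   # (func, file:line, inline?)

    def culprit(self) -> Optional[Tuple[str, str]]:
        """First frame outside the skipped helper code, in printed order (RIP frames first)."""
        for func, loc, _inline in self.frames:
            if not loc.startswith(SKIP_PREFIXES):
                return func, loc
        return None

    def title(self) -> str:
        c = self.culprit()
        return f"{self.kind} in {c[0]}" if c else self.kind


def short_kind(header: str) -> str:
    """Reduce a header line to the bug class: drop preempt count, comm/pid and fault flags."""
    header = re.sub(r"\s\[[0-9a-f]{8}\]", "", header)       # "[00000000]" preempt count
    header = re.sub(r" code: \S+$", " code", header)         # trailing "comm/pid"
    header = re.sub(r": \d{4} \[#\d+\].*$", "", header)      # GPF error code and flags
    return header.strip()


def canon(func: str) -> str:
    """Strip compiler clone suffixes such as sg_remove_scat.isra.19."""
    return re.sub(r"\.(isra|part|constprop|cold)\.\d+$", "", func)


def parse_console_log(text: str) -> List[Report]:
    reports: List[Report] = []
    cur: Optional[Report] = None
    for line in text.splitlines():
        if START_RE.match(line):
            cur = Report(kind=short_kind(line))
            reports.append(cur)
            continue
        if cur is None:
            continue                                          # noise outside any report
        if END_RE.match(line):
            cur = None
            continue
        m = CPU_RE.match(line)
        if m and cur.pid is None:
            cur.pid, cur.comm = int(m.group(1)), m.group(2)
            continue
        m = FRAME_RE.match(line)
        if m:                                                 # binder/9pnet/audit lines fall through
            cur.frames.append((canon(m.group(1)), m.group(2), bool(m.group(3))))
    return reports


# Excerpt of the console log in the report above; noise lines are kept on purpose.
SAMPLE_LOG = """\
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/9810
binder: send failed reply for transaction 90 to 9792:9811
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 9810 Comm: syz-executor4 Not tainted 4.9.73-gf3f3457 #1
Call Trace:
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81df9294>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [<ffffffff81df92fc>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
9pnet_virtio: no channels available for device H
 [<ffffffff833f9388>] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [<ffffffff833f9388>] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [<ffffffff8350f175>] ipcomp6_init_state+0xb5/0x820 net/ipv6/ipcomp6.c:165
 [<ffffffff83571d39>] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [<ffffffff838af585>] entry_SYSCALL_64_fastpath+0x23/0xc6
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 11625 Comm: syz-executor1 Not tainted 4.9.73-gf3f3457 #1
RIP: 0010:[<ffffffff8144d081>]  [<ffffffff8144d081>] __read_once_size include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff8144d081>]  [<ffffffff8144d081>] __free_pages+0x21/0x80 mm/page_alloc.c:3903
Call Trace:
 [<ffffffff82664fc1>] sg_remove_scat.isra.19+0x1c1/0x2d0 drivers/scsi/sg.c:1954
 [<ffffffff82665385>] sg_finish_rem_req+0x2b5/0x340 drivers/scsi/sg.c:1836
---[ end trace b4a314c499343879 ]---
"""

if __name__ == "__main__":
    for r in parse_console_log(SAMPLE_LOG):
        print(f"{r.title()}  (pid {r.pid}, {r.comm})  culprit={r.culprit()}")
```

Run stand-alone it prints one line per report, which makes the point of the exercise visible: the sg fault is a separate bug in a separate process, and should be triaged on its own rather than attributed to the xfrm warning the entry is named after.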

Crashes (2):

Time              Kernel                                                      Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets  Manager                  Title
2017/12/30 14:52  https://android.googlesource.com/kernel/common android-4.9  f3f3457d4582  bb6384b8   .config  console log  report  -          -        -        -       ci-android-49-kasan-gce  -
2017/12/22 11:13  https://android.googlesource.com/kernel/common android-4.9  250637879165  81fe66b4   .config  console log  report  -          -        -        -       ci-android-49-kasan-gce  -

No syzkaller or C reproducer was recorded for either crash.