BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/5197
syz-executor7: vmalloc: allocation failure: 8590196736 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 1 PID: 5210 Comm: syz-executor7 Not tainted 4.9.80-g8a174b47 #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801b516f880 ffffffff81d94be9 1ffff10036a2df13 ffff8801b5313000
ffffffff83ab8ea0 0000000000000001 0000000000400000 ffff8801b516f990
ffffffff81451d22 024000c200000003 0000000041b58ab3 ffffffff8419522d
Call Trace:
[<ffffffff81d94be9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d94be9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81451d22>] warn_alloc+0x212/0x240 mm/page_alloc.c:3056
[<ffffffff814ffcf5>] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
[<ffffffff814fffbb>] __vmalloc_node mm/vmalloc.c:1744 [inline]
[<ffffffff814fffbb>] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
[<ffffffff814fffbb>] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
[<ffffffff83141131>] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
[<ffffffff8351f9da>] translate_table+0x21a/0x1e80 net/ipv6/netfilter/ip6_tables.c:730
[<ffffffff835238be>] do_replace net/ipv6/netfilter/ip6_tables.c:1182 [inline]
[<ffffffff835238be>] do_ip6t_set_ctl+0x2be/0x470 net/ipv6/netfilter/ip6_tables.c:1708
[<ffffffff830a1ca7>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
[<ffffffff830a1ca7>] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
[<ffffffff8347b085>] ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:912
[<ffffffff83231892>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2740
[<ffffffff82ede275>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
[<ffffffff82edb230>] SYSC_setsockopt net/socket.c:1772 [inline]
[<ffffffff82edb230>] SyS_setsockopt+0x160/0x250 net/socket.c:1751
[<ffffffff838b34ee>] entry_SYSCALL_64_fastpath+0x29/0xe8
Mem-Info:
active_anon:56606 inactive_anon:44 isolated_anon:0
active_file:3481 inactive_file:8285 isolated_file:0
unevictable:0 dirty:61 writeback:0 unstable:0
slab_reclaimable:5405 slab_unreclaimable:59632
mapped:24145 shmem:51 pagetables:717 bounce:0
free:1473128 free_pcp:305 free_cma:0
Node 0 active_anon:226424kB inactive_anon:176kB active_file:13924kB inactive_file:33140kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:96580kB dirty:244kB writeback:0kB shmem:204kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 65536kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
DMA32 free:2979960kB min:30592kB low:38240kB high:45888kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129292kB managed:2980720kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:760kB local_pcp:712kB free_cma:0kB
Normal free:2896644kB min:36824kB low:46028kB high:55232kB active_anon:226424kB inactive_anon:176kB active_file:13924kB inactive_file:33140kB unevictable:0kB writepending:244kB present:4718592kB managed:3585212kB mlocked:0kB slab_reclaimable:21620kB slab_unreclaimable:238528kB kernel_stack:6272kB pagetables:2868kB bounce:0kB free_pcp:460kB local_pcp:392kB free_cma:0kB
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
11816 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320509 pages reserved
Mem-Info:
active_anon:53425 inactive_anon:44 isolated_anon:0
active_file:3481 inactive_file:8285 isolated_file:0
unevictable:0 dirty:61 writeback:0 unstable:0
slab_reclaimable:5405 slab_unreclaimable:59688
mapped:24070 shmem:51 pagetables:643 bounce:0
free:1476400 free_pcp:400 free_cma:0
Node 0 active_anon:213700kB inactive_anon:176kB active_file:13924kB inactive_file:33140kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:96280kB dirty:244kB writeback:0kB shmem:204kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 65536kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
DMA32 free:2979960kB min:30592kB low:38240kB high:45888kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129292kB managed:2980720kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:760kB local_pcp:712kB free_cma:0kB
Normal free:2909732kB min:36824kB low:46028kB high:55232kB active_anon:213700kB inactive_anon:176kB active_file:13924kB inactive_file:33140kB unevictable:0kB writepending:244kB present:4718592kB managed:3585212kB mlocked:0kB slab_reclaimable:21620kB slab_unreclaimable:238752kB kernel_stack:5664kB pagetables:2572kB bounce:0kB free_pcp:840kB local_pcp:652kB free_cma:0kB
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
11816 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320509 pages reserved
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 5197 Comm: syz-executor1 Not tainted 4.9.80-g8a174b47 #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801b4d37490 ffffffff81d94be9 0000000000000000 ffffffff83c18800
ffffffff83f454c0 ffff8801b5373000 0000000000000003 ffff8801b4d374d0
ffffffff81dfc1c4 ffff8801b4d374e8 ffffffff83f454c0 dffffc0000000000
Call Trace:
[<ffffffff81d94be9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d94be9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81dfc1c4>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[<ffffffff81dfc22c>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[<ffffffff833fce38>] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[<ffffffff833fce38>] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
[<ffffffff83369250>] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
[<ffffffff833db527>] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
[<ffffffff833fa686>] xfrm_state_construct net/xfrm/xfrm_user.c:590 [inline]
[<ffffffff833fa686>] xfrm_add_sa+0x1916/0x2e40 net/xfrm/xfrm_user.c:639
[<ffffffff833eacd3>] xfrm_user_rcv_msg+0x413/0x6a0 net/xfrm/xfrm_user.c:2525
[<ffffffff8309537e>] netlink_rcv_skb+0x13e/0x370 net/netlink/af_netlink.c:2351
[<ffffffff833e71cf>] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2533
[<ffffffff83093f01>] netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
[<ffffffff83093f01>] netlink_unicast+0x511/0x750 net/netlink/af_netlink.c:1301
[<ffffffff83094a28>] netlink_sendmsg+0x8e8/0xc50 net/netlink/af_netlink.c:1847
[<ffffffff82ed7baa>] sock_sendmsg_nosec net/socket.c:635 [inline]
[<ffffffff82ed7baa>] sock_sendmsg+0xca/0x110 net/socket.c:645
[<ffffffff82ed97a1>] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
[<ffffffff82edb7d6>] __sys_sendmsg+0xd6/0x190 net/socket.c:2003
[<ffffffff82edb8bd>] SYSC_sendmsg net/socket.c:2014 [inline]
[<ffffffff82edb8bd>] SyS_sendmsg+0x2d/0x50 net/socket.c:2010
[<ffffffff838b34ee>] entry_SYSCALL_64_fastpath+0x29/0xe8
IPVS: Creating netns size=2536 id=9
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
audit_printk_skb: 2 callbacks suppressed
audit: type=1400 audit(1518421547.077:14): avc: denied { create } for pid=5573 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1518421547.167:15): avc: denied { create } for pid=5602 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
binder: 5629:5633 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 5629:5633 BC_INCREFS_DONE uffffffffffffffff no match
binder: 5629:5646 transaction failed 29189/-22, size 80-16 line 3004
binder: 5629:5646 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 5629:5646 BC_INCREFS_DONE uffffffffffffffff no match
binder: 5629:5646 BC_FREE_BUFFER u0000000000000000 no match
binder: 5629:5646 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 5629:5646 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 5629:5646 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 5629:5646 Release 1 refcount change on invalid ref 1 ret -22
binder: 5629:5659 transaction failed 29189/-22, size 80-16 line 3004
audit: type=1400 audit(1518421547.317:16): avc: denied { set_context_mgr } for pid=5657 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1518421547.327:18): avc: denied { read } for pid=5642 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1518421547.317:17): avc: denied { call } for pid=5657 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 5657:5660 got transaction with invalid offsets size, 2
binder: 5657:5660 transaction failed 29201/-22, size 80-2 line 3163
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5657:5666 ioctl 40046207 0 returned -16
binder_alloc: binder_alloc_mmap_handler: 5657 20000000-20002000 already mapped failed -16
binder: undelivered TRANSACTION_ERROR: 29201
binder: 5629:5633 BC_FREE_BUFFER u0000000000000000 no match
binder: 5629:5633 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 5629:5633 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 5629:5633 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 5629:5633 Release 1 refcount change on invalid ref 1 ret -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=32 sclass=netlink_audit_socket pig=5972 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=32 sclass=netlink_audit_socket pig=5983 comm=syz-executor3
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 6002 Comm: syz-executor2 Not tainted 4.9.80-g8a174b47 #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801ad327970 ffffffff81d94be9 ffff8801ad327c50 0000000000000000
ffff8801b50a1010 ffff8801ad327b40 ffff8801b50a0f00 ffff8801ad327b68
ffffffff8166253a 0000000000001244 ffff8801ad3020f0 ffff8801ad3020a0
Call Trace:
[<ffffffff81d94be9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d94be9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff8166253a>] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
[<ffffffff814d0e21>] do_anonymous_page mm/memory.c:2747 [inline]
[<ffffffff814d0e21>] handle_pte_fault mm/memory.c:3488 [inline]
[<ffffffff814d0e21>] __handle_mm_fault mm/memory.c:3577 [inline]
[<ffffffff814d0e21>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
[<ffffffff810de642>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
[<ffffffff810dede7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
[<ffffffff838b4848>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1055
[<ffffffff838b34ee>] entry_SYSCALL_64_fastpath+0x29/0xe8
audit: type=1401 audit(1518421549.147:19): op=fscreate invalid_context=AB386CD7F1D23B0E7314486494C8D560871ED875FA9F4BD1C737BBEF72516BB0515188578E35377114A5032BCA1FD79048BAF6FCEA050B306A2130F3EF3898E7A2C9319DB59FA5E20F9D38C3F33012C7C71EB9551427238F2BE00D61FE0D88D3762029B94B82FFD790B873D417A369EE0AE2541FE1292ACE2FE81B012DD99FE0C4F64E53CFEECAF728B2A6A1BBA7DF382C7F6CCB95E0EB387F9DCC34CE196C4749F95174566487114D2AEAAC6D220E4209BA8B4FC34696E5405949D5A6EAB09B1B5C82B9D3A4A71D8BB5A0F90F128EC34817D22AE2653EC323BEE642323E1766B34FA45F9CA42B3B42EE464668538DCD45E5D53E129CC210D72704D5D1702599E91C1B5570B9568BFF7DAD4F380DD314B7553CBCC79661E66420A02C32CE4EC4FAD5FE74766392CE7A9539E17771861BB684DD3FD48CE01AE5FAF3F5BB74A01F1C89B719D61419134F40D33291777E98753F69BB0B326BED4D579BB669337FBB15E9C0DB3BE3ECAC43C7AB574B695959253C9985D028E1AE2DBDC876E45798747D04CED0C284FC17D82735109657619A888E2DFBF5F1659CEBB208BB37EF60604AFCBF8026DF8581AE0F57D3F5920ACF9E467E0B28E9E780EBC5E2D45634CC56079A60E7320229B5DE5FF0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 6102 Comm: syz-executor3 Not tainted 4.9.80-g8a174b47 #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801b1de4800 task.stack: ffff8801ba408000
RIP: 0010:[<ffffffff8144ef01>] [<ffffffff8144ef01>] __read_once_size include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff8144ef01>] [<ffffffff8144ef01>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:[<ffffffff8144ef01>] [<ffffffff8144ef01>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP: 0010:[<ffffffff8144ef01>] [<ffffffff8144ef01>] put_page_testzero include/linux/mm.h:450 [inline]
RIP: 0010:[<ffffffff8144ef01>] [<ffffffff8144ef01>] __free_pages+0x21/0x80 mm/page_alloc.c:3897
RSP: 0018:ffff8801ba40f9b0 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: dead4ead00000000 RCX: ffffffff826680eb
RDX: 1bd5a9d5a0000003 RSI: 0000000000000006 RDI: dead4ead0000001c
RBP: ffff8801ba40f9c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004
R13: 0000000000000020 R14: ffff8801b1e18000 R15: dffffc0000000000
FS: 00007ff81ca7f700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000208c0000 CR3: 00000001c93ae000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801b1de4800 ffff8801b1e18158 ffff8801ba40fa20 ffffffff82668111
ffff8801b1e18170 ffffed00363c302b ffffed00363c302e ffff8801b1e18168
dead4ead00000000 ffff8801b1e18140 0000000000000000 0000000000000000
Call Trace:
[<ffffffff82668111>] sg_remove_scat.isra.19+0x1c1/0x2d0 drivers/scsi/sg.c:1944
[<ffffffff826684d5>] sg_finish_rem_req+0x2b5/0x340 drivers/scsi/sg.c:1825
[<ffffffff82668599>] sg_new_read.isra.20+0x39/0x3e0 drivers/scsi/sg.c:566
[<ffffffff8266a207>] sg_read+0x8b7/0x1440 drivers/scsi/sg.c:455
[<ffffffff8156cca1>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
[<ffffffff81570b10>] do_loop_readv_writev fs/read_write.c:880 [inline]
[<ffffffff81570b10>] do_readv_writev+0x520/0x750 fs/read_write.c:874
[<ffffffff81570dc4>] vfs_readv+0x84/0xc0 fs/read_write.c:898
[<ffffffff81570ee6>] do_readv+0xe6/0x250 fs/read_write.c:924
[<ffffffff815743d7>] SYSC_readv fs/read_write.c:1011 [inline]
[<ffffffff815743d7>] SyS_readv+0x27/0x30 fs/read_write.c:1008
[<ffffffff838b34ee>] entry_SYSCALL_64_fastpath+0x29/0xe8
Code: e9 27 fc ff ff 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 53 48 89 fb 48 83 c7 1c 48 89 fa 48 83 ec 08 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 3d
RIP [<ffffffff8144ef01>] __read_once_size include/linux/compiler.h:243 [inline]
RIP [<ffffffff8144ef01>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP [<ffffffff8144ef01>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP [<ffffffff8144ef01>] put_page_testzero include/linux/mm.h:450 [inline]
RIP [<ffffffff8144ef01>] __free_pages+0x21/0x80 mm/page_alloc.c:3897
RSP <ffff8801ba40f9b0>
---[ end trace 5d459e4de4950388 ]---