syzbot


BUG: using __this_cpu_add() in preemptible code in tcp_queue_rcv

Status: auto-closed as invalid on 2019/04/10 07:53
First crash: 2021d, last: 2021d

Sample crash report:
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor5/5409
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 5409 Comm: syz-executor5 Not tainted 4.4.160+ #45
 0000000000000000 0278457e8f1a9e51 ffff8800b303f658 ffffffff81a995dd
 0000000000000000 ffffffff82929980 ffffffff82a7c660 ffff8800ba704740
 0000000000000002 ffff8800b303f698 ffffffff81b3509a ffff8800b303f6a8
Call Trace:
 [<ffffffff81a995dd>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81a995dd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81b3509a>] check_preemption_disabled.cold.0+0x7f/0x8b lib/smp_processor_id.c:46
 [<ffffffff81af77bc>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [<ffffffff823fd2ea>] tcp_try_coalesce+0x22a/0x4c0 net/ipv4/tcp_input.c:4293
 [<ffffffff823fd6a7>] tcp_queue_rcv+0x127/0x6f0 net/ipv4/tcp_input.c:4500
 [<ffffffff82412126>] tcp_send_rcvq+0x3a6/0x470 net/ipv4/tcp_input.c:4546
 [<ffffffff823ea32c>] tcp_sendmsg+0x237c/0x2b30 net/ipv4/tcp.c:1134
 [<ffffffff82496833>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [<ffffffff821c332b>] sock_sendmsg_nosec net/socket.c:638 [inline]
 [<ffffffff821c332b>] sock_sendmsg+0xbb/0x110 net/socket.c:648
 [<ffffffff821c5175>] ___sys_sendmsg+0x745/0x880 net/socket.c:1975
 [<ffffffff821c81c6>] __sys_sendmsg+0xd6/0x190 net/socket.c:2009
 [<ffffffff8229927a>] C_SYSC_sendmsg net/compat.c:722 [inline]
 [<ffffffff8229927a>] compat_SyS_sendmsg+0x2a/0x40 net/compat.c:720
 [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
 [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
 [<ffffffff82707890>] sysenter_flags_fixed+0xd/0x1a
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor5/5391
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 5391 Comm: syz-executor5 Not tainted 4.4.160+ #45
 0000000000000000 1690e9d64e22819c ffff8800b2d877d8 ffffffff81a995dd
 0000000000000000 ffffffff82929980 ffffffff82a7c660 ffff8800bb87af80
 0000000000000002 ffff8800b2d87818 ffffffff81b3509a ffff8800ba0e65c4
Call Trace:
 [<ffffffff81a995dd>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81a995dd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81b3509a>] check_preemption_disabled.cold.0+0x7f/0x8b lib/smp_processor_id.c:46
 [<ffffffff81af77bc>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [<ffffffff823fd2ea>] tcp_try_coalesce+0x22a/0x4c0 net/ipv4/tcp_input.c:4293
 [<ffffffff823fd6a7>] tcp_queue_rcv+0x127/0x6f0 net/ipv4/tcp_input.c:4500
 [<ffffffff82412126>] tcp_send_rcvq+0x3a6/0x470 net/ipv4/tcp_input.c:4546
 [<ffffffff823ea32c>] tcp_sendmsg+0x237c/0x2b30 net/ipv4/tcp.c:1134
 [<ffffffff82496833>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [<ffffffff821c332b>] sock_sendmsg_nosec net/socket.c:638 [inline]
 [<ffffffff821c332b>] sock_sendmsg+0xbb/0x110 net/socket.c:648
 [<ffffffff821c7550>] SYSC_sendto net/socket.c:1678 [inline]
 [<ffffffff821c7550>] SyS_sendto+0x220/0x370 net/socket.c:1646
 [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
 [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
 [<ffffffff82707890>] sysenter_flags_fixed+0xd/0x1a
binder: 5585:5586 transaction failed 29189/-22, size 0-0 line 3014
audit: type=1400 audit(1539330282.545:14): avc:  denied  { associate } for  pid=5585 comm="syz-executor1" name="binder1" dev="devtmpfs" ino=1090 scontext=system_u:object_r:auditctl_exec_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
binder: 5585:5586 transaction failed 29189/-22, size 0-0 line 3014
binder: 5585:5586 ioctl 40046602 20000000 returned -22
binder: 5585:5587 transaction failed 29189/-22, size 0-0 line 3014
binder: 5585:5587 transaction failed 29189/-22, size 0-0 line 3014
netlink: 32 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor4'.
input: syz1 as /devices/virtual/input/input14
input: syz1 as /devices/virtual/input/input15
audit: type=1326 audit(1539330286.285:15): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5871 comm="syz-executor0" exe="/root/syz-executor0" sig=31 arch=40000003 syscall=265 compat=1 ip=0xf773abe9 code=0x0
mmap: syz-executor1 (5897) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
audit: type=1326 audit(1539330287.085:16): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5871 comm="syz-executor0" exe="/root/syz-executor0" sig=31 arch=40000003 syscall=265 compat=1 ip=0xf773abe9 code=0x0

Crashes (1):
Time: 2018/10/12 07:44
Kernel: https://android.googlesource.com/kernel/common android-4.4
Commit: a94efb1c27c4
Syzkaller: ba6ddb43
Config: .config
Log: console log
Report: report
Manager: ci-android-44-kasan-gce-386