syzbot


BUG: using __this_cpu_add() in preemptible code in warn_alloc_failed

Status: auto-closed as invalid on 2019/02/22 15:23
First crash: 2274d, last: 2272d

Sample crash report:
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor2/9175
vmalloc: allocation failure: 6806414744 bytes
syz-executor7: page allocation failure: order:0, mode:0x24000c2
CPU: 0 PID: 9174 Comm: syz-executor7 Not tainted 4.4.114-ga81d322 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 a320bc57348a8dbc ffff8800af287880 ffffffff81d0394d
 1ffff10015e50f13 ffff8800aecf9800 00000000024000c2 0000000000000000
 0000000000000001 ffff8800af287990 ffffffff814311e9 ffffffff838ac420
Call Trace:
 [<ffffffff81d0394d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0394d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814311e9>] warn_alloc_failed+0x1d9/0x240 mm/page_alloc.c:2757
 [<ffffffff814c871d>] __vmalloc_node_range+0x41d/0x630 mm/vmalloc.c:1692
 [<ffffffff814c89fb>] __vmalloc_node mm/vmalloc.c:1715 [inline]
 [<ffffffff814c89fb>] __vmalloc_node_flags mm/vmalloc.c:1729 [inline]
 [<ffffffff814c89fb>] vmalloc+0x5b/0x70 mm/vmalloc.c:1744
 [<ffffffff8302f321>] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:721
 [<ffffffff833f783a>] translate_table+0x21a/0x1f40 net/ipv6/netfilter/ip6_tables.c:832
 [<ffffffff810002b8>] ? 0xffffffff810002b8
 [<ffffffff833fb753>] do_replace net/ipv6/netfilter/ip6_tables.c:1306 [inline]
 [<ffffffff833fb753>] do_ip6t_set_ctl+0x2a3/0x450 net/ipv6/netfilter/ip6_tables.c:1859
 [<ffffffff82f96327>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [<ffffffff82f96327>] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [<ffffffff8335ced5>] ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:910
 [<ffffffff8311c552>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2635
 [<ffffffff82df1955>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2659
 [<ffffffff82deea40>] SYSC_setsockopt net/socket.c:1767 [inline]
 [<ffffffff82deea40>] SyS_setsockopt+0x160/0x250 net/socket.c:1746
 [<ffffffff83773edf>] entry_SYSCALL_64_fastpath+0x1c/0x98
Mem-Info:
active_anon:52674 inactive_anon:45 isolated_anon:0
 active_file:3590 inactive_file:8265 isolated_file:0
 unevictable:0 dirty:134 writeback:0 unstable:0
 slab_reclaimable:6198 slab_unreclaimable:60034
 mapped:24134 shmem:51 pagetables:678 bounce:0
 free:1473248 free_pcp:384 free_cma:0
DMA free:15904kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15904kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
lowmem_reserve[]: 0 2911 6411 6411
DMA32 free:2664260kB min:30608kB low:38260kB high:45912kB active_anon:96748kB inactive_anon:76kB active_file:6052kB inactive_file:14656kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3129292kB managed:2982736kB mlocked:0kB dirty:324kB writeback:0kB mapped:45444kB shmem:88kB slab_reclaimable:12384kB slab_unreclaimable:112532kB kernel_stack:2752kB pagetables:1328kB unstable:0kB bounce:0kB free_pcp:628kB local_pcp:136kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 3500 3500
Normal free:3212828kB min:36808kB low:46008kB high:55212kB active_anon:113948kB inactive_anon:104kB active_file:8308kB inactive_file:18404kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3584660kB mlocked:0kB dirty:212kB writeback:0kB mapped:51092kB shmem:116kB slab_reclaimable:12408kB slab_unreclaimable:127604kB kernel_stack:2752kB pagetables:1384kB unstable:0kB bounce:0kB free_pcp:908kB local_pcp:244kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0 0
DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15904kB
DMA32: 877*4kB (UME) 417*8kB (UME) 165*16kB (UME) 99*32kB (UME) 88*64kB (UME) 36*128kB (UM) 32*256kB (UM) 29*512kB (UME) 33*1024kB (ME) 4*2048kB (ME) 629*4096kB (M) = 2664300kB
Normal: 1067*4kB (UME) 558*8kB (UME) 136*16kB (UME) 175*32kB (UME) 86*64kB (UME) 57*128kB (UME) 38*256kB (UME) 45*512kB (UM) 45*1024kB (ME) 4*2048kB (ME) 756*4096kB (M) = 3212924kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
11905 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320144 pages reserved
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 9175 Comm: syz-executor2 Not tainted 4.4.114-ga81d322 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 d4f56b9ce56b7b5a ffff8800b5097800 ffffffff81d0394d
 0000000000000001 ffffffff839fe3a0 ffffffff83cef720 ffff8800b65ae000
 0000000000000003 ffff8800b5097840 ffffffff81d63894 ffffffff810002b8
Call Trace:
 [<ffffffff81d0394d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0394d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81d63894>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [<ffffffff810002b8>] ? 0xffffffff810002b8
 [<ffffffff81d638fc>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [<ffffffff8312a229>] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
 [<ffffffff831323a7>] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
 [<ffffffff83149c7b>] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
 [<ffffffff83120edf>] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
 [<ffffffff831d6c0c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
 [<ffffffff82deb3ba>] sock_sendmsg_nosec net/socket.c:625 [inline]
 [<ffffffff82deb3ba>] sock_sendmsg+0xca/0x110 net/socket.c:635
 [<ffffffff82dec308>] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
 [<ffffffff82dee800>] SyS_sendto+0x40/0x50 net/socket.c:1633
 [<ffffffff83773edf>] entry_SYSCALL_64_fastpath+0x1c/0x98
netlink: 156 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 156 bytes leftover after parsing attributes in process `syz-executor2'.
audit: type=1326 audit(1517536923.565:31): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9364 comm="syz-executor0" exe="/root/syz-executor0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
audit: type=1326 audit(1517536923.595:32): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=9364 comm="syz-executor0" exe="/root/syz-executor0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
audit: type=1400 audit(1517536923.905:33): avc:  denied  { getopt } for  pid=9420 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
SELinux:  Invalid class 86
TCP: request_sock_TCPv6: Possible SYN flooding on port 20026. Sending cookies.  Check SNMP counters.
binder: 9607:9609 BC_INCREFS_DONE uffffffffffffffff no match
ALSA: seq fatal error: cannot create timer (-22)
TCP: request_sock_TCPv6: Possible SYN flooding on port 20022. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20022. Sending cookies.  Check SNMP counters.
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
audit: type=1400 audit(1517536926.465:34): avc:  denied  { create } for  pid=9879 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517536926.505:35): avc:  denied  { write } for  pid=9879 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517536926.895:36): avc:  denied  { create } for  pid=10016 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517536926.965:37): avc:  denied  { write } for  pid=10016 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=25 sclass=netlink_tcpdiag_socket
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=25 sclass=netlink_tcpdiag_socket
tmpfs: No value for mount option '.<'
tmpfs: No value for mount option '.<'
audit: type=1400 audit(1517536927.665:38): avc:  denied  { set_context_mgr } for  pid=10244 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1517536927.755:39): avc:  denied  { execute } for  pid=10265 comm="syz-executor2" dev="pipefs" ino=20628 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=fifo_file permissive=1
audit: type=1400 audit(1517536927.755:40): avc:  denied  { call } for  pid=10244 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10256:10270 ioctl 40046207 0 returned -16
binder: 10244:10246 BC_FREE_BUFFER u0000000020000000 matched unreturned buffer
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10244:10246 ioctl 40046207 0 returned -16
binder_alloc: 10244: binder_alloc_buf, no vma
binder: 10256:10270 transaction failed 29189/-3, size 0-0 line 3128
binder_alloc: 10244: binder_alloc_buf, no vma
binder: 10244:10258 transaction failed 29189/-3, size 0-0 line 3128
binder: 10244:10246 got reply transaction with no transaction stack
binder: 10244:10246 transaction failed 29201/-71, size 0-0 line 2921
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10256:10286 ioctl 40046207 0 returned -16
binder_alloc: 10244: binder_alloc_buf, no vma
binder: 10256:10286 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 10244:10246 transaction 57 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: release 10244:10258 transaction 55 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 55, target dead
binder: send failed reply for transaction 57, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
audit: type=1400 audit(1517536928.075:41): avc:  denied  { create } for  pid=10303 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
audit: type=1400 audit(1517536928.735:42): avc:  denied  { write } for  pid=10522 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
audit: type=1400 audit(1517536929.735:43): avc:  denied  { create } for  pid=10748 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4095 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11018:11033 ioctl 40046207 0 returned -16
binder: undelivered death notification, 0000000000000000
binder: 11187:11196 ioctl c0306201 20007000 returned -14
binder: 11187:11206 unknown command 0
binder: 11187:11206 ioctl c0306201 20007000 returned -22
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode

Crashes (3):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018/02/02 02:02 | https://android.googlesource.com/kernel/common android-4.4 | a81d32264721 | 67bd3383 | .config | console log | report | | | | | ci-android-44-kasan-gce | |
| 2018/02/01 07:32 | https://android.googlesource.com/kernel/common android-4.4 | fe09418d6f88 | 02553e22 | .config | console log | report | | | | | ci-android-44-kasan-gce | |
| 2018/02/03 14:04 | https://android.googlesource.com/kernel/common android-4.4 | 4e74e983ab6e | 632a8c2c | .config | console log | report | | | | | ci-android-44-kasan-gce-386 | |
* Struck through repros no longer work on HEAD.