BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/12202
syz-executor3: vmalloc: allocation failure: 15157949456 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 12205 Comm: syz-executor3 Not tainted 4.9.77-ge12a9c4 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ba9af880 ffffffff81d941c9 1ffff10037535f13 ffff8801bacae000
 ffffffff83ab8e20 0000000000000001 0000000000400000 ffff8801ba9af990
 ffffffff81451af2 024000c200000003 0000000041b58ab3 ffffffff84195265
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3056
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [] translate_table+0x2da/0x1cd0 net/ipv4/netfilter/arp_tables.c:549
 [] do_replace net/ipv4/netfilter/arp_tables.c:986 [inline]
 [] do_arpt_set_ctl+0x2b7/0x650 net/ipv4/netfilter/arp_tables.c:1465
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2737
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 [] SYSC_setsockopt net/socket.c:1772 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1751
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
Mem-Info:
active_anon:55639 inactive_anon:58 isolated_anon:0
 active_file:3623 inactive_file:8063 isolated_file:0
 unevictable:0 dirty:114 writeback:0 unstable:0
 slab_reclaimable:7770 slab_unreclaimable:60104
 mapped:23762 shmem:65 pagetables:679 bounce:0
 free:1471745 free_pcp:462 free_cma:0
Node 0 active_anon:222556kB inactive_anon:232kB active_file:14492kB inactive_file:32252kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:95048kB dirty:456kB writeback:0kB shmem:260kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 88064kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
DMA32 free:2980000kB min:30596kB low:38244kB high:45892kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2980760kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:760kB local_pcp:48kB free_cma:0kB
Normal free:2891072kB min:36824kB low:46028kB high:55232kB active_anon:222556kB inactive_anon:232kB active_file:14492kB inactive_file:32252kB unevictable:0kB writepending:456kB present:4718592kB managed:3585212kB mlocked:0kB slab_reclaimable:31080kB slab_unreclaimable:240416kB kernel_stack:5920kB pagetables:2716kB bounce:0kB free_pcp:1088kB local_pcp:448kB free_cma:0kB
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
11750 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320509 pages reserved
syz-executor3: vmalloc: allocation failure: 15157949456 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 12213 Comm: syz-executor3 Not tainted 4.9.77-ge12a9c4 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c58e7880 ffffffff81d941c9 1ffff10038b1cf13 ffff8801c55b3000
 ffffffff83ab8e20 0000000000000001 0000000000400000 ffff8801c58e7990
 ffffffff81451af2 024000c200000003 0000000041b58ab3 ffffffff84195265
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3056
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [] translate_table+0x2da/0x1cd0 net/ipv4/netfilter/arp_tables.c:549
 [] do_replace net/ipv4/netfilter/arp_tables.c:986 [inline]
 [] do_arpt_set_ctl+0x2b7/0x650 net/ipv4/netfilter/arp_tables.c:1465
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2737
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 [] SYSC_setsockopt net/socket.c:1772 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1751
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
Mem-Info:
active_anon:57180 inactive_anon:58 isolated_anon:0
 active_file:3623 inactive_file:8063 isolated_file:0
 unevictable:0 dirty:114 writeback:0 unstable:0
 slab_reclaimable:7770 slab_unreclaimable:60053
 mapped:23766 shmem:65 pagetables:685 bounce:0
 free:1470234 free_pcp:523 free_cma:0
Node 0 active_anon:228720kB inactive_anon:232kB active_file:14492kB inactive_file:32252kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:95064kB dirty:456kB writeback:0kB shmem:260kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 100352kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
DMA32 free:2980000kB min:30596kB low:38244kB high:45892kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2980760kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:760kB local_pcp:48kB free_cma:0kB
Normal free:2885028kB min:36824kB low:46028kB high:55232kB active_anon:228720kB inactive_anon:232kB active_file:14492kB inactive_file:32252kB unevictable:0kB writepending:456kB present:4718592kB managed:3585212kB mlocked:0kB slab_reclaimable:31080kB slab_unreclaimable:240212kB kernel_stack:5888kB pagetables:2740kB bounce:0kB free_pcp:1332kB local_pcp:692kB free_cma:0kB
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
11750 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
320509 pages reserved
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 12202 Comm: syz-executor4 Not tainted 4.9.77-ge12a9c4 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c58c7490 ffffffff81d941c9 0000000000000001 ffffffff83c18800
 ffffffff83f45400 ffff8801baca9800 0000000000000003 ffff8801c58c74d0
 ffffffff81dfb794 ffff8801c58c74e8 ffffffff83f45400 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_state_construct net/xfrm/xfrm_user.c:590 [inline]
 [] xfrm_add_sa+0x1916/0x2e40 net/xfrm/xfrm_user.c:639
 [] xfrm_user_rcv_msg+0x413/0x6a0 net/xfrm/xfrm_user.c:2525
 [] netlink_rcv_skb+0x13e/0x370 net/netlink/af_netlink.c:2351
 [] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2533
 [] netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
 [] netlink_unicast+0x511/0x750 net/netlink/af_netlink.c:1301
 [] netlink_sendmsg+0x8e8/0xc50 net/netlink/af_netlink.c:1847
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2003
 [] SYSC_sendmsg net/socket.c:2014 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2010
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
audit: type=1400 audit(1516696262.835:60): avc: denied { sys_admin } for pid=12233 comm="syz-executor2" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696262.905:61): avc: denied { sys_admin } for pid=12233 comm="syz-executor2" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=12351 comm=syz-executor3
audit_printk_skb: 120 callbacks suppressed
audit: type=1400 audit(1516696263.355:102): avc: denied { dac_override } for pid=12340 comm="syz-executor6" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696263.355:103): avc: denied { dac_override } for pid=12343 comm="syz-executor7" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696263.355:104): avc: denied { dac_override } for pid=12340 comm="syz-executor6" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696263.355:105): avc: denied { dac_override } for pid=12340 comm="syz-executor6" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696263.355:106): avc: denied { sys_chroot } for pid=12340 comm="syz-executor6" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696263.355:107): avc: denied { sys_admin } for pid=12340 comm="syz-executor6" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696263.365:108): avc: denied { dac_override } for pid=12340 comm="syz-executor6" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696263.365:109): avc: denied { sys_admin } for pid=12343 comm="syz-executor7" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696263.365:110): avc: denied { sys_admin } for pid=12343 comm="syz-executor7" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696263.375:111): avc: denied { net_raw } for pid=12361 comm="syz-executor4" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
sock: sock_set_timeout: `syz-executor5' (pid 12366) tries to set negative timeout
sock: sock_set_timeout: `syz-executor5' (pid 12366) tries to set negative timeout
device eql entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12398:12411 ioctl 40046207 0 returned -16
binder_alloc: 12398: binder_alloc_buf, no vma
binder: 12398:12423 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 93, process died.
binder: undelivered TRANSACTION_COMPLETE
SELinux: policydb string length -37 does not match expected length 8
SELinux: policydb string length -37 does not match expected length 8
IPVS: Creating netns size=2536 id=13
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=29 sclass=netlink_tcpdiag_socket pig=12825 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=29 sclass=netlink_tcpdiag_socket pig=12845 comm=syz-executor7
IPVS: Creating netns size=2536 id=14
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
IPVS: Creating netns size=2536 id=15
binder_alloc: 12894: binder_alloc_buf, no vma
binder: 12894:12899 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12894:12903 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 13008 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 13008:13027 ioctl 40046207 0 returned -16
binder_alloc: 13008: binder_alloc_buf, no vma
binder: 13008:13033 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 99, process died.
binder: undelivered TRANSACTION_COMPLETE
binder: BINDER_SET_CONTEXT_MGR already set
binder: 13172:13194 ioctl 40046207 0 returned -16
audit_printk_skb: 911 callbacks suppressed
audit: type=1400 audit(1516696268.365:414): avc: denied { call } for pid=13172 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder_alloc: 13172: binder_alloc_buf, no vma
binder: 13172:13174 transaction failed 29189/-3, size 40-0 line 3127
audit: type=1400 audit(1516696268.375:415): avc: denied { call } for pid=13172 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder_alloc: 13172: binder_alloc_buf, no vma
binder: 13172:13198 transaction failed 29189/-3, size 0-0 line 3127
audit: type=1400 audit(1516696268.405:416): avc: denied { dac_override } for pid=13199 comm="syz-executor0" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696268.495:417): avc: denied { dac_override } for pid=13206 comm="syz-executor2" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696268.515:418): avc: denied { create } for pid=13225 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1516696268.515:419): avc: denied { write } for pid=13225 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1516696268.515:420): avc: denied { net_admin } for pid=13225 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696268.515:421): avc: denied { net_admin } for pid=13225 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696268.525:422): avc: denied { sys_admin } for pid=13219 comm="syz-executor1" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516696268.545:423): avc: denied { create } for pid=13225 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 103, process died.
binder: undelivered transaction 102, process died.
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device eql entered promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor0'.
Empty option to dns_resolver key
Empty option to dns_resolver key
binder: 13468:13478 ioctl 541b 202c3ffc returned -22
binder: 13468:13489 ioctl 541b 202c3ffc returned -22
binder: 13505:13508 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 13505:13529 ioctl 40046207 0 returned -16
binder: 13505:13536 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 13505: binder_alloc_buf, no vma
binder: 13505:13536 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 107 to 13505:13508
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.