BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor2/10408

vmalloc: allocation failure: 15157949456 bytes
syz-executor3: page allocation failure: order:0, mode:0x24000c2
CPU: 1 PID: 10404 Comm: syz-executor3 Not tainted 4.4.114-gfe09418 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 95e3bea90c1514c3 ffff8801d93af880 ffffffff81d02e6d
 1ffff1003b275f13 ffff8801d81e5f00 00000000024000c2 0000000000000000
 0000000000000001 ffff8801d93af990 ffffffff81430709 ffffffff838ac420
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] warn_alloc_failed+0x1d9/0x240 mm/page_alloc.c:2757
 [] __vmalloc_node_range+0x41d/0x630 mm/vmalloc.c:1692
 [] __vmalloc_node mm/vmalloc.c:1715 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1729 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1744
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:721
 [] translate_table+0x2da/0x1d50 net/ipv4/netfilter/arp_tables.c:651
 [] do_replace net/ipv4/netfilter/arp_tables.c:1112 [inline]
 [] do_arpt_set_ctl+0x29e/0x640 net/ipv4/netfilter/arp_tables.c:1616
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1226
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2635
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2659
 [] SYSC_setsockopt net/socket.c:1767 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1746
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
Mem-Info:
active_anon:51537 inactive_anon:59 isolated_anon:0
 active_file:3797 inactive_file:8265 isolated_file:0
 unevictable:0 dirty:65 writeback:0 unstable:0
 slab_reclaimable:5420 slab_unreclaimable:60059
 mapped:24175 shmem:78 pagetables:686 bounce:0
 free:1473298 free_pcp:443 free_cma:0
DMA free:15904kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15904kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
lowmem_reserve[]: 0 2911 6411 6411
DMA32 free:2669216kB min:30608kB low:38260kB high:45912kB active_anon:90404kB inactive_anon:168kB active_file:7916kB inactive_file:15940kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3129292kB managed:2982736kB mlocked:0kB dirty:56kB writeback:0kB mapped:45736kB shmem:180kB slab_reclaimable:10096kB slab_unreclaimable:112388kB kernel_stack:1984kB pagetables:1240kB unstable:0kB bounce:0kB free_pcp:784kB local_pcp:372kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 3500 3500
Normal free:3208072kB min:36808kB low:46008kB high:55212kB active_anon:115744kB inactive_anon:68kB active_file:7272kB inactive_file:17120kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3584660kB mlocked:0kB dirty:204kB writeback:0kB mapped:50964kB shmem:132kB slab_reclaimable:11584kB slab_unreclaimable:127848kB kernel_stack:3840kB pagetables:1504kB unstable:0kB bounce:0kB free_pcp:988kB local_pcp:620kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0 0
DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15904kB
DMA32: 302*4kB (UME) 259*8kB (UME) 187*16kB (UME) 118*32kB (UM) 85*64kB (UME) 56*128kB (UME) 28*256kB (UM) 37*512kB (UME) 57*1024kB (UME) 1*2048kB (M) 625*4096kB (M) = 2669184kB
Normal: 566*4kB (ME) 316*8kB (UME) 177*16kB (UME) 112*32kB (UM) 141*64kB (UM) 63*128kB (UME) 49*256kB (UME) 54*512kB (UME) 74*1024kB (ME) 4*2048kB (ME) 746*4096kB (M) = 3208072kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
12139 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320144 pages reserved

vmalloc: allocation failure: 15157949456 bytes
syz-executor3: page allocation failure: order:0, mode:0x24000c2
CPU: 1 PID: 10412 Comm: syz-executor3 Not tainted 4.4.114-gfe09418 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 194bedaaaafe7d8c ffff8801d820f880 ffffffff81d02e6d
 1ffff1003b041f13 ffff8801c3068000 00000000024000c2 0000000000000000
 0000000000000001 ffff8801d820f990 ffffffff81430709 ffffffff838ac420
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] warn_alloc_failed+0x1d9/0x240 mm/page_alloc.c:2757
 [] __vmalloc_node_range+0x41d/0x630 mm/vmalloc.c:1692
 [] __vmalloc_node mm/vmalloc.c:1715 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1729 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1744
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:721
 [] translate_table+0x2da/0x1d50 net/ipv4/netfilter/arp_tables.c:651
 [] do_replace net/ipv4/netfilter/arp_tables.c:1112 [inline]
 [] do_arpt_set_ctl+0x29e/0x640 net/ipv4/netfilter/arp_tables.c:1616
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1226
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2635
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2659
 [] SYSC_setsockopt net/socket.c:1767 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1746
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
Mem-Info:
active_anon:52072 inactive_anon:59 isolated_anon:0
 active_file:3797 inactive_file:8265 isolated_file:0
 unevictable:0 dirty:65 writeback:0 unstable:0
 slab_reclaimable:5420 slab_unreclaimable:60059
 mapped:24175 shmem:78 pagetables:686 bounce:0
 free:1472863 free_pcp:327 free_cma:0
DMA free:15904kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15904kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
lowmem_reserve[]: 0 2911 6411 6411
DMA32 free:2669216kB min:30608kB low:38260kB high:45912kB active_anon:90404kB inactive_anon:168kB active_file:7916kB inactive_file:15940kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3129292kB managed:2982736kB mlocked:0kB dirty:56kB writeback:0kB mapped:45736kB shmem:180kB slab_reclaimable:10096kB slab_unreclaimable:112388kB kernel_stack:1984kB pagetables:1240kB unstable:0kB bounce:0kB free_pcp:800kB local_pcp:388kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 3500 3500
Normal free:3206332kB min:36808kB low:46008kB high:55212kB active_anon:117884kB inactive_anon:68kB active_file:7272kB inactive_file:17120kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3584660kB mlocked:0kB dirty:204kB writeback:0kB mapped:50964kB shmem:132kB slab_reclaimable:11584kB slab_unreclaimable:127848kB kernel_stack:3840kB pagetables:1504kB unstable:0kB bounce:0kB free_pcp:508kB local_pcp:140kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0 0
DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15904kB
DMA32: 302*4kB (UME) 259*8kB (UME) 187*16kB (UME) 119*32kB (UM) 85*64kB (UME) 56*128kB (UME) 28*256kB (UM) 37*512kB (UME) 57*1024kB (UME) 1*2048kB (M) 625*4096kB (M) = 2669216kB
Normal: 527*4kB (UME) 318*8kB (UME) 175*16kB (UME) 106*32kB (UM) 140*64kB (UM) 61*128kB (UME) 49*256kB (UME) 52*512kB (UME) 72*1024kB (ME) 5*2048kB (ME) 746*4096kB (M) = 3206364kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
12139 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320144 pages reserved
device lo entered promiscuous mode
device lo left promiscuous mode

caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 10408 Comm: syz-executor2 Not tainted 4.4.114-gfe09418 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 4693591f167e6376 ffff8800bad976c8 ffffffff81d02e6d
 0000000000000000 ffffffff839fe3a0 ffffffff83d0b920 ffff8801c67f4740
 0000000000000003 ffff8800bad97708 ffffffff81d62db4 ffff8800bad97720
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x980 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2058
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2084
 [] pfkey_msg2xfrm_state net/key/af_key.c:1289 [inline]
 [] pfkey_add+0x1fbb/0x3490 net/key/af_key.c:1506
 [] pfkey_process+0x68b/0x750 net/key/af_key.c:2834
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3678
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] ___sys_sendmsg+0x6c1/0x7c0 net/socket.c:1962
 [] __sys_sendmsg+0xd3/0x190 net/socket.c:1996
 [] SYSC_sendmsg net/socket.c:2007 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2003
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
audit: type=1400 audit(1517495306.065:31): avc: denied { set_context_mgr } for pid=10462 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1517495306.095:32): avc: denied { call } for pid=10462 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 10462:10466 BC_ACQUIRE_DONE u0000000000000000 node 55 cookie mismatch 0000000000000002 != 0000000000000000
binder_alloc: 10462: binder_alloc_buf, no vma
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 10462: binder_alloc_buf, no vma
binder: 10462:10480 transaction failed 29189/-3, size 0-0 line 3128
binder: 10462:10491 transaction failed 29189/-3, size 0-0 line 3128
binder: 10462:10466 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: 10569:10570 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517495306.495:33): avc: denied { transfer } for pid=10569 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: release 10569:10584 transaction 58 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 10569:10597 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 10569:10570 transaction failed 29189/0, size 24-8 line 3388
binder: send failed reply for transaction 58, target dead
binder: undelivered TRANSACTION_ERROR: 29190
binder: 10569:10584 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 10569: binder_alloc_buf, no vma
binder: 10569:10597 transaction failed 29189/-3, size 0-0 line 3128
binder: 10569:10584 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: undelivered TRANSACTION_ERROR: 29189
IPVS: Creating netns size=2552 id=9
audit: type=1400 audit(1517495309.395:34): avc: denied { create } for pid=10987 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517495309.435:35): avc: denied { write } for pid=10987 comm="syz-executor2" path="socket:[18735]" dev="sockfs" ino=18735 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
nla_parse: 1 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
audit: type=1400 audit(1517495309.925:36): avc: denied { create } for pid=11095 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 11094:11111 DecRefs 0 refcount change on invalid ref 0 ret -22
binder_alloc: binder_alloc_mmap_handler: 11094 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11094:11111 ioctl 40046207 0 returned -16
binder: 11094:11111 DecRefs 0 refcount change on invalid ref 0 ret -22
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
[   70.843497] audit: type=1400 audit(1517495310.015:37): avc: denied { write } for pid=11095 comm="syz-executor3" path="socket:[19546]" dev="sockfs" ino=19546 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 11133 Comm: syz-executor5 Not tainted 4.4.114-gfe09418 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800b6d14740 task.stack: ffff8801d4ff0000
RIP: 0010:[] [] sg_read_oxfer drivers/scsi/sg.c:1976 [inline]
RIP: 0010:[] [] sg_read+0xd17/0x1490 drivers/scsi/sg.c:530
RSP: 0018:ffff8801d4ff7b00 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff825b9c8e
RDX: 0000000000000000 RSI: ffffc90003a67000 RDI: ffff8801d3e1a270
RBP: ffff8801d4ff7c08 R08: 3792e1ad26fb6bd4 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff1003a9fef26 R12: 0000000000000098
R13: 0000000000000000 R14: ffff8801d30ab420 R15: ffff8801d3e1a240
FS: 00007fc03d053700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000071c000 CR3: 00000000b1ed6000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000030 ffffea000753fdc0 0000000000000000 ffff8801d3e1a258
 ffff8801d4ff7b70 ffff8801d3e1a268 00000000000000bc ffff8801d4ff7da0
 ffff8801d4fea780 0000000000001000 1ffff1003a9fef6c 0000000020047f68
Call Trace:
 [] do_loop_readv_writev+0x141/0x1e0 fs/read_write.c:680
 [] do_readv_writev+0x5dd/0x6e0 fs/read_write.c:810
 [] vfs_readv+0x78/0xb0 fs/read_write.c:834
 [] SYSC_readv fs/read_write.c:860 [inline]
 [] SyS_readv+0xd9/0x240 fs/read_write.c:852
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
Code: 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 97 06 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5f 28 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 6b 06 00 00 48 8b 1b 48 85 db 0f 84 3b 03 00
RIP [] sg_read_oxfer drivers/scsi/sg.c:1976 [inline]
RIP [] sg_read+0xd17/0x1490 drivers/scsi/sg.c:530
 RSP
---[ end trace 0187d2c71594a7c8 ]---