BUG: using __this_cpu_add() in preemptible code in __vmalloc_node_range (2)


syzbot

Nov 19, 2019, 10:15:09 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 62872f95 Merge 4.4.174 into android-4.4
git tree: https://android.googlesource.com/kernel/common android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=11e692cae00000
kernel config: https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=23910014b3ffc7b5f427
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+239100...@syzkaller.appspotmail.com

CPU: 0 PID: 8124 Comm: syz-executor.4 Not tainted 4.4.174+ #4
0000000000000000 a2bccaad4f9cd9f2 ffff8801cefe79f0 ffffffff81aad1a1
1ffff10039dfcf41 ffff8801cfe94740 00000000024000c2[ 236.095808] SELinux:
unrecognized netlink message: protocol=0 nlmsg_type=65535
sclass=netlink_route_socket
BUG: using __this_cpu_add() in preemptible [00000000] code:
syz-executor.2/8137
caller is __this_cpu_preempt_check+0x1d/0x30 lib/smp_processor_id.c:62
0000000000000000
ffffffff82895080 ffff8801cefe7b00 ffffffff8148c0cb ffffffff00000001
Call Trace:
[<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff8148c0cb>] warn_alloc_failed.cold+0x78/0x99 mm/page_alloc.c:2757
[<ffffffff8145fb65>] __vmalloc_node_range mm/vmalloc.c:1693 [inline]
[<ffffffff8145fb65>] __vmalloc_node_range+0x365/0x650 mm/vmalloc.c:1654
[<ffffffff8146031c>] __vmalloc_node mm/vmalloc.c:1716 [inline]
[<ffffffff8146031c>] __vmalloc_node_flags mm/vmalloc.c:1730 [inline]
[<ffffffff8146031c>] vmalloc+0x5c/0x70 mm/vmalloc.c:1745
[<ffffffff81979df9>] sel_write_load+0x119/0xf90
security/selinux/selinuxfs.c:527
[<ffffffff81496916>] __vfs_write+0x116/0x3d0 fs/read_write.c:491
[<ffffffff81498612>] vfs_write+0x182/0x4e0 fs/read_write.c:540
[<ffffffff8149ac4c>] SYSC_write fs/read_write.c:587 [inline]
[<ffffffff8149ac4c>] SyS_write+0xdc/0x1c0 fs/read_write.c:579
[<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
CPU: 1 PID: 8137 Comm: syz-executor.2 Not tainted 4.4.174+ #4
0000000000000000 667c117cfa87a307 ffff8800b26577c8 ffffffff81aad1a1
ffff8800baa3af80 0000000000000001 ffffffff82a861e0 ffffffff8292c040
0000000000000001 ffff8800b2657808 ffffffff81b0ad83 ffff8801d0051180
Call Trace:
[<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff81b0ad83>] check_preemption_disabled+0x1d3/0x200
lib/smp_processor_id.c:46
[<ffffffff81b0aded>] __this_cpu_preempt_check+0x1d/0x30
lib/smp_processor_id.c:62
[<ffffffff8240fcf5>] tcp_try_coalesce net/ipv4/tcp_input.c:4293 [inline]
[<ffffffff8240fcf5>] tcp_try_coalesce+0x245/0x510 net/ipv4/tcp_input.c:4275
[<ffffffff824100e7>] tcp_queue_rcv+0x127/0x6f0 net/ipv4/tcp_input.c:4539
[<ffffffff8242494e>] tcp_send_rcvq+0x3de/0x4a0 net/ipv4/tcp_input.c:4585
[<ffffffff823fd062>] tcp_sendmsg+0x2332/0x2ab0 net/ipv4/tcp.c:1134
[<ffffffff824a8b42>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff821d838e>] sock_sendmsg_nosec net/socket.c:638 [inline]
[<ffffffff821d838e>] sock_sendmsg+0xbe/0x110 net/socket.c:648
[<ffffffff821d8615>] sock_write_iter+0x235/0x3d0 net/socket.c:847
[<ffffffff81496ae8>] new_sync_write fs/read_write.c:480 [inline]
[<ffffffff81496ae8>] __vfs_write+0x2e8/0x3d0 fs/read_write.c:493
[<ffffffff81498612>] vfs_write+0x182/0x4e0 fs/read_write.c:540
[<ffffffff8149ac4c>] SYSC_write fs/read_write.c:587 [inline]
[<ffffffff8149ac4c>] SyS_write+0xdc/0x1c0 fs/read_write.c:579
[<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Mem-Info:
active_anon:156525 inactive_anon:13050 isolated_anon:0
active_file:7060 inactive_file:18194 isolated_file:0
unevictable:0 dirty:166 writeback:0 unstable:0
slab_reclaimable:5745 slab_unreclaimable:61442
mapped:59428 shmem:13424 pagetables:3336 bounce:0
free:1315686 free_pcp:602 free_cma:0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535
sclass=netlink_route_socket
DMA32 free:2398884kB min:4696kB low:5868kB high:7044kB active_anon:290348kB
inactive_anon:23900kB active_file:13060kB inactive_file:32604kB
unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3145324kB
managed:3021976kB mlocked:0kB dirty:148kB writeback:0kB mapped:109840kB
shmem:24876kB slab_reclaimable:10796kB slab_unreclaimable:112028kB
kernel_stack:3296kB pagetables:6692kB unstable:0kB bounce:0kB
free_pcp:1160kB local_pcp:624kB free_cma:0kB writeback_tmp:0kB
pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 3504 3504
Normal free:2864204kB min:5580kB low:6972kB high:8368kB
active_anon:335752kB inactive_anon:28300kB active_file:15180kB
inactive_file:40172kB unevictable:0kB isolated(anon):0kB isolated(file):0kB
present:4718592kB managed:3588764kB mlocked:0kB dirty:516kB writeback:0kB
mapped:127872kB shmem:28820kB slab_reclaimable:12184kB
slab_unreclaimable:133600kB kernel_stack:4704kB pagetables:6504kB
unstable:0kB bounce:0kB free_pcp:1164kB local_pcp:572kB free_cma:0kB
writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0
DMA32: 279*4kB (UME) 77*8kB (UME) 28*16kB (UME) 21*32kB (UME) 44*64kB (UME)
28*128kB (UM) 9*256kB (UME) 1*512kB (E) 1*1024kB (M) 1*2048kB (M)
582*4096kB (UM) = 2399012kB
Normal: 187*4kB (UME) 66*8kB (UME) 373*16kB (UME) 82*32kB (UE) 46*64kB (UE)
19*128kB (UM) 9*256kB (UE) 4*512kB (UM) 2*1024kB (UE) 2*2048kB (ME)
693*4096kB (UM) = 2864268kB
38680 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313294 pages reserved
binder: release 8167:8187 transaction 18 out, still active
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8167:8187 ioctl 40046207 0 returned -16
binder_alloc: 8167: binder_alloc_buf, no vma
binder: 8167:8175 transaction failed 29189/-3, size 0-0 line 3137
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 8167:8175 transaction 18 in, still active
binder: send failed reply for transaction 18, target dead
audit: type=1401 audit(1574216050.669:44): op=security_bounded_transition
seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
newcontext=unconfined_u:system_r:mount_t:s0-s0:c0.c1023
nf_conntrack: automatic helper assignment is deprecated and it will be
removed soon. Use the iptables CT target to attach helpers instead.
binder: 8267:8269 unknown command 570450700
binder: 8267:8269 ioctl c0306201 20000200 returned -22
binder: release 8267:8269 transaction 21 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8267:8280 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 21, target dead
binder: 8267:8280 unknown command 570450700
binder: 8267:8280 ioctl c0306201 20000200 returned -22
capability: warning: `syz-executor.0' uses deprecated v2 capabilities in a
way that may be insecure


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Mar 18, 2020, 10:15:10 PM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.