BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/1457
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 0 PID: 1457 Comm: syz-executor7 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 0c7ec3d2f7f4c0d7 ffff8801d3347640 ffffffff81cc9b4f
0000000000000000 ffffffff839fd4a0 ffff8801d3347680 ffffffff81d28d58[ 114.256419] binder: BINDER_SET_CONTEXT_MGR already set
binder: 1422:1467 ioctl 40046207 0 returned -16
binder: 1422:1424 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 1422:1424 ioctl c0306201 2000dfd0 returned -14
ffffffff83ced1a0 1ffff1003a668ed7 ffff8800b88fdb00 ffff8800b88fc6c0
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] sock_write_iter+0x1ea/0x3d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:834
[] do_iter_readv_writev+0xf7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:664
[] do_readv_writev+0x27e/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:808
[] vfs_writev+0x5d/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:847
[] SYSC_writev /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:880 [inline]
[] SyS_writev+0xd3/0x260 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:872
[] entry_SYSCALL_64_fastpath+0x16/0x76
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/1457
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 0 PID: 1457 Comm: syz-executor7 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 0c7ec3d2f7f4c0d7 ffff8801d3347640 ffffffff81cc9b4f
0000000000000000 ffffffff839fd4a0 ffff8801d3347680 ffffffff81d28d58
ffffffff83ced1a0 1ffff1003a668ed7 ffff8800b88fdb00 ffff8800b88fd8c0
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] sock_write_iter+0x1ea/0x3d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:834
[] do_iter_readv_writev+0xf7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:664
[] do_readv_writev+0x27e/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:808
[] vfs_writev+0x5d/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:847
[] SYSC_writev /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:880 [inline]
[] SyS_writev+0xd3/0x260 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:872
[] entry_SYSCALL_64_fastpath+0x16/0x76
binder: 1540:1542 IncRefs 0 refcount change on invalid ref 3 ret -22
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 1540:1542 ioctl 40046207 0 returned -16
binder: 1540:1572 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 1540:1542 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 1697:1698 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 1697:1706 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: BINDER_SET_CONTEXT_MGR already set
binder: 1697:1717 ioctl 40046207 0 returned -16
binder: 1697:1717 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 1697:1715 BC_CLEAR_DEATH_NOTIFICATION death notification not active
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/1849
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 0 PID: 1849 Comm: syz-executor7 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 9b0206d5190f3374 ffff8801d52bf640 ffffffff81cc9b4f
0000000000000000 ffffffff839fd4a0 ffff8801d52bf680 ffffffff81d28d58
ffffffff83ced1a0 1ffff1003aa57ed7 ffff8800b88fcd80 ffff8800b88fdd40
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] sock_write_iter+0x1ea/0x3d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:834
[] do_iter_readv_writev+0xf7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:664
[] do_readv_writev+0x27e/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:808
[] vfs_writev+0x5d/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:847
[] SYSC_writev /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:880 [inline]
[] SyS_writev+0xd3/0x260 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:872
[] entry_SYSCALL_64_fastpath+0x16/0x76
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/1857
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 1857 Comm: syz-executor7 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 007159584d88a663 ffff8801d2387640 ffffffff81cc9b4f
0000000000000001 ffffffff839fd4a0 ffff8801d2387680 ffffffff81d28d58
ffffffff83ced1a0 1ffff1003a470ed7 ffff8800b88fd680 ffff8800b88fd200
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] sock_write_iter+0x1ea/0x3d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:834
[] do_iter_readv_writev+0xf7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:664
[] do_readv_writev+0x27e/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:808
[] vfs_writev+0x5d/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:847
[] SYSC_writev /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:880 [inline]
[] SyS_writev+0xd3/0x260 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:872
[] entry_SYSCALL_64_fastpath+0x16/0x76
binder: 1966:1969 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 1966:1969 ioctl c0306201 2000dfd0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 1966:1991 ioctl 40046207 0 returned -16
binder: 1966:2010 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 1966:1969 BC_CLEAR_DEATH_NOTIFICATION death notification not active
nla_parse: 23 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
audit: type=1400 audit(1513035136.179:29): avc: denied { read } for pid=2022 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 2255:2258 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 2255:2258 ioctl c0306201 2000dfd0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2255:2258 ioctl 40046207 0 returned -16
binder: 2255:2308 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 2255:2307 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 2338:2343 ERROR: BC_REGISTER_LOOPER called without request
binder: 2337:2349 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 2338:2343 got transaction with invalid fd, -1
binder: 2338:2343 transaction failed 29201/-9, size 24-8 line 3236
binder: 2337:2367 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 2337:2367 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: send failed reply for transaction 86 to 2338:2359
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2338:2359 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2338:2343 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 2338: binder_alloc_buf, no vma
binder: 2338:2372 transaction failed 29189/-3, size 0-0 line 3131
binder: 2337:2385 ioctl 40046207 0 returned -16
binder: 2337:2371 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 2337:2401 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29190
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 2511:2516 ERROR: BC_REGISTER_LOOPER called without request
binder: 2511:2516 got transaction with invalid fd, -1
binder: 2511:2516 transaction failed 29201/-9, size 24-8 line 3236
binder: send failed reply for transaction 91 to 2511:2538
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 2511 20000000-20002000 already mapped failed -16
binder: 2511:2538 ERROR: BC_REGISTER_LOOPER called without request
binder: 2511:2538 unknown command 76
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2511:2516 ioctl 40046207 0 returned -16
binder: 2511:2563 got reply transaction with no transaction stack
binder: 2511:2538 ioctl c0306201 2000a000 returned -22
binder: 2511:2563 transaction failed 29201/-71, size 24-8 line 2924
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29190
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 2629:2633 ioctl 5413 20b05ff8 returned -22
device gre0 entered promiscuous mode
binder: 2629:2633 ioctl 8904 20730000 returned -22
binder: 2629:2633 not enough space to store 0 fds in buffer
binder: 2629:2633 transaction failed 29201/-22, size 72-32 line 3273
binder: 2629:2659 ioctl 5413 20b05ff8 returned -22
binder: 2629:2672 ioctl 8904 20730000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2629:2669 ioctl 40046207 0 returned -16
binder_alloc: 2629: binder_alloc_buf, no vma
binder: 2629:2659 transaction failed 29189/-3, size 72-32 line 3131
binder: 2683:2685 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 2683:2685 IncRefs 0 refcount change on invalid ref 4 ret -22
binder: 2683:2692 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 2683:2692 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 2683:2692 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 2683:2717 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 2683:2717 IncRefs 0 refcount change on invalid ref 4 ret -22
binder: 2791:2795 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 2791:2795 IncRefs 0 refcount change on invalid ref 0 ret -22
binder: 2791:2806 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 2791:2806 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 2791:2836 IncRefs 0 refcount change on invalid ref 3 ret -22
binder: 2791:2836 IncRefs 0 refcount change on invalid ref 0 ret -22
binder: 2791:2828 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 2981:2984 ERROR: BC_REGISTER_LOOPER called without request
binder: 2981:2984 got transaction with invalid fd, -1
binder: 2981:2984 transaction failed 29201/-9, size 24-8 line 3236
binder: send failed reply for transaction 100 to 2981:3006
binder_alloc: binder_alloc_mmap_handler: 2981 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2981:3006 ERROR: BC_REGISTER_LOOPER called without request
binder: 2981:3021 got reply transaction with no transaction stack
binder: 2981:3021 transaction failed 29201/-71, size 24-8 line 2924
binder: 2981:3006 unknown command 76
binder: 2981:3006 ioctl c0306201 2000a000 returned -22
binder: 2981:2984 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29190
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
FAULT_FLAG_ALLOW_RETRY missing 31
CPU: 1 PID: 3057 Comm: syz-executor3 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 16f929234962ef14 ffff8800b773f910 ffffffff81cc9b4f
1ffff10016ee7f2d 0000000000000031 ffff8800b773fab0 ffffffff815db71b
ffff8801d6f7c740 ffffed0000000006 ffff8801d6f7c740 ffffffff8140ec17
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316
[] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline]
[] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline]
[] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455
[] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245
[] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985
[] urandom_read+0x4e/0x310 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/char/random.c:1476
[] SYSC_getrandom /syzkaller/managers/android-44-kasan-gce/kernel/drivers/char/random.c:1627 [inline]
[] SyS_getrandom+0x112/0x220 /syzkaller/managers/android-44-kasan-gce/kernel/drivers/char/random.c:1607
[] entry_SYSCALL_64_fastpath+0x16/0x76
capability: warning: `syz-executor5' uses 32-bit capabilities (legacy support in use)
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 3241 Comm: syz-executor4 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 37115bc273a2fbfa ffff8801d44df7e0 ffffffff81cc9b4f
1ffff1003a89bf07 0000000000000030 ffff8801d44df980 ffffffff815db71b
ffff8800b921cb60 ffff8800b921cb60 ffff8800b921cb60 ffff8801d44df958
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316
[] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline]
[] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline]
[] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455
[] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245
[] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985
[] SYSC_select /syzkaller/managers/android-44-kasan-gce/kernel/fs/select.c:640 [inline]
[] SyS_select+0x124/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/select.c:622
[] entry_SYSCALL_64_fastpath+0x16/0x76
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 3241 Comm: syz-executor4 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 37115bc273a2fbfa ffff8801d44df7e0 ffffffff81cc9b4f
1ffff1003a89bf07 0000000000000030 ffff8801d44df980 ffffffff815db71b
ffff8800b921cb60 ffff8800b921cb60 ffff8800b921cb60 ffff8801d44df958
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316
[] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline]
[] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline]
[] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455
[] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245
[] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985
[] SYSC_select /syzkaller/managers/android-44-kasan-gce/kernel/fs/select.c:640 [inline]
[] SyS_select+0x124/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/select.c:622
[] entry_SYSCALL_64_fastpath+0x16/0x76
device gre0 entered promiscuous mode
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor3/3484
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 3484 Comm: syz-executor3 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 8679270953338164 ffff8801d672f640 ffffffff81cc9b4f
0000000000000001 ffffffff839fd4a0 ffff8801d672f680 ffffffff81d28d58
ffffffff83ced1a0 1ffff1003ace5ed7 ffff8801d4437440 ffff8801d4437680
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] sock_write_iter+0x1ea/0x3d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:834
[] do_iter_readv_writev+0xf7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:664
[] do_readv_writev+0x27e/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:808
[] vfs_writev+0x5d/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:847
[] SYSC_writev /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:880 [inline]
[] SyS_writev+0xd3/0x260 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:872
[] entry_SYSCALL_64_fastpath+0x16/0x76
sd 0:0:1:0: [sg0] tag#278 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#278 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#278 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#278 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#278 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#278 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor3/3484
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 3484 Comm: syz-executor3 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 8679270953338164 ffff8801d672f640 ffffffff81cc9b4f
0000000000000001 ffffffff839fd4a0 ffff8801d672f680 ffffffff81d28d58
ffffffff83ced1a0 1ffff1003ace5ed7 ffff8801d4437440 ffff8801d44366c0
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] sock_write_iter+0x1ea/0x3d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:834
[] do_iter_readv_writev+0xf7/0x1d0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:664
[] do_readv_writev+0x27e/0x660 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:808
[] vfs_writev+0x5d/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:847
[] SYSC_writev /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:880 [inline]
[] SyS_writev+0xd3/0x260 /syzkaller/managers/android-44-kasan-gce/kernel/fs/read_write.c:872
[] entry_SYSCALL_64_fastpath+0x16/0x76
device gre0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 3717 Comm: syz-executor7 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 fa818e56e78c248a ffff8801d50a77e0 ffffffff81cc9b4f
1ffff1003aa14f07 0000000000000030 ffff8801d50a7980 ffffffff815db71b
ffff8800b921a320 ffff8800b921a320 ffff8800b921a320 ffff8801d50a7958
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316
device gre0 entered promiscuous mode
[] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline]
[] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline]
[] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455
[] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245
[] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985
[] SYSC_select /syzkaller/managers/android-44-kasan-gce/kernel/fs/select.c:640 [inline]
[] SyS_select+0x124/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/fs/select.c:622
[] entry_SYSCALL_64_fastpath+0x16/0x76
nla_parse: 20 callbacks suppressed
netlink: 6 bytes leftover after parsing attributes in process `syz-executor4'.
device lo entered promiscuous mode
netlink: 6 bytes leftover after parsing attributes in process `syz-executor4'.
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 3840 Comm: syz-executor0 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 4bed5858706f8f40 ffff8801d52579e0 ffffffff81cc9b4f
1ffff1003aa4af47 0000000000000030 ffff8801d5257b80 ffffffff815db71b
ffff8800b921d6e0 ffff8800b921d6e0 ffff8800b921d6e0 ffff8801d5257b58
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316
[] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline]
[] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline]
[] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455
[] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245
[] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985
[] SYSC_seccomp /syzkaller/managers/android-44-kasan-gce/kernel/kernel/seccomp.c:844 [inline]
[] SyS_seccomp+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/seccomp.c:841
[] entry_SYSCALL_64_fastpath+0x16/0x76
CPU: 0 PID: 3863 Comm: syz-executor0 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 49f1f86a03e4bf4a ffff8801d2de77e0 ffffffff81cc9b4f
1ffff1003a5bcf07 0000000000000030 ffff8801d2de7980 ffffffff815db71b
ffff8800b921d6e0 ffff8800b921d6e0 ffff8800b921d6e0 ffff8801d2de7958
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316
[] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline]
[] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline]
[] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455
[] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245
[] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985
[] sock_do_ioctl+0x84/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:890
[] sock_ioctl+0x2aa/0x3c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:969
[] vfs_ioctl /syzkaller/managers/android-44-kasan-gce/kernel/fs/ioctl.c:43 [inline]
[] do_vfs_ioctl+0x681/0xe10 /syzkaller/managers/android-44-kasan-gce/kernel/fs/ioctl.c:607
[] SYSC_ioctl /syzkaller/managers/android-44-kasan-gce/kernel/fs/ioctl.c:622 [inline]
[] SyS_ioctl+0x74/0x80 /syzkaller/managers/android-44-kasan-gce/kernel/fs/ioctl.c:613
[] entry_SYSCALL_64_fastpath+0x16/0x76
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 3832 Comm: syz-executor0 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 3b3a264133c28f4f ffff8800b6867980 ffffffff81cc9b4f
1ffff10016d0cf3b 0000000000000030 ffff8800b6867b20 ffffffff815db71b
ffffffff81229f2f ffff8800b45037e8 0000000100000006 ffff8800b4502f80
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316
[] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline]
[] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline]
[] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455
[] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245
[] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985
[] entry_SYSCALL_64_fastpath+0x16/0x76
binder: 3912:3921 ioctl 5413 20b05ff8 returned -22
binder: 3912:3921 ioctl 8904 20730000 returned -22
binder: 3912:3947 ioctl 40304580 203cafec returned -22
binder: 3912:3921 ioctl 40284504 208d6000 returned -22
binder: 3912:3921 not enough space to store 0 fds in buffer
binder: 3912:3921 transaction failed 29201/-22, size 72-32 line 3273
binder: 3912:3921 ioctl 5413 20b05ff8 returned -22
binder: 3912:3947 ioctl 8904 20730000 returned -22
binder: 3912:3975 ioctl 40304580 203cafec returned -22
binder: 3912:3978 ioctl 40284504 208d6000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 3912:3975 ioctl 40046207 0 returned -16
binder_alloc: 3912: binder_alloc_buf, no vma
binder: 3912:3978 transaction failed 29189/-3, size 72-32 line 3131
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
sd 0:0:1:0: [sg0] tag#278 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#278 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#278 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#278 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#278 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#278 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
sd 0:0:1:0: [sg0] tag#103 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#103 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#103 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#103 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#103 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#103 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
syz-executor6 (4065): /proc/4061/oom_adj is deprecated, please use /proc/4061/oom_score_adj instead.