BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/6033
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 6033 Comm: syz-executor7 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 5e6a8e9ac5201b74 ffff8800b8bdf828 ffffffff81cc9b4f
 0000000000000001 ffffffff839fd4a0 ffff8800b8bdf868 ffffffff81d28d58
audit: type=1326 audit(1513042114.481:22): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5988 comm="syz-executor4" exe="/root/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
 ffffffff83ced1a0 1ffff1001717bf14 ffff8801d565a000 ffff8801d565bb00
Call Trace:
 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
 [] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 [] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
 [] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
 [] entry_SYSCALL_64_fastpath+0x16/0x76
device syz6 entered promiscuous mode
device syz2 entered promiscuous mode
audit: type=1400 audit(1513042115.231:23): avc: denied { create } for pid=6153 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1513042115.301:24): avc: denied { write } for pid=6153 comm="syz-executor4" path="socket:[14041]" dev="sockfs" ino=14041 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
binder: 6192:6193 DecRefs 0 refcount change on invalid ref 268435456 ret -22
binder: 6192:6193 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6192:6193 BC_INCREFS_DONE u0000000000000000 no match
binder: 6192:6193 ERROR: BC_REGISTER_LOOPER called without request
binder: 6192:6193 BC_INCREFS_DONE u0000000000000000 node 71 cookie mismatch 0000000000000002 != 0000000000000000
binder: 6192:6193 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6192:6195 BC_INCREFS_DONE u0000000000000000 node 71 cookie mismatch 0000000000000003 != 0000000000000000
binder: 6192:6195 got transaction to invalid handle
binder: 6192:6193 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 6192:6195 transaction failed 29201/-22, size 40-16 line 3008
audit: type=1326 audit(1513042115.531:25): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6180 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
binder: 6192:6193 unknown command 0
binder: 6192:6193 ioctl c0306201 2000efd0 returned -22
binder: 6192:6195 DecRefs 0 refcount change on invalid ref 268435456 ret -22
binder: 6192:6195 BC_INCREFS_DONE u0000000000000000 no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6192:6198 ioctl 40046207 0 returned -16
binder: 6192:6198 ERROR: BC_REGISTER_LOOPER called without request
binder: 6192:6198 BC_INCREFS_DONE u0000000000000000 no match
binder: 6192:6198 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 6192:6198 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 6192:6198 Release 1 refcount change on invalid ref 1 ret -22
binder: 6192:6198 ERROR: BC_REGISTER_LOOPER called without request
binder: 6192:6195 BC_INCREFS_DONE u0000000000000000 no match
binder: 6192:6195 got transaction to invalid handle
binder: 6192:6195 transaction failed 29201/-22, size 40-16 line 3008
binder: release 6192:6195 transaction 74 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 74, target dead
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
device syz3 entered promiscuous mode
nla_parse: 15 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
mmap: syz-executor5 (6432) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: 6621:6624 DecRefs 0 refcount change on invalid ref 268435456 ret -22
binder: 6621:6624 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6621:6624 BC_INCREFS_DONE u0000000000000000 no match
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
device syz1 entered promiscuous mode
device syz1 entered promiscuous mode
netlink: 7 bytes leftover after parsing attributes in process `syz-executor6'.
audit: type=1326 audit(1513042118.791:26): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6840 comm="syz-executor5" exe="/root/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
netlink: 7 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
audit: type=1326 audit(1513042118.961:27): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6840 comm="syz-executor5" exe="/root/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
netlink: 7 bytes leftover after parsing attributes in process `syz-executor0'.
audit: type=1326 audit(1513042119.241:28): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6983 comm="syz-executor3" exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513042119.421:29): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6983 comm="syz-executor3" exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
capability: warning: `syz-executor1' uses deprecated v2 capabilities in a way that may be insecure
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
audit: type=1400 audit(1513042119.711:30): avc: denied { getopt } for pid=7152 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
audit: type=1326 audit(1513042119.821:31): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7116 comm="syz-executor5" exe="/root/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513042119.991:32): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7116 comm="syz-executor5" exe="/root/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
binder: 7245:7246 DecRefs 0 refcount change on invalid ref 268435456 ret -22
binder: 7245:7246 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 7245:7260 ERROR: BC_REGISTER_LOOPER called without request
binder: 7245:7246 BC_INCREFS_DONE node 77 has no pending increfs request
binder: 7245:7269 BC_INCREFS_DONE u0000000000000000 node 77 cookie mismatch 0000000000000003 != 0000000000000000
binder: 7245:7260 ioctl c0306201 2000efd0 returned -14
binder: 7245:7269 unknown command 0
binder: 7245:7260 unknown command 0
binder: 7245:7260 ioctl c0306201 20004000 returned -22
binder: 7245:7269 ioctl c0306201 20003000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7245:7291 ioctl 40046207 0 returned -16
binder: 7245:7260 BC_INCREFS_DONE u0000000000000000 no match
binder: 7245:7260 got transaction to invalid handle
binder_alloc: 7245: binder_alloc_buf, no vma
binder: 7245:7260 transaction failed 29201/-22, size 40-16 line 3008
binder: 7245:7269 transaction failed 29189/-3, size 0-0 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 78, process died.
device syz0 entered promiscuous mode
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
device syz3 entered promiscuous mode
device gre0 entered promiscuous mode
audit: type=1326 audit(1513042121.601:33): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7599 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1400 audit(1513042121.601:34): avc: denied { create } for pid=7673 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
device syz6 entered promiscuous mode
device gre0 entered promiscuous mode
audit: type=1326 audit(1513042121.781:35): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7599 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513042122.161:36): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7752 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513042122.301:37): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=7752 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
nla_parse: 19 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
device gre0 entered promiscuous mode
audit: type=1326 audit(1513042123.371:38): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8080 comm="syz-executor5" exe="/root/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513042123.421:39): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8093 comm="syz-executor6" exe="/root/syz-executor6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
netlink: 7 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
device syz0 entered promiscuous mode