[] entry_SYSCALL_64_fastpath+0x23/0xc6
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/31403
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 31403 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a1e776d8 ffffffff81d90889 0000000000000000 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d05fe000 0000000000000003 ffff8801a1e77718
 ffffffff81df7854 ffff8801a1e77730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/31403
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 31403 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a1e776d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d05fe000 0000000000000003 ffff8801a1e77718
 ffffffff81df7854 ffff8801a1e77730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
netlink: 18 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 31505:31509 ioctl 8924 20002000 returned -22
binder: 31505:31509 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 31505: binder_alloc_buf size 69515765096 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 31505:31528 transaction failed 29201/-28, size 69515765092-0 line 3130
netlink: 18 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 31505:31534 ioctl 8924 20002000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
IPVS: length: 24 != 8
binder: 31505:31534 ERROR: BC_REGISTER_LOOPER called without request
FAULT_FLAG_ALLOW_RETRY missing 31
CPU: 1 PID: 31541 Comm: syz-executor3 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d0087870 ffffffff81d90889 ffff8801d0087b50 0000000000000000
 ffff8801d1c0ed10 ffff8801d0087a40 ffff8801d1c0ec00 ffff8801d0087a68
 ffffffff8165e497 0000000000005e64 ffff8801a804d0f0 ffff8801a804d0a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2783 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1f82/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_getrandom drivers/char/random.c:1899 [inline]
 [] SyS_getrandom+0x165/0x2a0 drivers/char/random.c:1880
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 31505:31528 ioctl 40046207 0 returned -16
binder_alloc: 31505: binder_alloc_buf, no vma
binder: 31505:31538 transaction failed 29189/-3, size 69515765092-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
IPv6: ADDRCONF(NETDEV_UP): gre0: link is not ready
device gre0 entered promiscuous mode
binder: 31739:31751 ioctl 2403 ffff returned -22
binder: 31739:31751 ioctl 2403 ffff returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 31739:31760 ioctl 40046207 0 returned -16
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
devpts: called with bogus options
devpts: called with bogus options
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
sock: process `syz-executor0' is using obsolete getsockopt SO_BSDCOMPAT
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
binder_alloc: 32080: binder_alloc_buf, no vma
binder: 32080:32081 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 32080: binder_alloc_buf, no vma
binder: 32080:32101 transaction failed 29189/-3, size 0-0 line 3130
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32080:32101 ioctl 40046207 0 returned -16
binder_alloc: 32080: binder_alloc_buf, no vma
binder: 32080:32101 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
binder: 32165:32170 got transaction to invalid handle
binder: 32165:32170 transaction failed 29201/-22, size 32-40 line 3007
binder: 32165:32170 got transaction to invalid handle
binder: 32165:32170 transaction failed 29201/-22, size 32-40 line 3007
binder: 32165:32181 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 32165:32181 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 32165:32181 got reply transaction with no transaction stack
binder: 32165:32181 transaction failed 29201/-71, size 48-40 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
binder: 32231:32233 BC_CLEAR_DEATH_NOTIFICATION death notification not active
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 32231:32248 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 32231:32248 got transaction to invalid handle
binder: 32231:32248 transaction failed 29201/-22, size 24-16 line 3007
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 32231:32248 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 32231:32233 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 32231:32233 unknown command 1986356271
binder: 32231:32282 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 32231:32282 Release 1 refcount change on invalid ref 0 ret -22
binder: 32231:32282 got transaction to invalid handle
binder: 32231:32282 transaction failed 29201/-22, size 24-16 line 3007
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59136 sclass=netlink_route_socket pig=32285 comm=syz-executor5
binder: 32231:32233 ioctl c0306201 20003fd0 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59136 sclass=netlink_route_socket pig=32300 comm=syz-executor5
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
audit: type=1400 audit(1513075512.467:69): avc: denied { net_bind_service } for pid=32554 comm="syz-executor1" capability=10 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
9pnet_virtio: no channels available for device ./control
device gre0 entered promiscuous mode
IPv6: NLM_F_REPLACE set, but no existing node found!
IPv6: NLM_F_REPLACE set, but no existing node found!
binder: 395:396 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 395:396 ioctl c0306201 20001000 returned -11
binder_alloc: 395: binder_alloc_buf, no vma
binder: 395:396 transaction failed 29189/-3, size 0-0 line 3130
binder: 395:396 DecRefs 0 refcount change on invalid ref 912 ret -22
binder: 395:396 unknown command 0
binder: 395:396 ioctl c0306201 20003000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 395:396 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 395:396 ioctl 40046207 0 returned -16
binder: 395:396 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 395:396 ioctl c0306201 20001000 returned -11
binder_alloc: 395: binder_alloc_buf, no vma
binder: 395:407 transaction failed 29189/-3, size 0-0 line 3130
binder: 395:408 DecRefs 0 refcount change on invalid ref 912 ret -22
binder: 395:408 unknown command 0
binder: 395:408 ioctl c0306201 20003000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 395:407 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered death notification, 0000000000000000
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered death notification, 0000000000000000