BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/12042
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 12042 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d69b76d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801c977c800 0000000000000003 ffff8801d69b7718
 ffffffff81df7854 ffff8801d69b7730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
sock: process `syz-executor3' is using obsolete setsockopt SO_BSDCOMPAT
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 11 bytes leftover after parsing attributes in process `syz-executor2'.
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/12104
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 12104 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a7e4f6d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801a7e40000 0000000000000003 ffff8801a7e4f718
[ 188.975877] netlink: 11 bytes leftover after parsing attributes in process `syz-executor2'.
 ffffffff81df7854 ffff8801a7e4f730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 12174:12175 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: binder_alloc_mmap_handler: 12174 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12174:12213 ERROR: BC_REGISTER_LOOPER called without request
binder: 12174:12188 ioctl 40046207 0 returned -16
audit: type=1401 audit(1513076090.245:58): op=fscreate invalid_context=0802
audit: type=1401 audit(1513076090.275:59): op=fscreate invalid_context=0802
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 12279:12284 got transaction with invalid parent offset or type
binder: 12279:12284 transaction failed 29201/-22, size 80-16 line 3253
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12279:12325 ioctl 40046207 0 returned -16
binder_alloc: 12279: binder_alloc_buf, no vma
binder: 12279:12284 transaction failed 29189/-3, size 80-16 line 3130
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 12529 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c55ff960 ffffffff81d90889 ffff8801c55ffc40 0000000000000000
 ffff8801a5f35190 ffff8801c55ffb30 ffff8801a5f35080 ffff8801c55ffb58
 ffffffff8165e497 0000000000005e64 ffff8801d54288f0 ffff8801d54288a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 12529 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c55ff540 ffffffff81d90889 ffff8801c55ff820 0000000000000000
 ffff8801a5f35d90 ffff8801c55ff710 ffff8801a5f35c80 ffff8801c55ff738
 ffffffff8165e497 0000000000002475 ffff8801d5428940 ffff8801d54288a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1240
 [] udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2083
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
device gre0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 12592 Comm: syz-executor0 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c418f480 ffffffff81d90889 ffff8801c418f760 0000000000000000
 ffff8801cae07910 ffff8801c418f650 ffff8801cae07800 ffff8801c418f678
 ffffffff8165e497 0000000000004951 ffff8801d5575118 ffff8801d55750a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] do_ip_setsockopt.isra.12+0x1977/0x2960 net/ipv4/ip_sockglue.c:1151
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1240
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2736
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
CPU: 1 PID: 12603 Comm: syz-executor0 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cfff78b0 ffffffff81d90889 ffff8801cfff7b90 0000000000000000
 ffff8801cae07910 ffff8801cfff7a80 ffff8801cae07800 ffff8801cfff7aa8
 ffffffff8165e497 0000000000005e64 ffff8801c41a20f0 ffff8801c41a20a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 12738:12740 ioctl 85 20416000 returned -22
binder: 12738:12740 ioctl c018620b 20236fe8 returned -14
binder: 12738:12740 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 12738:12740 Acquire 1 refcount change on invalid ref 4 ret -22
binder: 12738:12740 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 12738:12740 unknown command 0
binder: 12738:12740 ioctl c0306201 20000fd0 returned -22
binder: 12738:12757 ioctl 85 20416000 returned -22
binder: 12738:12740 ioctl c018620b 20236fe8 returned -14
binder: 12738:12761 ioctl c0306201 20000fd0 returned -14
IPVS: Creating netns size=2536 id=17
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 12935:12936 ioctl 2403 ffff returned -22
device gre0 entered promiscuous mode
binder: 12935:12973 ioctl 8004e500 20005000 returned -22
binder: 12935:12973 ioctl 401845ef 20004000 returned -22
binder: 12935:12973 ioctl 2403 ffff returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12935:12973 ioctl 40046207 0 returned -16
binder: 12935:13016 ioctl 8004e500 20005000 returned -22
binder: 12935:13020 ioctl 401845ef 20004000 returned -22
binder: undelivered death notification, 0000000000000000
binder: undelivered death notification, 0000000000000000
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
binder: 13040:13041 ioctl 2403 ffff returned -22
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
binder: 13040:13058 ioctl 8004e500 20005000 returned -22
binder: 13040:13058 ioctl 401845ef 20004000 returned -22
binder: 13040:13058 ioctl 2403 ffff returned -22
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
nla_parse: 10 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 13040:13093 ioctl 8004e500 20005000 returned -22
binder: 13040:13094 ioctl 401845ef 20004000 returned -22
binder: 13040:13094 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 13040:13058 ioctl 40046207 0 returned -16
binder: undelivered death notification, 0000000000000000
netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 13 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor1'.
sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in;
   program syz-executor4 not setting count and/or reply_len properly
program syz-executor3 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor3 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
keychord: invalid keycode count 0
keychord: invalid keycode count 0
sg_write: data in/out 901092476/192 bytes for SCSI command 0x1b-- guessing data in;
   program syz-executor0 not setting count and/or reply_len properly
IPVS: Creating netns size=2536 id=18
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 13542:13544 ERROR: BC_REGISTER_LOOPER called without request
binder: 13542:13559 got reply transaction with no transaction stack
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 13542:13559 transaction failed 29201/-71, size 24-8 line 2923
binder_alloc: binder_alloc_mmap_handler: 13542 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 13542:13591 ioctl 40046207 0 returned -16
binder: 13542:13579 ERROR: BC_REGISTER_LOOPER called without request
binder: 13542:13579 got reply transaction with no transaction stack
binder: 13542:13579 transaction failed 29201/-71, size 24-8 line 2923
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
IPVS: Creating netns size=2536 id=19
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
ALSA: seq fatal error: cannot create timer (-19)
device lo entered promiscuous mode
ALSA: seq fatal error: cannot create timer (-19)
device lo left promiscuous mode
ƒ: renamed from lo
device lo entered promiscuous mode
device lo left promiscuous mode
updating oom_score_adj for 13908 (syz-executor5) from 0 to 58 because it shares mm with 13898 (syz-executor5). Report if this is unexpected.
updating oom_score_adj for 13922 (syz-executor5) from 58 to 58 because it shares mm with 13898 (syz-executor5). Report if this is unexpected.
binder: 13939:13940 Acquire 1 refcount change on invalid ref 2 ret -22
binder: 13939:13940 IncRefs 0 refcount change on invalid ref 0 ret -22
binder: 13939:13940 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 13939:13940 ERROR: BC_REGISTER_LOOPER called without request
binder: 13939:13940 Release 1 refcount change on invalid ref 0 ret -22