BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor4/7531
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 7531 Comm: syz-executor4 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 2b219c18cf2db618 ffff8800b508f800 ffffffff81d028ed
0000000000000000 ffffffff839fe3a0 ffffffff83cef6a0 ffff8800aa632f80
0000000000000003 ffff8800b508f840 ffffffff81d62834 ffffffff810002b8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] ? 0xffffffff810002b8
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
[] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[] SyS_sendto+0x40/0x50 net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x1c/0x98
IPv6: Can't replace route, no match found
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8 sclass=netlink_route_socket
mmap: syz-executor2 (7565) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
IPv6: Can't replace route, no match found
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8 sclass=netlink_route_socket
capability: warning: `syz-executor3' uses deprecated v2 capabilities in a way that may be insecure
audit: type=1400 audit(1517384560.794:22): avc: denied { create } for pid=7675 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
audit: type=1401 audit(1517384560.844:23): op=fscreate invalid_context=7379737465035F753A6F626A6563745F723A516D6573675F657865635F743A003073000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
IPv4: Oversized IP packet from 127.0.0.1
syz-executor2 (7901): /proc/7898/oom_adj is deprecated, please use /proc/7898/oom_score_adj instead.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20026. Sending cookies. Check SNMP counters.
audit: type=1400 audit(1517384562.124:24): avc: denied { create } for pid=7996 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1517384562.174:25): avc: denied { create } for pid=7996 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 8018:8023 transaction failed 29189/-22, size 0-0 line 3005
binder: 8018:8025 got reply transaction with no transaction stack
audit: type=1400 audit(1517384562.294:26): avc: denied { write } for pid=7996 comm="syz-executor3" path="socket:[17480]" dev="sockfs" ino=17480 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
binder: 8018:8025 transaction failed 29201/-71, size 0-0 line 2921
audit: type=1400 audit(1517384562.324:27): avc: denied { set_context_mgr } for pid=8018 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1517384562.334:28): avc: denied { call } for pid=8018 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: release 8018:8031 transaction 24 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 8018:8025 ioctl 5600 20485000 returned -22
binder: release 8018:8031 transaction 24 in, still active
binder: send failed reply for transaction 24, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device syz4 entered promiscuous mode
device syz4 left promiscuous mode
binder: 8158:8159 ERROR: BC_REGISTER_LOOPER called without request
binder: 8158:8160 got reply transaction with bad transaction stack, transaction 26 has target 8158:8159
binder: 8158:8160 transaction failed 29201/-71, size 32-0 line 2936
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8158:8161 ioctl 40046207 0 returned -16
binder_alloc: 8158: binder_alloc_buf, no vma
binder: 8158:8160 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 8158:8160 transaction 26 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8174:8179 ioctl 40046207 0 returned -16
binder: 8174:8179 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 8158: binder_alloc_buf, no vma
binder: 8174:8190 transaction failed 29189/-3, size 0-0 line 3128
binder: release 8158:8159 transaction 26 in, still active
binder: send failed reply for transaction 26, target dead
binder: 8174:8197 got reply transaction with no transaction stack
binder: 8174:8197 transaction failed 29201/-71, size 32-0 line 2921
audit: type=1400 audit(1517384563.054:29): avc: denied { setattr } for pid=8199 comm="syz-executor1" name="comm" dev="proc" ino=16818 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=file permissive=1
audit: type=1400 audit(1517384563.054:30): avc: denied { execute } for pid=8199 comm="syz-executor1" name="comm" dev="proc" ino=16818 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=file permissive=1
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1400 audit(1517384564.294:31): avc: denied { create } for pid=8495 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
ALSA: seq fatal error: cannot create timer (-16)
audit: type=1400 audit(1517384564.344:32): avc: denied { ioctl } for pid=8495 comm="syz-executor5" path="socket:[16990]" dev="sockfs" ino=16990 ioctlcmd=891b scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 8576 Comm: syz-executor4 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 3eb84e80cc23a532 ffff8801cc17f580 ffffffff81d028ed
ffff8801d36a5c80 1ffff1003982febd ffff8801cc17f708 0000000000000000
0000000000000000 ffff8801cc17f730 ffffffff81605ec5 ffffffff81236530
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
[] do_anonymous_page mm/memory.c:2731 [inline]
[] handle_pte_fault mm/memory.c:3295 [inline]
[] __handle_mm_fault mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
[] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
[] generic_perform_write+0x1eb/0x530 mm/filemap.c:2540
[] __generic_file_write_iter+0x35a/0x580 mm/filemap.c:2675
[] generic_file_write_iter+0x2f1/0x720 mm/filemap.c:2703
[] new_sync_write fs/read_write.c:478 [inline]
[] __vfs_write+0x33c/0x450 fs/read_write.c:491
[] vfs_write+0x18a/0x530 fs/read_write.c:538
[] SYSC_write fs/read_write.c:585 [inline]
[] SyS_write+0xd9/0x1b0 fs/read_write.c:577
[] entry_SYSCALL_64_fastpath+0x1c/0x98
device syz6 entered promiscuous mode
device syz6 left promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 8712 20002000-20015000 already mapped failed -16
SELinux: policydb string SE Linux does not match my string SE Linux
SELinux: policydb string SE Linux does not match my string SE Linux
audit_printk_skb: 9 callbacks suppressed
audit: type=1400 audit(1517384568.084:36): avc: denied { dyntransition } for pid=9478 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0,c1 tclass=process permissive=1
IPv4: Oversized IP packet from 127.0.0.1
binder: 9578:9581 ERROR: BC_REGISTER_LOOPER called without request
binder: 9578:9588 ioctl c0306201 20005fd0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9578:9592 ioctl 40046207 0 returned -16
binder: 9578:9592 ioctl c0306201 20005fd0 returned -14
binder: 9599:9616 ioctl 5 20270fc5 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9599:9634 ioctl 40046207 0 returned -16
binder: 9599:9651 ioctl 5 20270fc5 returned -22
binder: release 9599:9616 transaction 33 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 33, target dead