BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor3/18256
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 18256 Comm: syz-executor3 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 790883949278a1c9 ffff8800a7a97800 ffffffff81d028ed
0000000000000000 ffffffff839fe3a0 ffffffff83cef6a0 ffff8800ba41af80
0000000000000003 ffff8800a7a97840 ffffffff81d62834 ffffffff810002b8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] ? 0xffffffff810002b8
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
[] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[] SyS_sendto+0x40/0x50 net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x1c/0x98
device syz4 left promiscuous mode
binder_alloc: 18306: binder_alloc_buf, no vma
binder: 18306:18310 transaction failed 29189/-3, size 0-0 line 3128
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 18306: binder_alloc_buf, no vma
binder: 18306:18310 ioctl 40046207 0 returned -16
binder: 18306:18336 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: tried to use weak ref as strong ref
binder: 18365:18373 Release 1 refcount change on invalid ref 2 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: binder_alloc_mmap_handler: 18365 20000000-20002000 already mapped failed -16
binder: 18365:18402 ioctl 40046207 0 returned -16
binder: 18365:18373 ioctl c0306201 20c56000 returned -11
binder_alloc: 18365: binder_alloc_buf, no vma
binder: 18365:18419 transaction failed 29189/-3, size 80-16 line 3128
binder: release 18365:18373 transaction 134 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 134, target dead
TCP: request_sock_TCPv6: Possible SYN flooding on port 20022. Sending cookies. Check SNMP counters.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 18600 Comm: syz-executor6 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 8628c16093b9e6f1 ffff8801d7237a40 ffffffff81d028ed
ffff8800b3a53680 1ffff1003ae46f55 ffff8801d7237bc8 0000000000000000
0000000000000000 ffff8801d7237bf0 ffffffff81605ec5 ffffffff81236530
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
[] do_anonymous_page mm/memory.c:2731 [inline]
[] handle_pte_fault mm/memory.c:3295 [inline]
[] __handle_mm_fault mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
[] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
[] entry_SYSCALL_64_fastpath+0x1c/0x98
binder: 18720:18722 transaction failed 29189/-22, size 0-0 line 3005
binder: 18720:18737 transaction failed 29189/-22, size 0-0 line 3005
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 7 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 19288:19293 ioctl 40046205 8001 returned -22
binder_alloc: binder_alloc_mmap_handler: 19288 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19288:19293 ioctl 40046207 0 returned -16
binder: 19288:19328 ioctl 40046205 8001 returned -22
binder_alloc: 19288: binder_alloc_buf, no vma
binder: 19288:19293 transaction failed 29189/-3, size 40-8 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 19288:19303 transaction 143 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 143, target dead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19435:19448 ioctl 40046207 0 returned -16
binder: release 19435:19440 transaction 148 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 148, target dead
binder: 19568:19577 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517385790.567:49): avc: denied { call } for pid=19568 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1517385790.607:50): avc: denied { set_context_mgr } for pid=19609 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 19568:19577 got reply transaction with no transaction stack
binder: 19568:19577 transaction failed 29201/-71, size 56-56 line 2921
binder: 19609:19618 ERROR: BC_REGISTER_LOOPER called without request
binder: 19568:19592 got reply transaction with bad transaction stack, transaction 150 has target 19568:19577
binder: 19568:19592 transaction failed 29201/-71, size 32-0 line 2936
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19568:19606 ERROR: BC_REGISTER_LOOPER called without request
binder: 19568:19592 ioctl 40046207 0 returned -16
binder: 19609:19618 DecRefs 0 refcount change on invalid ref 1 ret -22
binder_alloc: 19568: binder_alloc_buf, no vma
binder: 19568:19606 transaction failed 29189/-3, size 0-0 line 3128
binder: 19568:19592 got reply transaction with no transaction stack
binder: 19568:19592 transaction failed 29201/-71, size 56-56 line 2921
binder: 19609:19618 BC_INCREFS_DONE node 152 has no pending increfs request
binder: release 19609:19612 transaction 153 out, still active
binder: 19609:19612 ERROR: BC_REGISTER_LOOPER called without request
binder: release 19609:19618 transaction 153 in, still active
binder: send failed reply for transaction 153, target dead
binder: release 19609:19618 transaction 158 out, still active
binder: release 19609:19612 transaction 158 in, still active
binder: send failed reply for transaction 158, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 19568:19577 transaction 150 in, still active
binder: send failed reply for transaction 150 to 19568:19592
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
vmalloc: allocation failure: 0 bytes
syz-executor0: page allocation failure: order:0, mode:0x24000c2
CPU: 0 PID: 19762 Comm: syz-executor0 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 4035be47e3edad03 ffff8800b8f2f938 ffffffff81d028ed
1ffff100171e5f2a ffff8800b5e4af80 00000000024000c2 0000000000000000
0000000000000001 ffff8800b8f2fa48 ffffffff814301e9 ffffffff838ac3a0
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] warn_alloc_failed+0x1d9/0x240 mm/page_alloc.c:2757
[] __vmalloc_node_range+0x41d/0x630 mm/vmalloc.c:1692
[] __vmalloc_node mm/vmalloc.c:1715 [inline]
[] __vmalloc_node_flags mm/vmalloc.c:1729 [inline]
[] vmalloc+0x5b/0x70 mm/vmalloc.c:1744
[] sel_write_load+0x130/0xff0 security/selinux/selinuxfs.c:527
[] __vfs_write+0x103/0x450 fs/read_write.c:489
[] vfs_write+0x18a/0x530 fs/read_write.c:538
[] SYSC_write fs/read_write.c:585 [inline]
[] SyS_write+0xd9/0x1b0 fs/read_write.c:577
[] entry_SYSCALL_64_fastpath+0x1c/0x98
Mem-Info:
active_anon:50388 inactive_anon:45 isolated_anon:0
active_file:3780 inactive_file:8432 isolated_file:0
unevictable:0 dirty:137 writeback:0 unstable:0
slab_reclaimable:6195 slab_unreclaimable:60485
mapped:24136 shmem:51 pagetables:611 bounce:0
free:1476912 free_pcp:675 free_cma:0
DMA free:15904kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15904kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
lowmem_reserve[]: 0 2911 6411 6411
DMA32 free:2669436kB min:30608kB low:38260kB high:45912kB active_anon:99512kB inactive_anon:64kB active_file:7516kB inactive_file:16928kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3129292kB managed:2982736kB mlocked:0kB dirty:292kB writeback:0kB mapped:40896kB shmem:76kB slab_reclaimable:11252kB slab_unreclaimable:108376kB kernel_stack:3008kB pagetables:1032kB unstable:0kB bounce:0kB free_pcp:1380kB local_pcp:692kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 3500 3500
Normal free:3222796kB min:36808kB low:46008kB high:55212kB active_anon:99996kB inactive_anon:116kB active_file:7616kB inactive_file:16800kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3584660kB mlocked:0kB dirty:272kB writeback:0kB mapped:55648kB shmem:128kB slab_reclaimable:13528kB slab_unreclaimable:133628kB kernel_stack:3008kB pagetables:1416kB unstable:0kB bounce:0kB free_pcp:1292kB local_pcp:688kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0 0
DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15904kB
DMA32: 615*4kB (UME) 382*8kB (UME) 277*16kB (UM) 274*32kB (UME) 234*64kB (UM) 94*128kB (UME) 77*256kB (M) 66*512kB (UME) 72*1024kB (M) 8*2048kB (UM) 606*4096kB (M) = 2671516kB
Normal: 779*4kB (UME) 484*8kB (UME) 365*16kB (UME) 346*32kB (UME) 234*64kB (UME) 164*128kB (UME) 104*256kB (M) 88*512kB (M) 123*1024kB (UM) 2*2048kB (ME) 722*4096kB (M) = 3218908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
12266 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320144 pages reserved
vmalloc: allocation failure: 0 bytes
syz-executor0: page allocation failure: order:0, mode:0x24000c2
CPU: 1 PID: 19769 Comm: syz-executor0 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 657f0ec2a5314cc6 ffff8801d40af938 ffffffff81d028ed
1ffff1003a815f2a ffff8800b5e497c0 00000000024000c2 0000000000000000
0000000000000001 ffff8801d40afa48 ffffffff814301e9 ffffffff838ac3a0
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] warn_alloc_failed+0x1d9/0x240 mm/page_alloc.c:2757
[] __vmalloc_node_range+0x41d/0x630 mm/vmalloc.c:1692
[] __vmalloc_node mm/vmalloc.c:1715 [inline]
[] __vmalloc_node_flags mm/vmalloc.c:1729 [inline]
[] vmalloc+0x5b/0x70 mm/vmalloc.c:1744
[] sel_write_load+0x130/0xff0 security/selinux/selinuxfs.c:527
[] __vfs_write+0x103/0x450 fs/read_write.c:489
[] vfs_write+0x18a/0x530 fs/read_write.c:538
[] SYSC_write fs/read_write.c:585 [inline]
[] SyS_write+0xd9/0x1b0 fs/read_write.c:577
[] entry_SYSCALL_64_fastpath+0x1c/0x98
Mem-Info:
active_anon:49335 inactive_anon:45 isolated_anon:0
active_file:3784 inactive_file:8432 isolated_file:0
unevictable:0 dirty:145 writeback:0 unstable:0
slab_reclaimable:6195 slab_unreclaimable:60495
mapped:24132 shmem:51 pagetables:625 bounce:0
free:1476598 free_pcp:662 free_cma:0
DMA free:15904kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15904kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
lowmem_reserve[]: 0 2911 6411 6411
DMA32 free:2671580kB min:30608kB low:38260kB high:45912kB active_anon:97388kB inactive_anon:64kB active_file:7516kB inactive_file:16928kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3129292kB managed:2982736kB mlocked:0kB dirty:292kB writeback:0kB mapped:40832kB shmem:76kB slab_reclaimable:11252kB slab_unreclaimable:108404kB kernel_stack:3072kB pagetables:1056kB unstable:0kB bounce:0kB free_pcp:1392kB local_pcp:700kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 3500 3500
Normal free:3218908kB min:36808kB low:46008kB high:55212kB active_anon:99952kB inactive_anon:116kB active_file:7620kB inactive_file:16800kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3584660kB mlocked:0kB dirty:296kB writeback:0kB mapped:55696kB shmem:128kB slab_reclaimable:13528kB slab_unreclaimable:133576kB kernel_stack:2944kB pagetables:1444kB unstable:0kB bounce:0kB free_pcp:1248kB local_pcp:580kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0 0
DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15904kB
DMA32: 615*4kB (UME) 382*8kB (UME) 277*16kB (UM) 276*32kB (UME) 234*64kB (UM) 94*128kB (UME) 77*256kB (M) 66*512kB (UME) 72*1024kB (M) 8*2048kB (UM) 606*4096kB (M) = 2671580kB
Normal: 779*4kB (UME) 484*8kB (UME) 365*16kB (UME) 346*32kB (UME) 234*64kB (UME) 164*128kB (UME) 104*256kB (M) 88*512kB (M) 123*1024kB (UM) 2*2048kB (ME) 722*4096kB (M) = 3218908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
12272 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320144 pages reserved
netlink: 7 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor7'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 20107 Comm: syz-executor7 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 997c8afc8421fb52 ffff8800b69e76d0 ffffffff81d028ed
ffff8800b3a53b00 1ffff10016d3cee7 ffff8800b69e7858 0000000000000000
0000000000000000 ffff8800b69e7880 ffffffff81605ec5 ffffffff81236530
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
[] do_anonymous_page mm/memory.c:2731 [inline]
[] handle_pte_fault mm/memory.c:3295 [inline]
[] __handle_mm_fault mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
[] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
[] vfs_ioctl fs/ioctl.c:43 [inline]
[] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607
[] SYSC_ioctl fs/ioctl.c:622 [inline]
[] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[] entry_SYSCALL_64_fastpath+0x1c/0x98
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 20107 Comm: syz-executor7 Not tainted 4.4.113-g962d1f3 #2
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 997c8afc8421fb52 ffff8800b69e76d0 ffffffff81d028ed
ffff8800bacca480 1ffff10016d3cee7 ffff8800b69e7858 0000000000000000
0000000000000000 ffff8800b69e7880 ffffffff81605ec5 ffffffff81236530
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
[] do_anonymous_page mm/memory.c:2731 [inline]
[] handle_pte_fault mm/memory.c:3295 [inline]
[] __handle_mm_fault mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
[] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
[] vfs_ioctl fs/ioctl.c:43 [inline]
[] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607
[] SYSC_ioctl fs/ioctl.c:622 [inline]
[] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[] entry_SYSCALL_64_fastpath+0x1c/0x98
tc_dump_action: action bad kind
tc_dump_action: action bad kind
binder: 20310:20312 transaction failed 29201/-22, size 0--4880856391614455847 line 3128
binder: BINDER_SET_CONTEXT_MGR already set
binder: 20310:20312 ioctl 40046207 0 returned -16
binder_alloc: 20310: binder_alloc_buf, no vma
binder: 20310:20315 transaction failed 29189/-3, size 0--4880856391614455847 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 24 bytes leftover after parsing attributes in process `syz-executor6'.