BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor2/3845
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 3845 Comm: syz-executor2 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a646f6d8 ffffffff81d90889 0000000000000000 ffffffff83c17800
 ffffffff83f42ec0 ffff8801a5159800 0000000000000003 ffff8801a646f718
 ffffffff81df7854[ 49.009566] device gre0 entered promiscuous mode
 ffff8801a646f730 ffffffff83f42ec0 dffffc0000000000
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:635 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:645
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
capability: warning: `syz-executor6' uses 32-bit capabilities (legacy support in use)
audit: type=1400 audit(1513074755.841:13): avc: denied { create } for pid=3907 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
 [] SYSC_sendmsg net/socket.c:2013 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 4002:4004 ERROR: BC_REGISTER_LOOPER called without request
binder: 4002:4020 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 4002:4020 got reply transaction with no transaction stack
binder: 4002:4020 transaction failed 29201/-71, size 48-16 line 2923
binder: 4002:4004 ERROR: BC_REGISTER_LOOPER called without request
binder: 4002:4020 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 4002:4020 got reply transaction with no transaction stack
binder: 4002:4020 transaction failed 29201/-71, size 48-16 line 2923
binder: 4091:4092 ioctl 40046205 0 returned -22
binder: 4091:4092 ERROR: BC_REGISTER_LOOPER called without request
binder: 4091:4092 got transaction to invalid handle
binder: 4091:4092 transaction failed 29201/-22, size 0-8 line 3007
binder: 4091:4101 got reply transaction with bad transaction stack, transaction 6 has target 4091:4092
binder: 4091:4101 transaction failed 29201/-71, size 24-8 line 2938
device syz0 entered promiscuous mode
binder: release 4091:4101 transaction 6 out, still active
binder: 4091:4101 BC_FREE_BUFFER u0000000000000000 no match
binder: 4091:4101 ioctl 40046205 6 returned -22
binder: 4091:4118 ioctl 40046205 0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4091:4101 ioctl 40046207 0 returned -16
binder: 4091:4118 ERROR: BC_REGISTER_LOOPER called without request
binder: 4091:4118 ioctl c0306201 20008fd0 returned -11
binder_alloc: 4091: binder_alloc_buf, no vma
binder: 4091:4101 transaction failed 29189/-3, size 0-0 line 3130
binder: 4091:4118 unknown command 0
binder: 4091:4118 ioctl c0306201 20002fd0 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: 4091:4118 BC_FREE_BUFFER u0000000000000000 no match
device gre0 entered promiscuous mode
binder: release 4091:4092 transaction 6 in, still active
binder: send failed reply for transaction 6, target dead
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 entered promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 4269:4270 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 4269:4270 BC_INCREFS_DONE u000000002011a000 no match
binder: 4269:4278 got transaction with unaligned buffers size, 58534
binder: 4269:4278 transaction failed 29201/-22, size 0-40 line 3175
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4269:4305 ioctl 40046207 0 returned -16
binder_alloc: binder_alloc_mmap_handler: 4269 2011a000-2051a000 already mapped failed -16
binder: 4269:4278 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 4269:4278 BC_INCREFS_DONE u000000002011a000 no match
binder_alloc: 4269: binder_alloc_buf, no vma
binder: 4269:4278 transaction failed 29189/-3, size 32-24 line 3130
binder_alloc: 4269: binder_alloc_buf, no vma
binder: 4269:4278 transaction failed 29189/-3, size 0-40 line 3130
device gre0 entered promiscuous mode
binder_alloc: 4269: binder_alloc_buf, no vma
binder: 4269:4270 transaction failed 29189/-3, size 32-24 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=4431 comm=syz-executor1
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=4431 comm=syz-executor1
device gre0 left promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=4438 comm=syz-executor1
syz-executor3 uses obsolete (PF_INET,SOCK_PACKET)
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=4461 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=4438 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=4485 comm=syz-executor1
device gre0 entered promiscuous mode
binder: 4499:4505 got transaction to invalid handle
binder: 4499:4505 transaction failed 29201/-22, size 0-0 line 3007
binder: 4499:4511 got transaction to invalid handle
binder: 4499:4511 transaction failed 29201/-22, size 0-0 line 3007
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
@: renamed from syz3
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
binder: 4678:4685 ERROR: BC_REGISTER_LOOPER called without request
binder: 4678:4685 ioctl c0306201 20008fd0 returned -11
binder: 4678:4685 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 4678:4685 got reply transaction with no transaction stack
binder: 4678:4685 transaction failed 29201/-71, size 48-16 line 2923
binder: 4678:4685 ERROR: BC_REGISTER_LOOPER called without request
binder: 4678:4685 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 4678:4685 got reply transaction with no transaction stack
binder: 4678:4685 transaction failed 29201/-71, size 48-16 line 2923
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=4804 comm=syz-executor7
binder: 4891:4892 ERROR: BC_REGISTER_LOOPER called without request
binder: 4891:4906 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 4891:4906 got reply transaction with no transaction stack
IPVS: Creating netns size=2536 id=9
binder: 4891:4906 transaction failed 29201/-71, size 48-16 line 2923
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4891:4906 ERROR: BC_REGISTER_LOOPER called without request
binder: 4891:4917 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 4891:4917 got reply transaction with no transaction stack
binder: 4891:4917 transaction failed 29201/-71, size 48-16 line 2923
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=10
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
binder: 4891:4892 ioctl 40046207 0 returned -16
capability: warning: `syz-executor6' uses deprecated v2 capabilities in a way that may be insecure
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
audit_printk_skb: 55 callbacks suppressed
audit: type=1400 audit(1513074760.711:31): avc: denied { connect } for pid=5089 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 5151 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c26274a0 ffffffff81d90889 ffff8801c2627780 0000000000000000
 ffff8801a8867f10 ffff8801c2627670 ffff8801a8867e00 ffff8801c2627698
 ffffffff8165e497 0000000000005e64 ffff8801d055d0f0 ffff8801d055d0a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_poll fs/select.c:983 [inline]
 [] SyS_poll+0x120/0x3f0 fs/select.c:971
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 0 PID: 5164 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d19e7940 ffffffff81d90889 ffff8801d19e7c20 0000000000000000
 ffff8801a8867f10 ffff8801d19e7b10 ffff8801a8867e00 ffff8801d19e7b38
 ffffffff8165e497 0000000000005e64 ffff8801cf3be8f0 ffff8801cf3be8a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 5151 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c26274a0 ffffffff81d90889 ffff8801c2627780 0000000000000000
 ffff8801a72fe590 ffff8801c2627670 ffff8801a72fe480 ffff8801c2627698
 ffffffff8165e497 0000000000005e64 ffff8801d055d0f0 ffff8801d055d0a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_poll fs/select.c:983 [inline]
 [] SyS_poll+0x120/0x3f0 fs/select.c:971
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 5164 Comm: syz-executor1 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d19e7940 ffffffff81d90889 ffff8801d19e7c20 0000000000000000
 ffff8801a72fe590 ffff8801d19e7b10 ffff8801a72fe480 ffff8801d19e7b38
 ffffffff8165e497 0000000000005e64 ffff8801cf3be8f0 ffff8801cf3be8a0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
PF_BRIDGE: RTM_SETLINK with unknown ifindex
audit: type=1400 audit(1513074762.251:32): avc: denied { bind } for pid=5211 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
PF_BRIDGE: RTM_SETLINK with unknown ifindex
mmap: syz-executor3 (5237) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
nla_parse: 21 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 73 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 73 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 5398:5400 ERROR: BC_REGISTER_LOOPER called without request
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
audit: type=1400 audit(1513074763.141:33): avc: denied { transfer } for pid=5398 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 5398:5400 ioctl 8904 20004ffc returned -22
binder: 5398:5400 ioctl c0306201 2000ffd0 returned -14
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
binder: undelivered transaction 26, process died.
binder: 5398:5400 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 5398: binder_alloc_buf, no vma
binder: 5398:5405 transaction failed 29189/-3, size 0-0 line 3130
binder: 5398:5400 got reply transaction with no transaction stack
binder: 5398:5400 transaction failed 29201/-71, size 32-8 line 2923
binder: 5398:5400 ioctl 8904 20004ffc returned -22
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
binder: 5535:5537 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 5535:5537 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 5535:5544 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: undelivered death notification, 0000000000000000
binder: 5554:5556 DecRefs 0 refcount change on invalid ref 1 ret -22
binder_alloc: 5554: binder_alloc_buf, no vma
binder: 5554:5567 transaction failed 29189/-3, size 0-0 line 3130
audit: type=1400 audit(1513074763.701:34): avc: denied { dyntransition } for pid=5562 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=1
binder: 5554:5567 DecRefs 0 refcount change on invalid ref 912 ret -22
binder: 5554:5567 unknown command 0
binder: 5554:5567 ioctl c0306201 20003000 returned -22
device lo entered promiscuous mode
device lo left promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5554:5585 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5554:5585 ioctl 40046207 0 returned -16
binder: 5554:5585 DecRefs 0 refcount change on invalid ref 1 ret -22
binder_alloc: 5554: binder_alloc_buf, no vma
binder: 5554:5599 transaction failed 29189/-3, size 0-0 line 3130
binder: 5554:5610 DecRefs 0 refcount change on invalid ref 912 ret -22
binder: 5554:5610 unknown command 0
binder: 5554:5610 ioctl c0306201 20003000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5554:5599 ioctl 40046207 0 returned -16
device lo entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29189
device lo left promiscuous mode
binder: undelivered death notification, 0000000000000000
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered death notification, 0000000000000000
audit: type=1400 audit(1513074764.201:35): avc: denied { getattr } for pid=5646 comm="syz-executor1" path="socket:[14038]" dev="sockfs" ino=14038 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=11
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63367 sclass=netlink_route_socket pig=5745 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63367 sclass=netlink_route_socket pig=5745 comm=syz-executor1
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device lo entered promiscuous mode
device syz7 entered promiscuous mode
binder: 5840:5859 BC_ACQUIRE_DONE uffffffffffffffff no match
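The only kernel report in this console output with a BUG header is the first one: __this_cpu_read() reached from ipcomp_alloc_tfms (net/xfrm/xfrm_ipcomp.c:286) via a PF_KEY SADB_ADD while preemption was still enabled, so the per-CPU access is not pinned to one CPU. Everything after it is the chatter a fuzzer provokes by feeding malformed input to binder, netlink, pktgen and SELinux, plus userfaultfd dump_stack() traces that carry no BUG or WARNING header. The script below is an added triage example, not part of the original log or of syzkaller: it splits the raw text into kernel messages (including the line where another CPU's timestamped message landed in the middle of a raw stack dump), extracts the first crash header and its call trace, picks the first frame outside generic lib/ and arch/ code as the culprit to build a title, and tallies the benign message classes so they can be filtered. The sample input is an excerpt of the report above with most frames dropped; the noise categories and the choice of lib/ and arch/ as "generic" paths are this example's own assumptions, a loose imitation of how crash-dedup tools name reports rather than syzkaller's actual rules.

```python
"""Triage helper for raw syzkaller console output such as the log above."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional

# Constructed sample: the BUG report from the log above with most frames dropped, plus
# surrounding fuzzer noise, including another CPU's message interleaved in a raw stack line.
SAMPLE_LOG = """\
device gre0 entered promiscuous mode
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor2/3845
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 ffffffff81df7854[   49.009566] device gre0 entered promiscuous mode
 ffff8801a646f730 ffffffff83f42ec0 dffffc0000000000
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
capability: warning: `syz-executor6' uses 32-bit capabilities (legacy support in use)
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 4002:4004 ERROR: BC_REGISTER_LOOPER called without request
"""

TIMESTAMP = re.compile(r"\[\s*\d+\.\d+\]\s*")
PREEMPT_BUG = re.compile(r"^BUG: (using .+?) in preemptible \[[0-9a-f]+\] code: (\S+)/(\d+)$")
CRASH_HEADER = re.compile(r"^(?:BUG:|WARNING:|kernel BUG at|general protection fault)")
FRAME = re.compile(r"^\s*\[(?:<[0-9a-f]+>)?\]\s+(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                   r"(?:\s+(?P<file>[\w/.-]+):(?P<line>\d+))?(?:\s+(?P<inline>\[inline\]))?\s*$")
# Benign chatter this kernel emits under fuzzing (assumed classes): counted, never reported.
NOISE = [("binder", re.compile(r"^binder(?:_alloc)?: ")),
         ("netlink_leftover", re.compile(r"^netlink: \d+ bytes leftover")),
         ("pktgen", re.compile(r"^pktgen: ")),
         ("promisc", re.compile(r"^device \S+ (?:entered|left) promiscuous mode$"))]
GENERIC_PATHS = ("lib/", "arch/")  # plumbing frames (dump_stack etc.), never the culprit


class Frame(NamedTuple):
    func: str
    file: Optional[str]
    line: Optional[int]
    inline: bool


@dataclass
class Report:
    header: str  # normalised: preempt count and "comm/pid" stripped
    comm: Optional[str]
    pid: Optional[int]
    frames: List[Frame] = field(default_factory=list)

    def culprit(self) -> Optional[Frame]:
        # First frame with a source location outside generic kernel code.
        return next((f for f in self.frames if f.file and not f.file.startswith(GENERIC_PATHS)), None)

    def title(self) -> str:
        c = self.culprit()
        return f"{self.header} in {c.func}" if c else self.header


def split_messages(raw):
    """One kernel message per item; a timestamp mid-line marks an interleaved message."""
    for line in raw.splitlines():
        for part in TIMESTAMP.split(line):
            if part.strip():
                yield part.rstrip()


def parse_log(raw):
    """Return (first crash report or None, Counter of noise categories)."""
    report, done, noise = None, False, Counter()
    for msg in split_messages(raw):
        for label, pat in NOISE:
            if pat.match(msg):
                noise[label] += 1
                break
        if done:
            continue
        if report is None:  # still looking for a crash header
            m = PREEMPT_BUG.match(msg)
            if m:
                report = Report(f"BUG: {m[1]} in preemptible code", m[2], int(m[3]))
            elif CRASH_HEADER.match(msg):
                report = Report(msg, None, None)
            continue
        fm = FRAME.match(msg)  # raw stack words, "caller is" and interleaved noise fall through
        if fm:
            report.frames.append(Frame(fm["func"], fm["file"],
                                       int(fm["line"]) if fm["line"] else None,
                                       fm["inline"] is not None))
            done = fm["func"].startswith("entry_SYSCALL")  # kernel entry: trace complete
    return report, noise


if __name__ == "__main__":
    rep, noise = parse_log(SAMPLE_LOG)
    print(rep.title(), dict(noise))
```

Run on the full log, parse_log() stops after the first report's entry_SYSCALL frame, which is the right behaviour for dedup: the later dump_stack() traces from handle_userfault have no crash header and would otherwise be mistaken for a second splat. Keep a real report's raw stack words and interleaved lines in the sample when testing a parser like this; the timestamp in the middle of a hex row is exactly the kind of input that breaks a naive line-per-message reader.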