BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor6/7276
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 7276 Comm: syz-executor6 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 49d1ab7854efa86e ffff8801c6a7f800 ffffffff81d028ed
0000000000000001 ffffffff839fe3a0 ffffffff83cef6a0 ffff8801c1f72f80
0000000000000003 ffff8801c6a7f840 ffffffff81d62834 ffffffff810002b8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] ? 0xffffffff810002b8
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
[] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[] SyS_sendto+0x40/0x50 net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x1c/0x98
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor6/7302
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 7302 Comm: syz-executor6 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 1870386250306fe4 ffff8801cfcaf800 ffffffff81d028ed
0000000000000000 ffffffff839fe3a0 ffffffff83cef6a0 ffff8801d22b97c0
0000000000000003 ffff8801cfcaf840 ffffffff81d62834 ffffffff810002b8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] ? 0xffffffff810002b8
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
[] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[] SyS_sendto+0x40/0x50 net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x1c/0x98
l2tp_core: tunl 2: fd 19 wrong protocol, got 1, expected 17
l2tp_core: tunl 2: fd 19 wrong protocol, got 1, expected 17
binder: undelivered death notification, 0000000000000000
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7443:7468 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 7443:7444 ioctl 40046207 0 returned -16
audit: type=1400 audit(1517374052.919:21): avc: denied { create } for pid=7447 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1517374053.139:22): avc: denied { create } for pid=7507 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1
binder: 7538:7551 ERROR: BC_REGISTER_LOOPER called without request
binder: 7538:7551 ioctl 4b30 7 returned -22
audit: type=1400 audit(1517374053.339:23): avc: denied { transfer } for pid=7538 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7538:7561 ERROR: BC_REGISTER_LOOPER called without request
binder: 7538:7551 ioctl 40046207 0 returned -16
binder: 7538:7584 ioctl 4b30 7 returned -22
binder: 7538:7561 got reply transaction with no transaction stack
binder: 7538:7561 transaction failed 29201/-71, size 32-8 line 2921
binder: undelivered TRANSACTION_ERROR: 29201
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 25, process died.
audit: type=1400 audit(1517374053.959:24): avc: denied { setattr } for pid=7657 comm="syz-executor7" name="comm" dev="proc" ino=17003 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=file permissive=1
audit: type=1400 audit(1517374054.699:25): avc: denied { getattr } for pid=7889 comm="syz-executor5" path="socket:[17477]" dev="sockfs" ino=17477 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
device gre0 entered promiscuous mode
audit: type=1400 audit(1517374054.829:26): avc: denied { getopt } for pid=7916 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
TCP: request_sock_TCP: Possible SYN flooding on port 20022. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20018. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20026. Sending cookies. Check SNMP counters.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
audit: type=1326 audit(1517374056.449:27): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8277 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
audit: type=1326 audit(1517374056.479:28): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8258 comm="syz-executor4" exe="/root/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
binder: BINDER_SET_CONTEXT_MGR already set
audit: type=1326 audit(1517374056.529:29): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8277 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
binder: 8273:8296 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8448:8483 ioctl 40046207 0 returned -16
binder_alloc: 8448: binder_alloc_buf, no vma
binder: 8448:8492 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 32, process died.
binder: undelivered TRANSACTION_COMPLETE
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 8610:8628 tried to acquire reference to desc 0, got 1 instead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8610:8616 ioctl 40046207 0 returned -16
binder: 8610:8616 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
netlink: 7 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1400 audit(1517374057.859:30): avc: denied { read } for pid=8643 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 7 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1326 audit(1517374058.029:31): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8711 comm="syz-executor4" exe="/root/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
audit: type=1326 audit(1517374058.079:32): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8711 comm="syz-executor4" exe="/root/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
sock: process `syz-executor6' is using obsolete getsockopt SO_BSDCOMPAT
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
binder: 8813:8815 transaction failed 29189/-22, size 0-0 line 3005
binder: 8817:8823 ioctl 5408 20003000 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: 8813:8829 transaction failed 29189/-22, size 0-0 line 3005
binder: 8817:8823 ERROR: BC_REGISTER_LOOPER called without request
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
binder: undelivered TRANSACTION_ERROR: 29189
binder: 8817 invalid dec weak, ref 45 desc 0 s 1 w 0
binder: unexpected work type, 4, not freed
binder: 8817:8823 ioctl 5408 20003000 returned -22
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 42, process died.
binder: 8817:8837 got reply transaction with bad transaction stack, transaction 47 has target 8817:0
binder: 8817 invalid dec weak, ref 49 desc 0 s 1 w 0
binder: 8817:8837 transaction failed 29201/-71, size 32-8 line 2936
binder: release 8817:8837 transaction 47 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 47, target dead
binder: 8875:8878 ERROR: BC_REGISTER_LOOPER called without request
binder: 8875:8878 unknown command 0
binder: 8875:8878 ioctl c0306201 20013fd0 returned -22
binder: 8875:8891 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 8875:8891 unknown command 0
binder: 8875:8891 ioctl c0306201 20013fd0 returned -22
audit: type=1400 audit(1517374059.319:33): avc: denied { set_context_mgr } for pid=9131 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 9131:9134 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 9131:9134 unknown command 0
binder: 9131:9134 ioctl c0306201 2000dfd0 returned -22
binder: 9319:9323 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 9319:9323 got reply transaction with no transaction stack
binder: 9319:9323 transaction failed 29201/-71, size 64-16 line 2921
binder_alloc: binder_alloc_mmap_handler: 9319 20265000-20279000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9319:9333 ioctl 40046207 0 returned -16
binder: 9319:9333 unknown command 0
binder: 9319:9333 ioctl c0306201 20000fd0 returned -22
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29201
audit_printk_skb: 9 callbacks suppressed
audit: type=1400 audit(1517374060.469:37): avc: denied { ioctl } for pid=9380 comm="syz-executor6" path="socket:[19048]" dev="sockfs" ino=19048 ioctlcmd=8903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1401 audit(1517374060.649:38): op=setxattr invalid_context=""
device gre0 entered promiscuous mode
audit: type=1401 audit(1517374060.699:39): op=setxattr invalid_context=""
binder: 9493:9494 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517374060.969:40): avc: denied { call } for pid=9493 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1517374061.039:41): avc: denied { transfer } for pid=9493 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 9493:9494 ioctl c0306201 2000efd0 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9493:9503 ioctl 40046207 0 returned -16
binder: 9493:9503 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 9493:9503 unknown command 0
binder: 9493:9503 ioctl c0306201 2000efd0 returned -22
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 58, process died.
IPVS: length: 24 != 8
IPVS: length: 24 != 8
audit: type=1400 audit(1517374061.629:42): avc: denied { bind } for pid=9641 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
device gre0 entered promiscuous mode
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex