BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor4/15207
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 15207 Comm: syz-executor4 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 d2c7fa552880d9ab ffff8800b89c7828 ffffffff81cc9b4f
 0000000000000001 ffffffff839fd4a0 ffff8800b89c7868 ffffffff81d28d58
 ffffffff83ced1a0 1ffff10017138f14 ffff8801d5945b00 ffff8801d5944d80
Call Trace:
 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
 [] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 [] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
 [] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
 [] entry_SYSCALL_64_fastpath+0x16/0x76
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor4/15184
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 15184 Comm: syz-executor4 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 b653028b790c8b21 ffff8801d6307828 ffffffff81cc9b4f
 0000000000000001 ffffffff839fd4a0 ffff8801d6307868 ffffffff81d28d58
 ffffffff83ced1a0 1ffff1003ac60f14 ffff8801d5944480 ffff8801d5944000
Call Trace:
 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
 [] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 [] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
 [] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
 [] entry_SYSCALL_64_fastpath+0x16/0x76
binder: 15275:15278 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 15275:15278 got reply transaction with no transaction stack
binder: 15275:15278 transaction failed 29201/-71, size 72-40 line 2924
binder: 15275:15288 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 15275 invalid dec weak, ref 778 desc 0 s 1 w 0
binder: 15275:15288 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 15275:15288 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffe
binder: 15275:15288 got reply transaction with no transaction stack
binder: 15275:15288 transaction failed 29201/-71, size 0-48 line 2924
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15275:15292 ioctl 40046207 0 returned -16
binder: 15275:15292 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 15275:15292 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 15275:15292 got reply transaction with no transaction stack
binder: 15275:15292 transaction failed 29201/-71, size 72-40 line 2924
binder: 15275:15292 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 15275:15292 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 15275:15292 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 15275:15292 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 15275:15292 got reply transaction with no transaction stack
binder: 15275:15292 transaction failed 29201/-71, size 0-48 line 2924
device gre0 entered promiscuous mode
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 15326:15328 ioctl 40485404 20e8bfb8 returned -22
binder: release 15326:15328 transaction 784 out, still active
binder: 15326:15328 ioctl 40485404 20e8bfb8 returned -22
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 784, target dead
binder: release 15326:15328 transaction 790 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 790, target dead
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: release 15411:15417 transaction 796 out, still active
binder: unexpected work type, 4, not freed
binder: 15411:15427 transaction failed 29189/-22, size 80-16 line 3008
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 796, target dead
netlink: 13 bytes leftover after parsing attributes in process `syz-executor7'.
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 13 bytes leftover after parsing attributes in process `syz-executor7'.
sock: process `syz-executor5' is using obsolete setsockopt SO_BSDCOMPAT
binder: release 15532:15537 transaction 804 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 804, target dead
binder: release 15532:15541 transaction 810 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 810, target dead
binder: 15602:15606 BC_FREE_BUFFER u0000000000000000 no match
binder: 15602:15606 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 15602:15606 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 15602:15606 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 15602:15614 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 15602:15606 got reply transaction with no transaction stack
binder: 15602:15606 transaction failed 29201/-71, size 72-40 line 2924
binder: 15602:15614 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: 15602:15606 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 15602 invalid dec weak, ref 816 desc 0 s 1 w 0
binder: 15602:15606 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 15602:15606 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 15602:15617 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 15602:15606 unknown command 0
binder: 15602:15606 ioctl c0306201 2000bfd0 returned -22
binder: 15602:15617 BC_FREE_BUFFER u0000000000000000 no match
binder: 15602:15617 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: 15602:15617 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 15602:15617 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 15602:15617 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 15602:15606 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 15602:15606 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: 15602:15617 got reply transaction with no transaction stack
binder: 15602:15617 transaction failed 29201/-71, size 72-40 line 2924
binder: 15602:15657 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: release 15651:15658 transaction 822 out, still active
device gre0 entered promiscuous mode
binder: 15602 invalid dec weak, ref 819 desc 0 s 1 w 0
binder_alloc: 15651: binder_alloc_buf, no vma
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 822, target dead
binder: 15602:15657 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 15602:15657 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffe
binder: 15651:15658 transaction failed 29189/-3, size 80-16 line 3131
binder: 15602:15657 got reply transaction with no transaction stack
binder: 15602:15657 transaction failed 29201/-71, size 0-48 line 2924
binder: undelivered death notification, 0000000000000000
binder: undelivered TRANSACTION_ERROR: 29189
device lo entered promiscuous mode
binder: 15793:15795 got transaction with invalid offset (40, min 24 max 40) or object.
binder: 15793:15795 transaction failed 29201/-22, size 40-16 line 3194
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15793:15795 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 15826: binder_alloc_buf, no vma
binder: 15826:15829 transaction failed 29189/-3, size 40-16 line 3131
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15826:15858 ioctl 40046207 0 returned -16
binder_alloc: 15826: binder_alloc_buf, no vma
binder: 15826:15858 transaction failed 29189/-3, size 40-16 line 3131
binder: 15876:15879 BC_FREE_BUFFER u0000000000000000 no match
binder: undelivered TRANSACTION_ERROR: 29189
binder: 15876:15879 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 15876:15879 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 15876:15879 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 15876:15879 got reply transaction with no transaction stack
binder: 15876:15879 transaction failed 29201/-71, size 72-40 line 2924
binder: 15876:15879 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 15876:15879 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: 15876:15909 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: undelivered TRANSACTION_ERROR: 29189
binder: 15876 invalid dec weak, ref 838 desc 0 s 1 w 0
binder: 15876:15909 unknown command 0
binder: 15876:15922 tried to acquire reference to desc 0, got 1 instead
binder: 15876:15909 ioctl c0306201 2000bfd0 returned -22
binder: 15876:15909 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 15876:15879 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 15876:15909 BC_FREE_BUFFER u0000000000000000 no match
binder: 15876:15909 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 15876:15879 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 15876:15941 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 15876:15941 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 15876:15941 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 15876:15941 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 15876:15941 got reply transaction with no transaction stack
binder: 15876:15941 transaction failed 29201/-71, size 0-48 line 2924
binder: 15876:15909 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 15876:15909 ERROR: BC_REGISTER_LOOPER called without request
binder: 15876:15909 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 15876:15909 got reply transaction with no transaction stack
binder: 15876:15909 transaction failed 29201/-71, size 72-40 line 2924
device gre0 entered promiscuous mode
binder: 15876:15879 unknown command 0
binder: 15876:15879 ioctl c0306201 20003fd0 returned -22
binder: undelivered death notification, 0000000000000000
binder: release 16013:16015 transaction 845 out, still active
binder: unexpected work type, 4, not freed
binder: 16013:16017 transaction failed 29189/-22, size 80-16 line 3008
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 845, target dead
binder: undelivered TRANSACTION_ERROR: 29189
audit: type=1400 audit(1513035758.074:28): avc: denied { read } for pid=16022 comm="syz-executor0" path="socket:[23420]" dev="sockfs" ino=23420 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: release 16047:16048 transaction 852 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 852, target dead
binder: release 16047:16055 transaction 858 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: 16081:16087 ioctl c06864a1 20013f9c returned -22
binder: undelivered TRANSACTION_COMPLETE
binder: 16081:16087 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: send failed reply for transaction 858, target dead
binder: 16081:16087 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 16081 invalid dec weak, ref 864 desc 0 s 1 w 0
binder: 16081:16100 unknown command 0
binder: 16081:16100 ioctl c0306201 2000bfd0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16081:16105 ioctl c06864a1 20013f9c returned -22
binder: 16081:16105 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 16081:16087 ioctl 40046207 0 returned -16
binder: 16081 invalid dec weak, ref 865 desc 0 s 1 w 0
binder: 16081:16100 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 16081:16087 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 16081:16100 got reply transaction with no transaction stack
binder: 16081:16100 transaction failed 29201/-71, size 0-48 line 2924
binder: 16135 invalid dec weak, ref 868 desc 0 s 1 w 0
binder: 16135:16139 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffe
device gre0 entered promiscuous mode
binder: 16135:16139 unknown command 0
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16135:16139 ioctl c0306201 2000bfd0 returned -22
binder: 16135:16159 ioctl 40046207 0 returned -16
binder: 16135:16165 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: 16255:16257 BC_FREE_BUFFER u0000000000000000 no match
binder: 16255:16257 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 16255:16257 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 16255:16257 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 16255:16264 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 16255:16257 got reply transaction with no transaction stack
binder: 16255:16264 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: 16255:16257 transaction failed 29201/-71, size 72-40 line 2924
binder: 16255:16257 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 16255:16257 got transaction to invalid handle
binder: 16255:16257 transaction failed 29201/-22, size 0-8 line 3008
binder: 16255:16269 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 16255:16257 BC_FREE_BUFFER u0000000000000000 no match
binder: 16255:16278 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 16255:16278 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: 16255:16257 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: 16255:16257 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 16255:16257 ERROR: BC_REGISTER_LOOPER called without request
binder: 16255:16257 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 16255:16257 got reply transaction with no transaction stack
binder: 16255:16257 transaction failed 29201/-71, size 72-40 line 2924
keychord: invalid keycode count 0
binder: undelivered death notification, 0000000000000000
keychord: invalid keycode count 0
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: 16529:16530 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 16529:16530 got reply transaction with no transaction stack
binder: 16529:16530 transaction failed 29201/-71, size 72-40 line 2924
binder: 16529:16533 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 16529 invalid dec weak, ref 877 desc 0 s 1 w 0
binder: 16529:16533 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 16529:16533 unknown command 0
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16529:16550 ioctl 40046207 0 returned -16
binder: 16529:16530 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 16529:16550 BC_DEAD_BINDER_DONE 0000000000000003 not found
device gre0 entered promiscuous mode
binder: 16529:16530 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 16529:16550 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 16529:16533 ioctl c0306201 2000bfd0 returned -22
binder: 16529:16530 got reply transaction with no transaction stack
binder: 16529:16550 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 16529:16530 transaction failed 29201/-71, size 72-40 line 2924
binder: 16529:16550 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 16529:16550 got reply transaction with no transaction stack
binder: 16529:16550 transaction failed 29201/-71, size 0-48 line 2924
device gre0 entered promiscuous mode
keychord: invalid keycode count 0
keychord: invalid keycode count 0
binder: 16633:16635 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 16633 invalid dec weak, ref 882 desc 0 s 1 w 0
binder: 16633:16635 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 16633:16635 got reply transaction with no transaction stack
binder: 16633:16635 transaction failed 29201/-71, size 0-48 line 2924
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16633:16635 ioctl 40046207 0 returned -16
binder: 16633:16642 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 16633:16642 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 16633:16642 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 16633:16642 got reply transaction with no transaction stack
binder: 16633:16642 transaction failed 29201/-71, size 0-48 line 2924
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: 16917:16918 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 16917 invalid dec weak, ref 886 desc 0 s 1 w 0
binder: 16917:16918 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffe
binder: 16917:16918 got reply transaction with no transaction stack
binder: 16917:16918 transaction failed 29201/-71, size 0-48 line 2924
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16917:16932 ioctl 40046207 0 returned -16
binder: 16917:16918 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 16917:16927 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 16917:16927 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 16917:16918 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 16917:16927 got reply transaction with no transaction stack
binder: 16917:16927 transaction failed 29201/-71, size 0-48 line 2924
binder: 16962 invalid dec weak, ref 890 desc 0 s 1 w 0
binder: 16962:16968 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffe
binder: 16962:16968 got reply transaction with no transaction stack
binder: 16962:16968 transaction failed 29201/-71, size 0-48 line 2924
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16962:16990 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 16962:16997 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 16962:16968 ioctl 40046207 0 returned -16
binder: 16962:16997 unknown command 8
binder: 16962:16997 ioctl c0306201 2000bfd0 returned -22
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor0/17014
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 17014 Comm: syz-executor0 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 aa2611eabd3cf3ab ffff8801d5957828 ffffffff81cc9b4f
 0000000000000001 ffffffff839fd4a0 ffff8801d5957868 ffffffff81d28d58
 ffffffff83ced1a0 1ffff1003ab2af14 ffff8800b895bb00 ffff8800b895b680
Call Trace:
 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
 [] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 [] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
 [] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
 [] entry_SYSCALL_64_fastpath+0x16/0x76
binder: 17029:17032 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 17029:17032 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 17029 invalid dec weak, ref 894 desc 0 s 1 w 0
binder: 17029:17032 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffe
nla_parse: 2 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17029:17057 ioctl 40046207 0 returned -16
binder: 17029:17057 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 17029:17032 unknown command 0
binder: 17029:17032 ioctl c0306201 2000bfd0 returned -22
binder: 17029:17032 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 17029:17032 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 17029:17056 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 17029:17056 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 17029:17056 got reply transaction with no transaction stack
binder: 17029:17056 transaction failed 29201/-71, size 0-48 line 2924
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 17140:17143 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 17140:17143 BC_DEAD_BINDER_DONE 0000000000000000 not found
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 17140:17143 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 17140:17143 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 17140:17143 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 17140:17143 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 17140:17143 got reply transaction with no transaction stack
binder: 17140:17143 transaction failed 29201/-71, size 0-48 line 2924
binder: 17140:17153 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 17140:17143 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 17140:17153 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 17140:17153 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
device gre0 entered promiscuous mode
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
binder: 17212:17213 got transaction with invalid offset (40, min 24 max 40) or object.
binder: 17212:17213 transaction failed 29201/-22, size 40-16 line 3194
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17212:17227 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
sock: process `syz-executor1' is using obsolete setsockopt SO_BSDCOMPAT
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 17449 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17449:17457 ioctl 40046207 0 returned -16
binder_alloc: 17449: binder_alloc_buf, no vma
binder: 17449:17473 transaction failed 29189/-3, size 80-16 line 3131
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 17449:17457 transaction 902 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 902, target dead
binder: 17484:17485 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 17484:17486 BC_FREE_BUFFER u0000000000000000 no match
binder: 17484:17486 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 17484:17486 ERROR: BC_REGISTER_LOOPER called without request
binder: 17488:17495 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 17488:17495 got reply transaction with no transaction stack
binder: 17488:17495 transaction failed 29201/-71, size 72-40 line 2924
binder: 17488:17495 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 17488 invalid dec weak, ref 913 desc 0 s 1 w 0
binder: 17488:17495 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 17488:17495 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffe
binder: 17488:17495 got reply transaction with no transaction stack
binder: 17488:17495 transaction failed 29201/-71, size 0-48 line 2924
binder: 17491:17494 BC_FREE_BUFFER u0000000000000000 no match
binder: 17491:17494 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 17491:17494 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 17491:17494 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 17491:17494 got reply transaction with no transaction stack
binder: 17491:17494 transaction failed 29201/-71, size 72-40 line 2924
binder: 17491:17494 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 17491:17494 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17488:17497 ioctl 40046207 0 returned -16
binder: 17488:17495 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 17488:17495 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 17484:17506 ioctl c0306201 20010000 returned -14
binder: 17484:17486 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 17484:17486 got reply transaction with no transaction stack
binder: 17484:17486 transaction failed 29201/-71, size 72-40 line 2924
binder: 17491 invalid dec weak, ref 911 desc 0 s 1 w 0
binder: 17491:17509 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 17491:17509 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000003 != fffffffffffffffe
binder: 17491:17509 got reply transaction with no transaction stack
binder: 17491:17509 transaction failed 29201/-71, size 0-48 line 2924
binder: 17492 invalid dec weak, ref 920 desc 0 s 1 w 0
binder: 17492:17500 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000000 != fffffffffffffffe
binder: 17492:17500 got reply transaction with no transaction stack
binder: 17492:17500 transaction failed 29201/-71, size 0-48 line 2924
binder: 17488:17497 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 17488:17495 got reply transaction with no transaction stack
binder: 17488:17495 transaction failed 29201/-71, size 72-40 line 2924
binder: 17491:17509 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 17491:17502 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 17488:17497 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 17488:17497 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 17488:17497 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 17488:17497 got reply transaction with no transaction stack
binder: 17488:17497 transaction failed 29201/-71, size 0-48 line 2924
binder: 17491:17509 BC_FREE_BUFFER u0000000000000000 no match
binder: 17491:17509 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 17491:17509 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 17491:17509 ERROR: BC_REGISTER_LOOPER called without request
binder: 17491:17509 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 17491:17509 got reply transaction with no transaction stack
binder: 17491:17509 transaction failed 29201/-71, size 72-40 line 2924
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17492:17501 ioctl 40046207 0 returned -16
binder: 17484 invalid dec weak, ref 909 desc 0 s 1 w 0
binder: 17484:17486 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 17484:17486 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 17484:17486 BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch 0000000000000003 != fffffffffffffffe
binder: 17484:17486 got reply transaction with no transaction stack
binder: 17484:17486 transaction failed 29201/-71, size 0-48 line 2924
binder: 17491:17502 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 17491:17502 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 17492 invalid dec weak, ref 926 desc 0 s 1 w 0
binder: 17492:17501 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 17492:17501 got reply transaction with no transaction stack
binder: 17492:17501 transaction failed 29201/-71, size 0-48 line 2924
binder: 17484:17506 tried to acquire reference to desc 0, got 1 instead
binder: 17484:17506 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 17484:17486 BC_FREE_BUFFER u0000000000000000 no match
binder: 17484:17486 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 17484:17486 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 17484:17486 ERROR: BC_REGISTER_LOOPER called without request
binder: 17484:17486 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 17484:17486 got reply transaction with no transaction stack
binder: 17484:17486 transaction failed 29201/-71, size 72-40 line 2924
binder: 17491:17518 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 17491:17518 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 17491:17518 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 17491:17518 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 17491:17518 got reply transaction with no transaction stack
binder: 17491:17518 transaction failed 29201/-71, size 0-48 line 2924
binder: 17484:17506 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 17484:17506 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 17484:17485 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 17484:17485 BC_REQUEST_DEATH_NOTIFICATION death notification already set
binder: undelivered death notification, 0000000000000000
binder: 17484:17486 ioctl c0306201 20010000 returned -14
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.