BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor0/14502
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 14502 Comm: syz-executor0 Not tainted 4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 82527cdf09c2ffee ffff8801d637f828 ffffffff81cc9b4f
 0000000000000001 ffffffff839fd4a0 ffff8801d637f868 ffffffff81d28d58
 ffffffff83ced1a0 1ffff1003ac6ff14 ffff8800bacc2000 ffff8800bacc2480
Call Trace:
 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
binder: 14501:14514 BC_INCREFS_DONE u0000000000000000 node 270 cookie mismatch 0000000000000003 != 0000000000000000
binder: 14501:14514 got transaction to invalid handle
binder: 14501:14514 transaction failed 29201/-22, size 40-16 line 3008
binder: 14501:14503 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 14501:14503 got reply transaction with no transaction stack
binder: 14501:14503 transaction failed 29201/-71, size 0-8 line 2924
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
 [] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 [] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
 [] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
 [] entry_SYSCALL_64_fastpath+0x16/0x76
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=21 sclass=netlink_tcpdiag_socket
device eql entered promiscuous mode
device eql entered promiscuous mode
binder_alloc: 14610: binder_alloc_buf size 562640715776 failed, no address space
binder_alloc: allocated: 8 (num: 1 largest: 8), free: 4088 (num: 1 largest: 4088)
binder: 14610:14612 transaction failed 29201/-28, size 12884901888-549755813888 line 3131
binder: send failed reply for transaction 275 to 14610:14634
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14610:14634 ioctl 40046207 0 returned -16
binder_alloc: 14610: binder_alloc_buf, no vma
binder: 14610:14672 got reply transaction with no transaction stack
binder: 14610:14672 transaction failed 29201/-71, size 12884901888-549755813888 line 2924
binder: 14610:14634 transaction failed 29189/-3, size 0-0 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
loop: Write error at byte offset 18446744073709547520, length 512.
blk_update_request: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, lost async page write
VFS: Dirty inode writeback failed for block device loop0 (err=-5).
device gre0 entered promiscuous mode
binder: 14894:14908 got reply transaction with bad transaction stack, transaction 280 has target 14894:0
binder: 14894:14908 transaction failed 29201/-71, size 12884901888-549755813888 line 2939
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14894:14895 ioctl 40046207 0 returned -16
binder_alloc: 14894: binder_alloc_buf, no vma
binder: 14894:14920 transaction failed 29189/-3, size 0-0 line 3131
binder: 14914:14934 BC_INCREFS_DONE u0000000000000000 node 282 cookie mismatch 0000000000000003 != 0000000000000000
binder: 14894:14895 got reply transaction with no transaction stack
binder: 14894:14895 transaction failed 29201/-71, size 12884901888-549755813888 line 2924
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 14894:14895 transaction 280 in, still active
binder: send failed reply for transaction 280 to 14894:14908
binder: undelivered TRANSACTION_ERROR: 29189
binder: 14914:14934 got transaction to invalid handle
binder: 14914:14942 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 14914:14934 transaction failed 29201/-22, size 40-16 line 3008
binder: 14914:14942 BC_FREE_BUFFER u0000000020000000 no match
binder: 14914:14942 got reply transaction with no transaction stack
binder: 14914:14942 transaction failed 29201/-71, size 0-8 line 2924
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 14947:14951 got transaction with unaligned buffers size, 255
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14914:14934 ioctl 40046207 0 returned -16
binder: 14914:14934 BC_INCREFS_DONE u0000000000000000 no match
binder: 14914:14934 got transaction to invalid handle
binder: 14914:14934 transaction failed 29201/-22, size 40-16 line 3008
binder: 14914:14934 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 14914:14934 BC_FREE_BUFFER u0000000020000000 no match
binder: 14914:14934 got reply transaction with no transaction stack
binder: 14914:14934 transaction failed 29201/-71, size 0-8 line 2924
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14947:14967 ioctl 40046207 0 returned -16
binder_alloc: 14947: binder_alloc_buf, no vma
binder: 14947:14967 transaction failed 29189/-3, size 0-0 line 3131
binder: 14947:14970 got reply transaction with no transaction stack
binder: 14947:14970 transaction failed 29201/-71, size 96-56 line 2924
device gre0 entered promiscuous mode
binder_alloc: 14972: binder_alloc_buf, no vma
binder: 14972:14983 transaction failed 29189/-3, size 0-0 line 3131
binder_alloc: 14975: binder_alloc_buf size 562640715776 failed, no address space
binder_alloc: allocated: 8 (num: 1 largest: 8), free: 4088 (num: 1 largest: 4088)
binder: 14975:14980 transaction failed 29201/-28, size 12884901888-549755813888 line 3131
binder: send failed reply for transaction 297 to 14975:14985
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14975:14980 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14972:14988 ioctl 40046207 0 returned -16
binder_alloc: 14975: binder_alloc_buf, no vma
binder: 14975:14989 transaction failed 29189/-3, size 0-0 line 3131
binder: 14975:14980 got reply transaction with no transaction stack
binder: 14975:14980 transaction failed 29201/-71, size 12884901888-549755813888 line 2924
binder_alloc: 14972: binder_alloc_buf, no vma
binder: 14972:14988 transaction failed 29189/-3, size 0-0 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 14947:14951 transaction failed 29201/-22, size 96-56 line 3176
binder: send failed reply for transaction 288 to 14947:14959
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15030:15048 BC_INCREFS_DONE u0000000000000000 node 302 cookie mismatch 0000000000000003 != 0000000000000000
binder: 15030:15048 got transaction to invalid handle
binder: 15030:15048 transaction failed 29201/-22, size 40-16 line 3008
binder: 15030:15032 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 15030:15032 got reply transaction with no transaction stack
binder: 15030:15032 transaction failed 29201/-71, size 0-8 line 2924
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15030:15032 ioctl 40046207 0 returned -16
binder: 15030:15051 BC_INCREFS_DONE u0000000000000000 no match
binder: 15030:15051 got transaction to invalid handle
binder_alloc: 15030: binder_alloc_buf, no vma
binder: 15030:15065 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 15030:15065 BC_FREE_BUFFER u0000000020000000 no match
binder: 15030:15065 got reply transaction with no transaction stack
binder: 15030:15065 transaction failed 29201/-71, size 0-8 line 2924
binder: 15030:15051 transaction failed 29201/-22, size 40-16 line 3008
binder: 15030:15032 transaction failed 29189/-3, size 0-0 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: 15138:15168 BC_INCREFS_DONE u0000000000000000 node 309 cookie mismatch 0000000000000003 != 0000000000000000
binder: 15138:15168 got transaction to invalid handle
binder: 15138:15168 transaction failed 29201/-22, size 40-16 line 3008
binder: 15138:15168 got reply transaction with no transaction stack
binder: 15138:15168 transaction failed 29201/-71, size 24-0 line 2924
binder: 15138:15190 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 15138:15190 unknown command 0
binder: 15138:15190 ioctl c0306201 20002fd0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15138:15168 ioctl 40046207 0 returned -16
binder: 15138:15168 BC_INCREFS_DONE u0000000000000000 no match
binder: 15138:15168 got transaction to invalid handle
binder: 15138:15200 got reply transaction with no transaction stack
binder: 15138:15213 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 15138:15213 BC_FREE_BUFFER u0000000020000000 no match
binder: 15138:15213 got reply transaction with no transaction stack
binder: 15138:15213 transaction failed 29201/-71, size 0-8 line 2924
binder: 15138:15168 transaction failed 29201/-22, size 40-16 line 3008
binder: 15138:15200 transaction failed 29201/-71, size 24-0 line 2924
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
device eql entered promiscuous mode
binder: 15317:15324 ERROR: BC_REGISTER_LOOPER called without request
device eql entered promiscuous mode
binder: 15317:15324 got reply transaction with no transaction stack
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=21 sclass=netlink_tcpdiag_socket
PF_BRIDGE: RTM_SETLINK with unknown ifindex
binder: 15317:15339 BC_FREE_BUFFER u0000000000000000 no match
binder: 15317:15339 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 15317:15324 transaction failed 29201/-71, size 24-8 line 2924
binder: 15317:15339 unknown command 0
binder: 15317:15339 ioctl c0306201 20005fd0 returned -22
binder: 15357:15359 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15317:15351 ERROR: BC_REGISTER_LOOPER called without request
binder: release 15317:15339 transaction 316 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 316, target dead
binder: 15317:15339 BC_FREE_BUFFER u0000000000000000 no match
binder: 15317:15339 IncRefs 0 refcount change on invalid ref 1 ret -22
PF_BRIDGE: RTM_SETLINK with unknown ifindex
binder: 15317:15339 got transaction to invalid handle
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15357:15365 ioctl 40046207 0 returned -16
binder: 15357:15369 ERROR: BC_REGISTER_LOOPER called without request
binder: 15317:15339 transaction failed 29201/-22, size 72-8 line 3008
nla_parse: 16 callbacks suppressed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 15516 RLIMIT_NICE not set
binder: 15515:15516 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
device eql entered promiscuous mode
binder: 15601:15609 got reply transaction with bad transaction stack, transaction 327 has target 15601:0
binder: 15601:15623 BC_FREE_BUFFER u0000000000000000 no match
binder: 15601:15609 transaction failed 29201/-71, size 24-8 line 2939
binder: 15601:15623 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15601:15623 unknown command 0
binder: 15601:15623 ioctl c0306201 20005fd0 returned -22
binder: 15515:15528 ioctl 40046207 0 returned -16
binder: 15515:15635 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder_alloc: 15515: binder_alloc_buf, no vma
binder: 15515:15528 transaction failed 29189/-3, size 0-0 line 3131
binder: release 15601:15609 transaction 327 out, still active
binder: 15515:15635 BC_FREE_BUFFER u0000000020000000 no match
binder: 15515:15635 got reply transaction with no transaction stack
binder: 15515:15635 transaction failed 29201/-71, size 0-0 line 2924
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15601:15609 got reply transaction with bad transaction stack, transaction 333 has target 15601:0
binder: 15601:15609 transaction failed 29201/-71, size 24-8 line 2939
binder: 15601:15609 BC_FREE_BUFFER u0000000000000000 no match
binder: send failed reply for transaction 327, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 325, process died.
binder: 15601:15609 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 15601:15609 unknown command 0
binder: 15601:15609 ioctl c0306201 20005fd0 returned -22
binder: release 15601:15609 transaction 333 out, still active
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 333, target dead
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
loop: Write error at byte offset 18446744073709547520, length 512.
blk_update_request: I/O error, dev loop0, sector 0
Buffer I/O error on dev loop0, logical block 0, lost async page write
binder: 15795:15796 ERROR: BC_REGISTER_LOOPER called without request
loop: Write error at byte offset 18446744073709547520, length 512.
blk_update_request: I/O error, dev loop0, sector 0
binder: 15795:15796 got reply transaction with no transaction stack
Buffer I/O error on dev loop0, logical block 0, lost async page write
binder: 15795:15796 transaction failed 29201/-71, size 24-8 line 2924
loop_reread_partitions: partition scan of loop0 () failed (rc=-13)
binder: release 15795:15796 transaction 337 in, still active
IPVS: length: 24 != 3969435256
binder_alloc: 15795: binder_alloc_buf, no vma
binder: 15795:15803 ERROR: BC_REGISTER_LOOPER called without request
binder: send failed reply for transaction 337 to 15795:15803
binder: 15795:15844 BC_FREE_BUFFER u0000000000000000 no match
binder: 15795:15829 transaction failed 29189/-3, size 0-0 line 3131
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 15795:15844 unknown command 0
binder: 15795:15844 ioctl c0306201 20005fd0 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
device gre0 entered promiscuous mode
PF_BRIDGE: RTM_SETLINK with unknown ifindex
binder: 16141:16142 ERROR: BC_REGISTER_LOOPER called without request
PF_BRIDGE: RTM_SETLINK with unknown ifindex
binder: 16141:16142 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: 16141:16142 BC_INCREFS_DONE u0000000080000000 no match
binder: release 16141:16142 transaction 342 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 16141:16154 BC_FREE_BUFFER u0000020400000000 no match
binder: 16141:16142 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16141:16154 ioctl 40046207 0 returned -16
binder_alloc: 16141: binder_alloc_buf, no vma
binder: 16141:16177 transaction failed 29189/-3, size 0-0 line 3131
binder: 16141:16142 ERROR: BC_REGISTER_LOOPER called without request
binder: 16141:16142 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: 16141:16142 BC_INCREFS_DONE u0000000080000000 no match
binder: 16141:16142 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: release 16141:16142 transaction 342 in, still active
binder: send failed reply for transaction 342, target dead
binder: release 16141:16154 transaction 343 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 343, target dead
binder: 16262:16293 BC_INCREFS_DONE u0000000000000000 node 345 cookie mismatch 0000000000000003 != 0000000000000000
binder: 16262:16293 got transaction to invalid handle
binder: 16262:16293 transaction failed 29201/-22, size 40-16 line 3008
device gre0 entered promiscuous mode
device syz0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
IPVS: length: 24 != 3969435256
IPVS: length: 24 != 3969435256
device gre0 entered promiscuous mode
binder: 16493:16515 BC_INCREFS_DONE u0000000000000000 node 347 cookie mismatch 0000000000000003 != 0000000000000000
binder: 16493:16515 got transaction to invalid handle
binder: 16493:16496 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 16493:16515 transaction failed 29201/-22, size 40-16 line 3008
binder: 16493:16496 got reply transaction with no transaction stack
binder: 16493:16496 transaction failed 29201/-71, size 0-8 line 2924
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16493:16496 ioctl 40046207 0 returned -16
binder: 16493:16522 BC_INCREFS_DONE u0000000000000000 no match
binder: 16493:16522 got transaction to invalid handle
binder_alloc: 16493: binder_alloc_buf, no vma
binder: 16493:16549 transaction failed 29189/-3, size 0-0 line 3131
binder: 16493:16522 transaction failed 29201/-22, size 40-16 line 3008
binder: 16493:16496 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 16493:16496 BC_FREE_BUFFER u0000000020000000 no match
binder: 16493:16496 got reply transaction with no transaction stack
binder: 16493:16496 transaction failed 29201/-71, size 0-8 line 2924
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
device eql entered promiscuous mode
device eql entered promiscuous mode
binder: 16638:16644 BC_INCREFS_DONE u0000000000000000 no match
binder: 16728:16733 ERROR: BC_REGISTER_LOOPER called without request
binder: 16728:16737 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16728:16733 ioctl 40046207 0 returned -16
binder: 16770:16787 ioctl c01064b5 20be0000 returned -22
binder_alloc: 16770: binder_alloc_buf size 562640715776 failed, no address space
binder_alloc: allocated: 8 (num: 1 largest: 8), free: 4088 (num: 1 largest: 4088)
binder: 16770:16774 transaction failed 29201/-28, size 12884901888-549755813888 line 3131
binder: send failed reply for transaction 356 to 16770:16787
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16770:16787 ioctl 40046207 0 returned -16
binder: 16770:16787 ioctl c01064b5 20be0000 returned -22
binder_alloc: 16770: binder_alloc_buf, no vma
binder: 16770:16821 transaction failed 29189/-3, size 0-0 line 3131
binder: 16770:16787 got reply transaction with no transaction stack
binder: 16770:16787 transaction failed 29201/-71, size 12884901888-549755813888 line 2924
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 16862:16863 ERROR: BC_REGISTER_LOOPER called without request
binder: 16862:16863 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16862:16863 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 361 to 16862:16872
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
device eql entered promiscuous mode
nla_parse: 26 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 17196:17199 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: binder_alloc_mmap_handler: 17196 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17196:17207 ERROR: BC_REGISTER_LOOPER called without request
binder: 17196:17199 ioctl 40046207 0 returned -16