BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/5489
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 5489 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c89276d8 ffffffff81d90889 0000000000000000 ffffffff83c17800
 ffffffff83f42ec0 ffff8801d9179800 0000000000000003 ffff8801c8927718
 ffffffff81df7854 ffff8801c8927730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [<ffffffff81d90889>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90889>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81df7854>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [<ffffffff81df78bc>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [<ffffffff833f3f78>] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [<ffffffff833f3f78>] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [<ffffffff83360470>] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [<ffffffff833d2677>] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [<ffffffff833d2dda>] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [<ffffffff8356cb49>] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [<ffffffff8356cb49>] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [<ffffffff835645ee>] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [<ffffffff83565e99>] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [<ffffffff82ecfb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ecfb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed1791>] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [<ffffffff82ed37c6>] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [<ffffffff82ed38ad>] SYSC_sendmsg net/socket.c:2013 [inline]
 [<ffffffff82ed38ad>] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [<ffffffff838aa9c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/5493
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 5493 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cd88f6d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
 ffffffff83f42ec0 ffff8801c75e8000 0000000000000003 ffff8801cd88f718
 ffffffff81df7854 ffff8801cd88f730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
 [<ffffffff81d90889>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90889>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81df7854>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [<ffffffff81df78bc>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [<ffffffff833f3f78>] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [<ffffffff833f3f78>] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [<ffffffff83360470>] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [<ffffffff833d2677>] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [<ffffffff833d2dda>] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 [<ffffffff8356cb49>] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 [<ffffffff8356cb49>] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 [<ffffffff835645ee>] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 [<ffffffff83565e99>] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 [<ffffffff82ecfb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ecfb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed1791>] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
 [<ffffffff82ed37c6>] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
 [<ffffffff82ed38ad>] SYSC_sendmsg net/socket.c:2013 [inline]
 [<ffffffff82ed38ad>] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
 [<ffffffff838aa9c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
device lo entered promiscuous mode
device lo left promiscuous mode
audit: type=1400 audit(1513075958.663:38): avc:  denied  { create } for  pid=5614 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_scsitransport_socket permissive=1
device syz2 entered promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device gre0 entered promiscuous mode
device lo left promiscuous mode
audit: type=1400 audit(1513075958.853:39): avc:  denied  { call } for  pid=5649 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 5649:5650 ioctl c018620b 2000bfe8 returned -14
binder: release 5649:5650 transaction 5 out, still active
binder: release 5649:5650 transaction 4 in, still active
binder: undelivered TRANSACTION_COMPLETE
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 5649:5650 BC_DEAD_BINDER_DONE 0000000000000004 not found
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 5649:5650 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5649:5650 ioctl 40046207 0 returned -16
binder: release 5649:5661 transaction 4 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 5, target dead
binder: send failed reply for transaction 4, target dead
binder: 5649:5679 transaction failed 29189/-22, size 0-0 line 3007
binder: undelivered TRANSACTION_ERROR: 29189
binder: 5649:5684 BC_DEAD_BINDER_DONE 0000000000000004 not found
binder: 5649:5684 DecRefs 0 refcount change on invalid ref 2 ret -22
binder: 5734:5736 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5738:5743 ioctl 40046207 0 returned -16
device lo entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 5734 20000000-20002000 already mapped failed -16
device lo left promiscuous mode
binder: 5734:5748 ERROR: BC_REGISTER_LOOPER called without request
FAULT_FLAG_ALLOW_RETRY missing 31
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5734:5736 ioctl 40046207 0 returned -16
device lo entered promiscuous mode
binder_alloc: 5734: binder_alloc_buf, no vma
binder: 5734:5736 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 11, process died.
device lo left promiscuous mode
CPU: 0 PID: 5701 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9cbf870 ffffffff81d90889 ffff8801c9cbfb50 0000000000000000
 ffff8801ce607490 ffff8801c9cbfa40 ffff8801ce607380 ffff8801c9cbfa68
 ffffffff8165e497 0000000000005e64 ffff8801d1cdd0f0 ffff8801d1cdd0a0
Call Trace:
 [<ffffffff81d90889>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d90889>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e497>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd722>] do_anonymous_page mm/memory.c:2783 [inline]
 [<ffffffff814cd722>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd722>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd722>] handle_mm_fault+0x1f82/0x2530 mm/memory.c:3614
 [<ffffffff810dd452>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddbf7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838abb98>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff8205c8c5>] SYSC_getrandom drivers/char/random.c:1899 [inline]
 [<ffffffff8205c8c5>] SyS_getrandom+0x165/0x2a0 drivers/char/random.c:1880
 [<ffffffff838aa9c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 5795:5799 ioctl 40046205 20000000000000 returned -22
binder: 5795:5806 ERROR: BC_REGISTER_LOOPER called without request
binder: 5795:5799 got transaction to invalid handle
binder: 5795:5799 transaction failed 29201/-22, size 0-8 line 3007
binder: 5795:5799 BC_FREE_BUFFER u0000000000000000 no match
binder: release 5795:5799 transaction 14 out, still active
binder: send failed reply for transaction 14, target dead
binder: 5795:5799 ioctl 40046205 6 returned -22
binder: 5795:5824 ioctl 40046205 20000000000000 returned -22
binder: 5795:5806 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 5795: binder_alloc_buf, no vma
binder: 5795:5806 transaction failed 29189/-3, size 0-0 line 3130
binder: 5795:5806 got transaction to invalid handle
binder: 5795:5806 transaction failed 29201/-22, size 0-8 line 3007
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29189
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
audit: type=1400 audit(1513075960.053:40): avc:  denied  { net_broadcast } for  pid=5916 comm="syz-executor7" capability=11  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
device gre0 entered promiscuous mode
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo entered promiscuous mode
device lo left promiscuous mode
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
device lo entered promiscuous mode
device lo left promiscuous mode
blk_update_request: I/O error, dev loop7, sector 0
Buffer I/O error on dev loop7, logical block 0, lost async page write
blk_update_request: I/O error, dev loop7, sector 8
Buffer I/O error on dev loop7, logical block 1, lost async page write
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route