BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor3/11134
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 11134 Comm: syz-executor3 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 5f5bea4cf63c1e32 ffff8800af717800 ffffffff81d028ed
0000000000000000 ffffffff839fe3a0 ffffffff83cef6a0 ffff8800b72cdf00
0000000000000003 ffff8800af717840 ffffffff81d62834 ffffffff810002b8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] ? 0xffffffff810002b8
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
[] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[] SyS_sendto+0x40/0x50 net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x1c/0x98
audit: type=1400 audit(1517374473.062:32): avc: denied { attach_queue } for pid=11180 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=tun_socket permissive=1
mip6: mip6_destopt_init_state: spi is not 0: 3708026880
mip6: mip6_destopt_init_state: spi is not 0: 3708026880
binder: 11378:11381 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11385:11388 ioctl 40046207 0 returned -16
binder_alloc: 11385: binder_alloc_buf, no vma
binder: 11378:11381 transaction failed 29189/-3, size 32-8 line 3128
binder: send failed reply for transaction 79 to 11385:11388
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11385:11388 ioctl 40046207 0 returned -16
binder_alloc: 11378: binder_alloc_buf, no vma
binder: 11385:11392 transaction failed 29189/-3, size 80-16 line 3128
binder: undelivered TRANSACTION_ERROR: 29190
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 11378:11404 unknown command 0
binder: 11378:11404 ioctl c0306201 20004000 returned -22
netlink: 64 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 64 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 11509:11517 ERROR: BC_REGISTER_LOOPER called without request
binder: 11509:11517 got reply with fd, -1, but target does not allow fds
binder: 11509:11517 transaction failed 29201/-1, size 24-8 line 3233
binder: send failed reply for transaction 84 to 11509:11527
binder: undelivered TRANSACTION_ERROR: 29190
binder: undelivered TRANSACTION_COMPLETE
binder: 11509:11527 ERROR: BC_REGISTER_LOOPER called without request
binder: 11509:11527 got reply with fd, -1, but target does not allow fds
binder: 11509:11527 transaction failed 29201/-1, size 24-8 line 3233
binder: send failed reply for transaction 87 to 11509:11535
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29190
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
sd 0:0:1:0: [sg0] tag#239 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#239 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#239 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#239 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#239 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#239 CDB[30]: 00 00 00
sd 0:0:1:0: [sg0] tag#239 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#239 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#239 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#239 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#239 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#239 CDB[30]: 00 00 00
sd 0:0:1:0: [sg0] tag#239 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#239 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#239 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#239 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#239 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#239 CDB[30]: 00 00 00
binder_alloc: binder_alloc_mmap_handler: 11717 201a2000-201a5000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 11717 20fc3000-20fc7000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 11819:11833 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 90 to 11819:11825
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
audit: type=1401 audit(1517374475.732:33): op=fscreate invalid_context
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
audit: type=1326 audit(1517374476.872:34): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12040 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517374476.942:35): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12040 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
device gre0 entered promiscuous mode
binder: 12242:12262 got transaction with invalid offset (56, min 0 max 72) or object.
binder: 12242:12262 transaction failed 29201/-22, size 72-40 line 3191
binder: send failed reply for transaction 92 to 12242:12246
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12242:12262 ioctl 40046207 0 returned -16
binder_alloc: 12242: binder_alloc_buf, no vma
binder: 12242:12262 transaction failed 29189/-3, size 0-0 line 3128
binder: 12242:12262 got reply transaction with no transaction stack
binder: 12242:12262 transaction failed 29201/-71, size 72-40 line 2921
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29190
TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters.
device gre0 entered promiscuous mode
netlink: 20 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor0'.
audit: type=1326 audit(1517374479.812:36): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12783 comm="syz-executor3" exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
audit: type=1326 audit(1517374479.902:37): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=12783 comm="syz-executor3" exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
netlink: 92 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 92 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 12946:12947 BC_INCREFS_DONE node 96 has no pending increfs request
binder: 12946:12965 DecRefs 0 refcount change on invalid ref 0 ret -22
binder_alloc: binder_alloc_mmap_handler: 12946 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 12946:12965 ioctl 40046207 0 returned -16
binder: 12946:12965 BC_INCREFS_DONE u0000000000000000 no match
binder: 13034:13039 BC_REQUEST_DEATH_NOTIFICATION invalid ref 5
binder_alloc: 13034: binder_alloc_buf, no vma
binder: 13034:13053 transaction failed 29189/-3, size 0-0 line 3128
binder: 13034:13053 BC_REQUEST_DEATH_NOTIFICATION invalid ref 5
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 13034: binder_alloc_buf, no vma
binder: 13034:13085 transaction failed 29189/-3, size 0-0 line 3128
binder: 13034:13077 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
sock: sock_set_timeout: `syz-executor0' (pid 13142) tries to set negative timeout
sock: sock_set_timeout: `syz-executor0' (pid 13142) tries to set negative timeout
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 13311:13315 BC_FREE_BUFFER uffffffffffffffff no match
binder: 13311:13315 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 13311:13315 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 13311:13330 transaction failed 29201/-22, size -430-538 line 3128
binder_alloc: binder_alloc_mmap_handler: 13311 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 13311:13330 ioctl 40046207 0 returned -16
binder: 13311:13337 BC_FREE_BUFFER uffffffffffffffff no match
binder: 13311:13337 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 13311:13337 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder_alloc: 13311: binder_alloc_buf, no vma
binder: 13311:13347 transaction failed 29189/-3, size -430-538 line 3128
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
tmpfs: Bad mount option  iÊ€T6¬
tmpfs: Bad mount option  iÊ€T6¬
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=64745 sclass=netlink_xfrm_socket
netlink: 28 bytes leftover after parsing attributes in process `syz-executor1'.