sd 0:0:1:0: [sg0] tag#136 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor2/13992
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 0 PID: 13992 Comm: syz-executor2 Not tainted 4.4.104-ged884eb #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 5aca1f273c2dedef ffff8801d5287828 ffffffff81cc9b0f
0000000000000000 ffffffff839fd4a0[ 79.153972] device gre0 entered promiscuous mode
ffff8801d5287868 ffffffff81d28d18
ffffffff83cecfa0 1ffff1003aa50f14 ffff8800b7f1cb40 ffff8800b7f1d8c0
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
[] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x16/0x76
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
audit: type=1326 audit(1512775174.617:62): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14108 comm="syz-executor5" exe="/root/syz-executor5" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
sd 0:0:1:0: [sg0] tag#123 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#123 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#123 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#123 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#123 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#123 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#123 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#123 CDB: opcode=0xff (vendor)
device gre0 entered promiscuous mode
sd 0:0:1:0: [sg0] tag#123 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#123 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
sd 0:0:1:0: [sg0] tag#123 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#123 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
nla_parse: 10 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
device  entered promiscuous mode
device  left promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
device gre0 entered promiscuous mode
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=31 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=31 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
sd 0:0:1:0: [sg0] tag#136 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#136 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#136 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#136 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#136 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#136 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
sd 0:0:1:0: [sg0] tag#123 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#123 CDB: opcode=0xff (vendor)
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
sd 0:0:1:0: [sg0] tag#123 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#123 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#123 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#123 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 14920 20000000-20002000 already mapped failed -16
device gre0 entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 15126 20000000-20002000 already mapped failed -16
device gre0 entered promiscuous mode
audit: type=1326 audit(1512775178.867:63): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15436 comm="syz-executor1" exe="/root/syz-executor1" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
device gre0 entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 15499 20000000-20002000 already mapped failed -16
device  entered promiscuous mode
device  left promiscuous mode
proc: unrecognized mount option "›" or missing value
proc: unrecognized mount option "›" or missing value
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2 sclass=netlink_route_socket
binder: 15831:15833 got reply transaction with no transaction stack
binder: 15831:15833 transaction failed 29201/-71, size 32-8 line 2924
binder: 15831:15833 ioctl 404c534a 2000b000 returned -22
binder: 15831:15833 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder_alloc: binder_alloc_mmap_handler: 15831 20004000-20008000 already mapped failed -16
binder: 15831:15850 ioctl c0306201 20007000 returned -14
binder: send failed reply for transaction 169 to 15831:15850
device gre0 entered promiscuous mode
binder: 15831:15833 ioctl c0306201 2000afd0 returned -14
binder: 15831:15850 ioctl c018620b 2000cff1 returned -14
binder: 15831:15833 ioctl c018620b 20001fe8 returned -14
binder: 15831:15850 ioctl c0306201 20006fd0 returned -14
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 15831:15850 got reply transaction with no transaction stack
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15831:15833 ioctl 40046207 0 returned -16
binder: 15831:15893 ioctl 404c534a 2000b000 returned -22
binder: 15831:15850 transaction failed 29201/-71, size 32-8 line 2924
binder: 15831:15906 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder_alloc: binder_alloc_mmap_handler: 15831 20004000-20008000 already mapped failed -16
binder: 15831:15833 ioctl c0306201 20007000 returned -14
binder_alloc: 15831: binder_alloc_buf, no vma
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
binder: 15831:15893 ioctl c018620b 20001fe8 returned -14
binder: 15831:15906 ioctl c0306201 20006fd0 returned -14
binder: 15831:15833 transaction failed 29189/-3, size 0-0 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
nla_parse: 8 callbacks suppressed
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'.
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor3/15970
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 15970 Comm: syz-executor3 Not tainted 4.4.104-ged884eb #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 b2a53a4063dab28f ffff8800b510f828 ffffffff81cc9b0f[ 85.730673] netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
0000000000000001 ffffffff839fd4a0 ffff8800b510f868 ffffffff81d28d18
ffffffff83cecfa0 1ffff10016a21f14 ffff8800b912ed80 ffff8800b912eb40
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
[] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x16/0x76
netlink: 21 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 21 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
proc: unrecognized mount option "›" or missing value
proc: unrecognized mount option "›" or missing value
binder_alloc: binder_alloc_mmap_handler: 16164 20000000-20002000 already mapped failed -16
proc: unrecognized mount option "›" or missing value
binder: 16195:16196 got reply transaction with no transaction stack
binder: 16195:16196 transaction failed 29201/-71, size 32-8 line 2924
proc: unrecognized mount option "›" or missing value
binder: 16195:16196 ioctl 404c534a 2000cfb4 returned -22
binder: 16195:16196 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder_alloc: binder_alloc_mmap_handler: 16195 20004000-20008000 already mapped failed -16
binder: 16195:16201 ioctl c0306201 20007000 returned -14
binder: send failed reply for transaction 174 to 16195:16201
binder: 16195:16196 ioctl c0306201 2000afd0 returned -14
binder: 16195:16196 ioctl c018620b 20001fe8 returned -14
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 16195:16196 ioctl c0306201 20006fd0 returned -14
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 16195:16196 got reply transaction with no transaction stack
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16195:16196 transaction failed 29201/-71, size 32-8 line 2924
binder: 16195:16255 ioctl 404c534a 2000cfb4 returned -22
binder: 16195:16201 ioctl 40046207 0 returned -16
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 16195:16196 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 16195:16223 got transaction to invalid handle
binder: 16195:16223 transaction failed 29201/-22, size 0-0 line 3008
binder_alloc: 16195: binder_alloc_buf, no vma
binder: 16195:16201 transaction failed 29189/-3, size 0-0 line 3131
binder: 16195:16223 ioctl c0306201 20007000 returned -14
binder: 16195:16223 ioctl c018620b 20001fe8 returned -14
binder: 16195:16223 ioctl c0306201 20006fd0 returned -14
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
binder: undelivered TRANSACTION_ERROR: 29189
audit: type=1326 audit(1512775181.827:64): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=16258 comm="syz-executor0" exe="/root/syz-executor0" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1326 audit(1512775182.277:65): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=16451 comm="syz-executor0" exe="/root/syz-executor0" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
device gre0 entered promiscuous mode
audit: type=1326 audit(1512775182.437:66): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=16451 comm="syz-executor0" exe="/root/syz-executor0" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
proc: unrecognized mount option "›" or missing value
proc: unrecognized mount option "›" or missing value
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
binder: 16641:16642 got reply transaction with no transaction stack
binder: 16641:16642 transaction failed 29201/-71, size 32-8 line 2924
binder: 16641:16651 ioctl 404c534a 2000b000 returned -22
binder: 16641:16651 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder_alloc: binder_alloc_mmap_handler: 16641 20004000-20008000 already mapped failed -16
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
binder: 16641:16677 ioctl c0306201 20007000 returned -14
binder: send failed reply for transaction 180 to 16641:16642
binder: 16641:16651 ioctl c0306201 2000afd0 returned -14
binder: 16641:16642 ioctl c018620b 2000cff1 returned -14
binder: 16641:16642 ioctl c018620b 20001fe8 returned -14
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
device  entered promiscuous mode
binder: 16641:16642 ioctl c0306201 20006fd0 returned -14
binder: 16641:16642 got reply transaction with no transaction stack
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16641:16642 transaction failed 29201/-71, size 32-8 line 2924
binder: 16641:16642 ioctl 404c534a 2000b000 returned -22
binder: 16641:16677 ioctl 40046207 0 returned -16
binder: 16641:16651 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder_alloc: binder_alloc_mmap_handler: 16641 20004000-20008000 already mapped failed -16
binder: 16641:16642 ioctl c0306201 20007000 returned -14
binder_alloc: 16641: binder_alloc_buf, no vma
binder: 16641:16642 transaction failed 29189/-3, size 0-0 line 3131
binder: 16641:16642 ioctl c018620b 20001fe8 returned -14
device  left promiscuous mode
binder: 16641:16677 ioctl c0306201 20006fd0 returned -14
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
sd 0:0:1:0: [sg0] tag#146 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#146 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#146 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#146 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#146 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#146 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
binder_alloc: binder_alloc_mmap_handler: 16929 20000000-20002000 already mapped failed -16
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=94 sclass=netlink_route_socket
sd 0:0:1:0: [sg0] tag#146 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#146 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#146 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#146 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#146 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#146 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00