BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor3/23389
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 23389 Comm: syz-executor3 Not tainted 4.4.105-g8a53962 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
audit: type=1326 audit(1513001310.023:372): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=23385 comm="syz-executor6" exe="/root/syz-executor6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513001310.023:373): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=23385 comm="syz-executor6" exe="/root/syz-executor6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
 0000000000000000 dd6cf62fb96fe70e ffff8800b7477828 ffffffff81cc9b0f
 0000000000000001 ffffffff839fd4a0 ffff8800b7477868 ffffffff81d28d18
 ffffffff83ced1a0 1ffff10016e8ef14 ffff8800b8113200 ffff8800b8112480
Call Trace:
 [<ffffffff81cc9b0f>] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
 [<ffffffff81cc9b0f>] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
 [<ffffffff81d28d18>] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
 [<ffffffff81d28d83>] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
 [<ffffffff830dc140>] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
 [<ffffffff830e5c2e>] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
 [<ffffffff830ffe91>] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
 [<ffffffff830d208c>] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
 [<ffffffff8319020c>] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
 [<ffffffff82d93fc5>] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 [<ffffffff82d93fc5>] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 [<ffffffff82d94e07>] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
 [<ffffffff82d97139>] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
 [<ffffffff8374aaf6>] entry_SYSCALL_64_fastpath+0x16/0x76
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor3/23389
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 23389 Comm: syz-executor3 Not tainted 4.4.105-g8a53962 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 dd6cf62fb96fe70e ffff8800b7477828 ffffffff81cc9b0f
 0000000000000001 ffffffff839fd4a0 ffff8800b7477868 ffffffff81d28d18
 ffffffff83ced1a0 1ffff10016e8ef14 ffff8801d6fefb00 ffff8801d6fef8c0
Call Trace:
 [<ffffffff81cc9b0f>] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
 [<ffffffff81cc9b0f>] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
 [<ffffffff81d28d18>] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
 [<ffffffff81d28d83>] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
 [<ffffffff830dc140>] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
 [<ffffffff830e5c2e>] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
 [<ffffffff830ffe91>] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
 [<ffffffff830d208c>] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
 [<ffffffff8319020c>] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
 [<ffffffff82d93fc5>] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 [<ffffffff82d93fc5>] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 [<ffffffff82d94e07>] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
 [<ffffffff82d97139>] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
 [<ffffffff8374aaf6>] entry_SYSCALL_64_fastpath+0x16/0x76
binder: 23524:23530 ERROR: BC_REGISTER_LOOPER called without request
binder: 23530 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 23524:23540 ioctl 40046207 0 returned -16
binder: 23524:23530 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 23524: binder_alloc_buf, no vma
binder: 23524:23543 transaction failed 29189/-3, size 0-0 line 3131
binder: release 23524:23530 transaction 302 in, still active
binder: send failed reply for transaction 302 to 23524:23540
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
IPv6: NLM_F_REPLACE set, but no existing node found!
ALSA: seq fatal error: cannot create timer (-19)
IPv6: NLM_F_REPLACE set, but no existing node found!
ALSA: seq fatal error: cannot create timer (-19)
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
skbuff: bad partial csum: csum=0/65534 len=4124
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=51555 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=51555 sclass=netlink_route_socket
audit: type=1326 audit(1513001312.683:374): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=24170 comm="syz-executor3" exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513001312.713:375): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=24170 comm="syz-executor3" exe="/root/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
device lo entered promiscuous mode
device gre0 entered promiscuous mode
nla_parse: 5 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
device lo entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop5, sector 0
Buffer I/O error on dev loop5, logical block 0, lost async page write
loop: Write error at byte offset 0, length 512.
blk_update_request: I/O error, dev loop5, sector 0
Buffer I/O error on dev loop5, logical block 0, lost async page write
VFS: Dirty inode writeback failed for block device loop5 (err=-5).
binder: 24963:24967 ERROR: BC_REGISTER_LOOPER called without request
binder: 24967 RLIMIT_NICE not set
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 24963:24979 ioctl 40046207 0 returned -16
binder: 24963:24967 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 24963: binder_alloc_buf, no vma
binder: 24963:24988 transaction failed 29189/-3, size 0-0 line 3131
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
binder: release 24963:24967 transaction 305 in, still active
binder: send failed reply for transaction 305 to 24963:24979
binder: undelivered TRANSACTION_ERROR: 29189
audit: type=1326 audit(1513001316.413:376): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=25052 comm="syz-executor6" exe="/root/syz-executor6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513001316.433:377): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=25052 comm="syz-executor6" exe="/root/syz-executor6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'.
ICMPv6: NA: someone advertises our address fe80:0000:0000:0000:0000:0000:0000:03aa on syz3!
ICMPv6: NA: someone advertises our address fe80:0000:0000:0000:0000:0000:0000:03aa on syz3!
audit: type=1326 audit(1513001318.283:378): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=25513 comm="syz-executor2" exe="/root/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
device gre0 entered promiscuous mode
audit: type=1326 audit(1513001318.313:379): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=25513 comm="syz-executor2" exe="/root/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513001318.733:380): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=25564 comm="syz-executor4" exe="/root/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513001318.763:381): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=25564 comm="syz-executor4" exe="/root/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513001318.913:382): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=25636 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513001318.943:383): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=25636 comm="syz-executor7" exe="/root/syz-executor7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
nla_parse: 2 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 25849:25851 ERROR: BC_REGISTER_LOOPER called without request
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 25851 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 25849:25862 ioctl 40046207 0 returned -16
binder: 25849:25851 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 25849: binder_alloc_buf, no vma
binder: 25849:25884 transaction failed 29189/-3, size 0-0 line 3131
binder: release 25849:25851 transaction 308 in, still active
binder: send failed reply for transaction 308 to 25849:25862
binder: undelivered TRANSACTION_ERROR: 29189