BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor3/831
binder_alloc: binder_alloc_mmap_handler: 811 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 811:826 ioctl 40046207 0 returned -16
binder: 811:839 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29201
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 831 Comm: syz-executor3 Not tainted 4.4.105-g8a53962 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 13af759e9eae4435 ffff8800b7997828 ffffffff81cc9b0f
0000000000000001 ffffffff839fd4a0 ffff8800b7997868 ffffffff81d28d18
ffffffff83ced1a0 1ffff10016f32f14 ffff8801d481e900 ffff8801d481e6c0
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
[] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x16/0x76
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor3/861
caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
CPU: 1 PID: 861 Comm: syz-executor3 Not tainted 4.4.105-g8a53962 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 045c75c2dd8f4109 ffff8801d257f828 ffffffff81cc9b0f
0000000000000001 ffffffff839fd4a0 ffff8801d257f868 ffffffff81d28d18
ffffffff83ced1a0 1ffff1003a4aff14 ffff8801d481e000 ffff8801d481e6c0
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x200/0x4b0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0xfe/0x720 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x391/0x4a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1d1c/0x36a0 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/tcp.c:1134
[] inet_sendmsg+0x26c/0x430 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
[] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
[] SYSC_sendto+0x267/0x300 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1665
[] SyS_sendto+0x9/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x16/0x76
device syz1 entered promiscuous mode
device gre0 entered promiscuous mode
blk_update_request: 119 callbacks suppressed
blk_update_request: I/O error, dev loop7, sector 0
buffer_io_error: 119 callbacks suppressed
Buffer I/O error on dev loop7, logical block 0, lost async page write
blk_update_request: I/O error, dev loop7, sector 8
Buffer I/O error on dev loop7, logical block 1, lost async page write
blk_update_request: I/O error, dev loop7, sector 16
Buffer I/O error on dev loop7, logical block 2, lost async page write
device syz4 entered promiscuous mode
blk_update_request: I/O error, dev loop7, sector 24
Buffer I/O error on dev loop7, logical block 3, lost async page write
blk_update_request: I/O error, dev loop7, sector 32
Buffer I/O error on dev loop7, logical block 4, lost async page write
blk_update_request: I/O error, dev loop7, sector 40
Buffer I/O error on dev loop7, logical block 5, lost async page write
blk_update_request: I/O error, dev loop7, sector 48
Buffer I/O error on dev loop7, logical block 6, lost async page write
blk_update_request: I/O error, dev loop7, sector 56
Buffer I/O error on dev loop7, logical block 7, lost async page write
blk_update_request: I/O error, dev loop7, sector 64
Buffer I/O error on dev loop7, logical block 8, lost async page write
blk_update_request: I/O error, dev loop7, sector 72
Buffer I/O error on dev loop7, logical block 9, lost async page write
binder_alloc: 1121: binder_alloc_buf, no vma
binder: 1121:1132 transaction failed 29189/-3, size 48-48 line 3131
binder_alloc: 1121: binder_alloc_buf, no vma
binder: 1121:1145 transaction failed 29189/-3, size 0-32 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=4095 sclass=netlink_xfrm_socket
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=4095 sclass=netlink_xfrm_socket
binder: 1346:1350 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 1346:1350 BC_INCREFS_DONE node 402 has no pending increfs request
binder: 1346:1350 unknown command 0
binder: 1346:1350 ioctl c0306201 20004000 returned -22
binder_alloc: binder_alloc_mmap_handler: 1346 2011a000-2051a000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 1346:1375 ioctl 40046207 0 returned -16
binder: 1346:1402 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 1346:1402 BC_INCREFS_DONE node 402 has no pending increfs request
binder: 1346:1402 unknown command 0
binder: 1346:1402 ioctl c0306201 20004000 returned -22
nla_parse: 10 callbacks suppressed
netlink: 21 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 21 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 1566:1570 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 1566:1570 BC_INCREFS_DONE node 403 has no pending increfs request
binder: 1566:1570 got transaction with invalid offset (48, min 0 max 48) or object.
binder: 1566:1570 transaction failed 29201/-22, size 48-48 line 3194
binder_alloc: binder_alloc_mmap_handler: 1566 2011a000-2051a000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 1566:1577 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 1566:1570 ioctl 40046207 0 returned -16
binder: 1566:1577 unknown command 0
binder: 1566:1577 ioctl c0306201 20004000 returned -22
sg_write: data in/out 327644/210 bytes for SCSI command 0xc2-- guessing data in; program syz-executor1 not setting count and/or reply_len properly
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 1752:1755 ERROR: BC_REGISTER_LOOPER called without request
binder: 1752:1766 got reply transaction with no transaction stack
binder: 1752:1766 transaction failed 29201/-71, size 32-8 line 2924
binder_alloc: binder_alloc_mmap_handler: 1752 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 1752:1778 ERROR: BC_REGISTER_LOOPER called without request
binder: 1752:1766 ioctl 40046207 0 returned -16
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
binder: 2027:2035 got transaction with invalid parent offset or type
binder: 2027:2035 transaction failed 29201/-22, size 80-8 line 3316
binder_alloc: binder_alloc_mmap_handler: 2027 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2027:2035 ioctl 40046207 0 returned -16
binder_alloc: 2027: binder_alloc_buf, no vma
binder: 2055:2056 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 2055:2056 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: 2055:2056 got reply transaction with bad transaction stack, transaction 411 has target 2055:0
binder: 2055:2056 transaction failed 29201/-71, size 48-56 line 2939
binder: 2055:2056 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 2055:2056 BC_FREE_BUFFER u0000000000000000 no match
binder: tried to use weak ref as strong ref
binder: 2055:2056 got transaction to invalid handle
binder: 2055:2056 transaction failed 29201/-22, size 0-32 line 3008
binder_alloc: binder_alloc_mmap_handler: 2055 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2055:2056 ioctl 40046207 0 returned -16
binder_alloc: 2055: binder_alloc_buf, no vma
binder: 2055:2057 transaction failed 29189/-3, size 80-16 line 3131
binder: 2055:2056 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 2055:2056 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 2055:2056 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: 2055:2056 got reply transaction with no transaction stack
binder: 2055:2056 transaction failed 29201/-71, size 48-56 line 2924
binder: release 2055:2056 transaction 411 out, still active
binder: send failed reply for transaction 411, target dead
binder: 2027:2048 transaction failed 29189/-3, size 80-8 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 2096:2100 ioctl 85 20416000 returned -22
binder: 2096:2100 got reply transaction with no transaction stack
binder: 2096:2100 transaction failed 29201/-71, size 56-24 line 2924
binder: 2096:2122 ioctl 85 20416000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2096:2132 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
sg_write: data in/out 327644/210 bytes for SCSI command 0xc2-- guessing data in; program syz-executor0 not setting count and/or reply_len properly
skbuff: bad partial csum: csum=53081/14726 len=2273
device gre0 entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 2518 Comm: syz-executor2 Not tainted 4.4.105-g8a53962 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 2d12d05b06098b72 ffff8801d28cfa80 ffffffff81cc9b0f
1ffff1003a519f5b 0000000000000030 ffff8801d28cfc20 ffffffff815db6db
ffff8800b7ad00a0 ffff8800b7ad00a0 ffff8800b7ad00a0 ffff8801d28cfbf8
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316
[] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline]
[] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline]
[] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455
[] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245
[] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985
[] SYSC_sigaltstack /syzkaller/managers/android-44-kasan-gce/kernel/kernel/signal.c:3165 [inline]
[] SyS_sigaltstack+0x63/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/signal.c:3163
[] entry_SYSCALL_64_fastpath+0x16/0x76
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 2562 Comm: syz-executor2 Not tainted 4.4.105-g8a53962 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 6551e52b2f0f6348 ffff8801d2ed7a80 ffffffff81cc9b0f
1ffff1003a5daf5b 0000000000000030 ffff8801d2ed7c20 ffffffff815db6db
ffff8800b7ad00a0 ffff8800b7ad00a0 ffff8800b7ad00a0 ffff8801d2ed7bf8
Call Trace:
[] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
[] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
[] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316
[] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline]
[] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline]
[] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455
[] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245
[] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985
[] SYSC_sigaltstack /syzkaller/managers/android-44-kasan-gce/kernel/kernel/signal.c:3165 [inline]
[] SyS_sigaltstack+0x63/0x90 /syzkaller/managers/android-44-kasan-gce/kernel/kernel/signal.c:3163
[] entry_SYSCALL_64_fastpath+0x16/0x76
binder: 2632:2634 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 2632:2634 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: 2632:2634 got reply transaction with bad transaction stack, transaction 423 has target 2632:0
binder: 2632:2634 transaction failed 29201/-71, size 48-56 line 2939
binder: 2632:2646 BC_DEAD_BINDER_DONE 0000000000000002 not found
binder: 2632:2646 BC_FREE_BUFFER u0000000000000000 no match
binder: tried to use weak ref as strong ref
binder: 2632:2646 got transaction to invalid handle
binder: 2632:2646 transaction failed 29201/-22, size 0-32 line 3008
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: binder_alloc_mmap_handler: 2632 20000000-20002000 already mapped failed -16
binder: 2632:2634 ioctl 40046207 0 returned -16
binder_alloc: 2632: binder_alloc_buf, no vma
binder: 2632:2651 transaction failed 29189/-3, size 80-16 line 3131
binder: 2632:2646 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 2632:2646 BC_REQUEST_DEATH_NOTIFICATION invalid ref 4
binder: 2632:2646 DecRefs 0 refcount change on invalid ref 3 ret -22
binder: 2632:2646 got reply transaction with no transaction stack
binder: 2632:2646 transaction failed 29201/-71, size 48-56 line 2924
binder: release 2632:2634 transaction 423 out, still active
binder: send failed reply for transaction 423, target dead
binder: 2756:2770 got transaction with invalid parent offset or type
binder: 2756:2770 transaction failed 29201/-22, size 80-8 line 3316
binder_alloc: binder_alloc_mmap_handler: 2756 20000000-20002000 already mapped failed -16
binder_alloc: 2756: binder_alloc_buf, no vma
binder: 2756:2770 transaction failed 29189/-3, size 80-8 line 3131
binder: BINDER_SET_CONTEXT_MGR already set
binder: 2756:2801 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
audit: type=1400 audit(1512952643.640:36): avc: denied { bind } for pid=2886 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1512952643.670:37): avc: denied { getopt } for pid=2886 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
nla_parse: 7 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
tc_dump_action: action bad kind
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=35840 sclass=netlink_xfrm_socket
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=35840 sclass=netlink_xfrm_socket
tc_dump_action: action bad kind
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
audit: type=1400 audit(1512952644.630:38): avc: denied { getopt } for pid=3194 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1