BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor2/9059
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 9059 Comm: syz-executor2 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 50bf8dbe432e28e4 ffff8801c9427800 ffffffff81d028ed
 0000000000000000 ffffffff839fe3a0 ffffffff83cef6a0 ffff8801c88a17c0
 0000000000000003 ffff8801c9427840 ffffffff81d62834 ffffffff810002b8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] ? 0xffffffff810002b8
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
 [] SyS_sendto+0x40/0x50 net/socket.c:1633
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
binder: 9289:9290 tried to acquire reference to desc 0, got 1 instead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9289:9290 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9289:9309 ioctl 40046207 0 returned -16
netlink: 20 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor1'.
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
binder: 9710:9716 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 9710:9716 ioctl 800454d3 20162ffc returned -22
binder: 9710:9716 BC_DEAD_BINDER_DONE 0000000000000000 not found
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 9710:9749 ioctl 800454d3 20162ffc returned -22
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1400 audit(1517383737.071:46): avc: denied { getopt } for pid=9733 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 9759:9775 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517383737.261:47): avc: denied { transfer } for pid=9759 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: release 9759:9787 transaction 49 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 9759:9775 transaction failed 29189/0, size 24-8 line 3388
binder: 9759:9787 ioctl c018620b 20000000 returned -14
binder: send failed reply for transaction 49, target dead
binder_alloc: binder_alloc_mmap_handler: 9759 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9759:9814 ERROR: BC_REGISTER_LOOPER called without request
binder: 9759:9820 got reply transaction with no transaction stack
binder: 9759:9820 transaction failed 29201/-71, size 24-8 line 2921
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9759:9821 ioctl c018620b 20000000 returned -14
binder: 9759:9821 IncRefs 0 refcount change on invalid ref 1 ret -22
binder_alloc: 9759: binder_alloc_buf, no vma
binder: 9759:9787 ioctl 40046207 0 returned -16
binder: 9759:9814 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29190
binder: 9834:9850 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9827:9854 ioctl 40046207 0 returned -16
binder: 9827:9854 ERROR: BC_REGISTER_LOOPER called without request
binder: 9827:9862 got reply transaction with bad transaction stack, transaction 56 has target 9834:9850
binder: 9834:9850 got reply transaction with bad transaction stack, transaction 57 has target 9834:0
binder: 9827:9862 transaction failed 29201/-71, size 24-8 line 2936
binder: 9834:9850 transaction failed 29201/-71, size 24-8 line 2936
binder: release 9827:9862 transaction 56 out, still active
binder: release 9834:9850 transaction 57 out, still active
binder: release 9834:9850 transaction 56 in, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9827:9862 ioctl c018620b 20000000 returned -14
binder: 9827:9862 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9834:9876 ioctl c018620b 20000000 returned -14
binder: 9834:9876 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: send failed reply for transaction 57, target dead
binder: send failed reply for transaction 56, target dead
': renamed from gre0
binder: 9882:9898 ERROR: BC_REGISTER_LOOPER called without request
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: 9882:9916 ioctl c018620b 20000000 returned -14
binder: invalid inc weak node for 63
binder: 9882:9916 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 62, process died.
IPVS: length: 24 != 8
IPVS: length: 24 != 8
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 10056 Comm: syz-executor6 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 43487e344f71035a ffff8800a65077d0 ffffffff81d028ed
 ffff8801cb2bc780 1ffff10014ca0f07 ffff8800a6507958 0000000000000000
 0000000000000000 ffff8800a6507980 ffffffff81605ec5 ffffffff81236530
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
 [] do_anonymous_page mm/memory.c:2731 [inline]
 [] handle_pte_fault mm/memory.c:3295 [inline]
 [] __handle_mm_fault mm/memory.c:3426 [inline]
 [] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
 [] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
 [] SYSC_select fs/select.c:640 [inline]
 [] SyS_select+0x14a/0x1d0 fs/select.c:622
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
CPU: 0 PID: 10051 Comm: syz-executor6 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 aa58ed6b16f552f4 ffff8801c7bff6d0 ffffffff81d028ed
 ffff8801cb2bc780 1ffff10038f7fee7 ffff8801c7bff858 0000000000000000
 0000000000000000 ffff8801c7bff880 ffffffff81605ec5 ffffffff81236530
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
 [] do_anonymous_page mm/memory.c:2731 [inline]
 [] handle_pte_fault mm/memory.c:3295 [inline]
 [] __handle_mm_fault mm/memory.c:3426 [inline]
 [] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
 [] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607
 [] SYSC_ioctl fs/ioctl.c:622 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 10057 Comm: syz-executor6 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 0d5204ee420746c0 ffff8800aa0877d0 ffffffff81d028ed
 ffff8801cb2bc900 1ffff10015410f07 ffff8800aa087958 0000000000000000
 0000000000000000 ffff8800aa087980 ffffffff81605ec5 ffffffff81236530
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
 [] do_anonymous_page mm/memory.c:2731 [inline]
 [] handle_pte_fault mm/memory.c:3295 [inline]
 [] __handle_mm_fault mm/memory.c:3426 [inline]
 [] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
 [] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
 [] SYSC_select fs/select.c:640 [inline]
 [] SyS_select+0x14a/0x1d0 fs/select.c:622
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
audit: type=1400 audit(1517383739.331:48): avc: denied { write } for pid=10089 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517383739.351:49): avc: denied { ioctl } for pid=10089 comm="syz-executor5" path="socket:[20025]" dev="sockfs" ino=20025 ioctlcmd=8903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517383739.561:50): avc: denied { setattr } for pid=10151 comm="syz-executor1" name="NETLINK" dev="sockfs" ino=19188 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10145:10162 ioctl 40046207 0 returned -16
binder_alloc: 10145: binder_alloc_buf, no vma
binder: 10145:10171 transaction failed 29189/-3, size 0-0 line 3128
binder_alloc: 10145: binder_alloc_buf, no vma
binder: 10145:10177 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 10145:10149 transaction 67 out, still active
binder: release 10145:10149 transaction 66 in, still active
binder: undelivered TRANSACTION_COMPLETE
binder: release 10145:10162 transaction 66 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 67, target dead
binder: send failed reply for transaction 66, target dead
binder: 10200:10203 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 10200:10219 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
device lo entered promiscuous mode
audit: type=1400 audit(1517383740.471:51): avc: denied { setattr } for pid=10328 comm="syz-executor0" name="comm" dev="proc" ino=19294 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=file permissive=1
audit: type=1326 audit(1517383740.691:52): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=10379 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
audit: type=1326 audit(1517383740.751:53): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=10379 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x0
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder_alloc: binder_alloc_mmap_handler: 10575 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10575:10590 ioctl 40046207 0 returned -16
TCP: request_sock_TCP: Possible SYN flooding on port 20026. Sending cookies. Check SNMP counters.
binder: release 10575:10580 transaction 71 out, still active
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 71, target dead
device gre0 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1400 audit(1517383743.381:54): avc: denied { setopt } for pid=10944 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 10952:10964 unknown command 72
binder: 10952:10964 ioctl c0306201 20007000 returned -22
binder: 10952:10972 unknown command 72
binder: 10952:10972 ioctl c0306201 20007000 returned -22
binder: 10989:10992 ioctl 5608 0 returned -22
binder: 10989:10992 ioctl 5411 20169000 returned -22
binder: release 10989:10992 transaction 74 in, still active
binder: send failed reply for transaction 74 to 10989:10996
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10989:10996 ioctl 40046207 0 returned -16
binder: 10989:10997 ioctl 5608 0 returned -22
binder_alloc: 10989: binder_alloc_buf, no vma
binder: 10989:10996 transaction failed 29189/-3, size 0-0 line 3128
binder: 10989:10992 ioctl 5411 20169000 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189