BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor6/7654
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 7654 Comm: syz-executor6 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 ada538d7a57527b3 ffff8801d4a67800 ffffffff81d028ed
0000000000000001 ffffffff839fe3a0 ffffffff83cef6a0 ffff8801d71fc740
0000000000000003 ffff8801d4a67840 ffffffff81d62834 ffffffff810002b8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] ? 0xffffffff810002b8
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
[] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[] SyS_sendto+0x40/0x50 net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x1c/0x98
audit: type=1400 audit(1517375872.487:19): avc: denied { listen } for pid=7675 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor6/7691
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 7691 Comm: syz-executor6 Not tainted 4.4.113-g962d1f3 #2
audit: type=1400 audit(1517375872.547:20): avc: denied { ioctl } for pid=7675 comm="syz-executor1" path="socket:[14210]" dev="sockfs" ino=14210 ioctlcmd=5411 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 7cfe83dbfef9eb69 ffff8801d486f800 ffffffff81d028ed
0000000000000001 ffffffff839fe3a0 ffffffff83cef6a0 ffff8801c5150000
0000000000000003 ffff8801d486f840 ffffffff81d62834 ffffffff810002b8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] ? 0xffffffff810002b8
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
[] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[] SyS_sendto+0x40/0x50 net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x1c/0x98
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
syz-executor4 (7805) used greatest stack depth: 23928 bytes left
SELinux: policydb version -779868606 does not match my version range 15-30
SELinux: policydb string SE Linux does not match my string SE Linux
audit: type=1400 audit(1517375874.457:21): avc: denied { set_context_mgr } for pid=8013 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
SELinux: policydb version -779868606 does not match my version range 15-30
binder: 8013:8017 transaction failed 29189/-22, size 0-0 line 3005
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8013:8017 ioctl 40046207 0 returned -16
tmpfs: Bad mount option  iÊ€T6¬
SELinux: policydb string SE Linux does not match my string SE Linux
tmpfs: Bad mount option  iÊ€T6¬
binder: 8013:8031 got reply transaction with no transaction stack
binder: 8013:8031 transaction failed 29201/-71, size 0-0 line 2921
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8013:8035 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8013:8031 transaction failed 29189/-22, size 0-0 line 3005
binder: 8013:8035 ioctl 40046207 0 returned -16
binder: 8013:8038 got reply transaction with no transaction stack
binder: 8013:8038 transaction failed 29201/-71, size 0-0 line 2921
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
TCP: request_sock_TCPv6: Possible SYN flooding on port 20018. Sending cookies. Check SNMP counters.
audit: type=1400 audit(1517375875.237:22): avc: denied { create } for pid=8190 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517375875.237:23): avc: denied { write } for pid=8198 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
audit: type=1400 audit(1517375875.317:24): avc: denied { setopt } for pid=8190 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
audit: type=1400 audit(1517375875.427:25): avc: denied { create } for pid=8219 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517375875.487:26): avc: denied { write } for pid=8219 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 8385:8395 ioctl 40046205 200000000039ea returned -22
binder: 8385:8408 ioctl 40046205 200000000039ea returned -22
sock: sock_set_timeout: `syz-executor0' (pid 8445) tries to set negative timeout
sock: sock_set_timeout: `syz-executor0' (pid 8453) tries to set negative timeout
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo entered promiscuous mode
audit: type=1400 audit(1517375877.267:27): avc: denied { ioctl } for pid=8672 comm="syz-executor6" path="socket:[15859]" dev="sockfs" ino=15859 ioctlcmd=8927 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517375877.297:28): avc: denied { call } for pid=8669 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1517375877.307:29): avc: denied { getopt } for pid=8672 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 8669:8678 got transaction with invalid offset (0, min 0 max 0) or object.
binder_alloc: binder_alloc_mmap_handler: 8669 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8669:8704 ioctl 40046207 0 returned -16
binder: 8669:8678 transaction failed 29201/-22, size 0-8 line 3191
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8765:8768 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517375877.777:30): avc: denied { transfer } for pid=8765 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 8765:8779 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder_alloc: 8765: binder_alloc_buf, no vma
binder: 8765:8779 transaction failed 29189/-3, size 0-0 line 3128
binder: 8765:8768 ERROR: BC_REGISTER_LOOPER called without request
binder: 8765:8779 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 8765:8768 got reply transaction with no transaction stack
binder: 8765:8768 transaction failed 29201/-71, size 24-8 line 2921
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 64, process died.
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
binder: 8848:8860 got transaction with fd, -1, but target does not allow fds
binder: 8848:8860 transaction failed 29201/-1, size 24-8 line 3233
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8848:8860 ioctl 40046207 0 returned -16
binder_alloc: 8848: binder_alloc_buf, no vma
binder: 8848:8868 transaction failed 29189/-3, size 24-8 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8943:8946 ERROR: BC_REGISTER_LOOPER called without request
binder: 8943:8960 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
netlink: 92 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 92 bytes leftover after parsing attributes in process `syz-executor7'.
syz-executor6 (8953) used greatest stack depth: 23016 bytes left
netlink: 92 bytes leftover after parsing attributes in process `syz-executor7'.
tmpfs: Bad mount option  iÊ€T6¬
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9386:9389 ioctl 40046207 0 returned -16
binder_alloc: 9386: binder_alloc_buf, no vma
binder: 9386:9389 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 9386:9404 transaction 74 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 74, target dead
binder_alloc: 9616: binder_alloc_buf, no vma
binder: 9616:9619 transaction failed 29189/-3, size 0-0 line 3128
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 9616: binder_alloc_buf, no vma
binder: 9616:9625 transaction failed 29189/-3, size 0-0 line 3128
binder: 9616:9619 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
nla_parse: 1 callbacks suppressed
netlink: 24 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor0'.
SELinux: unknown mount option
PF_BRIDGE: RTM_SETLINK with unknown ifindex
SELinux: unknown mount option
PF_BRIDGE: RTM_SETLINK with unknown ifindex