BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/5996
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 5996 Comm: syz-executor5 Not tainted 4.9.68-gfb66dc2 #107
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801d74d76d8 ffffffff81d90889 0000000000000001 ffffffff83c17800
ffffffff83f42ec0 ffff8801d8979800 0000000000000003 ffff8801d74d7718
ffffffff81df7854 ffff8801d74d7730 ffffffff83f42ec0 dffffc0000000000
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
[] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
[] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
[] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
[] pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
[] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
[] pfkey_process+0x61e/0x730 net/key/af_key.c:2826
[] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
[] sock_sendmsg_nosec net/socket.c:635 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:645
[] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1968
[] __sys_sendmsg+0xd6/0x190 net/socket.c:2002
[] SYSC_sendmsg net/socket.c:2013 [inline]
[] SyS_sendmsg+0x2d/0x50 net/socket.c:2009
[] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
binder: 6074:6075 got reply transaction with no transaction stack
binder: 6074:6075 transaction failed 29201/-71, size 2-1144397507205 line 2923
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
binder: 6074:6079 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 6074:6079 got transaction to invalid handle
binder: 6074:6079 transaction failed 29201/-22, size 64-32 line 3007
binder: send failed reply for transaction 48 to 6074:6079
binder: 6074:6075 ioctl c0306201 2000efd0 returned -14
binder: 6074:6079 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 6074:6079 BC_FREE_BUFFER u000000002000c000 matched unreturned buffer
nla_parse: 1 callbacks suppressed
netlink: 11 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 6074:6102 unknown command 0
binder: 6074:6102 ioctl c0306201 20004000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6074:6075 ioctl 40046207 0 returned -16
binder: 6074:6075 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 6074:6075 got transaction to invalid handle
binder: 6074:6075 transaction failed 29201/-22, size 64-32 line 3007
binder: 6074:6102 unknown command 0
binder: 6074:6102 ioctl c0306201 20007000 returned -22
binder: 6074:6102 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2
binder: 6074:6102 BC_FREE_BUFFER u000000002000c000 no match
device eql entered promiscuous mode
netlink: 11 bytes leftover after parsing attributes in process `syz-executor2'.
device sit0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6158:6159 ioctl 40046207 0 returned -16
binder_alloc: 6158: binder_alloc_buf, no vma
binder: 6158:6166 transaction failed 29189/-3, size 0-0 line 3130
binder_alloc: 6158: binder_alloc_buf, no vma
binder: 6158:6166 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6158:6159 transaction 51 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: release 6158:6159 transaction 52 out, still active
binder: release 6158:6159 transaction 51 in, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 52, target dead
binder: send failed reply for transaction 51, target dead
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
PF_BRIDGE: RTM_SETLINK with unknown ifindex
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
PF_BRIDGE: RTM_SETLINK with unknown ifindex
device lo entered promiscuous mode
IPVS: length: 24 != 8
sock: sock_set_timeout: `syz-executor5' (pid 6263) tries to set negative timeout
audit: type=1400 audit(1513075655.834:35): avc: denied { net_bind_service } for pid=6278 comm="syz-executor6" capability=10 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: 6287:6290 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 6287: binder_alloc_buf, no vma
binder: 6287:6315 transaction failed 29189/-3, size 0-0 line 3130
device gre0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6287:6326 ioctl 40046207 0 returned -16
binder: 6287:6344 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 6287: binder_alloc_buf, no vma
binder: 6287:6347 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
tty_warn_deprecated_flags: 'syz-executor0' is using deprecated serial flags (with no effect): 00008000
Option 'tgˆa9mļw& [% SM?4-' to dns_resolver key: bad/missing value
tty_warn_deprecated_flags: 'syz-executor0' is using deprecated serial flags (with no effect): 00008000
Option 'tgˆa9mļw& [% SM?4-' to dns_resolver key: bad/missing value
Option '
Option '