BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/5701 caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 CPU: 0 PID: 5701 Comm: syz-executor7 Not tainted 4.4.113-g962d1f3 #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 269d372812938cf3 ffff8801d8c87800 ffffffff81d028ed 0000000000000000 ffffffff839fe3a0 ffffffff83cef6a0 ffff8801d8d4c740 0000000000000003 ffff8801d8c87840 ffffffff81d62834 ffffffff810002b8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46 [] ? 0xffffffff810002b8 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 [] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278 [] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485 [] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531 [] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:635 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1665 [] SyS_sendto+0x40/0x50 net/socket.c:1633 [] entry_SYSCALL_64_fastpath+0x1c/0x98 BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/5743 caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 CPU: 1 PID: 5743 Comm: syz-executor7 Not tainted 4.4.113-g962d1f3 #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ec7212fb099e06c5 ffff8801c697f800 ffffffff81d028ed 0000000000000001 ffffffff839fe3a0 ffffffff83cef6a0 ffff8801d8624740 0000000000000003 ffff8801c697f840 ffffffff81d62834 ffffffff810002b8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46 [] ? 0xffffffff810002b8 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 [] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278 [] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485 [] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531 [] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:635 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1665 [] SyS_sendto+0x40/0x50 net/socket.c:1633 [] entry_SYSCALL_64_fastpath+0x1c/0x98 keychord: invalid keycode count 0 binder: 5802:5809 ERROR: BC_REGISTER_LOOPER called without request keychord: invalid keycode count 0 audit: type=1400 audit(1517374980.232:11): avc: denied { call } for pid=5802 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder: 5802:5826 got reply transaction with no transaction stack binder: 5802:5826 transaction failed 29201/-71, size 24-8 line 2921 binder: release 5802:5809 transaction 5 in, still active binder: send failed reply for transaction 5 to 5802:5822 binder: undelivered TRANSACTION_COMPLETE binder: 5802:5822 ERROR: BC_REGISTER_LOOPER called without request binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder_alloc: 5802: binder_alloc_buf, no vma binder: 5802:5809 transaction failed 29189/-3, size 0-0 line 3128 binder: 5802:5826 got reply transaction with no transaction stack binder: 5802:5826 transaction failed 29201/-71, size 24-8 line 2921 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 netlink: 9 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor6'. device syz2 entered promiscuous mode device syz2 left promiscuous mode SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket binder: 6198:6207 transaction failed 29189/-22, size 0-0 line 3005 binder: undelivered TRANSACTION_ERROR: 29189 syz-executor4 uses obsolete (PF_INET,SOCK_PACKET) audit_printk_skb: 3 callbacks suppressed audit: type=1400 audit(1517374982.532:13): avc: denied { create } for pid=6412 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1517374982.592:14): avc: denied { write } for pid=6412 comm="syz-executor1" path="socket:[13053]" dev="sockfs" ino=13053 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. audit: type=1400 audit(1517374983.052:15): avc: denied { transfer } for pid=6561 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder: 6561:6579 DecRefs 0 refcount change on invalid ref 4 ret -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 6561:6579 ioctl 40046207 0 returned -16 binder_alloc: 6561: binder_alloc_buf, no vma binder: 6561:6569 DecRefs 0 refcount change on invalid ref 4 ret -22 binder: 6561:6601 transaction failed 29189/-3, size 80-16 line 3128 binder: undelivered TRANSACTION_ERROR: 29189 binder: release 6561:6569 transaction 12 out, still active binder: unexpected work type, 4, not freed binder: unexpected work type, 4, not freed binder: undelivered TRANSACTION_COMPLETE binder: send failed reply for transaction 12, target dead binder: 6640:6641 transaction failed 29189/-22, size 0-0 line 3005 BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/6643 caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 CPU: 0 PID: 6643 Comm: syz-executor7 Not tainted 4.4.113-g962d1f3 #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 1482176ca32c3a8d ffff8801d757f800 ffffffff81d028ed 0000000000000000 ffffffff839fe3a0 ffffffff83cef6a0 ffff8801d7435f00[ 49.376806] binder: 6640:6654 transaction failed 29189/-22, size 0-0 line 3005 0000000000000003 ffff8801d757f840 ffffffff81d62834 ffffffff810002b8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46 [] ? 0xffffffff810002b8 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 [] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278 [] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485 [] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 [] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:635 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1665 [] SyS_sendto+0x40/0x50 net/socket.c:1633 [] entry_SYSCALL_64_fastpath+0x1c/0x98 audit: type=1400 audit(1517374983.732:16): avc: denied { ioctl } for pid=6682 comm="syz-executor1" path="socket:[13248]" dev="sockfs" ino=13248 ioctlcmd=8903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1517374983.812:17): avc: denied { create } for pid=6682 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1517374983.832:18): avc: denied { write } for pid=6682 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1517374983.842:19): avc: denied { ioctl } for pid=6682 comm="syz-executor1" path="socket:[13248]" dev="sockfs" ino=13248 ioctlcmd=8903 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1517374983.852:20): avc: denied { create } for pid=6724 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1517374983.862:21): avc: denied { ioctl } for pid=6724 comm="syz-executor3" path="socket:[13268]" dev="sockfs" ino=13268 ioctlcmd=8916 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63938 sclass=netlink_route_socket SELinux: unrecognized netlink message: protocol=0 nlmsg_type=63938 sclass=netlink_route_socket SELinux: truncated policydb string identifier netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'. IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor4'. audit_printk_skb: 16 callbacks suppressed audit: type=1400 audit(1517374987.962:27): avc: denied { set_context_mgr } for pid=7621 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 audit: type=1400 audit(1517374988.012:28): avc: denied { call } for pid=7621 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder: BINDER_SET_CONTEXT_MGR already set binder: 7637:7643 ioctl 40046207 0 returned -16 binder: 7637:7639 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 7637:7643 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 binder_alloc: 7621: binder_alloc_buf, no vma binder: BINDER_SET_CONTEXT_MGR already set binder_alloc: binder_alloc_mmap_handler: 7621 20000000-20002000 already mapped failed -16 binder: 7621:7659 ioctl 40046207 0 returned -16 binder: 7621:7626 transaction failed 29189/-3, size 40-6 line 3128 binder: undelivered TRANSACTION_ERROR: 29189 audit: type=1400 audit(1517374988.262:29): avc: denied { read } for pid=7699 comm="syz-executor5" path="socket:[15878]" dev="sockfs" ino=15878 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1 binder: 7693:7697 ioctl 4c06 13 returned -22 binder: release 7693:7697 transaction 25 in, still active binder: send failed reply for transaction 25 to 7693:7714 binder: BINDER_SET_CONTEXT_MGR already set binder: 7693:7697 ioctl 40046207 0 returned -16 binder_alloc: 7693: binder_alloc_buf, no vma binder: 7693:7722 transaction failed 29189/-3, size 0-0 line 3128 binder: 7693:7714 BC_FREE_BUFFER u0000000020000000 no match binder: 7693:7697 ioctl 4c06 14 returned -22 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_COMPLETE binder: undelivered TRANSACTION_ERROR: 29189 binder: 7823:7824 BC_FREE_BUFFER u0000000020e55000 matched unreturned buffer binder_alloc: 7823:7833 FREE_BUFFER u0000000020e55000 user freed buffer twice binder: BINDER_SET_CONTEXT_MGR already set binder: 7823:7833 BC_FREE_BUFFER u0000000020e55000 no match binder: 7823:7848 BC_FREE_BUFFER u0000000020e55000 no match binder_alloc: 7823: binder_alloc_buf, no vma binder: 7823:7833 transaction failed 29189/-3, size 0-0 line 3128 binder: 7823:7840 ioctl 40046207 0 returned -16 binder: undelivered TRANSACTION_ERROR: 29189 binder: release 7823:7824 transaction 28 out, still active binder: undelivered TRANSACTION_COMPLETE binder: send failed reply for transaction 28, target dead audit: type=1400 audit(1517374989.072:30): avc: denied { getattr } for pid=7865 comm="syz-executor4" name="NETLINK" dev="sockfs" ino=16010 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1517374989.122:31): avc: denied { dyntransition } for pid=7865 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=1 audit: type=1400 audit(1517374989.212:32): avc: denied { create } for pid=7906 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1517374989.272:33): avc: denied { write } for pid=7906 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1517374989.312:34): avc: denied { ioctl } for pid=7906 comm="syz-executor0" path="socket:[16057]" dev="sockfs" ino=16057 ioctlcmd=8916 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1517374989.342:35): avc: denied { attach_queue } for pid=7885 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=tun_socket permissive=1