device gre0 entered promiscuous mode BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor5/14351 caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 CPU: 0 PID: 14351 Comm: syz-executor5 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 0326cd18e57e05ad ffff8800b7c3f6b8 ffffffff81cc9b4f 0000000000000000 ffffffff839fd4a0 ffff8800b7c3f6f8 ffffffff81d28d58 ffffffff83d093a0 ffff8800bae38a60 dffffc0000000000 ffffffff83cff4e0 Call Trace: [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x168/0x8e0 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0x9e/0x840 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x354/0xa40 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0xe/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1281 [inline] [] pfkey_add+0x1e18/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 audit: type=1326 audit(1513083982.469:73): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14423 comm="syz-executor0" exe="/root/syz-executor0" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0 audit: type=1326 audit(1513083982.589:74): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14423 comm="syz-executor0" exe="/root/syz-executor0" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0 device gre0 entered promiscuous mode keychord: invalid keycode count 0 keychord: invalid keycode count 0 device gre0 entered promiscuous mode device gre0 entered promiscuous mode nla_parse: 12 callbacks suppressed netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 13 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 13 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'. audit: type=1326 audit(1513083984.029:75): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14871 comm="syz-executor5" exe="/root/syz-executor5" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0 BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor6/14884 caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 CPU: 0 PID: 14884 Comm: syz-executor6 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 b6999cca14ae4b09 ffff8800b89cf6b8 ffffffff81cc9b4f 0000000000000000 ffffffff839fd4a0 ffff8800b89cf6f8 ffffffff81d28d58 ffffffff83d093a0 ffff8801d118c530 dffffc0000000000 ffffffff83cff4e0 Call Trace: audit: type=1326 audit(1513083984.129:76): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=14871 comm="syz-executor5" exe="/root/syz-executor5" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x168/0x8e0 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0x9e/0x840 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x354/0xa40 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0xe/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1281 [inline] [] pfkey_add+0x1e18/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498 binder: 14916:14922 ioctl 8953 20d73fbc returned -22 binder_alloc: 14916: binder_alloc_buf, no vma binder: 14916:14922 transaction failed 29189/-3, size 80-16 line 3131 binder: BINDER_SET_CONTEXT_MGR already set binder: 14916:14922 ioctl 40046207 0 returned -16 binder: 14916:14922 ioctl 8953 20d73fbc returned -22 binder_alloc: 14916: binder_alloc_buf, no vma binder: 14916:14922 transaction failed 29189/-3, size 80-16 line 3131 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode binder: undelivered death notification, 0000000000000000 binder: undelivered death notification, 0000000000000000 binder: BINDER_SET_CONTEXT_MGR already set binder: 15197:15204 ioctl 40046207 0 returned -16 keychord: invalid keycode count 0 device gre0 entered promiscuous mode device gre0 entered promiscuous mode keychord: invalid keycode count 0 device gre0 entered promiscuous mode keychord: invalid keycode count 0 keychord: invalid keycode count 0 keychord: invalid keycode count 0 device gre0 entered promiscuous mode keychord: invalid keycode count 0 netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'. device gre0 entered promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'. binder: 15547:15554 transaction failed 29189/-22, size 80-16 line 3008 audit_printk_skb: 7 callbacks suppressed audit: type=1326 audit(1513083986.579:79): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15576 comm="syz-executor7" exe="/root/syz-executor7" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0 audit: type=1326 audit(1513083986.679:80): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=15576 comm="syz-executor7" exe="/root/syz-executor7" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0 binder: undelivered TRANSACTION_ERROR: 29189 device gre0 entered promiscuous mode BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor7/15674 caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 CPU: 0 PID: 15674 Comm: syz-executor7 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 a79857e2036f9ba8 ffff8800b8b576b8 ffffffff81cc9b4f 0000000000000000 ffffffff839fd4a0 ffff8800b8b576f8 ffffffff81d28d58 ffffffff83d093a0 ffff8801da764f90 dffffc0000000000 ffffffff83cff4e0 Call Trace: [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x168/0x8e0 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0x9e/0x840 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x354/0xa40 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0xe/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1281 [inline] [] pfkey_add+0x1e18/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor7/15727 caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 CPU: 1 PID: 15727 Comm: syz-executor7 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 0da930046fc13244 ffff8800baf676b8 ffffffff81cc9b4f 0000000000000001 ffffffff839fd4a0 ffff8800baf676f8 ffffffff81d28d58 ffffffff83d093a0 ffff8800b7ccf910 dffffc0000000000 ffffffff83cff4e0 Call Trace: [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x168/0x8e0 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0x9e/0x840 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x354/0xa40 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0xe/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1281 [inline] [] pfkey_add+0x1e18/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 binder: 15774:15777 BC_FREE_BUFFER u0000000000000000 no match device gre0 entered promiscuous mode binder: 15774:15791 DecRefs 0 refcount change on invalid ref 3 ret -22 binder: 15774:15777 BC_DEAD_BINDER_DONE 0000000000000004 not found binder: 15774:15791 BC_REQUEST_DEATH_NOTIFICATION death notification already set binder: 15774:15777 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER binder: 15774:15777 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2 binder: 15774:15806 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 15774:15777 got reply transaction with no transaction stack binder: 15774 invalid dec weak, ref 521 desc 0 s 1 w 0 binder: 15774:15777 transaction failed 29201/-71, size 72-40 line 2924 binder: 15774:15791 tried to acquire reference to desc 0, got 1 instead binder: 15774:15806 unknown command 0 binder: 15774:15791 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 15774:15806 ioctl c0306201 2000bfd0 returned -22 binder: 15774:15777 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 binder: 15774:15791 BC_FREE_BUFFER u0000000000000000 no match device gre0 entered promiscuous mode binder: 15774:15791 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 15774:15791 BC_DEAD_BINDER_DONE 0000000000000004 not found binder: 15774:15791 ERROR: BC_REGISTER_LOOPER called without request binder: 15774:15791 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2 binder: 15774:15791 got reply transaction with no transaction stack binder: 15774:15791 transaction failed 29201/-71, size 72-40 line 2924 binder: undelivered death notification, 0000000000000000 device gre0 entered promiscuous mode binder_alloc: 15965: binder_alloc_buf, no vma binder: 15965:15967 transaction failed 29189/-3, size 80-16 line 3131 BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor3/15958 caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 CPU: 0 PID: 15958 Comm: syz-executor3 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 bf616ba40c2f3439 ffff8801d629f6b8 ffffffff81cc9b4f 0000000000000000 ffffffff839fd4a0 ffff8801d629f6f8 ffffffff81d28d58 ffffffff83d093a0 ffff8800ba89eeb0 dffffc0000000000 ffffffff83cff4e0 Call Trace: [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x168/0x8e0 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0x9e/0x840 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x354/0xa40 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0xe/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1281 [inline] [] pfkey_add+0x1e18/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 binder: BINDER_SET_CONTEXT_MGR already set binder: 15965:15982 ioctl 40046207 0 returned -16 binder_alloc: 15965: binder_alloc_buf, no vma binder: 15965:15976 transaction failed 29189/-3, size 80-16 line 3131 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 audit: type=1326 audit(1513083988.939:81): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=16024 comm="syz-executor6" exe="/root/syz-executor6" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0 device gre0 entered promiscuous mode keychord: invalid keycode count 0 keychord: invalid keycode count 0 audit: type=1326 audit(1513083989.029:82): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=16024 comm="syz-executor6" exe="/root/syz-executor6" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0 netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/16111 caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 CPU: 1 PID: 16111 Comm: syz-executor1 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 be9a8898b6110cc1 ffff8801d616f6b8 ffffffff81cc9b4f 0000000000000001 ffffffff839fd4a0 ffff8801d616f6f8 ffffffff81d28d58 ffffffff83d093a0 ffff8800b7ccdf20 dffffc0000000000 ffffffff83cff4e0 Call Trace: [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x168/0x8e0 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0x9e/0x840 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x354/0xa40 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0xe/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1281 [inline] [] pfkey_add+0x1e18/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/16124 caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 CPU: 0 PID: 16124 Comm: syz-executor1 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 2487a4a664484f79 ffff8801d441f6b8 ffffffff81cc9b4f 0000000000000000 ffffffff839fd4a0 ffff8801d441f6f8 ffffffff81d28d58 ffffffff83d093a0 ffff8800b8a22eb0 dffffc0000000000 ffffffff83cff4e0 Call Trace: [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x168/0x8e0 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0x9e/0x840 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x354/0xa40 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0xe/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1281 [inline] [] pfkey_add+0x1e18/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 FAULT_FLAG_ALLOW_RETRY missing 30 CPU: 1 PID: 16235 Comm: syz-executor3 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 afc88421d9ab44ee ffff8801d7117970 ffffffff81cc9b4f 1ffff1003ae22f39 0000000000000030 ffff8801d7117b10 ffffffff815db71b ffff8800b915b460 ffff8800b915b460 ffff8800b915b460 ffff8801d7117ae8 Call Trace: [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] handle_userfault+0x75b/0x1570 /syzkaller/managers/android-44-kasan-gce/kernel/fs/userfaultfd.c:316 [] do_anonymous_page /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:2731 [inline] [] handle_pte_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3295 [inline] [] __handle_mm_fault /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3426 [inline] [] handle_mm_fault+0x2731/0x39b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/memory.c:3455 [] __do_page_fault+0x2d0/0x910 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1245 [] do_page_fault+0x22/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/mm/fault.c:1308 [] page_fault+0x28/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/arch/x86/entry/entry_64.S:985 [] entry_SYSCALL_64_fastpath+0x16/0x76 netlink: 64 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 64 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'. device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode binder: 16638:16639 BC_FREE_BUFFER u0000000000000000 no match binder: 16638:16639 BC_DEAD_BINDER_DONE 0000000000000004 not found binder: 16638:16650 DecRefs 0 refcount change on invalid ref 2 ret -22 binder_alloc: 16643: binder_alloc_buf, no vma binder: 16643:16644 transaction failed 29189/-3, size 80-16 line 3131 binder: 16638:16639 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER binder: 16638:16639 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2 binder: 16638:16639 got reply transaction with no transaction stack binder: 16638:16639 transaction failed 29201/-71, size 72-40 line 2924 binder: 16638:16650 BC_REQUEST_DEATH_NOTIFICATION death notification already set binder: 16638:16639 ioctl c0306201 20010000 returned -14 binder: BINDER_SET_CONTEXT_MGR already set binder: 16643:16653 ioctl 40046207 0 returned -16 binder: 16638 invalid dec weak, ref 533 desc 0 s 1 w 0 binder: 16638:16639 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER binder: undelivered TRANSACTION_ERROR: 29189 binder: 16638:16639 DecRefs 0 refcount change on invalid ref 4 ret -22 binder: 16638:16639 unknown command 0 binder: 16638:16685 tried to acquire reference to desc 0, got 1 instead binder: 16638:16639 ioctl c0306201 2000bfd0 returned -22 binder: 16638:16650 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 16638:16639 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 binder: 16638:16650 BC_FREE_BUFFER u0000000000000000 no match binder: 16638:16650 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 16638:16650 BC_DEAD_BINDER_DONE 0000000000000004 not found binder: 16638:16650 ERROR: BC_REGISTER_LOOPER called without request binder: 16638:16650 BC_CLEAR_DEATH_NOTIFICATION invalid ref 2 binder: 16638:16639 DecRefs 0 refcount change on invalid ref 2 ret -22 binder: 16638:16639 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 16638:16650 got reply transaction with no transaction stack binder: 16638:16650 transaction failed 29201/-71, size 72-40 line 2924 binder: undelivered death notification, 0000000000000000 binder: 16724:16732 BC_FREE_BUFFER u0000000000000000 no match binder: 16724:16732 BC_DEAD_BINDER_DONE 0000000000000004 not found binder: 16724:16745 DecRefs 0 refcount change on invalid ref 2 ret -22 binder: 16724:16745 BC_REQUEST_DEATH_NOTIFICATION death notification already set binder: 16724:16732 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER