BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor4/5387
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 5387 Comm: syz-executor4 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 0ecdfd844527b8b2 ffff8800acaaf800 ffffffff81d028ed
 0000000000000000 ffffffff839fe3a0 ffffffff83cef6a0 ffff8800b019df00
 0000000000000003 ffff8800acaaf840 ffffffff81d62834 ffffffff810002b8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] ? 0xffffffff810002b8
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
 [] SyS_sendto+0x40/0x50 net/socket.c:1633
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
audit: type=1400 audit(1517317299.913:5): avc: denied { set_context_mgr } for pid=5479 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 5479:5500 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 5479:5518 Release 1 refcount change on invalid ref 0 ret -22
capability: warning: `syz-executor6' uses deprecated v2 capabilities in a way that may be insecure
capability: warning: `syz-executor4' uses 32-bit capabilities (legacy support in use)
SELinux: unknown mount option
audit: type=1400 audit(1517317300.133:6): avc: denied { create } for pid=5551 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517317300.203:7): avc: denied { write } for pid=5551 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
mmap: syz-executor1 (5641) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20030. Sending cookies. Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20030. Sending cookies. Check SNMP counters.
binder: 5755:5759 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: binder_alloc_mmap_handler: 5755 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5755:5782 ERROR: BC_REGISTER_LOOPER called without request
binder: 5755:5767 ioctl 40046207 0 returned -16
audit: type=1400 audit(1517317301.523:8): avc: denied { call } for pid=5755 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 5755:5782 got reply transaction with no transaction stack
binder: 5755:5782 transaction failed 29201/-71, size 40-0 line 2921
binder_alloc: 5755: binder_alloc_buf, no vma
binder: 5755:5767 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
IPv4: Oversized IP packet from 127.0.0.1
netlink: 28 bytes leftover after parsing attributes in process `syz-executor5'.
IPVS: length: 24 != 8
IPVS: length: 24 != 8
keychord: keycode 16224 out of range
keychord: keycode 16224 out of range
audit: type=1400 audit(1517317302.833:9): avc: denied { dyntransition } for pid=6135 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0,c1 tclass=process permissive=1
audit: type=1400 audit(1517317302.873:10): avc: denied { dyntransition } for pid=6135 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0,c1 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0,c1 tclass=process permissive=1
l2tp_ppp: tunl 59: set debug=370001ca
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=39 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=39 sclass=netlink_route_socket
binder: 6446:6448 ioctl 0 20000ff8 returned -22
binder: 6446:6449 ioctl 0 20000ff8 returned -22
audit: type=1400 audit(1517317304.313:11): avc: denied { create } for pid=6534 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517317304.343:12): avc: denied { getopt } for pid=6534 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517317304.383:13): avc: denied { setopt } for pid=6534 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517317304.423:14): avc: denied { write } for pid=6534 comm="syz-executor3" path="socket:[13692]" dev="sockfs" ino=13692 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517317304.493:15): avc: denied { ioctl } for pid=6567 comm="syz-executor4" path="socket:[13702]" dev="sockfs" ino=13702 ioctlcmd=6418 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 6565 Comm: syz-executor7 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 9e292c482fd7baaf ffff8800b7517a00 ffffffff81d028ed
 ffff8801cc26e780 1ffff10016ea2f4d ffff8800b7517b88 0000000000000000
 0000000000000000 ffff8800b7517bb0 ffffffff81605ec5 ffffffff81236530
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
 [] do_anonymous_page mm/memory.c:2731 [inline]
 [] handle_pte_fault mm/memory.c:3295 [inline]
 [] __handle_mm_fault mm/memory.c:3426 [inline]
 [] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
 [] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 6610 Comm: syz-executor7 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 1aad8934c9ac6127 ffff8800bb39fa00 ffffffff81d028ed
 ffff8801cc26ea80 1ffff10017673f4d ffff8800bb39fb88 0000000000000000
 0000000000000000 ffff8800bb39fbb0 ffffffff81605ec5 ffffffff81236530
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
 [] do_anonymous_page mm/memory.c:2731 [inline]
 [] handle_pte_fault mm/memory.c:3295 [inline]
 [] __handle_mm_fault mm/memory.c:3426 [inline]
 [] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
 [] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
audit: type=1400 audit(1517317305.043:16): avc: denied { getopt } for pid=6656 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 6809:6821 ioctl c0306201 204edfd0 returned -14
binder: 6809:6829 got reply transaction with bad transaction stack, transaction 7 has target 6809:0
binder: 6809:6829 transaction failed 29201/-71, size 32-0 line 2936
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6809:6851 ioctl 40046207 0 returned -16
binder_alloc: 6809: binder_alloc_buf, no vma
binder: 6809:6829 ioctl c0306201 204edfd0 returned -14
binder: 6809:6857 transaction failed 29189/-3, size 0-0 line 3128
binder: 6809:6851 got reply transaction with no transaction stack
binder: 6809:6851 transaction failed 29201/-71, size 32-0 line 2921
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6809:6829 transaction 7 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 7, target dead
audit: type=1400 audit(1517317306.553:17): avc: denied { transfer } for pid=6910 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 6910:6940 DecRefs 0 refcount change on invalid ref 4 ret -22
binder_alloc: binder_alloc_mmap_handler: 6910 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6910:6924 ioctl 40046207 0 returned -16
binder_alloc: 6910: binder_alloc_buf, no vma
binder: 6910:6968 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 6910:6940 transaction failed 29189/-3, size 80-16 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6910:6924 transaction 12 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 12, target dead
binder: 7153:7155 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517317307.533:18): avc: denied { create } for pid=7133 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7153:7172 ioctl 40046207 0 returned -16
binder: 7153:7155 ERROR: BC_REGISTER_LOOPER called without request
binder: send failed reply for transaction 19 to 7153:7172
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7184:7189 ERROR: BC_REGISTER_LOOPER called without request
binder: 7179:7200 ioctl 894b 20072000 returned -22
binder: send failed reply for transaction 23 to 7184:7216
binder: undelivered TRANSACTION_COMPLETE
binder: 7179:7205 ioctl 894b 20072000 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7241:7270 ioctl 894b 20072000 returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
device gre0 entered promiscuous mode
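The console log above is what a syzkaller run hands a triager: one real finding (the BUG: line, a __this_cpu_add() call reached in preemptible context through tcp_try_coalesce from the tcp_sendmsg/tcp_send_rcvq path), two userfaultfd stack dumps that share a culprit, and a large volume of binder errors and SELinux AVC denials logged with permissive=1, meaning the policy only recorded them and denied nothing. The script below is an added example, not part of the original report and not syzkaller's own code: it splits such a log into stack-dump reports, picks a culprit frame by skipping the dump machinery, groups duplicate reports the way crash deduplication does, and tallies the AVC lines so they can be set aside. SAMPLE_LOG is constructed from lines on this page (the page's bare "[]" is a stripped "[<address>]"); the NOISE_FRAMES list and the culprit heuristic are assumptions modelled on the frames visible above, not syzkaller's actual rules.

```python
"""Triage helpers for a syzkaller console log like the one above: recover each
stack-dump report (a BUG:/WARNING:/"FAULT_FLAG_ALLOW_RETRY missing" header plus
its Call Trace), pick the culprit frame the way crash deduplication does, and
tally the SELinux AVC lines so permissive-mode noise is kept apart from the finding."""
import re
from collections import Counter, namedtuple
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample: lines copied from the log above, one per line as the kernel emits them.
SAMPLE_LOG = """\
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor4/5387
CPU: 0 PID: 5387 Comm: syz-executor4 Not tainted 4.4.113-g962d1f3 #2
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] ? 0xffffffff810002b8
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
audit: type=1400 audit(1517317299.913:5): avc: denied { set_context_mgr } for pid=5479 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 6565 Comm: syz-executor7 Not tainted 4.4.113-g962d1f3 #2
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
audit: type=1400 audit(1517317304.423:14): avc: denied { write } for pid=6534 comm="syz-executor3" path="socket:[13692]" dev="sockfs" ino=13692 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 6610 Comm: syz-executor7 Not tainted 4.4.113-g962d1f3 #2
Call Trace:
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
"""

HEADER_RE = re.compile(r"^(?:BUG: .*|WARNING: .*|FAULT_FLAG_ALLOW_RETRY missing \d+)$")
TASK_RE = re.compile(r"^CPU: (\d+) PID: (\d+) Comm: (\S+) .*?(\S+) #\d+")
# 4.4-era frame: "[<addr>] func+off/len file:line [inline]"; "? " marks an unsure frame.
FRAME_RE = re.compile(
    r"^\s*\[[^\]]*\]\s+(?P<unsure>\? )?(?P<func>\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<loc>\S+:\d+))?(?:\s+\[inline\])?\s*$")
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (\w+) \}\s+for\s+pid=(\d+) comm="([^"]+)"'
                    r'.*?tclass=(\w+) permissive=(\d)')
# Assumed list: frames of the reporting machinery, not of the code that tripped it.
NOISE_FRAMES = {"__dump_stack", "dump_stack", "check_preemption_disabled",
                "__this_cpu_preempt_check", "warn_slowpath_common", "warn_slowpath_fmt"}
Frame = namedtuple("Frame", "func loc inline unsure")

@dataclass
class Report:
    title: str
    cpu: Optional[int] = None
    pid: Optional[int] = None
    comm: Optional[str] = None
    kernel: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)

def parse_reports(text: str) -> List[Report]:
    """A header opens a report, 'Call Trace:' opens its frames, the first non-frame line closes them."""
    reports, cur, in_trace = [], None, False
    for line in text.splitlines():
        if HEADER_RE.match(line):
            cur = Report(title=line.strip())
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif (m := TASK_RE.match(line)):
            cur.cpu, cur.pid, cur.comm, cur.kernel = int(m[1]), int(m[2]), m[3], m[4]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if (m := FRAME_RE.match(line)):
                cur.frames.append(Frame(m["func"], m["loc"],
                                        line.rstrip().endswith("[inline]"), bool(m["unsure"])))
            else:
                in_trace = False
    return reports

def culprit(report: Report) -> Optional[Frame]:
    """First frame that is neither unsure, a bare address, nor dump machinery."""
    for fr in report.frames:
        if not (fr.unsure or fr.func.startswith("0x") or fr.func in NOISE_FRAMES):
            return fr
    return None

def dedupe(reports):
    """Group reports by (title, culprit function), as crash deduplication does."""
    groups = {}
    for r in reports:
        c = culprit(r)
        groups.setdefault((r.title, c.func if c else None), []).append(r)
    return groups

def avc_summary(text):
    """Count denials per (tclass, perm, permissive); permissive=1 means SELinux only logged."""
    counts = Counter()
    for m in AVC_RE.finditer(text):
        counts[(m[4], m[1], m[5] == "1")] += 1
    return counts
```

Run against the full log above, dedupe() collapses the two FAULT_FLAG_ALLOW_RETRY dumps (both culprit handle_userfault, both syz-executor7) into one group and leaves the tcp_try_coalesce BUG as the single distinct finding, while avc_summary() shows that every AVC line carries permissive=1, so none of the binder or netlink denials changed what the fuzzer could do. The culprit heuristic is deliberately simple; a real triage pipeline should also strip the syscall-entry and page-fault frames at the bottom of a trace when comparing reports.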