BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor0/5188
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 5188 Comm: syz-executor0 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 a8c15b789b712f19 ffff8801cc6a7800 ffffffff81d028ed
 0000000000000001 ffffffff839fe3a0 ffffffff83cef6a0 ffff8800b12c0000
 0000000000000003 ffff8801cc6a7840 ffffffff81d62834 ffffffff810002b8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] ? 0xffffffff810002b8
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
 [] SyS_sendto+0x40/0x50 net/socket.c:1633
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
mmap: syz-executor4 (5221) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
l2tp_core: tunl 2: fd 19 wrong protocol, got 1, expected 17
l2tp_core: tunl 2: fd 19 wrong protocol, got 1, expected 17
l2tp_core: tunl 2: fd 19 wrong protocol, got 1, expected 17
sd 0:0:1:0: [sg0] tag#224 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#224 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#224 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#224 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#224 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#224 CDB[30]: 00 00 00
sd 0:0:1:0: [sg0] tag#224 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#224 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#224 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#224 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#224 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#224 CDB[30]: 00 00 00
audit: type=1400 audit(1517383968.393:7): avc: denied { ioctl } for pid=5552 comm="syz-executor0" path="socket:[12538]" dev="sockfs" ino=12538 ioctlcmd=540e scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 5568:5572 ERROR: BC_REGISTER_LOOPER called without request
binder: 5568:5572 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 5568:5590 ERROR: BC_REGISTER_LOOPER called without request
binder: 5608:5614 BC_INCREFS_DONE u0000000000000000 no match
binder: 5608:5628 BC_INCREFS_DONE u0000000000000000 no match
tmpfs: No value for mount option '3VxZTݕZ4"q,1'
tmpfs: No value for mount option '3VxZTݕZ4"q,1'
audit: type=1400 audit(1517383968.973:8): avc: denied { create } for pid=5714 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
capability: warning: `syz-executor6' uses 32-bit capabilities (legacy support in use)
audit: type=1400 audit(1517383969.183:9): avc: denied { set_context_mgr } for pid=5772 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1517383969.863:10): avc: denied { write } for pid=5961 comm="syz-executor2" path="socket:[12769]" dev="sockfs" ino=12769 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1517383969.893:11): avc: denied { create } for pid=5967 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
audit: type=1400 audit(1517383969.933:12): avc: denied { setopt } for pid=5961 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
TCP: request_sock_TCP: Possible SYN flooding on port 20022. Sending cookies. Check SNMP counters.
binder: 6064:6074 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 6064:6076 tried to acquire reference to desc 0, got 1 instead
binder: 6064:6074 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6085:6089 transaction failed 29201/-22, size 0--4880856391614455847 line 3128
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6085:6104 ioctl 40046207 0 returned -16
binder_alloc: 6085: binder_alloc_buf, no vma
binder: 6085:6089 transaction failed 29189/-3, size 0--4880856391614455847 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
syz-executor0 uses obsolete (PF_INET,SOCK_PACKET)
netlink: 7 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 7 bytes leftover after parsing attributes in process `syz-executor3'.
device gre0 entered promiscuous mode
audit_printk_skb: 21 callbacks suppressed
audit: type=1400 audit(1517383972.133:20): avc: denied { setattr } for pid=6538 comm="syz-executor1" name="fdinfo" dev="proc" ino=13370 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/6556
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 6556 Comm: syz-executor1 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ad56c1efb65a2cd6 ffff8800b9c6f6c8 ffffffff81d028ed
 0000000000000000 ffffffff839fe3a0 ffffffff83d0b8a0 ffff8800a9f297c0
 0000000000000003 ffff8800b9c6f708 ffffffff81d62834 ffff8800b9c6f720
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x980 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2058
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2084
 [] pfkey_msg2xfrm_state net/key/af_key.c:1289 [inline]
 [] pfkey_add+0x1fbb/0x3490 net/key/af_key.c:1506
 [] pfkey_process+0x68b/0x750 net/key/af_key.c:2834
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3678
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] ___sys_sendmsg+0x6c1/0x7c0 net/socket.c:1962
 [] __sys_sendmsg+0xd3/0x190 net/socket.c:1996
 [] SYSC_sendmsg net/socket.c:2007 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2003
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/6556
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 0 PID: 6556 Comm: syz-executor1 Not tainted 4.4.113-g962d1f3 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 ad56c1efb65a2cd6 ffff8800b9c6f6c8 ffffffff81d028ed
 0000000000000000 ffffffff839fe3a0 ffffffff83d0b8a0 ffff8800a9f297c0
 0000000000000003 ffff8800b9c6f708 ffffffff81d62834 ffff8800b9c6f720
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [] ipcomp_init_state+0x188/0x980 net/xfrm/xfrm_ipcomp.c:363
 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2058
 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2084
 [] pfkey_msg2xfrm_state net/key/af_key.c:1289 [inline]
 [] pfkey_add+0x1fbb/0x3490 net/key/af_key.c:1506
 [] pfkey_process+0x68b/0x750 net/key/af_key.c:2834
 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3678
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] ___sys_sendmsg+0x6c1/0x7c0 net/socket.c:1962
 [] __sys_sendmsg+0xd3/0x190 net/socket.c:1996
 [] SYSC_sendmsg net/socket.c:2007 [inline]
 [] SyS_sendmsg+0x2d/0x50 net/socket.c:2003
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket
device syz4 entered promiscuous mode
device syz4 left promiscuous mode
audit: type=1400 audit(1517383973.853:21): avc: denied { getattr } for pid=6751 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 6812:6814 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517383974.123:22): avc: denied { transfer } for pid=6812 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 6812:6829 ioctl c0306201 20009000 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6812:6829 ioctl 40046207 0 returned -16
binder_alloc: 6812: binder_alloc_buf, no vma
binder: 6812:6814 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 12, process died.
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
device gre0 entered promiscuous mode