BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/7587 caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 CPU: 0 PID: 7587 Comm: syz-executor4 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 f310af3eb1afa706 ffff8800b97076b8 ffffffff81cc9b4f 0000000000000000 ffffffff839fd4a0 ffff8800b97076f8 ffffffff81d28d58 ffffffff83d093a0 ffff8801da767910 dffffc0000000000 ffffffff83cff4e0 Call Trace: [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x168/0x8e0 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0x9e/0x840 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x354/0xa40 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0xe/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1281 [inline] [] pfkey_add+0x1e18/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor1/7594 caller is __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 CPU: 1 PID: 7594 Comm: syz-executor1 Not tainted 4.4.105-g36205b7 #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 70b31447aab24c7b ffff8800b90af6b8 ffffffff81cc9b4f 0000000000000001 ffffffff839fd4a0 ffff8800b90af6f8 ffffffff81d28d58 ffffffff83d093a0 ffff8801d3deeeb0 dffffc0000000000 ffffffff83cff4e0 Call Trace: [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51 [] check_preemption_disabled+0x1b8/0x1f0 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x13/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x168/0x8e0 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0x9e/0x840 /syzkaller/managers/android-44-kasan-gce/kernel/net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x354/0xa40 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0xe/0x10 /syzkaller/managers/android-44-kasan-gce/kernel/net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1281 [inline] [] pfkey_add+0x1e18/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. audit: type=1400 audit(1513080914.290:18): avc: denied { create } for pid=7891 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 audit: type=1400 audit(1513080915.090:19): avc: denied { set_context_mgr } for pid=8162 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 audit: type=1400 audit(1513080915.180:20): avc: denied { call } for pid=8162 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder: BINDER_SET_CONTEXT_MGR already set binder: 8192:8203 got transaction with too large buffer binder: 8192:8203 transaction failed 29201/-22, size 40-48 line 3290 binder: 8162:8204 ioctl 40046207 0 returned -16 binder_alloc: 8162: binder_alloc_buf, no vma binder: 8162:8196 transaction failed 29189/-3, size 40-48 line 3131 binder_alloc: 8162: binder_alloc_buf, no vma binder: 8162:8178 transaction failed 29189/-3, size 40-48 line 3131 binder_alloc: binder_alloc_mmap_handler: 8192 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 8192:8229 ioctl 40046207 0 returned -16 audit: type=1400 audit(1513080915.800:21): avc: denied { listen } for pid=8388 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket binder_alloc: 8483: binder_alloc_buf, no vma binder: 8483:8484 transaction failed 29189/-3, size 40-48 line 3131 binder_alloc: 8483: binder_alloc_buf, no vma binder: BINDER_SET_CONTEXT_MGR already set binder: 8483:8496 transaction failed 29189/-3, size 40-48 line 3131 binder: 8483:8484 ioctl 40046207 0 returned -16 binder: 8513:8518 got transaction with too large buffer binder: 8513:8518 transaction failed 29201/-22, size 40-48 line 3290 binder_alloc: binder_alloc_mmap_handler: 8513 20000000-20002000 already mapped failed -16 binder_alloc: 8513: binder_alloc_buf, no vma binder: BINDER_SET_CONTEXT_MGR already set binder: 8513:8518 ioctl 40046207 0 returned -16 binder: 8513:8545 transaction failed 29189/-3, size 40-48 line 3131 binder: 8600:8621 ioctl c0306201 20008000 returned -14 binder_alloc: binder_alloc_mmap_handler: 8600 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 8600:8604 ioctl 40046207 0 returned -16 binder: 8600:8632 ioctl c0306201 20008000 returned -14 binder: 8797:8802 got transaction with invalid offset (56, min 0 max 24) or object. binder: 8797:8802 transaction failed 29201/-22, size 24-48 line 3194 binder_alloc: binder_alloc_mmap_handler: 8797 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 8797:8818 ioctl 40046207 0 returned -16 binder_alloc: 8797: binder_alloc_buf, no vma binder: 8797:8840 transaction failed 29189/-3, size 24-48 line 3131 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket binder: 9031:9032 got transaction with too large buffer binder: 9031:9032 transaction failed 29201/-22, size 40-48 line 3290 binder_alloc: binder_alloc_mmap_handler: 9031 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9031:9032 ioctl 40046207 0 returned -16 binder_alloc: 9031: binder_alloc_buf, no vma binder: 9031:9045 transaction failed 29189/-3, size 40-48 line 3131 binder: 9170:9171 got transaction with too large buffer binder: 9170:9171 transaction failed 29201/-22, size 40-48 line 3290 binder: BINDER_SET_CONTEXT_MGR already set binder: 9170:9199 ioctl 40046207 0 returned -16 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket nla_parse: 6 callbacks suppressed netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. binder: 9303:9305 got transaction with too large buffer binder: 9303:9305 transaction failed 29201/-22, size 40-48 line 3290 binder_alloc: binder_alloc_mmap_handler: 9303 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9303:9308 ioctl 40046207 0 returned -16 netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. IPVS: Creating netns size=2552 id=9 netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'. binder: 9808:9812 got transaction with too large buffer binder: 9808:9812 transaction failed 29201/-22, size 40-48 line 3290 binder_alloc: binder_alloc_mmap_handler: 9808 20000000-20002000 already mapped failed -16 binder_alloc: 9808: binder_alloc_buf, no vma binder: BINDER_SET_CONTEXT_MGR already set binder: 9808:9812 ioctl 40046207 0 returned -16 binder: 9808:9821 transaction failed 29189/-3, size 40-48 line 3131 binder: 9842:9843 got transaction with too large buffer binder: 9842:9843 transaction failed 29201/-22, size 40-48 line 3290 binder: BINDER_SET_CONTEXT_MGR already set binder: 9842:9865 ioctl 40046207 0 returned -16 device gre0 entered promiscuous mode audit: type=1400 audit(1513080922.110:22): avc: denied { setopt } for pid=10160 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket device gre0 entered promiscuous mode