audit: type=1400 audit(1519567503.862:4929): avc: denied { net_admin } for pid=4287 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 ====================================================== WARNING: possible circular locking dependency detected 4.16.0-rc2+ #328 Not tainted ------------------------------------------------------ audit: type=1400 audit(1519567503.917:4930): avc: denied { net_admin } for pid=4300 comm="syz-executor7" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 syz-executor7/14428 is trying to acquire lock: (&mm->mmap_sem){++++}, at: [<00000000e3dcf823>] __might_fault+0xe0/0x1d0 mm/memory.c:4570 but task is already holding lock: (ashmem_mutex){+.+.}, at: [<000000006603faea>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline] (ashmem_mutex){+.+.}, at: [<000000006603faea>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: audit: type=1400 audit(1519567503.919:4931): avc: denied { net_admin } for pid=4300 comm="syz-executor7" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 -> #1 (ashmem_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 audit: type=1400 audit(1519567503.935:4932): avc: denied { net_admin } for pid=4299 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362 call_mmap include/linux/fs.h:1786 [inline] mmap_region+0xa99/0x15a0 mm/mmap.c:1705 do_mmap+0x6c0/0xe00 mm/mmap.c:1483 do_mmap_pgoff include/linux/mm.h:2223 [inline] vm_mmap_pgoff+0x1de/0x280 mm/util.c:355 audit: type=1400 audit(1519567503.943:4933): avc: denied { net_admin } for pid=4287 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 SYSC_mmap_pgoff mm/mmap.c:1533 [inline] SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491 SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #0 audit: type=1400 audit(1519567503.946:4934): avc: denied { dac_override } for pid=14409 comm="syz-executor3" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 (&mm->mmap_sem){++++}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __might_fault+0x13a/0x1d0 mm/memory.c:4571 _copy_from_user+0x2c/0x110 lib/usercopy.c:10 audit: type=1400 audit(1519567503.952:4935): avc: denied { net_raw } for pid=14408 comm="syz-executor0" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 copy_from_user include/linux/uaccess.h:147 [inline] ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline] ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782 vfs_ioctl fs/ioctl.c:46 [inline] do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 audit: type=1400 audit(1519567503.955:4936): avc: denied { sys_admin } for pid=14407 comm="syz-executor5" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 entry_SYSCALL_64_after_hwframe+0x42/0xb7 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by syz-executor7/14428: #0: (ashmem_mutex){+.+.}, at: [<000000006603faea>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline] #0: (ashmem_mutex){+.+.}, at: [<000000006603faea>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782 stack backtrace: CPU: 0 PID: 14428 Comm: syz-executor7 Not tainted 4.16.0-rc2+ #328 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223 check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1976 [inline] validate_chain kernel/locking/lockdep.c:2417 [inline] __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __might_fault+0x13a/0x1d0 mm/memory.c:4571 _copy_from_user+0x2c/0x110 lib/usercopy.c:10 copy_from_user include/linux/uaccess.h:147 [inline] ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline] ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782 vfs_ioctl fs/ioctl.c:46 [inline] do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453de9 RSP: 002b:00007f01834cac68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f01834cb6d4 RCX: 0000000000453de9 RDX: 0000000000000000 RSI: 0000000000007709 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000017a R14: 00000000006f2410 R15: 0000000000000000 xt_limit: Overflow, try lower: 0/0 netlink: 'syz-executor0': attribute type 18 has an invalid length. x86/PAT: syz-executor2:14588 map pfn RAM range req write-combining for [mem 0x1c6a90000-0x1c6a93fff], got write-back netlink: 'syz-executor0': attribute type 18 has an invalid length. x_tables: ip6_tables: TCPOPTSTRIP target: only valid in mangle table, not security x_tables: ip6_tables: TCPOPTSTRIP target: only valid in mangle table, not security binder: 14704:14709 ERROR: BC_REGISTER_LOOPER called without request binder: 14704:14717 ERROR: BC_REGISTER_LOOPER called without request do_dccp_setsockopt: sockopt(CHANGE_L/R) is deprecated: fix your app device eql entered promiscuous mode binder_alloc: binder_alloc_mmap_handler: 15029 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 15029:15057 ioctl 40046207 0 returned -16 xt_connbytes: Forcing CT accounting to be enabled QAT: Invalid ioctl QAT: Invalid ioctl TCP: request_sock_TCP: Possible SYN flooding on port 20026. Sending cookies. Check SNMP counters. kauditd_printk_skb: 770 callbacks suppressed audit: type=1400 audit(1519567508.806:5707): avc: denied { net_admin } for pid=4299 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567508.845:5708): avc: denied { net_admin } for pid=4298 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567508.846:5709): avc: denied { net_raw } for pid=15222 comm="syz-executor0" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567508.846:5710): avc: denied { dac_read_search } for pid=15218 comm="syz-executor1" capability=2 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567508.846:5711): avc: denied { sys_admin } for pid=15220 comm="syz-executor4" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567508.870:5712): avc: denied { sys_admin } for pid=15220 comm="syz-executor4" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567508.870:5713): avc: denied { net_admin } for pid=5977 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567508.895:5714): avc: denied { dac_read_search } for pid=15218 comm="syz-executor1" capability=2 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567508.895:5715): avc: denied { map_create } for pid=15227 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 audit: type=1400 audit(1519567508.895:5716): avc: denied { map_read map_write } for pid=15227 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1 rfkill: input handler disabled rfkill: input handler enabled QAT: Invalid ioctl QAT: Invalid ioctl netlink: 24 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 24 bytes leftover after parsing attributes in process `syz-executor1'. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 0 PID: 15446 Comm: syz-executor4 Not tainted 4.16.0-rc2+ #328 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3539 kmem_cache_zalloc include/linux/slab.h:691 [inline] avc_alloc_node+0x27/0x4d0 security/selinux/avc.c:549 avc_insert security/selinux/avc.c:668 [inline] avc_compute_av+0x22a/0x710 security/selinux/avc.c:974 avc_has_perm_noaudit+0x3ee/0x520 security/selinux/avc.c:1110 cred_has_capability+0x18c/0x3d0 security/selinux/hooks.c:1743 selinux_capable+0x36/0x40 security/selinux/hooks.c:2239 security_capable+0x82/0xc0 security/security.c:278 ns_capable_common+0x11a/0x160 kernel/capability.c:375 ns_capable+0x22/0x30 kernel/capability.c:397 may_mount fs/namespace.c:1664 [inline] SYSC_umount fs/namespace.c:1693 [inline] SyS_umount+0xf3/0x460 fs/namespace.c:1683 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453de9 RSP: 002b:00007f647d023c68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: ffffffffffffffda RBX: 00007f647d0246d4 RCX: 0000000000453de9 RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000020000580 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000013 R13: 000000000000064a R14: 00000000006f9790 R15: 0000000000000000 device bridge0 entered promiscuous mode device bridge0 left promiscuous mode sctp: [Deprecated]: syz-executor6 (pid 16004) Use of int in maxseg socket option. Use struct sctp_assoc_value instead sctp: [Deprecated]: syz-executor6 (pid 16012) Use of int in maxseg socket option. Use struct sctp_assoc_value instead x86/PAT: syz-executor7:16145 map pfn RAM range req write-combining for [mem 0x1c6a90000-0x1c6a93fff], got write-back x86/PAT: syz-executor7:16148 map pfn RAM range req write-combining for [mem 0x1bac30000-0x1bac33fff], got write-back x86/PAT: syz-executor7:16171 map pfn RAM range req write-combining for [mem 0x1c6a90000-0x1c6a93fff], got write-back kernel msg: ebtables bug: please report to author: counter_offset != totalcnt kernel msg: ebtables bug: please report to author: counter_offset != totalcnt kauditd_printk_skb: 978 callbacks suppressed audit: type=1400 audit(1519567513.823:6695): avc: denied { net_admin } for pid=5977 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567513.884:6696): avc: denied { net_admin } for pid=16262 comm="syz-executor2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 xt_connbytes: Forcing CT accounting to be enabled audit: type=1400 audit(1519567513.886:6697): avc: denied { net_raw } for pid=16269 comm="syz-executor0" capability=13 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519567513.888:6698): avc: denied { sys_admin } for pid=16266 comm="syz-executor4" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1