======================================================
WARNING: possible circular locking dependency detected
4.16.0-rc3+ #335 Not tainted
------------------------------------------------------
syz-executor2/5907 is trying to acquire lock:
 (&mm->mmap_sem){++++}, at: [<000000009b02b6b8>] __might_fault+0xe0/0x1d0 mm/memory.c:4570

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<000000000fb9cb25>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 (ashmem_mutex){+.+.}, at: [<000000000fb9cb25>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362
       call_mmap include/linux/fs.h:1786 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1705
       do_mmap+0x6c0/0xe00 mm/mmap.c:1483
       do_mmap_pgoff include/linux/mm.h:2223 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:355
       SYSC_mmap_pgoff mm/mmap.c:1533 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&mm->mmap_sem){++++}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __might_fault+0x13a/0x1d0 mm/memory.c:4571
       _copy_from_user+0x2c/0x110 lib/usercopy.c:10
       copy_from_user include/linux/uaccess.h:147 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
       ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
       vfs_ioctl fs/ioctl.c:46 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor2/5907:
 #0:  (ashmem_mutex){+.+.}, at: [<000000000fb9cb25>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 #0:  (ashmem_mutex){+.+.}, at: [<000000000fb9cb25>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

stack backtrace:
CPU: 1 PID: 5907 Comm: syz-executor2 Not tainted 4.16.0-rc3+ #335
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 __might_fault+0x13a/0x1d0 mm/memory.c:4571
 _copy_from_user+0x2c/0x110 lib/usercopy.c:10
 copy_from_user include/linux/uaccess.h:147 [inline]
 ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
 ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453d69
RSP: 002b:00007fbb22b2bc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fbb22b2c6d4 RCX: 0000000000453d69
RDX: 0000000000000000 RSI: 0000000000007709 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000189
R14: 00000000006f2578 R15: 0000000000000000