syzbot


BUG: using __this_cpu_read() in preemptible code in print_circular_bug

Status: closed as invalid on 2018/02/06 17:30
First crash: 2480d, last: 2479d

Sample crash report:
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/8563
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 8563 Comm: syz-executor4 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
device lo entered promiscuous mode
 ffff8801c6d47478 ffffffff81d94b69 0000000000000001 ffffffff83c18800
 ffffffff83f454c0 ffff8801b4270000 0000000000000003 ffff8801c6d474b8
 ffffffff81dfc144 ffff8801c6d474d0 ffffffff83f454c0 dffffc0000000000
 [<ffffffff81d94b69>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94b69>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81dfc144>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [<ffffffff81dfc1ac>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [<ffffffff833fcdd8>] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 [<ffffffff833fcdd8>] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 [<ffffffff83512ee5>] ipcomp6_init_state+0xb5/0x820 net/ipv6/ipcomp6.c:165
 [<ffffffff833db4c7>] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 [<ffffffff833fa626>] xfrm_state_construct net/xfrm/xfrm_user.c:590 [inline]
 [<ffffffff833fa626>] xfrm_add_sa+0x1916/0x2e40 net/xfrm/xfrm_user.c:639
 [<ffffffff833eac73>] xfrm_user_rcv_msg+0x413/0x6a0 net/xfrm/xfrm_user.c:2525
 [<ffffffff8309537e>] netlink_rcv_skb+0x13e/0x370 net/netlink/af_netlink.c:2351
 [<ffffffff833e716f>] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2533
 [<ffffffff83093f01>] netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
 [<ffffffff83093f01>] netlink_unicast+0x511/0x750 net/netlink/af_netlink.c:1301
 [<ffffffff83094a28>] netlink_sendmsg+0x8e8/0xc50 net/netlink/af_netlink.c:1847
 [<ffffffff82ed7baa>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed7baa>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed97a1>] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
 [<ffffffff82edb7d6>] __sys_sendmsg+0xd6/0x190 net/socket.c:2003
 [<ffffffff82edb8bd>] SYSC_sendmsg net/socket.c:2014 [inline]
 [<ffffffff82edb8bd>] SyS_sendmsg+0x2d/0x50 net/socket.c:2010
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
device lo left promiscuous mode
binder: 8564:8571 got transaction with fd, -1, but target does not allow fds
binder: 8564:8571 transaction failed 29201/-1, size 24-16 line 3232
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8610:8613 got transaction with invalid offset (40, min 0 max 24) or object.
binder: 8610:8613 transaction failed 29201/-22, size 24-8 line 3190
binder: undelivered TRANSACTION_ERROR: 29201
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 8630:8636 got transaction with invalid offset (40, min 0 max 24) or object.
binder: 8630:8636 transaction failed 29201/-22, size 24-8 line 3190
binder: 8630:8654 got transaction to invalid handle
binder: 8630:8654 transaction failed 29201/-22, size 0-8 line 3004
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8665:8675 got transaction with invalid offset (40, min 0 max 24) or object.
binder: 8665:8675 transaction failed 29201/-22, size 24-8 line 3190
binder: 8665:8692 got transaction to invalid handle
binder: 8665:8692 transaction failed 29201/-22, size 0-8 line 3004
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8699:8713 got transaction with fd, -1, but target does not allow fds
binder: 8699:8713 transaction failed 29201/-1, size 24-8 line 3232
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8739:8742 got transaction with fd, -1, but target does not allow fds
binder: 8739:8742 transaction failed 29201/-1, size 24-8 line 3232
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8773:8784 got transaction with fd, -1, but target does not allow fds
binder: 8773:8784 transaction failed 29201/-1, size 24-8 line 3232
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8827:8838 got transaction with fd, -1, but target does not allow fds
binder: 8827:8838 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 8827 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8827:8838 ioctl 40046207 0 returned -16
binder_alloc: 8827: binder_alloc_buf, no vma
binder: 8827:8861 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8869:8873 ioctl 40046207 0 returned -16
binder: 8869:8873 got transaction with fd, -1, but target does not allow fds
binder: 8869:8873 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 8869 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8869:8873 ioctl 40046207 0 returned -16
binder: 8869:8873 got transaction with fd, -1, but target does not allow fds
binder: 8869:8873 transaction failed 29201/-1, size 24-8 line 3232
binder: release 8863:8870 transaction 198 out, still active
binder: release 8863:8870 transaction 196 in, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 8862:8874 got transaction with fd, -1, but target does not allow fds
binder: 8862:8874 transaction failed 29201/-1, size 24-8 line 3232
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8863:8884 ioctl 40046207 0 returned -16
binder_alloc: 8863: binder_alloc_buf, no vma
binder: 8863:8884 transaction failed 29189/-3, size 0-0 line 3127
binder_alloc: 8863: binder_alloc_buf, no vma
binder: 8863:8870 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8895:8905 ioctl 40046207 0 returned -16
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 8895:8905 transaction failed 29189/-3, size 24-8 line 3127
binder_alloc: binder_alloc_mmap_handler: 8895 20000000-20002000 already mapped failed -16
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8895:8905 ioctl 40046207 0 returned -16
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 8895:8905 transaction failed 29189/-3, size 24-8 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8939:8940 ioctl 40046207 0 returned -16
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 8939:8951 transaction failed 29189/-3, size 24-8 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8939:8940 ioctl 40046207 0 returned -16
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 8939:8940 transaction failed 29189/-3, size 24-8 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8988:8991 ioctl 40046207 0 returned -16
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 8988:8991 transaction failed 29189/-3, size 24-8 line 3127
binder_alloc: binder_alloc_mmap_handler: 8988 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8988:8991 ioctl 40046207 0 returned -16
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 8988:8991 transaction failed 29189/-3, size 24-8 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9011:9013 ioctl 40046207 0 returned -16
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 9011:9013 transaction failed 29189/-3, size 24-8 line 3127
binder_alloc: binder_alloc_mmap_handler: 9011 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9011:9013 ioctl 40046207 0 returned -16
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 9011:9022 transaction failed 29189/-3, size 24-8 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9016:9032 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9027:9031 ioctl 40046207 0 returned -16
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 9027:9031 transaction failed 29189/-3, size 24-8 line 3127
binder_alloc: binder_alloc_mmap_handler: 9027 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9027:9031 ioctl 40046207 0 returned -16
binder_alloc: 8862: binder_alloc_buf, no vma
binder: 9027:9031 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 8863:8884 transaction 196 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 198, target dead
binder: send failed reply for transaction 196, target dead
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9060:9072 got transaction with fd, -1, but target does not allow fds
binder: 9060:9072 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9060 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9060:9072 ioctl 40046207 0 returned -16
binder_alloc: 9060: binder_alloc_buf, no vma
binder: 9060:9087 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9101:9108 got transaction with fd, -1, but target does not allow fds
binder: 9101:9108 transaction failed 29201/-1, size 24-8 line 3232
device eql entered promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 9101 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9101:9108 ioctl 40046207 0 returned -16
binder_alloc: 9101: binder_alloc_buf, no vma
binder: 9101:9108 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9158:9162 got transaction with fd, -1, but target does not allow fds
binder: 9158:9162 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9158 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9158:9162 ioctl 40046207 0 returned -16
binder_alloc: 9158: binder_alloc_buf, no vma
binder: 9158:9193 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
IPv6: Can't replace route, no match found
binder: 9207:9213 ioctl 40206435 20ccffe0 returned -22
binder: 9207:9213 got transaction with fd, -1, but target does not allow fds
binder: 9207:9213 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9207 20000000-20002000 already mapped failed -16
binder: 9207:9213 ioctl 40206435 20ccffe0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9207:9237 ioctl 40046207 0 returned -16
binder_alloc: 9207: binder_alloc_buf, no vma
binder: 9207:9241 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9245:9258 got transaction with fd, -1, but target does not allow fds
binder: 9245:9258 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9245 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9245:9258 ioctl 40046207 0 returned -16
binder_alloc: 9245: binder_alloc_buf, no vma
binder: 9245:9275 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
updating oom_score_adj for 9325 (syz-executor4) from 0 to 0 because it shares mm with 9314 (syz-executor4). Report if this is unexpected.
binder_alloc: 9307: binder_alloc_buf, no vma
binder: 9307:9322 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
updating oom_score_adj for 9345 (syz-executor4) from 0 to 0 because it shares mm with 9314 (syz-executor4). Report if this is unexpected.
binder: 9349:9353 unknown command 0
binder: 9349:9353 ioctl c0306201 20008000 returned -22
binder_alloc: binder_alloc_mmap_handler: 9349 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9349:9353 ioctl 40046207 0 returned -16
binder: 9349:9363 unknown command 0
binder: 9349:9363 ioctl c0306201 20008000 returned -22
binder: 9382:9392 got transaction with fd, -1, but target does not allow fds
binder: 9382:9392 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9382 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9382:9401 ioctl 40046207 0 returned -16
binder_alloc: 9382: binder_alloc_buf, no vma
binder: 9382:9401 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9434:9437 got transaction with invalid offsets size, 835
binder: 9434:9437 transaction failed 29201/-22, size 24-835 line 3163
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9434:9441 ioctl 40046207 0 returned -16
binder_alloc: 9434: binder_alloc_buf, no vma
binder: 9434:9437 transaction failed 29189/-3, size 24-835 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9445:9456 got transaction with fd, -1, but target does not allow fds
binder: 9445:9456 transaction failed 29201/-1, size 24-8 line 3232
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9445:9466 ioctl 40046207 0 returned -16
binder_alloc: 9445: binder_alloc_buf, no vma
binder: 9445:9466 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
SELinux: ebitmap: truncated map
binder: 9549:9550 got transaction with fd, -1, but target does not allow fds
binder: 9549:9550 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9549 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9549:9550 ioctl 40046207 0 returned -16
binder_alloc: 9549: binder_alloc_buf, no vma
binder: 9549:9550 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=44 sclass=netlink_tcpdiag_socket pig=9603 comm=syz-executor1
binder: 9579:9587 got transaction with fd, -1, but target does not allow fds
binder: 9579:9587 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9579 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9579:9587 ioctl 40046207 0 returned -16
binder_alloc: 9579: binder_alloc_buf, no vma
binder: 9579:9605 transaction failed 29189/-3, size 24-8 line 3127
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=44 sclass=netlink_tcpdiag_socket pig=9613 comm=syz-executor1
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9618:9619 got transaction with fd, -1, but target does not allow fds
binder: 9618:9619 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9618 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9618:9619 ioctl 40046207 0 returned -16
binder_alloc: 9618: binder_alloc_buf, no vma
binder: 9618:9619 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9643:9650 got transaction with fd, -1, but target does not allow fds
binder: 9643:9650 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9643 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9643:9650 ioctl 40046207 0 returned -16
binder_alloc: 9643: binder_alloc_buf, no vma
binder: 9643:9664 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device lo entered promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 9676:9680 transaction failed 29189/-22, size 24-8 line 3004
syz-executor1 (9682) used greatest stack depth: 23184 bytes left
binder: 9676:9690 transaction failed 29189/-22, size 24-8 line 3004
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: 9722:9724 got transaction with fd, -1, but target does not allow fds
binder: 9722:9724 transaction failed 29201/-1, size 24-8 line 3232
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9722:9741 ioctl 40046207 0 returned -16
binder_alloc: 9722: binder_alloc_buf, no vma
binder: 9722:9741 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9783:9786 got transaction with fd, -1, but target does not allow fds
binder: 9783:9786 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9783 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9783:9786 ioctl 40046207 0 returned -16
binder_alloc: 9783: binder_alloc_buf, no vma
binder: 9783:9786 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9801:9810 got transaction with fd, -1, but target does not allow fds
binder: 9801:9810 transaction failed 29201/-1, size 24-8 line 3232
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9821:9823 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9801:9825 ioctl 40046207 0 returned -16
binder_alloc: 9801: binder_alloc_buf, no vma
binder: 9801:9825 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: 9821:9833 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9821:9833 transaction failed 29189/-22, size 0-0 line 3004
binder: 9821:9840 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29189
binder: 9821:9833 unknown command 76
binder: 9821:9833 ioctl c0306201 2000a000 returned -22
binder: 9821:9844 got reply transaction with no transaction stack
binder: 9821:9844 transaction failed 29201/-71, size 24-8 line 2920
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9849:9860 got transaction with invalid offset (56, min 0 max 24) or object.
binder: 9849:9860 transaction failed 29201/-22, size 24-8 line 3190
binder_alloc: binder_alloc_mmap_handler: 9849 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9849:9860 ioctl 40046207 0 returned -16
binder_alloc: 9849: binder_alloc_buf, no vma
binder: 9849:9892 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1400 audit(1517937194.772:38): avc:  denied  { setpcap } for  pid=9912 comm="syz-executor4" capability=8  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: 9908:9911 got transaction with fd, -1, but target does not allow fds
binder: 9908:9911 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9908 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9908:9911 ioctl 40046207 0 returned -16
binder_alloc: 9908: binder_alloc_buf, no vma
binder: 9908:9925 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9934:9937 got transaction with fd, -1, but target does not allow fds
binder: 9934:9937 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9934 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9934:9937 ioctl 40046207 0 returned -16
binder_alloc: 9934: binder_alloc_buf, no vma
binder: 9934:9944 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9952:9955 got transaction with fd, -1, but target does not allow fds
binder: 9952:9955 transaction failed 29201/-1, size 24-8 line 3232
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9952:9961 ioctl 40046207 0 returned -16
binder_alloc: 9952: binder_alloc_buf, no vma
binder: 9952:9961 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 9972:9992 got transaction with fd, -1, but target does not allow fds
binder: 9972:9992 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 9972 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9972:9977 ioctl 40046207 0 returned -16
binder_alloc: 9972: binder_alloc_buf, no vma
binder: 9972:9977 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10004:10010 got transaction with fd, -1, but target does not allow fds
binder: 10004:10010 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10004 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10004:10010 ioctl 40046207 0 returned -16
binder_alloc: 10004: binder_alloc_buf, no vma
binder: 10004:10010 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10061:10066 ioctl 40046207 0 returned -16
binder: 10060:10077 got transaction with fd, -1, but target does not allow fds
binder: 10060:10077 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10060 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10060:10063 ioctl 40046207 0 returned -16
binder_alloc: 10060: binder_alloc_buf, no vma
binder: 10060:10063 transaction failed 29189/-3, size 24-8 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10061:10094 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10107:10110 ioctl 5462 2064a000 returned -22
binder: 10107:10110 got transaction with fd, -1, but target does not allow fds
binder: 10107:10110 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10107 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10107:10110 ioctl 40046207 0 returned -16
binder: 10107:10110 ioctl 5462 2064a000 returned -22
binder_alloc: 10107: binder_alloc_buf, no vma
binder: 10107:10110 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10176:10178 got transaction with fd, -1, but target does not allow fds
binder: 10176:10178 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10176 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10176:10178 ioctl 40046207 0 returned -16
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
binder_alloc: 10176: binder_alloc_buf, no vma
binder: 10176:10217 transaction failed 29189/-3, size 24-8 line 3127
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10241:10243 got transaction with fd, -1, but target does not allow fds
binder: 10241:10243 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10241 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10241:10243 ioctl 40046207 0 returned -16
binder_alloc: 10241: binder_alloc_buf, no vma
binder: 10241:10243 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: 10267:10273 got transaction with fd, -1, but target does not allow fds
binder: 10267:10273 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10267 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10267:10273 ioctl 40046207 0 returned -16
binder_alloc: 10267: binder_alloc_buf, no vma
binder: 10267:10288 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201

======================================================
[ INFO: possible circular locking dependency detected ]
4.9.80-g550c01d #29 Not tainted
-------------------------------------------------------
syz-executor5/10295 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){++++++}, at: [<ffffffff8148454f>] inode_lock include/linux/fs.h:746 [inline]
 (&sb->s_type->i_mutex_key#10){++++++}, at: [<ffffffff8148454f>] shmem_file_llseek+0xef/0x240 mm/shmem.c:2403
but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [<ffffffff82d49446>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
       ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379
       mmap_region+0x7dd/0xfd0 mm/mmap.c:1694
       do_mmap+0x57b/0xbe0 mm/mmap.c:1473
       do_mmap_pgoff include/linux/mm.h:2019 [inline]
       vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
       SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
       SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
       entry_SYSCALL_64_fastpath+0x29/0xe8

       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __might_fault+0x14a/0x1d0 mm/memory.c:3994
       copy_to_user arch/x86/include/asm/uaccess.h:718 [inline]
       filldir+0x1aa/0x340 fs/readdir.c:195
       dir_emit_dot include/linux/fs.h:3203 [inline]
       dir_emit_dots include/linux/fs.h:3214 [inline]
       dcache_readdir+0x12d/0x5e0 fs/libfs.c:191
       iterate_dir+0x4a6/0x5d0 fs/readdir.c:50
       SYSC_getdents fs/readdir.c:230 [inline]
       SyS_getdents+0x14a/0x2a0 fs/readdir.c:211
       entry_SYSCALL_64_fastpath+0x29/0xe8

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       down_write+0x41/0xa0 kernel/locking/rwsem.c:52
       inode_lock include/linux/fs.h:746 [inline]
       shmem_file_llseek+0xef/0x240 mm/shmem.c:2403
       vfs_llseek+0xa2/0xd0 fs/read_write.c:301
       ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355
       vfs_llseek fs/read_write.c:301 [inline]
       SYSC_lseek fs/read_write.c:314 [inline]
       SyS_lseek+0xeb/0x170 fs/read_write.c:305
       entry_SYSCALL_64_fastpath+0x29/0xe8

other info that might help us debug this:

Chain exists of:
 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor5/10295:
 #0:  (ashmem_mutex){+.+.+.}, at: [<ffffffff82d49446>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343

stack backtrace:
CPU: 0 PID: 10295 Comm: syz-executor5 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c6bcfb98 ffffffff81d94b69 ffffffff853a0d50 ffffffff853aaa40
 ffffffff853c20e0 ffff8801d564e8d8 ffff8801d564e000 ffff8801c6bcfbe0
 ffffffff81238641 ffff8801d564e8d8 00000000d564e8b0 ffff8801d564e8d8
Call Trace:
 [<ffffffff81d94b69>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94b69>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81238641>] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
 [<ffffffff8123ea79>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [<ffffffff8123ea79>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [<ffffffff8123ea79>] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [<ffffffff8123ea79>] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
 [<ffffffff8123fefe>] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 [<ffffffff838acc81>] down_write+0x41/0xa0 kernel/locking/rwsem.c:52
 [<ffffffff8148454f>] inode_lock include/linux/fs.h:746 [inline]
 [<ffffffff8148454f>] shmem_file_llseek+0xef/0x240 mm/shmem.c:2403
 [<ffffffff8156bb42>] vfs_llseek+0xa2/0xd0 fs/read_write.c:301
 [<ffffffff82d494d7>] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355
 [<ffffffff8156f5ab>] vfs_llseek fs/read_write.c:301 [inline]
 [<ffffffff8156f5ab>] SYSC_lseek fs/read_write.c:314 [inline]
 [<ffffffff8156f5ab>] SyS_lseek+0xeb/0x170 fs/read_write.c:305
 [<ffffffff838b346e>] entry_SYSCALL_64_fastpath+0x29/0xe8
binder: 10312:10317 got transaction with fd, -1, but target does not allow fds
binder: 10312:10317 transaction failed 29201/-1, size 24-8 line 3232
binder: 10331:10335 unknown command 1074815799
binder: 10331:10335 ioctl c0306201 20cdd000 returned -22
binder: 10331:10338 unknown command 1074815799
binder_alloc: binder_alloc_mmap_handler: 10312 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10312:10317 ioctl 40046207 0 returned -16
binder_alloc: 10312: binder_alloc_buf, no vma
binder: 10312:10317 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10331:10338 ioctl c0306201 20cdd000 returned -22
binder: 10347:10356 got transaction with fd, -1, but target does not allow fds
binder: 10347:10356 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10347 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10347:10356 ioctl 40046207 0 returned -16
binder_alloc: 10347: binder_alloc_buf, no vma
binder: 10347:10372 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10380:10383 got transaction with fd, -1, but target does not allow fds
binder: 10380:10383 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10380 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10380:10403 ioctl 40046207 0 returned -16
binder_alloc: 10380: binder_alloc_buf, no vma
binder: 10380:10433 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: binder_alloc_mmap_handler: 10452 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10452:10453 ioctl 40046207 0 returned -16
binder_alloc: 10452: binder_alloc_buf, no vma
binder: 10452:10453 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 10452:10453 transaction 311 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 311, target dead
binder: 10475:10476 got transaction with fd, -1, but target does not allow fds
binder: 10475:10476 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10475 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10475:10476 ioctl 40046207 0 returned -16
binder_alloc: 10475: binder_alloc_buf, no vma
binder: 10475:10498 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10510:10514 got transaction with fd, -1, but target does not allow fds
binder: 10510:10514 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10510 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10510:10514 ioctl 40046207 0 returned -16
binder_alloc: 10510: binder_alloc_buf, no vma
binder: 10510:10533 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10560:10567 got transaction with fd, -1, but target does not allow fds
binder: 10560:10567 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10560 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10560:10567 ioctl 40046207 0 returned -16
binder_alloc: 10560: binder_alloc_buf, no vma
binder: 10560:10594 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10606:10609 got transaction to invalid handle
binder: 10606:10609 transaction failed 29201/-22, size 80-16 line 3004
binder: 10606:10609 got transaction with fd, -1, but target does not allow fds
binder: 10606:10609 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10606 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10606:10609 ioctl 40046207 0 returned -16
binder: 10606:10651 got transaction to invalid handle
binder: 10606:10651 transaction failed 29201/-22, size 80-16 line 3004
binder_alloc: 10606: binder_alloc_buf, no vma
binder: 10606:10650 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10659:10660 got transaction with fd, -1, but target does not allow fds
binder: 10659:10660 transaction failed 29201/-1, size 24-8 line 3232
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10682:10683 ioctl 40046207 0 returned -16
binder: 10682:10683 got transaction to invalid handle
binder: 10682:10683 transaction failed 29201/-22, size 80-16 line 3004

Crashes (2):
Time              Kernel                                                       Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets  Manager                  Title
2018/02/06 17:13  https://android.googlesource.com/kernel/common android-4.9  550c01d0e051  66c15deb   .config  console log  report  -          -        -        -       ci-android-49-kasan-gce  -
2018/02/06 16:34  https://android.googlesource.com/kernel/common android-4.9  550c01d0e051  66c15deb   .config  console log  report  -          -        -        -       ci-android-49-kasan-gce  -