IPv4: Oversized IP packet from 127.0.0.1
======================================================
[ INFO: possible circular locking dependency detected ]
4.4.119-g855ea74 #28 Not tainted
-------------------------------------------------------
syz-executor3/18385 is trying to acquire lock:
 (&mm->mmap_sem){++++++}, at: [ 106.113950] SELinux: policydb version 1345060865 does not match my version range 15-30
SELinux: policydb version 1345060865 does not match my version range 15-30
 [] __might_fault+0xe4/0x1d0 mm/memory.c:3809

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:701 [inline]
 (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x367/0xfa0 drivers/staging/android/ashmem.c:778
binder: 18396:18398 ioctl c0306201 20000140 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 18396:18403 ioctl 40046207 0 returned -16
binder_alloc: 18396: binder_alloc_buf, no vma
binder: 18396:18403 transaction failed 29189/-3, size 0-0 line 3128
binder: 18396:18403 ioctl c0306201 20000140 returned -14
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 18396:18398 transaction 105 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 105, target dead

which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:

       [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366
       [] mmap_region+0x94f/0x1250 mm/mmap.c:1664
       [] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
       [] do_mmap_pgoff include/linux/mm.h:1915 [inline]
       [] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296
       [] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
       [] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449
       [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [] sysenter_flags_fixed+0xd/0x17

       [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
       [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [] __might_fault+0x14a/0x1d0 mm/memory.c:3810
       [] copy_from_user arch/x86/include/asm/uaccess.h:724 [inline]
       [] ashmem_pin_unpin drivers/staging/android/ashmem.c:706 [inline]
       [] ashmem_ioctl+0x3b4/0xfa0 drivers/staging/android/ashmem.c:778
       [] compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:809
       [] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
       [] compat_SyS_ioctl+0x28a/0x2540 fs/compat_ioctl.c:1544
       [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [] sysenter_flags_fixed+0xd/0x17

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor3/18385:
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:701 [inline]
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x367/0xfa0 drivers/staging/android/ashmem.c:778
stack backtrace:
CPU: 1 PID: 18385 Comm: syz-executor3 Not tainted 4.4.119-g855ea74 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 1a0796d8dcde3002 ffff8800aadf78a8 ffffffff81d0402d
 ffffffff851a0010 ffffffff851a0010 ffffffff851becd0 ffff8801d72568f8
 ffff8801d7256000 ffff8800aadf78f0 ffffffff81233ba1 ffff8801d72568f8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
 [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [] __might_fault+0x14a/0x1d0 mm/memory.c:3810
 [] copy_from_user arch/x86/include/asm/uaccess.h:724 [inline]
 [] ashmem_pin_unpin drivers/staging/android/ashmem.c:706 [inline]
 [] ashmem_ioctl+0x3b4/0xfa0 drivers/staging/android/ashmem.c:778
 [] compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:809
 [] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
 [] compat_SyS_ioctl+0x28a/0x2540 fs/compat_ioctl.c:1544
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17
tmpfs: Bad mount option 'MÏÄ7šß!G´MxMö³É
tmpfs: Bad mount option 'MÏÄ7šß!G´MxMö³É
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 18769:18772 got transaction with invalid data ptr
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 18769:18772 transaction failed 29201/-14, size 40-8 line 3147
binder: BINDER_SET_CONTEXT_MGR already set
binder: 18769:18781 ioctl 40046207 0 returned -16
binder_alloc: 18769: binder_alloc_buf, no vma
binder: 18769:18772 transaction failed 29189/-3, size 40-8 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 18788:18792 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
audit: type=1401 audit(1520074449.516:87): op=setxattr invalid_context=D0B4DD5341DB546C17964063927C20C2E065869AAA32F6801DB62E4F7F5E4B213D472C35B09B1D056F363F2003EE814AB9CBF8249357B874CCB7E80C9556B27E5576D18D69BEBAB91DDB99344D32235144314EE5655E3701D6047FF21F6E3BAD9A0B6E47C28E420B4F1B381B0355EF7C6566327DB055640611E8EDD03C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[ 108.042392] binder: 18788:18792 BC_DEAD_BINDER_DONE 0000000000000001 not found
binder: 18788:18792 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 18788:18792 tried to acquire reference to desc 0, got 1 instead
binder: 18788:18792 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 18788:18819 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
binder: 18788:18819 BC_DEAD_BINDER_DONE 0000000000000001 not found
binder: 18788:18819 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 18788:18819 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 18788:18819 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
audit: type=1401 audit(1520074449.636:88): op=setxattr invalid_context
binder: 18788:18792 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3
audit: type=1400 audit(1520074449.786:89): avc: denied { getopt } for pid=18830 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
PF_BRIDGE: RTM_SETLINK with unknown ifindex
PF_BRIDGE: RTM_SETLINK with unknown ifindex
audit: type=1326 audit(1520074450.456:90): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=18983 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=40000003 syscall=240 compat=1 ip=0xf77c8ba9 code=0x0
audit: type=1326 audit(1520074450.486:91): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=18983 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=40000003 syscall=240 compat=1 ip=0xf77c8ba9 code=0x0
SELinux: policydb magic number 0x0 does not match expected magic number 0xf97cff8c
SELinux: policydb magic number 0x0 does not match expected magic number 0xf97cff8c
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 19222 Comm: syz-executor6 Not tainted 4.4.119-g855ea74 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 961ee54294835852 ffff8801d315f940 ffffffff81d0402d
 ffff8800ac2ecd80 1ffff1003a62bf35 ffff8801d315fac8 0000000000000000
 0000000000000000 ffff8801d315faf0 ffffffff816072a5 ffffffff81237410
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
 [] do_anonymous_page mm/memory.c:2731 [inline]
 [] handle_pte_fault mm/memory.c:3295 [inline]
 [] __handle_mm_fault mm/memory.c:3426 [inline]
 [] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
 [] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
 [] compat_get_timespec+0xb6/0xe0 kernel/compat.c:180
 [] C_SYSC_clock_nanosleep kernel/compat.c:847 [inline]
 [] compat_SyS_clock_nanosleep+0xa7/0x2c0 kernel/compat.c:838
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17
IPVS: length: 413 != 24
IPVS: length: 413 != 24
audit: type=1400 audit(1520074452.106:92): avc: denied { create } for pid=19388 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1
binder: 19392:19398 ERROR: BC_REGISTER_LOOPER called without request
IPVS: length: 413 != 24
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19392:19399 ioctl 40046207 0 returned -16
binder_alloc: 19392: binder_alloc_buf, no vma
binder: 19392:19398 transaction failed 29189/-3, size 0-0 line 3128
binder: 19392:19399 ERROR: BC_REGISTER_LOOPER called without request
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
audit: type=1401 audit(1520074452.996:93): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:hald_exec_t:s0
sd 0:0:1:0: [sg0] tag#68 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
audit: type=1400 audit(1520074453.156:94): avc: denied { write } for pid=19611 comm="syz-executor3" path="socket:[42680]" dev="sockfs" ino=42680 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
sd 0:0:1:0: [sg0] tag#68 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#68 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#68 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#68 CDB[20]: 00 00 00
binder: 19728:19731 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
l2tp_ppp: sess 4/0: set debug=9d59c0f
00000000: 00 03 00 00 00 00 00 02 ff 03 ae d0 68 ab 64 f2  ............h.d.
00000010: cc                                               .
binder: 19826:19828 ioctl 5441 2 returned -22
binder: 19826:19833 ioctl 80404519 20001040 returned -22
binder_alloc: binder_alloc_mmap_handler: 19826 20000000-20002000 already mapped failed -16
binder: 20024:20033 got transaction to invalid handle
binder: 20024:20033 transaction failed 29201/-22, size -5422999730277281094-529090071758223803 line 3005
binder: 20024:20048 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 20024:20048 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 20024:20048 transaction failed 29189/-22, size 112-24 line 3005
binder: 20024:20033 got transaction to invalid handle
binder: 20024:20033 transaction failed 29201/-22, size -5422999730277281094-529090071758223803 line 3005
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1400 audit(1520074455.096:95): avc: denied { create } for pid=20158 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:semanage_trans_lock_t:s0 tclass=key permissive=1
binder: 20184:20186 unknown command 604529415
binder: 20184:20186 ioctl c0306201 20000500 returned -22
binder: 20225:20228 Acquire 1 refcount change on invalid ref 5 ret -22
binder: 20225:20228 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 20225:20228 ioctl 40046207 0 returned -16
binder: 20225:20233 Acquire 1 refcount change on invalid ref 5 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 20225:20240 ioctl 40046207 0 returned -16
binder: 20225:20233 IncRefs 0 refcount change on invalid ref 1 ret -22
SELinux: policydb string SE Linux does not match my string SE Linux
SELinux: policydb string SE Linux does not match my string SE Linux
Option 'D„Ú›Á´' to dns_resolver key: bad/missing value
Option 'D„Ú›Á´' to dns_resolver key: bad/missing value
binder: 20438:20442 ioctl 40046205 0 returned -22
binder: 20438:20459 ioctl 40046205 0 returned -22
binder: 20577:20582 unknown command 412594921
binder: 20577:20582 ioctl c0306201 20000340 returned -22
binder: 20577:20589 unknown command 412594921
binder: 20577:20589 ioctl c0306201 20000340 returned -22
binder: 20599:20605 ioctl c0306201 2000a000 returned -14
binder: 20599:20605 got transaction with invalid handle, 0
binder: 20599:20605 transaction failed 29201/-22, size 56-8 line 3220
binder: BINDER_SET_CONTEXT_MGR already set
binder: 20599:20612 ioctl 40046207 0 returned -16
binder: 20599:20605 ioctl c0306201 2000a000 returned -14
binder_alloc: 20599: binder_alloc_buf, no vma
binder: 20599:20612 transaction failed 29189/-3, size 56-8 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
IPv4: Oversized IP packet from 127.0.0.1