kauditd_printk_skb: 8 callbacks suppressed
audit: type=1400 audit(1520672053.551:30): avc: denied { map } for pid=6577 comm="syz-executor3" path="/dev/ashmem" dev="devtmpfs" ino=126 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1

======================================================
WARNING: possible circular locking dependency detected
4.16.0-rc4+ #258 Not tainted
------------------------------------------------------
syz-executor3/6579 is trying to acquire lock:
 (&mm->mmap_sem){++++}, at: [<0000000039da0790>] __might_fault+0xe0/0x1d0 mm/memory.c:4570

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<000000005cbc6066>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 (ashmem_mutex){+.+.}, at: [<000000005cbc6066>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362
       call_mmap include/linux/fs.h:1786 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1705
       do_mmap+0x6c0/0xe00 mm/mmap.c:1483
       do_mmap_pgoff include/linux/mm.h:2223 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:355
       SYSC_mmap_pgoff mm/mmap.c:1533 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491
       do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
       do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

-> #0 (&mm->mmap_sem){++++}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __might_fault+0x13a/0x1d0 mm/memory.c:4571
       _copy_from_user+0x2c/0x110 lib/usercopy.c:10
       copy_from_user include/linux/uaccess.h:147 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
       ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
       compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:813
       C_SYSC_ioctl fs/compat_ioctl.c:1461 [inline]
       compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1407
       do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
       do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor3/6579:
 #0:  (ashmem_mutex){+.+.}, at: [<000000005cbc6066>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 #0:  (ashmem_mutex){+.+.}, at: [<000000005cbc6066>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

stack backtrace:
CPU: 1 PID: 6579 Comm: syz-executor3 Not tainted 4.16.0-rc4+ #258
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 __might_fault+0x13a/0x1d0 mm/memory.c:4571
 _copy_from_user+0x2c/0x110 lib/usercopy.c:10
 copy_from_user include/linux/uaccess.h:147 [inline]
 ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
 ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
 compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:813
 C_SYSC_ioctl fs/compat_ioctl.c:1461 [inline]
 compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1407
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f07c99
RSP: 002b:00000000f770309c EFLAGS: 00000286 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 0000000000007709
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
audit: type=1400 audit(1520672054.118:31): avc: denied { map } for pid=6590 comm="syz-executor2" path="/proc/287/net/pfkey" dev="proc" ino=4026533059 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
audit: type=1400 audit(1520672054.804:32): avc: denied { set_context_mgr } for pid=6818 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 6818:6821 BC_FREE_BUFFER ufa06905aa58c99b0 no match
audit: type=1400 audit(1520672054.804:33): avc: denied { call } for pid=6818 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 6818:6821 unknown command 867962196
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: binder_alloc_mmap_handler: 6818 2000c000-20010000 already mapped failed -16
binder: 6818:6825 ioctl 40046207 0 returned -16
binder: 6818:6821 ioctl c0306201 20002fd0 returned -22
binder: 6818:6821 got new transaction with bad transaction stack, transaction 2 has target 6818:0
binder: 6818:6821 transaction failed 29201/-71, size 0-0 line 2875
binder: release 6818:6821 transaction 2 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 2, target dead
binder: 6833:6837 BC_FREE_BUFFER ufa06905aa58c99b0 no match
binder: 6833:6837 unknown command 867962196
binder: 6833:6837 ioctl c0306201 20002fd0 returned -22
binder: release 6833:6837 transaction 5 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 5, target dead
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 1 PID: 7235 Comm: syz-executor1 Not tainted 4.16.0-rc4+ #258
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc_trace+0x4b/0x740 mm/slab.c:3605
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:296 [inline]
 kvm_irqfd+0x16c/0x1d70 arch/x86/kvm/../../../virt/kvm/eventfd.c:572
 kvm_vm_ioctl+0x1124/0x1cf0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2997
 kvm_vm_compat_ioctl+0x2ed/0x3f0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3141
 C_SYSC_ioctl fs/compat_ioctl.c:1461 [inline]
 compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1407
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f68c99
RSP: 002b:00000000f776409c EFLAGS: 00000286 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000014 RCX: 000000004020ae76
RDX: 0000000020c68000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 7272 Comm: syz-executor1 Not tainted 4.16.0-rc4+ #258
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3539
 kmem_cache_zalloc include/linux/slab.h:691 [inline]
 fill_pool lib/debugobjects.c:110 [inline]
 __debug_object_init+0xa99/0x1040 lib/debugobjects.c:339
 debug_object_init+0x17/0x20 lib/debugobjects.c:391
 __init_work+0x2b/0x60 kernel/workqueue.c:506
 kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:303 [inline]
 kvm_irqfd+0x2ce/0x1d70 arch/x86/kvm/../../../virt/kvm/eventfd.c:572
 kvm_vm_ioctl+0x1124/0x1cf0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2997
 kvm_vm_compat_ioctl+0x2ed/0x3f0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3141
 C_SYSC_ioctl fs/compat_ioctl.c:1461 [inline]
 compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1407
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f68c99
RSP: 002b:00000000f776409c EFLAGS: 00000286 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000014 RCX: 000000004020ae76
RDX: 0000000020c68000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
irq bypass consumer (token 000000002f5e757f) registration fails: -16
audit: type=1400 audit(1520672057.776:34): avc: denied { create } for pid=7503 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1
audit: type=1400 audit(1520672058.109:35): avc: denied { create } for pid=7620 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
irq bypass consumer (token 00000000d298a173) registration fails: -16
irq bypass consumer (token 0000000053c0aa25) registration fails: -16
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 7795 Comm: syz-executor0 Not tainted 4.16.0-rc4+ #258
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3539
 kmem_cache_zalloc include/linux/slab.h:691 [inline]
 ebitmap_cpy+0xce/0x260 security/selinux/ss/ebitmap.c:60
 mls_context_cpy security/selinux/ss/context.h:51 [inline]
 mls_compute_sid+0x555/0x930 security/selinux/ss/mls.c:556
 security_compute_sid+0x8df/0x18f0 security/selinux/ss/services.c:1725
 security_transition_sid+0x75/0x90 security/selinux/ss/services.c:1764
 socket_sockcreate_sid security/selinux/hooks.c:4335 [inline]
 selinux_socket_create+0x3cf/0x740 security/selinux/hooks.c:4368
 security_socket_create+0x83/0xc0 security/security.c:1338
 __sock_create+0xf7/0x850 net/socket.c:1240
 sock_create net/socket.c:1325 [inline]
 SYSC_socket net/socket.c:1355 [inline]
 SyS_socket+0xeb/0x1d0 net/socket.c:1335
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7fa0c99
RSP: 002b:00000000f779c09c EFLAGS: 00000286 ORIG_RAX: 0000000000000167
RAX: ffffffffffffffda RBX: 000000000000000a RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
irq bypass consumer (token 00000000fea79623) registration fails: -16
QAT: Invalid ioctl
QAT: Invalid ioctl
binder_alloc: 8065: binder_alloc_buf size 4104 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 4096 (num: 1 largest: 4096)
binder: 8065:8068 transaction failed 29201/-28, size 0-8 line 2963
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8065:8089 ioctl 40046207 0 returned -16
binder_alloc: 8065: binder_alloc_buf, no vma
binder: 8065:8068 transaction failed 29189/-3, size 0-8 line 2963
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1400 audit(1520672060.181:36): avc: denied { map } for pid=8226 comm="syz-executor3" path="/selinux/mls" dev="selinuxfs" ino=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
irq bypass consumer (token 00000000f501f724) registration fails: -16
irq bypass consumer (token 00000000b31d414a) registration fails: -16
irq bypass consumer (token 00000000d484118e) registration fails: -16
irq bypass consumer (token 00000000ecb45ddd) registration fails: -16
irq bypass consumer (token 00000000cc2ae4c0) registration fails: -16
QAT: Invalid ioctl
QAT: Invalid ioctl
irq bypass consumer (token 00000000ef5fd90d) registration fails: -16
irq bypass consumer (token 00000000a32a32fa) registration fails: -16
irq bypass consumer (token 000000005ca322ca) registration fails: -16
irq bypass consumer (token 00000000e7aafff5) registration fails: -16
irq bypass consumer (token 0000000059514911) registration fails: -16
irq bypass consumer (token 000000006f71b9d7) registration fails: -16
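The lockdep splat at the top of this log is the only real finding here; the audit, binder, QAT, irq-bypass and FAULT_INJECTION lines are ordinary fuzzer noise. What lockdep is saying: path #1 (mmap(2) on /dev/ashmem) takes ashmem_mutex in ashmem_mmap() while mmap_region() already holds mm->mmap_sem, and path #0 (the ASHMEM_PIN/UNPIN ioctl) calls copy_from_user() while holding ashmem_mutex; copy_from_user() may page-fault, and __might_fault() annotates that as a possible acquisition of mmap_sem. Two tasks doing both at once can deadlock. The program below is an added example, not part of the syzkaller report and not the ashmem driver's or the upstream fix's code: a userspace model of lockdep's dependency-graph check, fed the two call paths from the splat, plus a third path showing the usual remedy of copying the user struct before taking the driver mutex (the assumption that this is how the driver was patched is mine and is not stated in the log).

```c
/*
 * Added example: a minimal model of lockdep's circular-dependency check,
 * applied to the ashmem lock order reported above.  Not kernel code.
 *
 * Whenever lock B is acquired while lock A is held we record the edge A -> B.
 * Acquiring B while holding A is flagged when B already reaches A through
 * recorded edges, because the new edge A -> B would close a cycle.  This is
 * the same reasoning lockdep applies in check_prev_add()/validate_chain().
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { MMAP_SEM, ASHMEM_MUTEX, NLOCKS };
static const char *const lock_name[NLOCKS] = { "&mm->mmap_sem", "ashmem_mutex" };

struct lockdep {
    bool edge[NLOCKS][NLOCKS];  /* edge[a][b]: b was acquired while a was held */
    int held[NLOCKS];           /* locks currently held, in acquisition order */
    int nheld;
    bool circular;              /* set once a cycle has been reported */
};

/* Does a path from -> ... -> to exist in the recorded dependency graph? */
static bool reaches(const struct lockdep *ld, int from, int to, int depth)
{
    if (from == to)
        return true;
    if (depth >= NLOCKS)        /* bound the walk; the graph may be cyclic */
        return false;
    for (int next = 0; next < NLOCKS; next++)
        if (ld->edge[from][next] && reaches(ld, next, to, depth + 1))
            return true;
    return false;
}

static void lock_acquire(struct lockdep *ld, int l)
{
    for (int i = 0; i < ld->nheld; i++) {
        int prev = ld->held[i];
        /* prev -> l is about to be recorded; if l already reaches prev, cycle */
        if (!ld->edge[prev][l] && reaches(ld, l, prev, 0)) {
            ld->circular = true;
            printf("possible circular locking dependency: acquiring %s "
                   "while holding %s\n", lock_name[l], lock_name[prev]);
        }
        ld->edge[prev][l] = true;
    }
    ld->held[ld->nheld++] = l;
}

static void lock_release(struct lockdep *ld, int l)
{
    for (int i = 0; i < ld->nheld; i++) {
        if (ld->held[i] == l) {
            memmove(&ld->held[i], &ld->held[i + 1],
                    (size_t)(ld->nheld - i - 1) * sizeof(ld->held[0]));
            ld->nheld--;
            return;
        }
    }
}

/* Dependency #1 from the splat: mmap() -> mmap_region() -> ashmem_mmap() */
static void path_mmap(struct lockdep *ld)
{
    lock_acquire(ld, MMAP_SEM);      /* taken by vm_mmap_pgoff() */
    lock_acquire(ld, ASHMEM_MUTEX);  /* taken by ashmem_mmap() */
    lock_release(ld, ASHMEM_MUTEX);
    lock_release(ld, MMAP_SEM);
}

/* Dependency #0 from the splat: copy_from_user() under ashmem_mutex */
static void path_ioctl_reported(struct lockdep *ld)
{
    lock_acquire(ld, ASHMEM_MUTEX);  /* ashmem_pin_unpin() */
    lock_acquire(ld, MMAP_SEM);      /* __might_fault() inside copy_from_user() */
    lock_release(ld, MMAP_SEM);
    lock_release(ld, ASHMEM_MUTEX);
}

/* Assumed remedy (not quoted from any patch): copy the user struct first */
static void path_ioctl_reordered(struct lockdep *ld)
{
    lock_acquire(ld, MMAP_SEM);      /* copy_from_user() with no driver lock held */
    lock_release(ld, MMAP_SEM);
    lock_acquire(ld, ASHMEM_MUTEX);  /* then do the pin/unpin under the mutex */
    lock_release(ld, ASHMEM_MUTEX);
}

/* Run the mmap path and one of the ioctl paths; report whether a cycle was found */
bool ashmem_has_circular_dependency(bool reordered)
{
    struct lockdep ld;
    memset(&ld, 0, sizeof ld);
    path_mmap(&ld);
    if (reordered)
        path_ioctl_reordered(&ld);
    else
        path_ioctl_reported(&ld);
    return ld.circular;
}

int main(void)
{
    printf("reported order: %s\n",
           ashmem_has_circular_dependency(false) ? "DEADLOCK possible" : "ok");
    printf("copy-then-lock order: %s\n",
           ashmem_has_circular_dependency(true) ? "DEADLOCK possible" : "ok");
    return 0;
}
```

The model only needs two lock classes and a bounded reachability walk; real lockdep tracks every class in the kernel and also distinguishes read and write acquisitions (the {++++} on mmap_sem marks it as having been taken in both modes), which is why the mmap_sem side of this report is a read acquisition annotated by __might_fault() rather than a real lock call.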