audit: type=1401 audit(1521921731.287:8): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:updpwd_exec_t:s0
audit: type=1400 audit(1521921731.337:9): avc: denied { set_context_mgr } for pid=5305 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1

======================================================
[ INFO: possible circular locking dependency detected ]
4.4.120-gd63fdf6 #29 Not tainted
-------------------------------------------------------
syz-executor5/5306 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (ashmem_mutex){+.+.+.}:
       [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366
       [] mmap_region+0x94f/0x1250 mm/mmap.c:1664
       [] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
       [] do_mmap_pgoff include/linux/mm.h:1915 [inline]
       [] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296
       [] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
       [] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449
       [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [] sysenter_flags_fixed+0xd/0x17

-> #1 (&mm->mmap_sem){++++++}:
       [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [] __might_fault+0x14a/0x1d0 mm/memory.c:3810
       [] copy_to_user arch/x86/include/asm/uaccess.h:760 [inline]
       [] filldir+0x162/0x2d0 fs/readdir.c:180
       [] dir_emit_dot include/linux/fs.h:3070 [inline]
       [] dir_emit_dots include/linux/fs.h:3081 [inline]
       [] dcache_readdir+0x11e/0x7b0 fs/libfs.c:150
       [] iterate_dir+0x1c8/0x420 fs/readdir.c:42
       [] SYSC_getdents fs/readdir.c:215 [inline]
       [] SyS_getdents+0x14a/0x270 fs/readdir.c:196
       [] entry_SYSCALL_64_fastpath+0x1c/0x98

-> #0 (&sb->s_type->i_mutex_key#10){+.+.+.}:
       [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
       [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
       [] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
       [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
       [] vfs_llseek fs/read_write.c:260 [inline]
       [] SYSC_lseek fs/read_write.c:285 [inline]
       [] SyS_lseek fs/read_write.c:276 [inline]
       [] C_SYSC_lseek fs/read_write.c:297 [inline]
       [] compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295
       [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [] sysenter_flags_fixed+0xd/0x17

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor5/5306:
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

stack backtrace:
CPU: 0 PID: 5306 Comm: syz-executor5 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 704ff873da906717 ffff8801c620fa58 ffffffff81d0408d
 ffffffff851a0010 ffffffff851a99a0 ffffffff851be2b0 ffff8800ab82d0f8
 ffff8800ab82c800 ffff8801c620faa0 ffffffff81233ba1 ffff8800ab82d0f8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
 [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
 [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
 [] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
 [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
 [] vfs_llseek fs/read_write.c:260 [inline]
 [] SYSC_lseek fs/read_write.c:285 [inline]
 [] SyS_lseek fs/read_write.c:276 [inline]
 [] C_SYSC_lseek fs/read_write.c:297 [inline]
 [] compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17
binder: 5305:5319 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5305:5319 ioctl 40046207 0 returned -16
binder: 5340:5345 ioctl 40046205 0 returned -22
binder: 5340:5354 ioctl 40046205 0 returned -22
device bridge0 entered promiscuous mode
binder: 5369:5370 BC_INCREFS_DONE u0000000000000000 no match
binder: 5369:5370 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
binder: 5369:5372 BC_INCREFS_DONE u0000000000000000 no match
binder: 5369:5372 ERROR: BC_REGISTER_LOOPER called after BC_ENTER_LOOPER
mmap: syz-executor5 (5468) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
syz-executor6 (5477): /proc/5477/oom_adj is deprecated, please use /proc/5477/oom_score_adj instead.
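The lockdep report above is a graph check: three lock-ordering edges were recorded on three different syscall paths (the "-> #2", "-> #1" and "-> #0" traces), and the last one, lseek() on an ashmem fd taking the backing shmem inode's i_mutex while ashmem_mutex is held, closes a cycle through mmap_sem. The userspace C program below is an added example, not part of the syzbot log and not the kernel's lockdep implementation. It models the dependency graph as an adjacency matrix over the three lock classes named in the report, records one "held --> new" edge per acquisition, and refuses an acquisition whose edge would close a cycle, which is exactly the condition that makes lockdep print "possible circular locking dependency". The path table, the `lockdep_acquire`, `replay` and `has_dep` helpers, and the reading of `__might_fault`'s lock_acquire annotation as an acquisition of mmap_sem are this example's own; it ignores read/write rwsem states, irq context and every lock class not in the report.

```c
/*
 * Userspace model of lockdep's dependency graph, replaying the three lock
 * acquisition paths in the report above.  Added example, not kernel code.
 * deps[a][b] != 0 means "a was held when b was taken", printed by lockdep
 * as "a --> b" in its "Chain exists of:" line.
 */
#include <stdio.h>
#include <string.h>

enum lock_class { ASHMEM_MUTEX, MMAP_SEM, I_MUTEX, NCLASS };

static const char *const lock_name[NCLASS] = {
	"ashmem_mutex", "&mm->mmap_sem", "&sb->s_type->i_mutex_key#10",
};

static int deps[NCLASS][NCLASS];

struct task { int held[NCLASS]; int nheld; };	/* a task's held-lock stack */

/* Is there already a recorded path from -> ... -> to?  Plain DFS. */
static int reaches(int from, int to, unsigned seen)
{
	if (from == to)
		return 1;
	if (seen & (1u << from))
		return 0;
	seen |= 1u << from;
	for (int n = 0; n < NCLASS; n++)
		if (deps[from][n] && reaches(n, to, seen))
			return 1;
	return 0;
}

/*
 * Take cls while holding t->held[].  A new edge held --> cls is circular if
 * cls already reaches held; that is what lockdep reports as a "possible
 * circular locking dependency".  Returns 0, or -1 on a cycle (nothing is
 * recorded in that case).
 */
static int lockdep_acquire(struct task *t, int cls)
{
	for (int i = 0; i < t->nheld; i++) {
		int held = t->held[i];
		if (reaches(cls, held, 0)) {
			printf("cycle: %s --> ... --> %s --> %s\n", lock_name[cls],
			       lock_name[held], lock_name[cls]);
			return -1;
		}
	}
	for (int i = 0; i < t->nheld; i++)
		deps[t->held[i]][cls] = 1;
	t->held[t->nheld++] = cls;
	return 0;
}

/* One path = two nested acquisitions, read off the report's "-> #N" traces. */
struct path { const char *syscall; int outer, inner; };

static const struct path paths[] = {
	/* -> #2: vm_mmap_pgoff holds mmap_sem when ashmem_mmap takes ashmem_mutex */
	{ "mmap(ashmem fd)", MMAP_SEM, ASHMEM_MUTEX },
	/* -> #1: iterate_dir holds i_mutex; copy_to_user in filldir runs
	 * __might_fault, whose lock_acquire annotation counts as mmap_sem */
	{ "getdents()", I_MUTEX, MMAP_SEM },
	/* -> #0: ashmem_llseek holds ashmem_mutex across vfs_llseek, where
	 * shmem_file_llseek takes the backing inode's i_mutex */
	{ "lseek(ashmem fd)", ASHMEM_MUTEX, I_MUTEX },
};

/*
 * Replay paths[order[0..n)] on a fresh graph, each in its own task.  Returns
 * the 1-based index of the path whose inner lock closes a cycle, or 0 when
 * all n paths fit one global lock order.
 */
int replay(const int *order, int n)
{
	memset(deps, 0, sizeof(deps));
	for (int i = 0; i < n; i++) {
		const struct path *p = &paths[order[i]];
		struct task t = { .nheld = 0 };
		if (lockdep_acquire(&t, p->outer) || lockdep_acquire(&t, p->inner)) {
			printf("flagged while replaying %s\n", p->syscall);
			return i + 1;
		}
	}
	return 0;
}

/* The report's chain was built #2, #1, then #0: flagged on the third path. */
int replay_report_order(void)  { static const int o[] = { 0, 1, 2 }; return replay(o, 3); }
/* lseek first: still flagged only by whichever path adds the last edge. */
int replay_lseek_first(void)   { static const int o[] = { 2, 0, 1 }; return replay(o, 3); }
/* The two pre-existing edges alone are acyclic. */
int replay_without_lseek(void) { static const int o[] = { 0, 1 }; return replay(o, 2); }
/* Was "a --> b" recorded by the most recent replay? */
int has_dep(int a, int b)      { return deps[a][b]; }

int main(void)
{
	printf("report order: %d, lseek first: %d, without lseek: %d\n",
	       replay_report_order(), replay_lseek_first(), replay_without_lseek());
	return 0;
}
```

Two things worth taking from the replay when triaging a report like this one. First, the task lockdep names (here syz-executor5 in lseek) is simply the one that added the last edge; reordering the paths moves the blame to getdents() without changing the cycle, so the fix has to be argued from the graph, not from the reporting task. Second, each `-> #N` entry documents one edge (the lock named in the header, taken while the previous entry's lock was held), so the three entries plus the "Chain exists of:" line are enough to rebuild the graph by hand; the unsafe-scenario table is a two-CPU projection of that cycle and does not list every lock involved.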
syz-executor1 uses obsolete (PF_INET,SOCK_PACKET)
sd 0:0:1:0: [sg0] tag#104 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#104 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#104 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#104 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#104 CDB[20]: 00 00 00
sd 0:0:1:0: [sg0] tag#104 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#104 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#104 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#104 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#104 CDB[20]: 00 00 00
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
tmpfs: No value for mount option 'b4djE>ʄ[G9HH}nXZhmgzMx,2'
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
capability: warning: `syz-executor6' uses 32-bit capabilities (legacy support in use)
audit: type=1400 audit(1521921733.727:10): avc: denied { setattr } for pid=5686 comm="syz-executor2" name="setgroups" dev="proc" ino=14376 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=file permissive=1
audit: type=1400 audit(1521921734.027:11): avc: denied { call } for pid=5730 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 5730:5744 ioctl 80404519 20000000 returned -22
binder_alloc: binder_alloc_mmap_handler: 5730 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5730:5748 ioctl 40046207 0 returned -16
binder_alloc: 5730: binder_alloc_buf, no vma
binder: 5730:5748 ioctl 80404519 20000000 returned -22
binder_alloc: 5730: binder_alloc_buf, no vma
binder: 5730:5736 transaction failed 29189/-3, size 40-8 line 3128
binder: 5730:5744 transaction failed 29189/-3, size 40-8 line 3128
audit: type=1400 audit(1521921734.517:12): avc: denied { transfer } for pid=5869 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 5869:5879 BC_INCREFS_DONE u00000000204edf8a node 9 cookie mismatch 0000000000000000 != 0000000000000001
binder: 5869:5879 ioctl c0086420 20000000 returned -22
binder_alloc: binder_alloc_mmap_handler: 5869 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5869:5879 ioctl 40046207 0 returned -16
binder_alloc: 5869: binder_alloc_buf, no vma
binder: 5869:5882 transaction failed 29189/-3, size 40-8 line 3128
binder: 5869:5882 BC_INCREFS_DONE u0000000000000000 no match
binder: 5869:5885 ioctl c0086420 20000000 returned -22
binder: release 5869:5870 transaction 8 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 8, target dead
binder: 5907:5910 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5907:5921 ioctl 40046207 0 returned -16
binder: 5907:5928 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 5940:5941 unknown command 0
binder: 5940:5941 ioctl c0306201 2000dfd0 returned -22
binder: 5940:5943 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 5940:5941 unknown command 536907575
binder: 5940:5943 unknown command 0
binder: 5940:5941 ioctl c0306201 20008fd0 returned -22
binder: 5940:5943 ioctl c0306201 2000dfd0 returned -22
audit: type=1400 audit(1521921734.987:13): avc: denied { create } for pid=5985 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
capability: warning: `syz-executor0' uses deprecated v2 capabilities in a way that may be insecure
binder: 6115:6123 transaction failed 29201/-22, size 780001872016229775-2919921291494367320 line 3128
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 6115: binder_alloc_buf, no vma
binder: 6115:6141 BC_FREE_BUFFER u0000000000000000 no match
binder: 6115:6136 transaction failed 29189/-3, size 780001872016229775-2919921291494367320 line 3128
binder: 6115:6123 ioctl 40046207 0 returned -16
binder: 6151:6154 ioctl 5 20001600 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1400 audit(1521921735.687:14): avc: denied { read } for pid=6151 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 6151:6154 ioctl 5 20001600 returned -22
binder: 6197:6198 unknown command 1074299152
binder: 6197:6198 ioctl c0306201 20008000 returned -22
binder: 6197:6198 unknown command 1074299152
binder: 6197:6198 ioctl c0306201 20008000 returned -22
binder: 6220:6224 got transaction with invalid offset (0, min 0 max 0) or object.
audit: type=1400 audit(1521921735.897:15): avc: denied { write } for pid=6222 comm="syz-executor6" path="socket:[14935]" dev="sockfs" ino=14935 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 6220:6224 transaction failed 29201/-22, size 0-8 line 3191
binder: 6220:6236 got transaction with unaligned buffers size, 58534
binder: 6220:6236 transaction failed 29201/-22, size 0-0 line 3173
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6220:6236 ioctl 40046207 0 returned -16
binder_alloc: 6220: binder_alloc_buf, no vma
binder: 6220:6236 transaction failed 29189/-3, size 0-8 line 3128
binder_alloc: 6220: binder_alloc_buf, no vma
binder: 6220:6236 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
keychord: unsupported version 8
keychord: unsupported version 8
binder: 6561:6567 got transaction to invalid handle
binder: 6561:6567 transaction failed 29201/-22, size 0-0 line 3005
binder: 6561:6573 got transaction to invalid handle
binder: 6561:6573 transaction failed 29201/-22, size 0-0 line 3005
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
audit: type=1400 audit(1521921738.407:16): avc: denied { read } for pid=6614 comm="syz-executor7" path="socket:[15395]" dev="sockfs" ino=15395 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
vmalloc: allocation failure: 0 bytes
syz-executor4: page allocation failure: order:0, mode:0x24000c2
CPU: 0 PID: 6625 Comm: syz-executor4 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 6952637174470fb5 ffff8801d8607898 ffffffff81d0408d
 1ffff1003b0c0f16 ffff8801d7149800 00000000024000c2 0000000000000000
 0000000000000001 ffff8801d86079a8 ffffffff81431059 ffffffff838ac620
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] warn_alloc_failed+0x1d9/0x240 mm/page_alloc.c:2757
 [] __vmalloc_node_range+0x41d/0x630 mm/vmalloc.c:1692
 [] __vmalloc_node mm/vmalloc.c:1715 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1729 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1744
 [] sel_write_load+0x130/0xff0 security/selinux/selinuxfs.c:527
 [] __vfs_write+0x103/0x450 fs/read_write.c:489
 [] vfs_write+0x18a/0x530 fs/read_write.c:538
 [] SYSC_pwrite64 fs/read_write.c:627 [inline]
 [] SyS_pwrite64+0x13f/0x170 fs/read_write.c:614
 [] sys32_pwrite+0x39/0x50 arch/x86/ia32/sys_ia32.c:186
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17
Mem-Info:
active_anon:54354 inactive_anon:44 isolated_anon:0
 active_file:3524 inactive_file:8463 isolated_file:0
 unevictable:0 dirty:67 writeback:0 unstable:0
 slab_reclaimable:5592 slab_unreclaimable:59073
 mapped:23853 shmem:51 pagetables:646 bounce:0
 free:1472714 free_pcp:504 free_cma:0
DMA free:15904kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15904kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
lowmem_reserve[]: 0 2911 6411 6411
DMA32 free:2675332kB min:30608kB low:38260kB high:45912kB active_anon:96612kB inactive_anon:52kB active_file:6912kB inactive_file:15248kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3129292kB managed:2982732kB mlocked:0kB dirty:60kB writeback:0kB mapped:43096kB shmem:60kB slab_reclaimable:10244kB slab_unreclaimable:107136kB kernel_stack:1728kB pagetables:788kB unstable:0kB bounce:0kB free_pcp:1300kB local_pcp:664kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 3500 3500
Normal free:3199620kB min:36808kB low:46008kB high:55212kB active_anon:120804kB inactive_anon:124kB active_file:7184kB inactive_file:18604kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3584660kB mlocked:0kB dirty:208kB writeback:0kB mapped:52316kB shmem:144kB slab_reclaimable:12124kB slab_unreclaimable:129156kB kernel_stack:4256kB pagetables:1796kB unstable:0kB bounce:0kB free_pcp:716kB local_pcp:400kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0 0
DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15904kB
DMA32: 325*4kB (ME) 120*8kB (UME) 106*16kB (UM) 115*32kB (UM) 50*64kB (UME) 19*128kB (UME) 11*256kB (UM) 8*512kB (UME) 23*1024kB (UME) 1*2048kB (U) 642*4096kB (M) = 2675412kB
Normal: 103*4kB (UME) 123*8kB (UM) 129*16kB (UME) 82*32kB (UM) 29*64kB (UM) 13*128kB (UME) 7*256kB (UME) 7*512kB (UME) 34*1024kB (UME) 4*2048kB (UME) 767*4096kB (M) = 3199620kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
12037 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320145 pages reserved
audit: type=1400 audit(1521921738.457:17): avc: denied { ioctl } for pid=6614 comm="syz-executor7" path="socket:[15395]" dev="sockfs" ino=15395 ioctlcmd=7459 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
device bridge0 entered promiscuous mode
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6690:6694 ioctl 40046207 0 returned -16
binder_alloc: 6690: binder_alloc_buf, no vma
binder: 6690:6691 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 27, process died.
binder: 6782:6783 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
audit: type=1400 audit(1521921739.587:18): avc: denied { create } for pid=6788 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
binder: 6782:6805 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
sd 0:0:1:0: [sg0] tag#58 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#58 CDB: opcode=0x6
sd 0:0:1:0: [sg0] tag#58 CDB[00]: 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#58 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#58 CDB[20]: 00 00 00
sd 0:0:1:0: [sg0] tag#58 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#58 CDB: opcode=0x6
binder_alloc: 6821: binder_alloc_buf size 1099276746752 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 8192 (num: 1 largest: 8192)
binder: 6821:6830 transaction failed 29201/-28, size 0-1099276746752 line 3128
binder_alloc: binder_alloc_mmap_handler: 6821 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6821:6830 ioctl 40046207 0 returned -16
sd 0:0:1:0: [sg0] tag#58 CDB[00]: 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#58 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#58 CDB[20]: 00 00 00
binder: 7000:7001 ioctl 4b49 20000100 returned -22
binder: 7000:7001 ioctl 4b49 20000100 returned -22
TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
IPv4: Oversized IP packet from 127.0.0.1
binder: 7218:7221 got transaction with invalid offset (0, min 0 max 40) or object.
binder: 7218:7221 transaction failed 29201/-22, size 40-8 line 3191
IPv4: Oversized IP packet from 127.0.0.1
binder: 7218:7221 BC_INCREFS_DONE node 31 has no pending increfs request
binder_alloc: binder_alloc_mmap_handler: 7218 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7218:7221 ioctl 40046207 0 returned -16
binder_alloc: 7218: binder_alloc_buf, no vma
binder: 7218:7230 transaction failed 29189/-3, size 40-8 line 3128
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor3/7268
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 7268 Comm: syz-executor3 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 9859b4a0925bfe0c ffff8801c6b07638 ffffffff81d0408d
 0000000000000001 ffffffff839fe5a0 ffffffff83d0be20 ffff8801d3c10000