QAT: Invalid ioctl
QAT: Invalid ioctl

======================================================
WARNING: possible circular locking dependency detected
4.15.0+ #300 Not tainted
------------------------------------------------------
syz-executor4/6195 is trying to acquire lock:
 (&xt[i].mutex){+.+.}, at: [<000000001b5d8cc6>] xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1041

but task is already holding lock:
 (sk_lock-AF_INET6){+.+.}, at: [<0000000039f9b82d>] lock_sock include/net/sock.h:1463 [inline]
 (sk_lock-AF_INET6){+.+.}, at: [<0000000039f9b82d>] ipv6_getsockopt+0x1c5/0x2e0 net/ipv6/ipv6_sockglue.c:1370

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (sk_lock-AF_INET6){+.+.}:
       lock_sock_nested+0xc2/0x110 net/core/sock.c:2777
       lock_sock include/net/sock.h:1463 [inline]
       do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
       ipv6_setsockopt+0xd7/0x130 net/ipv6/ipv6_sockglue.c:922
       tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x26/0x9b

-> #1 (rtnl_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
       unregister_netdevice_notifier+0x91/0x4e0 net/core/dev.c:1673
       clusterip_config_entry_put net/ipv4/netfilter/ipt_CLUSTERIP.c:114 [inline]
       clusterip_tg_destroy+0x389/0x6e0 net/ipv4/netfilter/ipt_CLUSTERIP.c:518
       cleanup_entry+0x218/0x350 net/ipv4/netfilter/ip_tables.c:654
       __do_replace+0x79d/0xa50 net/ipv4/netfilter/ip_tables.c:1089
       do_replace net/ipv4/netfilter/ip_tables.c:1145 [inline]
       do_ipt_set_ctl+0x40f/0x5f0 net/ipv4/netfilter/ip_tables.c:1675
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
       ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1259
       tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x26/0x9b

-> #0 (&xt[i].mutex){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1041
       xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1088
       get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:989
       do_ip6t_get_ctl+0x159/0xaf0 net/ipv6/netfilter/ip6_tables.c:1710
       nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
       nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
       ipv6_getsockopt+0x1df/0x2e0 net/ipv6/ipv6_sockglue.c:1371
       tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359
       sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2934
       SYSC_getsockopt net/socket.c:1880 [inline]
       SyS_getsockopt+0x178/0x340 net/socket.c:1862
       do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x26/0x9b

other info that might help us debug this:

Chain exists of:
  &xt[i].mutex --> rtnl_mutex --> sk_lock-AF_INET6

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_INET6);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_INET6);
  lock(&xt[i].mutex);

 *** DEADLOCK ***

1 lock held by syz-executor4/6195:
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000039f9b82d>] lock_sock include/net/sock.h:1463 [inline]
 #0:  (sk_lock-AF_INET6){+.+.}, at: [<0000000039f9b82d>] ipv6_getsockopt+0x1c5/0x2e0 net/ipv6/ipv6_sockglue.c:1370

stack backtrace:
CPU: 1 PID: 6195 Comm: syz-executor4 Not tainted 4.15.0+ #300
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
 xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1041
 xt_request_find_table_lock+0x28/0xc0 net/netfilter/x_tables.c:1088
 get_info+0x154/0x690 net/ipv6/netfilter/ip6_tables.c:989
 do_ip6t_get_ctl+0x159/0xaf0 net/ipv6/netfilter/ip6_tables.c:1710
 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
 nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
 ipv6_getsockopt+0x1df/0x2e0 net/ipv6/ipv6_sockglue.c:1371
 tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3359
 sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2934
 SYSC_getsockopt net/socket.c:1880 [inline]
 SyS_getsockopt+0x178/0x340 net/socket.c:1862
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453299
RSP: 002b:00007f007381dc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013
RBP: 00000000000000e5 R08: 000000002000cffc R09: 0000000000000000
R10: 0000000020aeffe4 R11: 0000000000000212 R12: 00000000006f0618
R13: 00000000ffffffff R14: 00007f007381e6d4 R15: 0000000000000000
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
binder: 6233 RLIMIT_NICE not set
binder: 6227:6249 BC_INCREFS_DONE uffffffffffffffff no match
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=256 sclass=netlink_route_socket pig=6251 comm=syz-executor2
binder: 6227:6249 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6227:6249 BC_FREE_BUFFER uffffffffffffffff no match
binder: 6227:6249 got transaction to invalid handle
binder: 6227:6249 transaction failed 29201/-22, size 24-16 line 2842
binder: send failed reply for transaction 7 to 6227:6256
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=256 sclass=netlink_route_socket pig=6251 comm=syz-executor2
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6233 RLIMIT_NICE not set
binder: 6227:6233 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6227:6233 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6227:6233 BC_FREE_BUFFER uffffffffffffffff no match
binder: 6227:6233 got transaction to invalid handle
binder: 6227:6233 transaction failed 29201/-22, size 24-16 line 2842
binder: release 6227:6249 transaction 10 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 10, target dead
binder: 6282 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6279:6296 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6286:6292 ioctl 40046207 0 returned -16
binder: 6304 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: send failed reply for transaction 13 to 6279:6310
binder: 6279:6296 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6286:6292 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6313 RLIMIT_NICE not set
binder: 6286:6292 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6297:6298 ioctl 40046207 0 returned -16
binder: release 6286:6304 transaction 14 out, still active
binder: 6279:6296 BC_FREE_BUFFER uffffffffffffffff no match
binder: undelivered TRANSACTION_COMPLETE
binder: 6286:6292 BC_FREE_BUFFER uffffffffffffffff no match
binder: 6279:6296 got transaction to invalid handle
binder: 6286:6292 got transaction to invalid handle
binder: 6279:6296 transaction failed 29201/-22, size 24-16 line 2842
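The lockdep splat above records three lock orderings: under the iptables setsockopt replace path, `&xt[i].mutex` is held when `clusterip_tg_destroy` takes `rtnl_mutex` (entry "-> #1"); in `do_ipv6_setsockopt`, `rtnl_mutex` is held when `lock_sock` takes `sk_lock-AF_INET6` (entry "-> #2"); and the reporting task holds `sk_lock-AF_INET6` in `ipv6_getsockopt` while `get_info` asks for `&xt[i].mutex` (entry "-> #0"). The program below is an added illustration, not part of the report and not the kernel's lockdep: it replays those recorded orderings in a toy lock-order graph and shows that the third acquisition closes the cycle printed under "Chain exists of". The lock names and the two recorded chains are transcribed from the report; the graph and depth-first search are a simplified stand-in for lockdep's chain validation.

```c
/*
 * Added illustration (not the kernel's lockdep): replay the lock orderings
 * recorded in the lockdep report and show why the final acquisition closes
 * a cycle. Lock names and the two recorded chains are transcribed from the
 * report; the graph/DFS machinery is a simplified stand-in for lockdep's
 * chain validation.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum lock_class { XT_MUTEX, RTNL_MUTEX, SK_LOCK_AF_INET6, NLOCKS };

static const char *const lock_name[NLOCKS] = {
    "&xt[i].mutex", "rtnl_mutex", "sk_lock-AF_INET6",
};

/* edge[a][b]: some task acquired b while already holding a */
static bool edge[NLOCKS][NLOCKS];

/* Path found by the last successful would_deadlock() call, new lock first. */
static int cycle_path[NLOCKS + 1];
static int cycle_len;

/* Record one observed acquisition order: held[0] taken first, held[n-1] last. */
static void record_chain(const enum lock_class *held, int n)
{
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            edge[held[i]][held[j]] = true;
}

/* Depth-first search for a path from -> ... -> to through recorded edges. */
static bool path_exists(int from, int to, bool *visited, int depth)
{
    cycle_path[depth] = from;
    if (from == to) {
        cycle_len = depth + 1;
        return true;
    }
    if (visited[from])
        return false;
    visited[from] = true;
    for (int next = 0; next < NLOCKS; next++)
        if (edge[from][next] && path_exists(next, to, visited, depth + 1))
            return true;
    return false;
}

/*
 * Acquiring new_lock while holding `held` adds the edge held -> new_lock.
 * That closes a cycle exactly when new_lock already reaches `held`.
 */
static bool would_deadlock(enum lock_class held, enum lock_class new_lock)
{
    bool visited[NLOCKS] = { false };
    cycle_len = 0;
    return path_exists(new_lock, held, visited, 0);
}

/* The two dependencies lockdep had already recorded ("-> #1" and "-> #2"). */
static void load_report_chains(void)
{
    /* -> #1: __do_replace holds xt[i].mutex; clusterip_tg_destroy ->
     *        unregister_netdevice_notifier -> rtnl_lock()            */
    const enum lock_class replace_path[] = { XT_MUTEX, RTNL_MUTEX };
    /* -> #2: do_ipv6_setsockopt holds rtnl_mutex, then lock_sock()   */
    const enum lock_class setsockopt_path[] = { RTNL_MUTEX, SK_LOCK_AF_INET6 };

    memset(edge, 0, sizeof(edge));
    record_chain(replace_path, 2);
    record_chain(setsockopt_path, 2);
}

int main(void)
{
    load_report_chains();

    /* -> #0: ipv6_getsockopt holds sk_lock; get_info wants xt[i].mutex */
    if (would_deadlock(SK_LOCK_AF_INET6, XT_MUTEX)) {
        printf("circular dependency: %s", lock_name[SK_LOCK_AF_INET6]);
        for (int i = 0; i < cycle_len; i++)
            printf(" --> %s", lock_name[cycle_path[i]]);
        printf("\n");
    }
    /* The opposite order (sk_lock taken under xt mutex) closes no cycle. */
    printf("sk_lock under xt mutex deadlocks: %s\n",
           would_deadlock(XT_MUTEX, SK_LOCK_AF_INET6) ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c11 -Wall lockorder.c` (assumed file name). The cycle it prints is the one lockdep reports; note that lockdep reasons over lock classes, so the warning is a "possible" deadlock and does not require the two paths to have actually raced on this boot.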
binder: 6297:6298 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6286:6292 transaction failed 29201/-22, size 24-16 line 2842
binder: 6297:6298 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6297:6313 transaction failed 29189/-22, size 0-0 line 2842
binder: send failed reply for transaction 14, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6326 RLIMIT_NICE not set
binder: 6297:6298 BC_FREE_BUFFER uffffffffffffffff no match
binder: 6297:6298 got transaction to invalid handle
binder: 6297:6298 transaction failed 29201/-22, size 24-16 line 2842
binder: 6324:6331 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6324:6331 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6324:6331 BC_FREE_BUFFER uffffffffffffffff no match
binder: 6324:6331 got transaction to invalid handle
binder: send failed reply for transaction 21 to 6324:6334
binder: 6324:6331 transaction failed 29201/-22, size 24-16 line 2842
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6350 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6335:6347 ioctl 40046207 0 returned -16
binder: 6347 RLIMIT_NICE not set
binder: 6343:6362 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6343:6362 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6343:6362 BC_FREE_BUFFER uffffffffffffffff no match
binder: 6335:6363 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6343:6362 got transaction to invalid handle
binder: 6335:6363 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6343:6362 transaction failed 29201/-22, size 24-16 line 2842
binder: send failed reply for transaction 24 to 6343:6362
binder: 6335:6363 BC_FREE_BUFFER uffffffffffffffff no match
binder: undelivered TRANSACTION_COMPLETE
binder: 6335:6363 got transaction to invalid handle
binder: 6335:6363 transaction failed 29201/-22, size 24-16 line 2842
binder: 6335:6364 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
kauditd_printk_skb: 51 callbacks suppressed
audit: type=1326 audit(1517994309.374:81): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
binder: 6373 RLIMIT_NICE not set
audit: type=1326 audit(1517994309.388:82): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=55 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517994309.441:83): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
binder: 6371:6385 BC_INCREFS_DONE uffffffffffffffff no match
audit: type=1326 audit(1517994309.441:84): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
binder_alloc: 6371: binder_alloc_buf, no vma
binder: 6371:6386 transaction failed 29189/-3, size 0-0 line 2957
binder: 6371:6385 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6371:6385 BC_FREE_BUFFER uffffffffffffffff no match
binder: 6371:6385 got transaction to invalid handle
audit: type=1326 audit(1517994309.498:85): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=55 compat=0 ip=0x453299 code=0x7ffc0000
binder: 6371:6385 transaction failed 29201/-22, size 24-16 line 2842
audit: type=1326 audit(1517994309.498:86): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517994309.498:87): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
binder: undelivered TRANSACTION_ERROR: 29189
audit: type=1326 audit(1517994309.503:88): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=55 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517994309.503:89): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
audit: type=1326 audit(1517994309.503:90): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6369 comm="syz-executor7" exe="/root/syz-executor7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x453299 code=0x7ffc0000
binder: 6426 RLIMIT_NICE not set
binder: 6416:6436 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6416:6436 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6416:6436 BC_FREE_BUFFER uffffffffffffffff no match
binder_alloc: 6416: binder_alloc_buf, no vma
binder: 6416:6436 got transaction to invalid handle
binder: 6416:6437 transaction failed 29189/-3, size 0-0 line 2957
binder: 6416:6436 transaction failed 29201/-22, size 24-16 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6451 RLIMIT_NICE not set
binder: 6443:6465 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6443:6465 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder_alloc: 6443: binder_alloc_buf, no vma
binder: 6443:6476 transaction failed 29189/-3, size 0-0 line 2957
binder: 6443:6465 BC_FREE_BUFFER uffffffffffffffff no match
binder: 6443:6465 got transaction to invalid handle
binder: 6443:6465 transaction failed 29201/-22, size 24-16 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6506 RLIMIT_NICE not set
binder: 6499:6513 BC_INCREFS_DONE uffffffffffffffff no match
binder: 6499:6513 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6499:6513 BC_FREE_BUFFER uffffffffffffffff no match
binder: 6499:6513 got transaction to invalid handle
binder: 6499:6513 transaction failed 29201/-22, size 24-16 line 2842
binder: send failed reply for transaction 37 to 6499:6514
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6522 RLIMIT_NICE not set
binder: send failed reply for transaction 40 to 6519:6545
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6572 RLIMIT_NICE not set
binder: send failed reply for transaction 42 to 6566:6592
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6609 RLIMIT_NICE not set
binder: send failed reply for transaction 44 to 6606:6627
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6634 RLIMIT_NICE not set
binder: send failed reply for transaction 46 to 6632:6656
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6668 RLIMIT_NICE not set
binder: send failed reply for transaction 48 to 6666:6686
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6709:6711 transaction 50 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 50, target dead
binder: 6720:6725 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6743:6750 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6773:6776 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
binder_alloc: 6801: binder_alloc_buf, no vma
CPU: 1 PID: 6818 Comm: syz-executor5 Not tainted 4.15.0+ #300
binder: 6801:6813 transaction failed 29189/-3, size 0-0 line 2957
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
binder: undelivered TRANSACTION_ERROR: 29189
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 __do_kmalloc mm/slab.c:3703 [inline]
 __kmalloc_track_caller+0x5f/0x760 mm/slab.c:3720
 memdup_user+0x2c/0x90 mm/util.c:160
 map_lookup_elem+0x288/0xc30 kernel/bpf/syscall.c:584
 SYSC_bpf kernel/bpf/syscall.c:1869 [inline]
 SyS_bpf+0xa3a/0x4860 kernel/bpf/syscall.c:1843
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453299
RSP: 002b:00007f57e20cfc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 00000000000000a6 RSI: 0000000020d5c000 RDI: 0000000000000001
RBP: 000000000000003f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ef688
R13: 0000000000000014 R14: 00007f57e20d06d4 R15: ffffffffffffffff
CPU: 0 PID: 6829 Comm: syz-executor0 Not tainted 4.15.0+ #300
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
binder_alloc: 6827: binder_alloc_buf, no vma
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
binder: 6827:6832 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3539
 ptlock_alloc+0x24/0x70 mm/memory.c:4732
 ptlock_init include/linux/mm.h:1796 [inline]
 pgtable_page_ctor include/linux/mm.h:1830 [inline]
 pte_alloc_one+0x59/0x100 arch/x86/mm/pgtable.c:32
 __do_huge_pmd_anonymous_page mm/huge_memory.c:564 [inline]
 do_huge_pmd_anonymous_page+0x551/0x1b00 mm/huge_memory.c:728
 create_huge_pmd mm/memory.c:3874 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4078
 handle_mm_fault+0x38f/0x930 mm/memory.c:4144
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1426
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1501
 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1148
RIP: 0010:copy_user_generic_unrolled+0xa0/0xc0 arch/x86/lib/copy_user_64.S:75
RSP: 0018:ffff8801d9587c48 EFLAGS: 00010202
RAX: ffffed0039f5d2b4 RBX: 0000000000000001 RCX: 0000000000000001
RDX: 0000000000000001 RSI: ffff8801cfae9612 RDI: 0000000020c10fc6
RBP: ffff8801d9587c78 R08: ffffed0039f5d2c3 R09: ffffed0039f5d2c3
R10: 0000000000000001 R11: ffffed0039f5d2c2 R12: 0000000020c10fc6
R13: ffff8801cfae9612 R14: 00007ffffffff000 R15: 0000000020c10fc7
 copy_to_user include/linux/uaccess.h:155 [inline]
 user_read+0x16c/0x210 security/keys/user_defined.c:188
 keyctl_read_key+0x299/0x310 security/keys/keyctl.c:799
 SYSC_keyctl security/keys/keyctl.c:1679 [inline]
 SyS_keyctl+0x197/0x2c0 security/keys/keyctl.c:1637
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453299
RSP: 002b:00007f1967c8bc58 EFLAGS: 00000212 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000020c10fc6 RSI: 0000000009483719 RDI: 000000000000000b
RBP: 00000000000003b3 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003a R11: 0000000000000212 R12: 00000000006f4968
R13: 0000000000000013 R14: 00007f1967c8c6d4 R15: ffffffffffffffff
binder_alloc: 6836: binder_alloc_buf, no vma
binder: 6836:6840 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 6878 Comm: syz-executor1 Not tainted 4.15.0+ #300
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3605
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 perf_event_alloc+0x200/0x2b00 kernel/events/core.c:9428
 SYSC_perf_event_open+0x842/0x2f10 kernel/events/core.c:9997
 SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9883
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453299
RSP: 002b:00007fdb22177c58 EFLAGS: 00000212 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020001f88
RBP: 0000000000000434 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000212 R12: 00000000006f5580
R13: 0000000000000013 R14: 00007fdb221786d4 R15: ffffffffffffffff
CPU: 1 PID: 6885 Comm: syz-executor6 Not tainted 4.15.0+ #300
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 __do_kmalloc mm/slab.c:3703 [inline]
 __kmalloc_track_caller+0x5f/0x760 mm/slab.c:3720
 memdup_user+0x2c/0x90 mm/util.c:160
 map_lookup_elem+0x288/0xc30 kernel/bpf/syscall.c:584
 SYSC_bpf kernel/bpf/syscall.c:1869 [inline]
 SyS_bpf+0xa3a/0x4860 kernel/bpf/syscall.c:1843
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453299
RSP: 002b:00007fcad9becc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 00000000000000a6 RSI: 0000000020d5c000 RDI: 0000000000000001
RBP: 000000000000003f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ef688
R13: 0000000000000014 R14: 00007fcad9bed6d4 R15: ffffffffffffffff
binder: send failed reply for transaction 61 to 6939:6942
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 66 to 7008:7010
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 68 to 7014:7021
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 70 to 7036:7037
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 72 to 7053:7054
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7068:7071 transaction 74 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 74, target dead
binder: release 7080:7087 transaction 76 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 76, target dead
binder: release 7092:7102 transaction 78 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 78, target dead
binder: send failed reply for transaction 80 to 7162:7168
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
QAT: Invalid ioctl
QAT: Invalid ioctl
binder: BINDER_SET_CONTEXT_MGR already set
binder: send failed reply for transaction 82 to 7183:7185
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7186:7190 ioctl 40046207 0 returned -16
binder: 7186:7204 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 85 to 7207:7212
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7229:7237 ioctl 40046207 0 returned -16
binder: release 7216:7220 transaction 87 out, still active
binder_alloc: 7216: binder_alloc_buf, no vma
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 87, target dead
binder: 7229:7254 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7289: binder_alloc_buf, no vma
binder: 7289:7292 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7306: binder_alloc_buf, no vma
binder: 7306:7309 transaction failed 29189/-3, size 0-0 line 2957
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7311:7314 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7311:7314 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7322: binder_alloc_buf, no vma
binder: 7322:7325 transaction failed 29189/-3, size 0-0 line 2957
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7328:7335 ioctl 40046207 0 returned -16
binder: 7328:7335 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7350: binder_alloc_buf, no vma
binder: 7350:7353 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7360: binder_alloc_buf, no vma
binder: 7360:7365 transaction failed 29189/-3, size 0-0 line 2957
binder_alloc: 7360: binder_alloc_buf, no vma
binder: 7357:7363 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7395: binder_alloc_buf, no vma
binder_alloc: 7395: binder_alloc_buf, no vma
binder: 7395:7398 transaction failed 29189/-3, size 0-0 line 2957
binder: 7389:7392 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7412: binder_alloc_buf, no vma
binder: 7412:7414 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7428:7432 transaction failed 29189/-22, size 0-0 line 2842
binder: 7420:7429 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7450: binder_alloc_buf, no vma
binder: 7450:7453 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7464:7468 transaction failed 29189/-22, size 0-0 line 2842
binder_alloc: 7465: binder_alloc_buf, no vma
binder: 7465:7473 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7492:7497 transaction failed 29189/-22, size 0-0 line 2842
binder_alloc: 7491: binder_alloc_buf, no vma
binder: 7491:7501 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7523:7531 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7554:7558 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7577:7587 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7618:7623 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7643:7648 transaction failed 29189/-22, size 0-0 line 2842
kauditd_printk_skb: 30 callbacks suppressed
audit: type=1400 audit(1517994315.257:121): avc: denied { net_bind_service } for pid=7651 comm="syz-executor5" capability=10 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: send failed reply for transaction 132 to 7652:7658
binder: 7654:7655 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7667:7669 transaction 135 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 135, target dead
binder: 7672:7683 transaction failed 29189/-22, size 0-0 line 2842
binder: BINDER_SET_CONTEXT_MGR already set
binder: release 7673:7684 transaction 138 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: 7675:7686 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7693:7703 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 138, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7693:7710 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7717:7722 transaction failed 29189/-22, size 0-0 line 2842
binder: BINDER_SET_CONTEXT_MGR already set
binder: send failed reply for transaction 142 to 7721:7726
binder: 7718:7727 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7741: binder_alloc_buf, no vma
binder: 7741:7742 transaction failed 29189/-3, size 0-0 line 2957
binder_alloc: 7741: binder_alloc_buf, no vma
binder: 7718:7740 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 147 to 7739:7752
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: send failed reply for transaction 149 to 7764:7775
binder: 7761:7771 transaction failed 29189/-22, size 0-0 line 2842
binder: 7766:7773 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7766:7783 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7788:7795 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7804:7810 transaction failed 29189/-22, size 0-0 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 7818: binder_alloc_buf, no vma
binder: 7818:7822 transaction failed 29189/-3, size 0-0 line 2957
binder_alloc: 7818: binder_alloc_buf, no vma
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7821:7823 transaction failed 29189/-3, size 0-0 line 2957
binder: 7830:7836 ioctl 40046207 0 returned -16
binder_alloc: 7818: binder_alloc_buf, no vma
binder: undelivered TRANSACTION_ERROR: 29189
binder: 7830:7842 transaction failed 29189/-3, size 0-0 line 2957
binder_alloc: 7852: binder_alloc_buf, no vma
binder: 7852:7853 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
QAT: Invalid ioctl
binder: send failed reply for transaction 161 to 7871:7878
QAT: Invalid ioctl
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
QAT: Invalid ioctl
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
QAT: Invalid ioctl
CPU: 1 PID: 7897 Comm: syz-executor3 Not tainted 4.15.0+ #300
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3605
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 binder_get_thread+0x1cf/0x870 drivers/android/binder.c:4279
 binder_ioctl+0x20c/0x1417 drivers/android/binder.c:4566
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453299
RSP: 002b:00007f0c81ecdc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000020007000 RSI: 00000000c0306201 RDI: 0000000000000013
RBP: 0000000000000185 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f1518
R13: 0000000000000015 R14: 00007f0c81ece6d4 R15: ffffffffffffffff
binder: 7896:7897 ioctl c0306201 20007000 returned -12
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 7926 Comm: syz-executor3 Not tainted 4.15.0+ #300
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3605
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 binder_transaction+0x13c1/0x81d0 drivers/android/binder.c:2894
 binder_thread_write+0xb50/0x3840 drivers/android/binder.c:3507
 binder_ioctl_write_read.isra.38+0x261/0xcb0 drivers/android/binder.c:4434
 binder_ioctl+0xb72/0x1417 drivers/android/binder.c:4574
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x453299
RSP: 002b:00007f0c81ecdc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 0000000020007000 RSI: 00000000c0306201 RDI: 0000000000000013
RBP: 0000000000000185 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f1518
R13: 0000000000000015 R14: 00007f0c81ece6d4 R15: ffffffffffffffff
binder: 7921:7926 transaction failed 29201/-12, size 0-0 line 2898
binder: undelivered TRANSACTION_ERROR: 29201
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 7953 Comm: syz-executor3 Not tainted 4.15.0+ #300
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3365 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3605
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 binder_transaction+0x1433/0x81d0 drivers/android/binder.c:2904
 binder_thread_write+0xb50/0x3840 drivers/android/binder.c:3507
 binder_ioctl_write_read.isra.38+0x261/0xcb0 drivers/android/binder.c:4434
