binder: BINDER_SET_CONTEXT_MGR already set
binder: 5739:5741 ioctl 40046207 0 returned -16

======================================================
[ INFO: possible circular locking dependency detected ]
4.4.174+ #17 Not tainted
-------------------------------------------------------
syz-executor.2/5794 is trying to acquire lock:
 (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70

but task is already holding lock:
 (sk_lock-AF_INET6){+.+.+.}, at: [] lock_sock include/net/sock.h:1497 [inline]
 (sk_lock-AF_INET6){+.+.+.}, at: [] do_ipv6_setsockopt.isra.0+0x28a/0x30c0 net/ipv6/ipv6_sockglue.c:166

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [] lock_sock_nested+0xc6/0x120 net/core/sock.c:2463
 [] lock_sock include/net/sock.h:1497 [inline]
 [] do_ipv6_setsockopt.isra.0+0x2eba/0x30c0 net/ipv6/ipv6_sockglue.c:166
 [] compat_ipv6_setsockopt net/ipv6/ipv6_sockglue.c:935 [inline]
 [] compat_ipv6_setsockopt+0xe7/0x1d0 net/ipv6/ipv6_sockglue.c:916
 [] compat_udpv6_setsockopt+0x4e/0x90 net/ipv6/udp.c:1446
 [] compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:2674
 [] C_SYSC_setsockopt net/compat.c:385 [inline]
 [] compat_SyS_setsockopt+0x15c/0x720 net/compat.c:368
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
 [] sysenter_flags_fixed+0xd/0x1a

 [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621
 [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 [] ipv6_sock_mc_close+0x10e/0x350 net/ipv6/mcast.c:288
 [] do_ipv6_setsockopt.isra.0+0x1bd1/0x30c0 net/ipv6/ipv6_sockglue.c:202
 [] compat_ipv6_setsockopt net/ipv6/ipv6_sockglue.c:935 [inline]
 [] compat_ipv6_setsockopt+0xe7/0x1d0 net/ipv6/ipv6_sockglue.c:916
 [] compat_udpv6_setsockopt+0x4e/0x90 net/ipv6/udp.c:1446
 [] compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:2674
 [] C_SYSC_setsockopt net/compat.c:385 [inline]
 [] compat_SyS_setsockopt+0x15c/0x720 net/compat.c:368
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
 [] sysenter_flags_fixed+0xd/0x1a

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_INET6);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_INET6);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.2/5794:
 #0: (sk_lock-AF_INET6){+.+.+.}, at: [] lock_sock include/net/sock.h:1497 [inline]
 #0: (sk_lock-AF_INET6){+.+.+.}, at: [] do_ipv6_setsockopt.isra.0+0x28a/0x30c0 net/ipv6/ipv6_sockglue.c:166

stack backtrace:
CPU: 0 PID: 5794 Comm: syz-executor.2 Not tainted 4.4.174+ #17
 0000000000000000 48cd4a81a2b1cd43 ffff8800a3b97540 ffffffff81aad1a1
 ffffffff84057a80 ffff8801bdaf4740 ffffffff83a8db50 ffffffff83acc5b0
 ffffffff83a8db50 ffff8800a3b97590 ffffffff813abcda ffff8800a3b97670
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [] print_circular_bug.cold+0x2f7/0x44e kernel/locking/lockdep.c:1226
 [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621
 [] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 [] ipv6_sock_mc_close+0x10e/0x350 net/ipv6/mcast.c:288
 [] do_ipv6_setsockopt.isra.0+0x1bd1/0x30c0 net/ipv6/ipv6_sockglue.c:202
 [] compat_ipv6_setsockopt net/ipv6/ipv6_sockglue.c:935 [inline]
 [] compat_ipv6_setsockopt+0xe7/0x1d0 net/ipv6/ipv6_sockglue.c:916
 [] compat_udpv6_setsockopt+0x4e/0x90 net/ipv6/udp.c:1446
 [] compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:2674
 [] C_SYSC_setsockopt net/compat.c:385 [inline]
 [] compat_SyS_setsockopt+0x15c/0x720 net/compat.c:368
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
 [] sysenter_flags_fixed+0xd/0x1a
binder: 5816:5822 unknown command 1127662992
binder: 5816:5822 ioctl c0306201 20012000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5832:5834 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5832:5834 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5860:5865 ioctl 40046207 0 returned -16
binder: 5860:5865 unknown command 51143443
binder: 5860:5865 ioctl c0306201 20000300 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5860:5874 ioctl 40046207 0 returned -16
binder: 5860:5874 unknown command 51143443
binder: 5860:5874 ioctl c0306201 20000300 returned -22
binder: 5889:5896 unknown command 0
binder: 5889:5896 ioctl c0306201 20000300 returned -22
binder: 5889:5896 ERROR: BC_REGISTER_LOOPER called without request
binder: 5889:5896 BC_REQUEST_DEATH_NOTIFICATION invalid ref 3
binder: 5889:5896 ERROR: BC_ENTER_LOOPER called after BC_REGISTER_LOOPER
binder: 5889:5907 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 5889:5896 got transaction to invalid handle
binder: 5889:5896 transaction failed 29201/-22, size 96-24 line 3014
binder: 5891:5900 unknown command 51143443
binder: 5891:5900 ioctl c0306201 20000300 returned -22
binder: undelivered death notification, 0000000000000000
binder: 5945:5947 unknown command 51143443
binder: 5945:5947 ioctl c0306201 20000300 returned -22
binder: undelivered death notification, 0000000000000000
binder: 5967:5969 unknown command 51143443
binder: 5967:5969 ioctl c0306201 20000300 returned -22
binder: undelivered death notification, 0000000000000000
binder: undelivered death notification, 0000000000000000
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6000:6015 ioctl 40046207 0 returned -16
binder: 6000:6005 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6000:6005 unknown command 51143443
binder: 6000:6005 ioctl c0306201 20000300 returned -22
binder: 6035:6038 unknown command 51143443
binder: 6035:6038 ioctl c0306201 20000300 returned -22
audit: type=1400 audit(1560297243.116:21): avc: denied { create } for pid=6045 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6045:6049 ioctl 40046207 0 returned -16
binder: 6045:6046 unknown command -371349351
binder: 6045:6046 ioctl c0306201 20012000 returned -22
binder: 6045:6046 unknown command 1430785169
binder: 6045:6046 ioctl c0306201 20000300 returned -22
binder: 6057:6059 unknown command 51143443
binder: 6057:6059 ioctl c0306201 20000300 returned -22
binder: 6045:6046 unknown command -371349351
binder: 6045:6083 unknown command 1430785169
binder: 6045:6046 ioctl c0306201 20012000 returned -22
binder: 6045:6083 ioctl c0306201 20000300 returned -22
binder: 6087:6088 unknown command 51143443
binder: 6087:6088 ioctl c0306201 20000300 returned -22
binder: 6101:6102 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
binder: 6101:6106 unknown command 20
binder: 6101:6106 ioctl c0306201 20000300 returned -22
binder: 6101:6106 unknown command 0
binder: 6101:6106 ioctl c0306201 200003c0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6111:6113 ioctl 40046207 0 returned -16
binder: 6111:6113 unknown command 51143443
binder: 6111:6113 ioctl c0306201 20000300 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6139:6144 ioctl 40046207 0 returned -16
binder: 6101:6102 BC_REQUEST_DEATH_NOTIFICATION invalid ref 2
binder: 6166:6169 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6166:6176 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6166:6169 ioctl 40042409 0 returned -22
binder: 6166:6169 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6166:6194 Acquire 1 refcount change on invalid ref 0 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6188:6191 ioctl 40046207 0 returned -16
binder: 6166:6176 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6166:6176 ioctl 40042409 0 returned -22
binder: 6166:6176 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6211:6215 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6211:6215 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6233:6237 unknown command 1073741829
binder: 6233:6237 ioctl c0306201 20012000 returned -22
binder: 6233:6242 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6233:6237 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6258:6261 ioctl 6611 0 returned -22
binder: 6258:6261 unknown command 455446244
binder: 6258:6261 ioctl c0306201 20000300 returned -22
binder: 6258:6261 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6258:6261 ioctl 6611 0 returned -22
binder: undelivered death notification, 0000000000000000
binder: 6294:6298 unknown command 1073741829
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6294:6306 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6294:6298 ioctl c0306201 20012000 returned -22
binder: 6297:6300 ioctl 40046207 0 returned -16
binder: 6294:6298 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: undelivered death notification, 0000000000000000
binder: 6330:6333 unknown command 1073741829
binder: 6330:6333 ioctl c0306201 20012000 returned -22
binder: 6330:6333 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6330:6333 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
audit: type=1400 audit(1560297245.786:22): avc: denied { connect } for pid=6304 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 6341:6345 unknown command 1073741829
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6341:6345 ioctl c0306201 20012000 returned -22
binder: 6341:6345 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6341:6345 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6340:6347 ioctl 40046207 0 returned -16
binder: 6357:6360 unknown command 1073741829
binder: 6357:6360 ioctl c0306201 20012000 returned -22
binder: 6357:6360 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6368:6369 unknown command 1073741829
binder: 6368:6369 ioctl c0306201 20012000 returned -22
binder: 6368:6374 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6376:6377 unknown command 4195427
binder: 6376:6377 ioctl c0306201 20012000 returned -22
binder: 6376:6377 unknown command -102678401
binder: 6376:6377 ioctl c0306201 20000300 returned -22
binder: 6376:6377 ioctl 5419 20000080 returned -22
binder: 6376:6377 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6388:6393 unknown command 1073741829
binder: 6388:6393 ioctl c0306201 20012000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6387:6403 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6387:6391 ioctl 40046207 0 returned -16
binder: 6409:6412 unknown command 1073741829
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6409:6412 ioctl c0306201 20012000 returned -22
binder: 6414:6415 ioctl 40046207 0 returned -16
binder: 6414:6415 unknown command 131052
binder: 6414:6415 ioctl c0306201 20012000 returned -22
binder: 6414:6415 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6414:6427 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6447:6452 unknown command 4195333
binder: 6447:6452 ioctl c0306201 20012000 returned -22
binder: 6447:6452 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6457:6462 unknown command 1208771342
binder: 6457:6462 ioctl c0306201 20000300 returned -22
binder: 6457:6462 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 6483:6485 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: undelivered death notification, 0000000000000000
binder: 6522:6525 BC_CLEAR_DEATH_NOTIFICATION invalid ref -19
binder: undelivered death notification, 0000000000000000
binder: undelivered death notification, 0000000000000000
binder: 6551:6554 unknown command 994994013
binder: 6551:6554 ioctl c0306201 20000300 returned -22
binder: 6551:6554 unknown command -1173593329
binder: undelivered death notification, 0000000000000000
binder: 6551:6554 ioctl c0306201 200003c0 returned -22
binder: undelivered death notification, 0000000000000000
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6598:6601 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6608:6612 ioctl 40046207 0 returned -16
binder: 6614:6616 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6614:6616 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6614:6616 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6614:6616 ioctl 40046207 0 returned -16
binder: 6614:6621 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6614:6621 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6614:6621 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: undelivered death notification, 0000000000000000