BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/8563
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 8563 Comm: syz-executor4 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
device lo entered promiscuous mode
ffff8801c6d47478 ffffffff81d94b69 0000000000000001 ffffffff83c18800
ffffffff83f454c0 ffff8801b4270000[ 68.396526] 0000000000000003 ffff8801c6d474b8[ 68.401110]
ffffffff81dfc144[ 68.404020] ffff8801c6d474d0 ffffffff83f454c0 dffffc0000000000
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
[] ipcomp6_init_state+0xb5/0x820 net/ipv6/ipcomp6.c:165
[] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
[] xfrm_state_construct net/xfrm/xfrm_user.c:590 [inline]
[] xfrm_add_sa+0x1916/0x2e40 net/xfrm/xfrm_user.c:639
[] xfrm_user_rcv_msg+0x413/0x6a0 net/xfrm/xfrm_user.c:2525
[] netlink_rcv_skb+0x13e/0x370 net/netlink/af_netlink.c:2351
[] xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2533
[] netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
[] netlink_unicast+0x511/0x750 net/netlink/af_netlink.c:1301
[] netlink_sendmsg+0x8e8/0xc50 net/netlink/af_netlink.c:1847
[] sock_sendmsg_nosec net/socket.c:635 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:645
[] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
[] __sys_sendmsg+0xd6/0x190 net/socket.c:2003
[] SYSC_sendmsg net/socket.c:2014 [inline]
[] SyS_sendmsg+0x2d/0x50 net/socket.c:2010
[] entry_SYSCALL_64_fastpath+0x29/0xe8
device lo left promiscuous mode
binder: 8564:8571 got transaction with fd, -1, but target does not allow fds
binder: 8564:8571 transaction failed 29201/-1, size 24-16 line 
3232 binder: undelivered TRANSACTION_ERROR: 29201 binder: 8610:8613 got transaction with invalid offset (40, min 0 max 24) or object. binder: 8610:8613 transaction failed 29201/-22, size 24-8 line 3190 binder: undelivered TRANSACTION_ERROR: 29201 device lo entered promiscuous mode device lo left promiscuous mode binder: 8630:8636 got transaction with invalid offset (40, min 0 max 24) or object. binder: 8630:8636 transaction failed 29201/-22, size 24-8 line 3190 binder: 8630:8654 got transaction to invalid handle binder: 8630:8654 transaction failed 29201/-22, size 0-8 line 3004 binder: undelivered TRANSACTION_ERROR: 29201 binder: undelivered TRANSACTION_ERROR: 29201 binder: 8665:8675 got transaction with invalid offset (40, min 0 max 24) or object. binder: 8665:8675 transaction failed 29201/-22, size 24-8 line 3190 binder: 8665:8692 got transaction to invalid handle binder: 8665:8692 transaction failed 29201/-22, size 0-8 line 3004 binder: undelivered TRANSACTION_ERROR: 29201 binder: undelivered TRANSACTION_ERROR: 29201 binder: 8699:8713 got transaction with fd, -1, but target does not allow fds binder: 8699:8713 transaction failed 29201/-1, size 24-8 line 3232 binder: undelivered TRANSACTION_ERROR: 29201 binder: 8739:8742 got transaction with fd, -1, but target does not allow fds binder: 8739:8742 transaction failed 29201/-1, size 24-8 line 3232 binder: undelivered TRANSACTION_ERROR: 29201 binder: 8773:8784 got transaction with fd, -1, but target does not allow fds binder: 8773:8784 transaction failed 29201/-1, size 24-8 line 3232 binder: undelivered TRANSACTION_ERROR: 29201 binder: 8827:8838 got transaction with fd, -1, but target does not allow fds binder: 8827:8838 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 8827 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 8827:8838 ioctl 40046207 0 returned -16 binder_alloc: 8827: binder_alloc_buf, no vma binder: 8827:8861 
transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: BINDER_SET_CONTEXT_MGR already set binder: 8869:8873 ioctl 40046207 0 returned -16 binder: 8869:8873 got transaction with fd, -1, but target does not allow fds binder: 8869:8873 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 8869 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 8869:8873 ioctl 40046207 0 returned -16 binder: 8869:8873 got transaction with fd, -1, but target does not allow fds binder: 8869:8873 transaction failed 29201/-1, size 24-8 line 3232 binder: release 8863:8870 transaction 198 out, still active binder: release 8863:8870 transaction 196 in, still active binder: undelivered TRANSACTION_COMPLETE binder: 8862:8874 got transaction with fd, -1, but target does not allow fds binder: 8862:8874 transaction failed 29201/-1, size 24-8 line 3232 binder: BINDER_SET_CONTEXT_MGR already set binder: 8863:8884 ioctl 40046207 0 returned -16 binder_alloc: 8863: binder_alloc_buf, no vma binder: 8863:8884 transaction failed 29189/-3, size 0-0 line 3127 binder_alloc: 8863: binder_alloc_buf, no vma binder: 8863:8870 transaction failed 29189/-3, size 0-0 line 3127 binder: BINDER_SET_CONTEXT_MGR already set binder: 8895:8905 ioctl 40046207 0 returned -16 A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check. binder_alloc: 8862: binder_alloc_buf, no vma binder: 8895:8905 transaction failed 29189/-3, size 24-8 line 3127 binder_alloc: binder_alloc_mmap_handler: 8895 20000000-20002000 already mapped failed -16 A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check. 
binder: BINDER_SET_CONTEXT_MGR already set binder: 8895:8905 ioctl 40046207 0 returned -16 binder_alloc: 8862: binder_alloc_buf, no vma binder: 8895:8905 transaction failed 29189/-3, size 24-8 line 3127 binder: BINDER_SET_CONTEXT_MGR already set binder: 8939:8940 ioctl 40046207 0 returned -16 binder_alloc: 8862: binder_alloc_buf, no vma binder: 8939:8951 transaction failed 29189/-3, size 24-8 line 3127 binder: BINDER_SET_CONTEXT_MGR already set binder: 8939:8940 ioctl 40046207 0 returned -16 binder_alloc: 8862: binder_alloc_buf, no vma binder: 8939:8940 transaction failed 29189/-3, size 24-8 line 3127 binder: BINDER_SET_CONTEXT_MGR already set binder: 8988:8991 ioctl 40046207 0 returned -16 binder_alloc: 8862: binder_alloc_buf, no vma binder: 8988:8991 transaction failed 29189/-3, size 24-8 line 3127 binder_alloc: binder_alloc_mmap_handler: 8988 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 8988:8991 ioctl 40046207 0 returned -16 binder_alloc: 8862: binder_alloc_buf, no vma binder: 8988:8991 transaction failed 29189/-3, size 24-8 line 3127 binder: BINDER_SET_CONTEXT_MGR already set binder: 9011:9013 ioctl 40046207 0 returned -16 binder_alloc: 8862: binder_alloc_buf, no vma binder: 9011:9013 transaction failed 29189/-3, size 24-8 line 3127 binder_alloc: binder_alloc_mmap_handler: 9011 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9011:9013 ioctl 40046207 0 returned -16 binder_alloc: 8862: binder_alloc_buf, no vma binder: 9011:9022 transaction failed 29189/-3, size 24-8 line 3127 binder: BINDER_SET_CONTEXT_MGR already set binder: 9016:9032 ioctl 40046207 0 returned -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9027:9031 ioctl 40046207 0 returned -16 binder_alloc: 8862: binder_alloc_buf, no vma binder: 9027:9031 transaction failed 29189/-3, size 24-8 line 3127 binder_alloc: binder_alloc_mmap_handler: 9027 20000000-20002000 already mapped failed -16 binder: 
BINDER_SET_CONTEXT_MGR already set binder: 9027:9031 ioctl 40046207 0 returned -16 binder_alloc: 8862: binder_alloc_buf, no vma binder: 9027:9031 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: release 8863:8884 transaction 196 out, still active binder: undelivered TRANSACTION_COMPLETE binder: send failed reply for transaction 198, target dead binder: send failed reply for transaction 196, target dead binder: undelivered TRANSACTION_ERROR: 29201 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9060:9072 got transaction with fd, -1, but target does not allow fds binder: 9060:9072 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9060 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9060:9072 ioctl 40046207 0 returned -16 binder_alloc: 9060: binder_alloc_buf, no vma binder: 9060:9087 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9101:9108 got transaction with fd, -1, but target does not allow fds binder: 9101:9108 transaction failed 29201/-1, size 24-8 line 3232 device eql entered promiscuous mode binder_alloc: binder_alloc_mmap_handler: 9101 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9101:9108 ioctl 40046207 0 returned -16 binder_alloc: 9101: 
binder_alloc_buf, no vma binder: 9101:9108 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9158:9162 got transaction with fd, -1, but target does not allow fds binder: 9158:9162 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9158 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9158:9162 ioctl 40046207 0 returned -16 binder_alloc: 9158: binder_alloc_buf, no vma binder: 9158:9193 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 IPv6: Can't replace route, no match found binder: 9207:9213 ioctl 40206435 20ccffe0 returned -22 binder: 9207:9213 got transaction with fd, -1, but target does not allow fds binder: 9207:9213 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9207 20000000-20002000 already mapped failed -16 binder: 9207:9213 ioctl 40206435 20ccffe0 returned -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 9207:9237 ioctl 40046207 0 returned -16 binder_alloc: 9207: binder_alloc_buf, no vma binder: 9207:9241 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9245:9258 got transaction with fd, -1, but target does not allow fds binder: 9245:9258 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9245 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9245:9258 ioctl 40046207 0 returned -16 binder_alloc: 9245: binder_alloc_buf, no vma binder: 9245:9275 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 updating oom_score_adj for 9325 (syz-executor4) from 0 to 0 because it shares mm 
with 9314 (syz-executor4). Report if this is unexpected. binder_alloc: 9307: binder_alloc_buf, no vma binder: 9307:9322 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 updating oom_score_adj for 9345 (syz-executor4) from 0 to 0 because it shares mm with 9314 (syz-executor4). Report if this is unexpected. binder: 9349:9353 unknown command 0 binder: 9349:9353 ioctl c0306201 20008000 returned -22 binder_alloc: binder_alloc_mmap_handler: 9349 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9349:9353 ioctl 40046207 0 returned -16 binder: 9349:9363 unknown command 0 binder: 9349:9363 ioctl c0306201 20008000 returned -22 binder: 9382:9392 got transaction with fd, -1, but target does not allow fds binder: 9382:9392 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9382 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9382:9401 ioctl 40046207 0 returned -16 binder_alloc: 9382: binder_alloc_buf, no vma binder: 9382:9401 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9434:9437 got transaction with invalid offsets size, 835 binder: 9434:9437 transaction failed 29201/-22, size 24-835 line 3163 binder: BINDER_SET_CONTEXT_MGR already set binder: 9434:9441 ioctl 40046207 0 returned -16 binder_alloc: 9434: binder_alloc_buf, no vma binder: 9434:9437 transaction failed 29189/-3, size 24-835 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9445:9456 got transaction with fd, -1, but target does not allow fds binder: 9445:9456 transaction failed 29201/-1, size 24-8 line 3232 binder: BINDER_SET_CONTEXT_MGR already set binder: 9445:9466 ioctl 40046207 0 returned -16 binder_alloc: 9445: binder_alloc_buf, no vma binder: 9445:9466 transaction failed 29189/-3, 
size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. SELinux: ebitmap: truncated map binder: 9549:9550 got transaction with fd, -1, but target does not allow fds binder: 9549:9550 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9549 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9549:9550 ioctl 40046207 0 returned -16 binder_alloc: 9549: binder_alloc_buf, no vma binder: 9549:9550 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=44 sclass=netlink_tcpdiag_socket pig=9603 comm=syz-executor1 binder: 9579:9587 got transaction with fd, -1, but target does not allow fds binder: 9579:9587 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9579 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9579:9587 ioctl 40046207 0 returned -16 binder_alloc: 9579: binder_alloc_buf, no vma binder: 9579:9605 transaction failed 29189/-3, size 24-8 line 3127 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=44 sclass=netlink_tcpdiag_socket pig=9613 comm=syz-executor1 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9618:9619 got transaction with fd, -1, but target does not allow fds binder: 9618:9619 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9618 20000000-20002000 already mapped failed -16 binder: 
BINDER_SET_CONTEXT_MGR already set binder: 9618:9619 ioctl 40046207 0 returned -16 binder_alloc: 9618: binder_alloc_buf, no vma binder: 9618:9619 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9643:9650 got transaction with fd, -1, but target does not allow fds binder: 9643:9650 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9643 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9643:9650 ioctl 40046207 0 returned -16 binder_alloc: 9643: binder_alloc_buf, no vma binder: 9643:9664 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 device lo entered promiscuous mode netlink: 4 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor5'. 
binder: 9676:9680 transaction failed 29189/-22, size 24-8 line 3004 syz-executor1 (9682) used greatest stack depth: 23184 bytes left binder: 9676:9690 transaction failed 29189/-22, size 24-8 line 3004 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 binder: 9722:9724 got transaction with fd, -1, but target does not allow fds binder: 9722:9724 transaction failed 29201/-1, size 24-8 line 3232 binder: BINDER_SET_CONTEXT_MGR already set binder: 9722:9741 ioctl 40046207 0 returned -16 binder_alloc: 9722: binder_alloc_buf, no vma binder: 9722:9741 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9783:9786 got transaction with fd, -1, but target does not allow fds binder: 9783:9786 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9783 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9783:9786 ioctl 40046207 0 returned -16 binder_alloc: 9783: binder_alloc_buf, no vma binder: 9783:9786 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9801:9810 got transaction with fd, -1, but target does not allow fds binder: 9801:9810 transaction failed 29201/-1, size 24-8 line 3232 binder: BINDER_SET_CONTEXT_MGR already set binder: 9821:9823 ioctl 40046207 0 returned -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9801:9825 ioctl 40046207 0 returned -16 binder_alloc: 9801: binder_alloc_buf, no vma binder: 9801:9825 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: 9821:9833 ERROR: BC_REGISTER_LOOPER called without request binder: undelivered TRANSACTION_ERROR: 29201 binder: 9821:9833 transaction failed 29189/-22, size 0-0 line 3004 binder: 9821:9840 ERROR: BC_REGISTER_LOOPER called without request binder: 
undelivered TRANSACTION_ERROR: 29189 binder: 9821:9833 unknown command 76 binder: 9821:9833 ioctl c0306201 2000a000 returned -22 binder: 9821:9844 got reply transaction with no transaction stack binder: 9821:9844 transaction failed 29201/-71, size 24-8 line 2920 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9849:9860 got transaction with invalid offset (56, min 0 max 24) or object. binder: 9849:9860 transaction failed 29201/-22, size 24-8 line 3190 binder_alloc: binder_alloc_mmap_handler: 9849 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9849:9860 ioctl 40046207 0 returned -16 binder_alloc: 9849: binder_alloc_buf, no vma binder: 9849:9892 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 audit: type=1400 audit(1517937194.772:38): avc: denied { setpcap } for pid=9912 comm="syz-executor4" capability=8 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 binder: 9908:9911 got transaction with fd, -1, but target does not allow fds binder: 9908:9911 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9908 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9908:9911 ioctl 40046207 0 returned -16 binder_alloc: 9908: binder_alloc_buf, no vma binder: 9908:9925 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9934:9937 got transaction with fd, -1, but target does not allow fds binder: 9934:9937 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9934 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9934:9937 ioctl 40046207 0 returned -16 binder_alloc: 9934: binder_alloc_buf, no vma 
binder: 9934:9944 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9952:9955 got transaction with fd, -1, but target does not allow fds binder: 9952:9955 transaction failed 29201/-1, size 24-8 line 3232 binder: BINDER_SET_CONTEXT_MGR already set binder: 9952:9961 ioctl 40046207 0 returned -16 binder_alloc: 9952: binder_alloc_buf, no vma binder: 9952:9961 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 9972:9992 got transaction with fd, -1, but target does not allow fds binder: 9972:9992 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 9972 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 9972:9977 ioctl 40046207 0 returned -16 binder_alloc: 9972: binder_alloc_buf, no vma binder: 9972:9977 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10004:10010 got transaction with fd, -1, but target does not allow fds binder: 10004:10010 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10004 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10004:10010 ioctl 40046207 0 returned -16 binder_alloc: 10004: binder_alloc_buf, no vma binder: 10004:10010 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: BINDER_SET_CONTEXT_MGR already set binder: 10061:10066 ioctl 40046207 0 returned -16 binder: 10060:10077 got transaction with fd, -1, but target does not allow fds binder: 10060:10077 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10060 20000000-20002000 already mapped failed -16 binder: 
BINDER_SET_CONTEXT_MGR already set binder: 10060:10063 ioctl 40046207 0 returned -16 binder_alloc: 10060: binder_alloc_buf, no vma binder: 10060:10063 transaction failed 29189/-3, size 24-8 line 3127 binder: BINDER_SET_CONTEXT_MGR already set binder: 10061:10094 ioctl 40046207 0 returned -16 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10107:10110 ioctl 5462 2064a000 returned -22 binder: 10107:10110 got transaction with fd, -1, but target does not allow fds binder: 10107:10110 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10107 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10107:10110 ioctl 40046207 0 returned -16 binder: 10107:10110 ioctl 5462 2064a000 returned -22 binder_alloc: 10107: binder_alloc_buf, no vma binder: 10107:10110 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10176:10178 got transaction with fd, -1, but target does not allow fds binder: 10176:10178 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10176 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10176:10178 ioctl 40046207 0 returned -16 netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. binder_alloc: 10176: binder_alloc_buf, no vma binder: 10176:10217 transaction failed 29189/-3, size 24-8 line 3127 netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'. 
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 10241:10243 got transaction with fd, -1, but target does not allow fds
binder: 10241:10243 transaction failed 29201/-1, size 24-8 line 3232
binder_alloc: binder_alloc_mmap_handler: 10241 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10241:10243 ioctl 40046207 0 returned -16
binder_alloc: 10241: binder_alloc_buf, no vma
binder: 10241:10243 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: 10267:10273 got transaction with fd, -1, but target does not allow fds
binder: 10267:10273 transaction failed 29201/-1, size 24-8 line 3232

======================================================
[ INFO: possible circular locking dependency detected ]
4.9.80-g550c01d #29 Not tainted
-------------------------------------------------------
syz-executor5/10295 is trying to acquire lock:
binder_alloc: binder_alloc_mmap_handler: 10267 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10267:10273 ioctl 40046207 0 returned -16
binder_alloc: 10267: binder_alloc_buf, no vma
binder: 10267:10288 transaction failed 29189/-3, size 24-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
(&sb->s_type->i_mutex_key#10){++++++}, at: [] inode_lock include/linux/fs.h:746 [inline]
(&sb->s_type->i_mutex_key#10){++++++}, at: [] shmem_file_llseek+0xef/0x240 mm/shmem.c:2403

but task is already holding lock:
(ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379
mmap_region+0x7dd/0xfd0 mm/mmap.c:1694
do_mmap+0x57b/0xbe0 mm/mmap.c:1473
do_mmap_pgoff include/linux/mm.h:2019 [inline]
vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481
SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
entry_SYSCALL_64_fastpath+0x29/0xe8

lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
__might_fault+0x14a/0x1d0 mm/memory.c:3994
copy_to_user arch/x86/include/asm/uaccess.h:718 [inline]
filldir+0x1aa/0x340 fs/readdir.c:195
dir_emit_dot include/linux/fs.h:3203 [inline]
dir_emit_dots include/linux/fs.h:3214 [inline]
dcache_readdir+0x12d/0x5e0 fs/libfs.c:191
iterate_dir+0x4a6/0x5d0 fs/readdir.c:50
SYSC_getdents fs/readdir.c:230 [inline]
SyS_getdents+0x14a/0x2a0 fs/readdir.c:211
entry_SYSCALL_64_fastpath+0x29/0xe8

check_prev_add kernel/locking/lockdep.c:1828 [inline]
check_prevs_add kernel/locking/lockdep.c:1938 [inline]
validate_chain kernel/locking/lockdep.c:2265 [inline]
__lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
down_write+0x41/0xa0 kernel/locking/rwsem.c:52
inode_lock include/linux/fs.h:746 [inline]
shmem_file_llseek+0xef/0x240 mm/shmem.c:2403
vfs_llseek+0xa2/0xd0 fs/read_write.c:301
ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355
vfs_llseek fs/read_write.c:301 [inline]
SYSC_lseek fs/read_write.c:314 [inline]
SyS_lseek+0xeb/0x170 fs/read_write.c:305
entry_SYSCALL_64_fastpath+0x29/0xe8

other info that might help us debug this:

Chain exists of:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor5/10295:
#0: (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343

stack backtrace:
CPU: 0 PID: 10295 Comm: syz-executor5 Not tainted 4.9.80-g550c01d #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801c6bcfb98 ffffffff81d94b69 ffffffff853a0d50 ffffffff853aaa40
ffffffff853c20e0 ffff8801d564e8d8 ffff8801d564e000 ffff8801c6bcfbe0
ffffffff81238641 ffff8801d564e8d8 00000000d564e8b0 ffff8801d564e8d8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
[] check_prev_add kernel/locking/lockdep.c:1828 [inline]
[] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
[] validate_chain kernel/locking/lockdep.c:2265 [inline]
[] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
[] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
[] down_write+0x41/0xa0 kernel/locking/rwsem.c:52
[] inode_lock include/linux/fs.h:746 [inline]
[] shmem_file_llseek+0xef/0x240 mm/shmem.c:2403
[] vfs_llseek+0xa2/0xd0 fs/read_write.c:301
[] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355
[] vfs_llseek fs/read_write.c:301 [inline]
[] SYSC_lseek fs/read_write.c:314 [inline]
[] SyS_lseek+0xeb/0x170 fs/read_write.c:305
[] entry_SYSCALL_64_fastpath+0x29/0xe8
binder: 10312:10317 got transaction with fd, -1, but target does not allow fds
binder: 10312:10317 transaction failed 29201/-1, size 24-8 line 3232
binder: 10331:10335 unknown command 1074815799
binder: 10331:10335 ioctl c0306201 20cdd000 returned -22
binder: 10331:10338 unknown command 1074815799
binder_alloc: binder_alloc_mmap_handler: 10312 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10312:10317 ioctl 40046207 0 returned -16
binder_alloc: 10312: binder_alloc_buf, no vma
binder: 10312:10317 
transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10331:10338 ioctl c0306201 20cdd000 returned -22 binder: 10347:10356 got transaction with fd, -1, but target does not allow fds binder: 10347:10356 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10347 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10347:10356 ioctl 40046207 0 returned -16 binder_alloc: 10347: binder_alloc_buf, no vma binder: 10347:10372 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10380:10383 got transaction with fd, -1, but target does not allow fds binder: 10380:10383 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10380 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10380:10403 ioctl 40046207 0 returned -16 binder_alloc: 10380: binder_alloc_buf, no vma binder: 10380:10433 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder_alloc: binder_alloc_mmap_handler: 10452 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10452:10453 ioctl 40046207 0 returned -16 binder_alloc: 10452: binder_alloc_buf, no vma binder: 10452:10453 transaction failed 29189/-3, size 0-0 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: release 10452:10453 transaction 311 out, still active binder: undelivered TRANSACTION_COMPLETE binder: send failed reply for transaction 311, target dead binder: 10475:10476 got transaction with fd, -1, but target does not allow fds binder: 10475:10476 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10475 20000000-20002000 already 
mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10475:10476 ioctl 40046207 0 returned -16 binder_alloc: 10475: binder_alloc_buf, no vma binder: 10475:10498 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10510:10514 got transaction with fd, -1, but target does not allow fds binder: 10510:10514 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10510 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10510:10514 ioctl 40046207 0 returned -16 binder_alloc: 10510: binder_alloc_buf, no vma binder: 10510:10533 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10560:10567 got transaction with fd, -1, but target does not allow fds binder: 10560:10567 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10560 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10560:10567 ioctl 40046207 0 returned -16 binder_alloc: 10560: binder_alloc_buf, no vma binder: 10560:10594 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10606:10609 got transaction to invalid handle binder: 10606:10609 transaction failed 29201/-22, size 80-16 line 3004 binder: 10606:10609 got transaction with fd, -1, but target does not allow fds binder: 10606:10609 transaction failed 29201/-1, size 24-8 line 3232 binder_alloc: binder_alloc_mmap_handler: 10606 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 10606:10609 ioctl 40046207 0 returned -16 binder: 10606:10651 got transaction to invalid handle binder: 10606:10651 transaction failed 29201/-22, size 80-16 line 3004 binder_alloc: 10606: 
binder_alloc_buf, no vma binder: 10606:10650 transaction failed 29189/-3, size 24-8 line 3127 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 10659:10660 got transaction with fd, -1, but target does not allow fds binder: 10659:10660 transaction failed 29201/-1, size 24-8 line 3232 binder: BINDER_SET_CONTEXT_MGR already set binder: 10682:10683 ioctl 40046207 0 returned -16 binder: 10682:10683 got transaction to invalid handle binder: 10682:10683 transaction failed 29201/-22, size 80-16 line 3004