audit: type=1400 audit(1540806920.986:11): avc:  denied  { set_context_mgr } for  pid=4188 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1

======================================================
[ INFO: possible circular locking dependency detected ]
audit: type=1400 audit(1540806921.016:12): avc:  denied  { call } for  pid=4188 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder_alloc: 4188: binder_alloc_buf, no vma
binder: 4188:4192 transaction failed 29189/-3, size 0-0 line 3137
binder: undelivered TRANSACTION_ERROR: 29189
4.4.162+ #117 Not tainted
binder: 4201:4202 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
-------------------------------------------------------
syz-executor2/4194 is trying to acquire lock:
 (rtnl_mutex){+.+.+.}, at: [  125.995890] binder: 4206:4207 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
[<ffffffff8225a727>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70

but task is already holding lock:
 (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff825eab82>] lock_sock include/net/sock.h:1493 [inline]
 (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff825eab82>] do_ipv6_setsockopt.isra.4+0x252/0x2d50 net/ipv6/ipv6_sockglue.c:166
binder: 4209:4210 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:
binder: 4212:4213 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189

       [<ffffffff81202cde>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [<ffffffff821d0406>] lock_sock_nested+0xc6/0x120 net/core/sock.c:2459
       [<ffffffff823c5646>] lock_sock include/net/sock.h:1493 [inline]
       [<ffffffff823c5646>] do_ip_setsockopt.isra.4+0x176/0x2a20 net/ipv4/ip_sockglue.c:627
       [<ffffffff823c7f2a>] ip_setsockopt+0x3a/0xa0 net/ipv4/ip_sockglue.c:1220
       [<ffffffff8246da2a>] udp_setsockopt+0x4a/0x90 net/ipv4/udp.c:2162
       [<ffffffff825ed78a>] ipv6_setsockopt+0x10a/0x130 net/ipv6/ipv6_sockglue.c:899
       [<ffffffff823e4e68>] tcp_setsockopt+0x88/0xe0 net/ipv4/tcp.c:2643
       [<ffffffff821ca60a>] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2659
       [<ffffffff821c8046>] SYSC_setsockopt net/socket.c:1780 [inline]
       [<ffffffff821c8046>] SyS_setsockopt+0x166/0x260 net/socket.c:1759
       [<ffffffff827062e1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

       [<ffffffff811ff0fc>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [<ffffffff811ff0fc>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [<ffffffff811ff0fc>] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [<ffffffff811ff0fc>] __lock_acquire+0x3e6c/0x5f10 kernel/locking/lockdep.c:3213
       [<ffffffff81202cde>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [<ffffffff826fad9b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff826fad9b>] mutex_lock_nested+0xbb/0x8d0 kernel/locking/mutex.c:621
       [<ffffffff8225a727>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
       [<ffffffff82624cce>] ipv6_sock_mc_close+0x10e/0x350 net/ipv6/mcast.c:288
       [<ffffffff825eb637>] do_ipv6_setsockopt.isra.4+0xd07/0x2d50 net/ipv6/ipv6_sockglue.c:202
       [<ffffffff825ed717>] ipv6_setsockopt+0x97/0x130 net/ipv6/ipv6_sockglue.c:904
       [<ffffffff8260258a>] udpv6_setsockopt+0x4a/0x90 net/ipv6/udp.c:1436
       [<ffffffff821ca60a>] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2659
       [<ffffffff821c8046>] SYSC_setsockopt net/socket.c:1780 [inline]
       [<ffffffff821c8046>] SyS_setsockopt+0x166/0x260 net/socket.c:1759
       [<ffffffff827062e1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(sk_lock-AF_INET6);
                               lock(rtnl_mutex);
                               lock(sk_lock-AF_INET6);
  lock(rtnl_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor2/4194:
 #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff825eab82>] lock_sock include/net/sock.h:1493 [inline]
 #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff825eab82>] do_ipv6_setsockopt.isra.4+0x252/0x2d50 net/ipv6/ipv6_sockglue.c:166

stack backtrace:
CPU: 1 PID: 4194 Comm: syz-executor2 Not tainted 4.4.162+ #117
 0000000000000000 7cfca8150d660acb ffff8801d9caf5a8 ffffffff81a994bd
 ffffffff83a85b10 ffffffff83ac4720 ffffffff83a85b10 ffff8801c15120a8
 ffff8801c15117c0 ffff8801d9caf5f0 ffffffff813a834a 0000000000000001
Call Trace:
 [<ffffffff81a994bd>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81a994bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff813a834a>] print_circular_bug.cold.34+0x2f7/0x432 kernel/locking/lockdep.c:1226
 [<ffffffff811ff0fc>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [<ffffffff811ff0fc>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [<ffffffff811ff0fc>] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [<ffffffff811ff0fc>] __lock_acquire+0x3e6c/0x5f10 kernel/locking/lockdep.c:3213
 [<ffffffff81202cde>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [<ffffffff826fad9b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [<ffffffff826fad9b>] mutex_lock_nested+0xbb/0x8d0 kernel/locking/mutex.c:621
 [<ffffffff8225a727>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:70
 [<ffffffff82624cce>] ipv6_sock_mc_close+0x10e/0x350 net/ipv6/mcast.c:288
 [<ffffffff825eb637>] do_ipv6_setsockopt.isra.4+0xd07/0x2d50 net/ipv6/ipv6_sockglue.c:202
 [<ffffffff825ed717>] ipv6_setsockopt+0x97/0x130 net/ipv6/ipv6_sockglue.c:904
 [<ffffffff8260258a>] udpv6_setsockopt+0x4a/0x90 net/ipv6/udp.c:1436
 [<ffffffff821ca60a>] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2659
 [<ffffffff821c8046>] SYSC_setsockopt net/socket.c:1780 [inline]
 [<ffffffff821c8046>] SyS_setsockopt+0x166/0x260 net/socket.c:1759
 [<ffffffff827062e1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
binder: 4335:4337 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder: 4358:4360 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder: 4380:4391 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder: 4462:4465 ioctl 80184540 20000000 returned -22
binder: 4462:4466 ioctl 80184540 20000000 returned -22
binder: 4490:4495 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4490:4495 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 4490:4495 got transaction to invalid handle
binder: 4490:4495 transaction failed 29201/-22, size 88-40 line 3014
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4516:4517 ioctl 40046207 0 returned -16
binder: 4490:4527 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4490:4527 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 4490:4527 got transaction to invalid handle
binder: 4490:4527 transaction failed 29201/-22, size 88-40 line 3014
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4567:4571 ioctl 40046207 0 returned -16
binder: 4575:4581 ioctl 4b63 20000000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4602:4603 ioctl 40046207 0 returned -16
binder: 4623:4627 ioctl 4028700f 20000000 returned -22
binder: 4620:4625 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4620:4625 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 4623:4627 ioctl 4028700f 20000000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4620:4625 got transaction to invalid handle
binder: 4620:4625 transaction failed 29201/-22, size 88-40 line 3014
binder: 4645:4649 ioctl 8040451a 20000000 returned -22
binder: 4648:4654 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4648:4654 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 4633:4635 ioctl 40046207 0 returned -16
binder: 4648:4654 got transaction to invalid handle
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4648:4654 transaction failed 29201/-22, size 88-40 line 3014
binder: 4681:4682 ioctl 4b64 20000040 returned -22
binder: 4672:4678 ioctl 40046207 0 returned -16
binder: 4699:4703 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4699:4703 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 4699:4703 got transaction to invalid handle
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4699:4703 transaction failed 29201/-22, size 88-40 line 3014
binder: 4713:4723 ioctl 40046207 0 returned -16
binder: 4738:4742 got reply transaction with no transaction stack
binder: 4739:4743 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4739:4743 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 4738:4742 transaction failed 29201/-71, size 24-48 line 2922
binder: 4739:4743 got transaction to invalid handle
binder: 4738:4752 got reply transaction with no transaction stack
binder: 4739:4743 transaction failed 29201/-22, size 88-40 line 3014
binder: 4738:4752 transaction failed 29201/-71, size 24-48 line 2922
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
binder: 4761:4766 ioctl 5411 20000000 returned -22
binder: 4765:4771 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4765:4771 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 4782:4785 unknown command 0
binder: 4765:4771 got transaction to invalid handle
binder: 4782:4785 ioctl c0306201 20000080 returned -22
binder: 4765:4771 transaction failed 29201/-22, size 88-40 line 3014
binder: 4807:4810 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4807:4810 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 4807:4810 got transaction to invalid handle
binder: 4807:4810 transaction failed 29201/-22, size 88-40 line 3014
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4827:4828 ioctl 40046207 0 returned -16
binder: 4848:4851 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4848:4851 BC_ACQUIRE_DONE u0000000000000000 no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4848:4851 got transaction to invalid handle
binder: 4861:4868 ioctl 40046207 0 returned -16
binder: 4848:4851 transaction failed 29201/-22, size 88-40 line 3014
audit: type=1400 audit(1540806926.086:13): avc:  denied  { create } for  pid=4892 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1
binder: 4896:4905 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4896:4905 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4896:4905 got transaction to invalid handle
binder: 4896:4905 transaction failed 29201/-22, size 88-40 line 3014
binder: 4907:4908 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4907:4908 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 4907:4908 got transaction to invalid handle
binder: 4907:4908 transaction failed 29201/-22, size 88-40 line 3014
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4937:4959 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 4991:4997 ioctl 40046207 0 returned -16
binder: 5011:5021 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5011:5021 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5019:5030 ioctl 40046207 0 returned -16
binder: 5011:5021 got transaction to invalid handle
binder: 5011:5021 transaction failed 29201/-22, size 88-40 line 3014
binder: 5057:5064 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5057:5064 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5057:5064 got transaction to invalid handle
binder: 5057:5064 transaction failed 29201/-22, size 88-40 line 3014
binder: 5080:5082 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5080:5082 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5080:5082 got transaction to invalid handle
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5080:5082 transaction failed 29201/-22, size 88-40 line 3014
binder: 5094:5098 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5094:5098 ioctl 40046207 0 returned -16
binder: 5111:5114 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5094:5107 ioctl 40046207 0 returned -16
binder: 5111:5114 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5129:5133 ioctl 8954 20000000 returned -22
binder: 5111:5114 got transaction to invalid handle
binder: 5129:5133 ioctl 8954 20000000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5111:5114 transaction failed 29201/-22, size 88-40 line 3014
binder: 5137:5143 ioctl 54a0 0 returned -22
binder: 5129:5139 ioctl 40046207 0 returned -16
binder: 5157:5166 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5156:5167 ioctl 40046207 0 returned -16
binder: 5157:5166 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5157:5166 got transaction to invalid handle
binder: 5157:5166 transaction failed 29201/-22, size 88-40 line 3014
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5185:5195 ioctl 40046207 0 returned -16
binder: 5208:5212 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5208:5212 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5223:5228 ioctl 800c6613 20000000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5207:5219 ioctl 40046207 0 returned -16
binder: 5236:5242 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5223:5238 ioctl 800c6613 20000000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5236:5242 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5237:5243 ioctl 40046207 0 returned -16
binder: 5260:5262 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5257:5261 ioctl 40046207 0 returned -16
binder: 5260:5262 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5275:5278 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5280:5287 ioctl 40046207 0 returned -16
binder: 5275:5278 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5306:5309 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5320:5323 ioctl 41009432 20000100 returned -22
binder: 5306:5309 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 5320:5323 ioctl 41009432 20000100 returned -22