audit_printk_skb: 97 callbacks suppressed
======================================================
[ INFO: possible circular locking dependency detected ]
4.4.120-gd63fdf6 #29 Not tainted
audit: type=1400 audit(1521744801.591:120): avc: denied { create } for pid=9822 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521744801.601:121): avc: denied { create } for pid=9822 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521744801.601:122): avc: denied { write } for pid=9822 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521744801.601:123): avc: denied { create } for pid=9822 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521744801.601:124): avc: denied { write } for pid=9822 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521744801.601:125): avc: denied { create } for pid=9846 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1521744801.601:126): avc: denied { write } for pid=9846 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
-------------------------------------------------------
syz-executor7/9827 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

       [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366
       [] mmap_region+0x94f/0x1250 mm/mmap.c:1664
       [] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
       [] do_mmap_pgoff include/linux/mm.h:1915 [inline]
       [] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296
       [] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
       [] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449
       [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [] sysenter_flags_fixed+0xd/0x17

       [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [] __might_fault+0x14a/0x1d0 mm/memory.c:3810
       [] copy_to_user arch/x86/include/asm/uaccess.h:760 [inline]
       [] filldir+0x162/0x2d0 fs/readdir.c:180
       [] dir_emit_dot include/linux/fs.h:3070 [inline]
       [] dir_emit_dots include/linux/fs.h:3081 [inline]
       [] dcache_readdir+0x11e/0x7b0 fs/libfs.c:150
       [] iterate_dir+0x1c8/0x420 fs/readdir.c:42
       [] SYSC_getdents fs/readdir.c:215 [inline]
       [] SyS_getdents+0x14a/0x270 fs/readdir.c:196
       [] entry_SYSCALL_64_fastpath+0x1c/0x98

       [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
       [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
       [] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
       [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
       [] vfs_llseek fs/read_write.c:260 [inline]
       [] SYSC_lseek fs/read_write.c:285 [inline]
       [] SyS_lseek fs/read_write.c:276 [inline]
       [] C_SYSC_lseek fs/read_write.c:297 [inline]
       [] compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295
       [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [] sysenter_flags_fixed+0xd/0x17

other info that might help us debug this:

Chain exists of:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor7/9827:
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

stack backtrace:
CPU: 0 PID: 9827 Comm: syz-executor7 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 78f1789872bdd258 ffff8800b2e5fa58 ffffffff81d0408d
 ffffffff851a0010 ffffffff851a9b50 ffffffff851bf030 ffff8800bb2d88f8
 ffff8800bb2d8000 ffff8800b2e5faa0 ffffffff81233ba1 ffff8800bb2d88f8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
 [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
 [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
 [] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
 [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
 [] vfs_llseek fs/read_write.c:260 [inline]
 [] SYSC_lseek fs/read_write.c:285 [inline]
 [] SyS_lseek fs/read_write.c:276 [inline]
 [] C_SYSC_lseek fs/read_write.c:297 [inline]
 [] compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/9866
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 9866 Comm: syz-executor7 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 5feb7f459c6cb7de ffff8800b12d75b8 ffffffff81d0408d
 0000000000000001 ffffffff839fe5a0 ffffffff83cefc20 ffff8800ba5ac800
 0000000000000003 ffff8800b12d75f8 ffffffff81d63fe4 ffffffff810002b8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] ? 0xffffffff810002b8
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
audit: type=1400 audit(1521744802.411:127): avc: denied { set_context_mgr } for pid=9897 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 9897:9899 BC_ACQUIRE_DONE node 26 has no pending acquire request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9897:9901 ioctl 40046207 0 returned -16
 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] sock_write_iter+0x226/0x3b0 net/socket.c:834
 [] do_iter_readv_writev+0x138/0x1e0 fs/read_write.c:664
 [] compat_do_readv_writev+0x2d4/0x6e0 fs/read_write.c:982
 [] compat_writev+0xdc/0x150 fs/read_write.c:1090
 [] C_SYSC_writev fs/read_write.c:1110 [inline]
 [] compat_SyS_writev+0xd8/0x1b0 fs/read_write.c:1099
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor7/9866
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 9866 Comm: syz-executor7 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 5feb7f459c6cb7de ffff8800b12d75b8 ffffffff81d0408d
 0000000000000001 ffffffff839fe5a0 ffffffff83cefc20 ffff8800ba5ac800
 0000000000000003 ffff8800b12d75f8 ffffffff81d63fe4 ffffffff810002b8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 [] ? 0xffffffff810002b8
 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 [] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
 [] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
 [] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
 [] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] sock_write_iter+0x226/0x3b0 net/socket.c:834
 [] do_iter_readv_writev+0x138/0x1e0 fs/read_write.c:664
 [] compat_do_readv_writev+0x2d4/0x6e0 fs/read_write.c:982
 [] compat_writev+0xdc/0x150 fs/read_write.c:1090
 [] C_SYSC_writev fs/read_write.c:1110 [inline]
 [] compat_SyS_writev+0xd8/0x1b0 fs/read_write.c:1099
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17
binder: 10172:10175 transaction failed 29189/-22, size 40-8 line 3005
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=12561 sclass=netlink_route_socket
binder: 10172:10175 transaction failed 29189/-22, size 40-8 line 3005
binder: 10234:10235 transaction failed 29189/-22, size 40-8 line 3005
binder: 10274:10275 transaction failed 29189/-22, size 40-8 line 3005
binder: 10278:10293 transaction failed 29189/-22, size 40-8 line 3005
binder: 10403:10404 transaction failed 29189/-22, size 40-8 line 3005
SELinux: unknown mount option
SELinux: unknown mount option
SELinux: unknown mount option
binder: 10539:10545 transaction failed 29189/-22, size 0-8 line 3005
SELinux: unknown mount option
binder: undelivered TRANSACTION_ERROR: 29189
SELinux: unknown mount option
SELinux: unknown mount option
binder: 10596:10608 transaction failed 29189/-22, size 0-8 line 3005
SELinux: unknown mount option
binder: undelivered TRANSACTION_ERROR: 29189
binder: 10642:10650 transaction failed 29189/-22, size 0-8 line 3005
SELinux: unknown mount option
ALSA: seq fatal error: cannot create timer (-22)
binder: undelivered TRANSACTION_ERROR: 29189
ALSA: seq fatal error: cannot create timer (-22)
SELinux: unknown mount option
binder: 10667:10683 transaction failed 29189/-22, size 40-0 line 3005
binder: undelivered TRANSACTION_ERROR: 29189
SELinux: unknown mount option
binder: 10713:10714 transaction failed 29189/-22, size 40-0 line 3005
binder: undelivered TRANSACTION_ERROR: 29189
audit_printk_skb: 7 callbacks suppressed
audit: type=1400 audit(1521744807.411:130): avc: denied { create } for pid=10718 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1521744807.471:131): avc: denied { create } for pid=10718 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 10756:10761 transaction failed 29189/-22, size 40-8 line 3005
binder: 10777:10790 transaction failed 29189/-22, size 40-8 line 3005
binder: 11007:11008 transaction failed 29189/-22, size 2316750164561231872-2306036317101752320 line 3005
binder: 11007:11008 transaction failed 29189/-22, size 2316750164561231872-2306036317101752320 line 3005
SELinux: unknown mount option
binder: 11048:11050 transaction failed 29189/-22, size 40-8 line 3005
binder: 11048:11052 transaction failed 29189/-22, size 40-8 line 3005
SELinux: unknown mount option
binder: 11089:11091 transaction failed 29189/-22, size 40-8 line 3005
SELinux: unknown mount option
binder: 11105:11107 transaction failed 29189/-22, size 40-8 line 3005
binder: 11151:11162 transaction failed 29189/-22, size 40-8 line 3005
binder: 11212:11213 transaction failed 29189/-22, size 40-8 line 3005
binder: 11212:11213 transaction failed 29189/-22, size 40-8 line 3005
audit: type=1400 audit(1521744809.651:132): avc: denied { create } for pid=11222 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 11219:11231 transaction failed 29189/-22, size 40-8 line 3005
binder: 11219:11231 transaction failed 29189/-22, size 40-8 line 3005
audit: type=1400 audit(1521744809.701:133): avc: denied { write } for pid=11222 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 11261:11266 transaction failed 29189/-22, size -7998391933204430808--8858587112496692286 line 3005
binder: 11261:11266 transaction failed 29189/-22, size -7998391933204430808--8858587112496692286 line 3005
audit: type=1400 audit(1521744809.921:134): avc: denied { create } for pid=11276 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 11282:11286 transaction failed 29189/-22, size 40-8 line 3005
audit: type=1400 audit(1521744810.011:135): avc: denied { create } for pid=11276 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1521744810.021:136): avc: denied { write } for pid=11276 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 11282:11297 transaction failed 29189/-22, size 40-8 line 3005
audit: type=1400 audit(1521744810.251:137): avc: denied { create } for pid=11315 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1521744810.371:138): avc: denied { create } for pid=11315 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1521744810.401:139): avc: denied { write } for pid=11315 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 11395:11405 transaction failed 29189/-22, size 40-8 line 3005
binder: 11395:11405 transaction failed 29189/-22, size 40-8 line 3005
binder: 11438:11439 transaction failed 29189/-22, size 40-8 line 3005
binder: 11438:11441 transaction failed 29189/-22, size 40-8 line 3005
binder: 11460:11465 transaction failed 29189/-22, size 40-8 line 3005
binder: 11460:11475 transaction failed 29189/-22, size 40-8 line 3005
binder: 11519:11523 transaction failed 29189/-22, size 40-8 line 3005
binder: 11519:11523 transaction failed 29189/-22, size 40-8 line 3005
binder: 11568:11574 transaction failed 29189/-22, size 40-8 line 3005
binder: 11568:11586 transaction failed 29189/-22, size 40-8 line 3005