BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor0/8532
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 8532 Comm: syz-executor0 Not tainted 4.9.72-gcb7518e #114
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf7a76d8 ffffffff81d922b9 0000000000000001 ffffffff83c17a00
 ffffffff83f444c0 ffff8801cf62c800 0000000000000003 ffff8801cf7a7718
 ffffffff81df9294 ffff8801cf7a7730 ffffffff83f444c0 dffffc0000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
 __sys_sendmsg+0xd6/0x190 net/socket.c:2003
 SYSC_sendmsg net/socket.c:2014 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2010
 entry_SYSCALL_64_fastpath+0x23/0xc6

======================================================
[ INFO: possible circular locking dependency detected ]
4.9.72-gcb7518e #114 Not tainted
-------------------------------------------------------
syz-executor4/8550 is trying to acquire lock:
 (&pipe->mutex/1){+.+.+.}, at: __pipe_lock fs/pipe.c:87 [inline]
 (&pipe->mutex/1){+.+.+.}, at: fifo_open+0x15c/0xa30 fs/pipe.c:916

but task is already holding lock:
 (&sig->cred_guard_mutex){+.+.+.}, at: prepare_bprm_creds+0x53/0x110 fs/exec.c:1370

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&sig->cred_guard_mutex){+.+.+.}:
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_interruptible_nested+0xcc/0x950 kernel/locking/mutex.c:650
       proc_pid_attr_write+0x148/0x270 fs/proc/base.c:2506
       __vfs_write+0x103/0x680 fs/read_write.c:510
       __kernel_write+0xf0/0x340 fs/read_write.c:532
       write_pipe_buf+0x159/0x1f0 fs/splice.c:816
       splice_from_pipe_feed fs/splice.c:521 [inline]
       __splice_from_pipe+0x323/0x730 fs/splice.c:645
       splice_from_pipe+0xf9/0x160 fs/splice.c:680
       default_file_splice_write+0x40/0x90 fs/splice.c:828
       do_splice_from fs/splice.c:870 [inline]
       do_splice fs/splice.c:1166 [inline]
       SYSC_splice fs/splice.c:1416 [inline]
       SyS_splice+0x7bd/0x1520 fs/splice.c:1399
       entry_SYSCALL_64_fastpath+0x23/0xc6

-> #0 (&pipe->mutex/1){+.+.+.}:
       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
       __pipe_lock fs/pipe.c:87 [inline]
       fifo_open+0x15c/0xa30 fs/pipe.c:916
       do_dentry_open+0x607/0xc60 fs/open.c:766
       vfs_open+0x105/0x220 fs/open.c:879
       do_last fs/namei.c:3408 [inline]
       path_openat+0x5ac/0x2910 fs/namei.c:3531
       do_filp_open+0x197/0x290 fs/namei.c:3566
       do_open_execat+0xfa/0x4d0 fs/exec.c:844
       do_execveat_common.isra.37+0x6d6/0x1f10 fs/exec.c:1724
       do_execve fs/exec.c:1830 [inline]
       SYSC_execve fs/exec.c:1911 [inline]
       SyS_execve+0x42/0x50 fs/exec.c:1906
       do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280
       return_from_SYSCALL_64+0x0/0x7a

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sig->cred_guard_mutex);
                               lock(&pipe->mutex/1);
                               lock(&sig->cred_guard_mutex);
  lock(&pipe->mutex/1);

 *** DEADLOCK ***

1 lock held by syz-executor4/8550:
 #0:  (&sig->cred_guard_mutex){+.+.+.}, at: prepare_bprm_creds+0x53/0x110 fs/exec.c:1370

stack backtrace:
CPU: 0 PID: 8550 Comm: syz-executor4 Not tainted 4.9.72-gcb7518e #114
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf65f558 ffffffff81d922b9 ffffffff8539f3d0 ffffffff8539f3d0
 ffffffff85364ea0 ffff8801cec668d8 ffff8801cec66000 ffff8801cf65f5a0
 ffffffff812367e1 ffff8801cec668d8 00000000cec668b0 ffff8801cec668d8
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
 check_prev_add kernel/locking/lockdep.c:1828 [inline]
 check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 validate_chain kernel/locking/lockdep.c:2265 [inline]
 __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
 lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
 __pipe_lock fs/pipe.c:87 [inline]
 fifo_open+0x15c/0xa30 fs/pipe.c:916
 do_dentry_open+0x607/0xc60 fs/open.c:766
 vfs_open+0x105/0x220 fs/open.c:879
 do_last fs/namei.c:3408 [inline]
 path_openat+0x5ac/0x2910 fs/namei.c:3531
 do_filp_open+0x197/0x290 fs/namei.c:3566
 do_open_execat+0xfa/0x4d0 fs/exec.c:844
 do_execveat_common.isra.37+0x6d6/0x1f10 fs/exec.c:1724
 do_execve fs/exec.c:1830 [inline]
 SYSC_execve fs/exec.c:1911 [inline]
 SyS_execve+0x42/0x50 fs/exec.c:1906
 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280
 entry_SYSCALL64_slow_path+0x25/0x25

BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor0/8553
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 8553 Comm: syz-executor0 Not tainted 4.9.72-gcb7518e #114
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ced476d8 ffffffff81d922b9 0000000000000001 ffffffff83c17a00
 ffffffff83f444c0 ffff8801cf629800 0000000000000003 ffff8801ced47718
 ffffffff81df9294 ffff8801ced47730 ffffffff83f444c0 dffffc0000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
 __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
 ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
 ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
 ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137
 __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
 xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
 pfkey_msg2xfrm_state net/key/af_key.c:1281 [inline]
 pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1498
 pfkey_process+0x61e/0x730 net/key/af_key.c:2826
 pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3670
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
 __sys_sendmsg+0xd6/0x190 net/socket.c:2003
 SYSC_sendmsg net/socket.c:2014 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2010
 entry_SYSCALL_64_fastpath+0x23/0xc6

binder: 8646:8650 transaction failed 29201/-22, size 0-0 line 3127
binder_alloc: binder_alloc_mmap_handler: 8646 2011a000-2051a000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8646:8650 ioctl 40046207 0 returned -16
binder_alloc: 8646: binder_alloc_buf, no vma
binder: 8646:8661 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8825:8826 got transaction with invalid offset (0, min 0 max 0) or object.
binder: 8825:8826 transaction failed 29201/-22, size 0-8 line 3190
binder_alloc: binder_alloc_mmap_handler: 8825 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8825:8826 ioctl 40046207 0 returned -16
binder_alloc: 8825: binder_alloc_buf, no vma
binder: 8825:8836 transaction failed 29189/-3, size 0-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1400 audit(1514400259.001:43): avc: denied { transfer } for pid=8983 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder_alloc: binder_alloc_mmap_handler: 8983 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8983:8993 ioctl 40046207 0 returned -16
binder_alloc: 8983: binder_alloc_buf, no vma
binder: 8983:8993 transaction failed 29189/-3, size 80-16 line 3127
binder: release 8983:8986 transaction 82 out, still active
binder: unexpected work type, 4, not freed
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 82, target dead

FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 8982 Comm: syz-executor1 Not tainted 4.9.72-gcb7518e #114
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cd217960 ffffffff81d922b9 ffff8801cd217c40 0000000000000000
 ffff8801d9af3310 ffff8801cd217b30 ffff8801d9af3200 ffff8801cd217b58
 ffffffff8165fb7a ffff8801cd217980 ffff8801cd217ab0 00000001cf835067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
 entry_SYSCALL_64_fastpath+0x23/0xc6

Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
device gre0 left promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
binder: release 9314:9328 transaction 92 in, still active
binder: send failed reply for transaction 92 to 9314:9315
binder_alloc: binder_alloc_mmap_handler: 9314 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9314:9315 ioctl 40046207 0 returned -16
binder_alloc: 9314: binder_alloc_buf, no vma
binder: 9314:9328 transaction failed 29189/-3, size 0-0 line 3127
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
audit: type=1400 audit(1514400260.771:44): avc: denied { create } for pid=9374 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1
IPv6: ADDRCONF(NETDEV_CHANGE): gre0: link becomes ready
device gre0 entered promiscuous mode
sg_write: data in/out 458716/24 bytes for SCSI command 0x42-- guessing data in; program syz-executor0 not setting count and/or reply_len properly
device gre0 entered promiscuous mode
sock: sock_set_timeout: `syz-executor5' (pid 9720) tries to set negative timeout
sock: sock_set_timeout: `syz-executor5' (pid 9720) tries to set negative timeout
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9837:9849 ioctl 40046207 0 returned -16
binder_alloc: 9837: binder_alloc_buf, no vma
binder: 9837:9843 transaction failed 29189/-3, size 40-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 9837:9843 transaction 95 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 95, target dead
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=11538 sclass=netlink_route_socket pig=10081 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=11538 sclass=netlink_route_socket pig=10091 comm=syz-executor0
audit: type=1400 audit(1514400262.971:45): avc: denied { setattr } for pid=10073 comm="syz-executor6" name="fscreate" dev="proc" ino=21256 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=file permissive=1

FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 10117 Comm: syz-executor3 Not tainted 4.9.72-gcb7518e #114
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c5cc7960 ffffffff81d922b9 ffff8801c5cc7c40 0000000000000000
 ffff8801c300b490 ffff8801c5cc7b30 ffff8801c300b380 ffff8801c5cc7b58
 ffffffff8165fb7a ffff8801c5cc7980 ffff8801c5cc7ab0 00000001b4f8f067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
 entry_SYSCALL_64_fastpath+0x23/0xc6

FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 10115 Comm: syz-executor6 Not tainted 4.9.72-gcb7518e #114
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c63474e0 ffffffff81d922b9 ffff8801c63477c0 0000000000000000
 ffff8801c8cff010 ffff8801c63476b0 ffff8801c8cfef00 ffff8801c63476d8
 ffffffff8165fb7a ffff8801b49b6000 ffff8801c6347630 00000001d01de067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1007
 generic_perform_write+0x1dc/0x500 mm/filemap.c:2731
 __generic_file_write_iter+0x348/0x570 mm/filemap.c:2866
 generic_file_write_iter+0x2d5/0x600 mm/filemap.c:2894
 new_sync_write fs/read_write.c:499 [inline]
 __vfs_write+0x4bf/0x680 fs/read_write.c:512
 vfs_write+0x189/0x530 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6

SELinux: unrecognized netlink message: protocol=9 nlmsg_type=17 sclass=netlink_audit_socket pig=10169 comm=syz-executor1
binder: 10240:10251 got transaction with too large buffer
binder: 10240:10251 transaction failed 29201/-22, size 40-8 line 3286
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10240:10264 ioctl 40046207 0 returned -16
binder_alloc: 10240: binder_alloc_buf, no vma
binder: 10240:10251 transaction failed 29189/-3, size 40-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2865 sclass=netlink_route_socket pig=10337 comm=syz-executor2
device lo left promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 10450 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 10450:10451 ioctl 40046207 0 returned -16
binder_alloc: 10450: binder_alloc_buf, no vma
binder: 10450:10454 transaction failed 29189/-3, size 40-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 10450:10451 transaction 103 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 103, target dead
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
audit: type=1400 audit(1514400264.971:46): avc: denied { create } for pid=10607 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
binder: release 10659:10685 transaction 108 in, still active
binder: send failed reply for transaction 108 to 10659:10670
binder: BINDER_SET_CONTEXT_MGR already set
device lo entered promiscuous mode
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly
binder_alloc: 10659: binder_alloc_buf, no vma
binder: 10659:10670 transaction failed 29189/-3, size 0-0 line 3127
binder: 10659:10685 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
nla_parse: 2 callbacks suppressed
netlink: 21 bytes leftover after parsing attributes in process `syz-executor7'.
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: using input dev AT Translated Set 2 keyboard for fevent
device gre0 entered promiscuous mode
netlink: 6 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 entered promiscuous mode
netlink: 6 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 11017:11023 ioctl 40046205 10000ffffffff returned -22
binder: 11017:11033 ioctl 40046205 10000ffffffff returned -22
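The lockdep report in this log is the one item worth triaging by hand: the task holds &sig->cred_guard_mutex (execve) and asks for &pipe->mutex/1 (fifo_open), while an already recorded path (splice into a /proc/pid/attr file, proc_pid_attr_write) takes the same two locks in the opposite order. As an added example that is not part of the log or of any kernel tooling, the Python below parses a lockdep "possible circular locking dependency" report of this shape, extracts the lock being acquired, the lock already held and the dependency chain, maps each chain entry to the syscall at the bottom of its stack, and reports whether the chain closes into an inversion. The sample text is an excerpt of the report above with the frame lists shortened; the function names are this example's own.

```python
"""Parse a lockdep 'possible circular locking dependency' report out of raw
dmesg text and check that it describes a lock-order inversion."""
import re

# Lock names appear as "(&pipe->mutex/1){+.+.+.}"; capture the part in parens.
LOCK_RE = re.compile(r"\((&[^)]+)\)\{")
CHAIN_HDR_RE = re.compile(r"^-> #(\d+) \((&[^)]+)\)\{")
# Syscall entry frames look like "SYSC_splice ..." or "SyS_execve+0x42/0x50 ...".
SYSCALL_RE = re.compile(r"\b(?:SYSC|SyS)_(\w+)")

# Constructed sample: excerpt of the lockdep report in the log above, frames shortened.
SAMPLE = """\
======================================================
[ INFO: possible circular locking dependency detected ]
4.9.72-gcb7518e #114 Not tainted
-------------------------------------------------------
syz-executor4/8550 is trying to acquire lock:
 (&pipe->mutex/1){+.+.+.}, at: __pipe_lock fs/pipe.c:87 [inline]
 (&pipe->mutex/1){+.+.+.}, at: fifo_open+0x15c/0xa30 fs/pipe.c:916
but task is already holding lock:
 (&sig->cred_guard_mutex){+.+.+.}, at: prepare_bprm_creds+0x53/0x110 fs/exec.c:1370

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&sig->cred_guard_mutex){+.+.+.}:
       mutex_lock_interruptible_nested+0xcc/0x950 kernel/locking/mutex.c:650
       proc_pid_attr_write+0x148/0x270 fs/proc/base.c:2506
       write_pipe_buf+0x159/0x1f0 fs/splice.c:816
       SYSC_splice fs/splice.c:1416 [inline]
       SyS_splice+0x7bd/0x1520 fs/splice.c:1399

-> #0 (&pipe->mutex/1){+.+.+.}:
       mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
       fifo_open+0x15c/0xa30 fs/pipe.c:916
       do_open_execat+0xfa/0x4d0 fs/exec.c:844
       SYSC_execve fs/exec.c:1911 [inline]
       SyS_execve+0x42/0x50 fs/exec.c:1906

other info that might help us debug this:
"""


def parse_lockdep(text):
    """Return {'acquiring': lock, 'held': lock, 'chain': [{'idx', 'lock', 'frames'}]}."""
    report = {"acquiring": None, "held": None, "chain": []}
    mode, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("is trying to acquire lock:"):
            mode = "acquiring"
            continue
        if line == "but task is already holding lock:":
            mode = "held"
            continue
        if line.startswith("other info that might help"):
            break  # the scenario table and backtrace follow; nothing more to parse
        hdr = CHAIN_HDR_RE.match(line)
        if hdr:
            current = {"idx": int(hdr.group(1)), "lock": hdr.group(2), "frames": []}
            report["chain"].append(current)
            mode = "chain"
            continue
        if mode in ("acquiring", "held"):
            m = LOCK_RE.search(line)
            if m and report[mode] is None:
                report[mode] = m.group(1)  # first "at:" line names the lock
        elif mode == "chain" and current is not None and line:
            current["frames"].append(line)
    return report


def entry_syscall(frames):
    """Name of the syscall at the bottom of a chain entry's stack, or None."""
    for frame in frames:
        m = SYSCALL_RE.search(frame)
        if m:
            return m.group(1)
    return None


def summarize(report):
    """Map each lock in the dependency chain to the syscall whose path takes it."""
    return {entry["lock"]: entry_syscall(entry["frames"]) for entry in report["chain"]}


def is_lock_inversion(report):
    """True when the lock being acquired is chain entry #0 and the lock already
    held appears elsewhere in the chain, i.e. the recorded order is the reverse
    of the order this task is using."""
    if report["acquiring"] is None or report["held"] is None or not report["chain"]:
        return False
    by_idx = {entry["idx"]: entry["lock"] for entry in report["chain"]}
    return (by_idx.get(0) == report["acquiring"]
            and report["held"] in by_idx.values()
            and report["acquiring"] != report["held"])


if __name__ == "__main__":
    r = parse_lockdep(SAMPLE)
    print("acquiring:", r["acquiring"], "held:", r["held"])
    print("lock -> syscall:", summarize(r))
    print("inversion:", is_lock_inversion(r))
```

The parser stops at "other info that might help us debug this:" because everything after it (the CPU0/CPU1 table and the stack backtrace) restates what the chain already encodes. On a raw syzkaller dmesg the report may be interleaved with unrelated lines from other CPUs, as it is above; feeding the parser a slice starting at the "[ INFO:" banner is enough, since it ignores lines that match none of its patterns.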