SELinux: unrecognized netlink message: protocol=0 nlmsg_type=951 sclass=netlink_route_socket pig=22776 comm=syz-executor3 netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'. ====================================================== WARNING: possible circular locking dependency detected 4.16.0-rc4+ #252 Not tainted ------------------------------------------------------ syz-executor2/22785 is trying to acquire lock: (&mm->mmap_sem){++++}, at: [<00000000f4e78785>] __might_fault+0xe0/0x1d0 mm/memory.c:4570 but task is already holding lock: (ashmem_mutex){+.+.}, at: [<000000007f40cdf5>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline] (ashmem_mutex){+.+.}, at: [<000000007f40cdf5>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (ashmem_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362 call_mmap include/linux/fs.h:1786 [inline] mmap_region+0xa99/0x15a0 mm/mmap.c:1705 do_mmap+0x6c0/0xe00 mm/mmap.c:1483 do_mmap_pgoff include/linux/mm.h:2223 [inline] vm_mmap_pgoff+0x1de/0x280 mm/util.c:355 SYSC_mmap_pgoff mm/mmap.c:1533 [inline] SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 -> #0 (&mm->mmap_sem){++++}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __might_fault+0x13a/0x1d0 mm/memory.c:4571 _copy_from_user+0x2c/0x110 lib/usercopy.c:10 copy_from_user include/linux/uaccess.h:147 [inline] ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline] ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782 compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:813 C_SYSC_ioctl fs/compat_ioctl.c:1461 [inline] compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1407 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by syz-executor2/22785: #0: (ashmem_mutex){+.+.}, at: [<000000007f40cdf5>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline] #0: (ashmem_mutex){+.+.}, at: [<000000007f40cdf5>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782 stack backtrace: CPU: 1 PID: 22785 Comm: syz-executor2 Not tainted 4.16.0-rc4+ #252 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223 check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1976 [inline] validate_chain kernel/locking/lockdep.c:2417 [inline] __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __might_fault+0x13a/0x1d0 mm/memory.c:4571 _copy_from_user+0x2c/0x110 lib/usercopy.c:10 copy_from_user include/linux/uaccess.h:147 [inline] ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline] ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782 compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:813 C_SYSC_ioctl fs/compat_ioctl.c:1461 [inline] compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1407 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7f1bc99 RSP: 002b:00000000f771709c EFLAGS: 00000286 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 0000000000007709 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 QAT: Invalid ioctl QAT: Invalid ioctl netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'. audit: type=1400 audit(1520305376.078:83): avc: denied { accept } for pid=22872 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 23168 Comm: syz-executor7 Not tainted 4.16.0-rc4+ #252 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc_node mm/slab.c:3286 [inline] kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3629 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:983 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1180 [inline] netlink_sendmsg+0xa86/0xe60 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 sock_write_iter+0x31a/0x5d0 net/socket.c:909 call_write_iter include/linux/fs.h:1781 [inline] new_sync_write fs/read_write.c:469 [inline] __vfs_write+0x684/0x970 fs/read_write.c:482 vfs_write+0x189/0x510 fs/read_write.c:544 SYSC_write fs/read_write.c:589 [inline] SyS_write+0xef/0x220 fs/read_write.c:581 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7fb6c99 RSP: 002b:00000000f77b209c EFLAGS: 00000286 ORIG_RAX: 0000000000000004 RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 0000000020000100 RDX: 0000000000000024 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 23220 Comm: syz-executor6 Not tainted 4.16.0-rc4+ #252 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3539 dst_alloc+0x11f/0x1a0 net/core/dst.c:104 rt_dst_alloc+0xe9/0x520 net/ipv4/route.c:1507 __mkroute_output net/ipv4/route.c:2251 [inline] ip_route_output_key_hash_rcu+0xa59/0x2f00 net/ipv4/route.c:2479 ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2308 __ip_route_output_key include/net/route.h:125 [inline] ip_route_connect include/net/route.h:300 [inline] dccp_v4_connect+0xdd2/0x1750 net/dccp/ipv4.c:75 __inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:684 SYSC_connect+0x213/0x4a0 net/socket.c:1639 SyS_connect+0x24/0x30 net/socket.c:1620 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7fccc99 RSP: 002b:00000000f77c809c EFLAGS: 00000286 ORIG_RAX: 000000000000016a RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 0000000020772000 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 net_ratelimit: 90 callbacks suppressed dccp_xmit_packet: Payload too large (65423) for featneg. audit: type=1400 audit(1520305378.074:84): avc: denied { connect } for pid=23367 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl selinux_nlmsg_perm: 2 callbacks suppressed SELinux: unrecognized netlink message: protocol=4 nlmsg_type=88 sclass=netlink_tcpdiag_socket pig=23639 comm=syz-executor7 audit: type=1400 audit(1520305379.341:85): avc: denied { create } for pid=23814 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1 QAT: Invalid ioctl QAT: Invalid ioctl nla_parse: 37 callbacks suppressed netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor7'. audit: type=1326 audit(1520305380.563:86): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=24244 comm="syz-executor5" exe="/root/syz-executor5" sig=31 arch=40000003 syscall=240 compat=1 ip=0xf7f88c99 code=0x0 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=88 sclass=netlink_tcpdiag_socket pig=24470 comm=syz-executor3 can: request_module (can-proto-5) failed. can: request_module (can-proto-5) failed. SELinux: unrecognized netlink message: protocol=4 nlmsg_type=88 sclass=netlink_tcpdiag_socket pig=24733 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=88 sclass=netlink_tcpdiag_socket pig=24747 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=22446 sclass=netlink_route_socket pig=24932 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=22446 sclass=netlink_route_socket pig=24944 comm=syz-executor7 audit: type=1400 audit(1520305382.983:87): avc: denied { ioctl } for pid=25170 comm="syz-executor7" path="socket:[70739]" dev="sockfs" ino=70739 ioctlcmd=0x8933 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1 net_ratelimit: 138 callbacks suppressed dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. dccp_xmit_packet: Payload too large (65423) for featneg. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5464 sclass=netlink_route_socket pig=25741 comm=syz-executor7 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 25748 Comm: syz-executor1 Not tainted 4.16.0-rc4+ #252 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc_node mm/slab.c:3286 [inline] kmem_cache_alloc_node+0x56/0x760 mm/slab.c:3629 __alloc_skb+0xf1/0x780 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:983 [inline] alloc_skb_with_frags+0x10d/0x750 net/core/skbuff.c:5224 sock_alloc_send_pskb+0x787/0x9b0 net/core/sock.c:2085 sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2102 dccp_sendmsg+0x2a6/0xdc0 net/dccp/proto.c:792 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046 __sys_sendmmsg+0x31b/0x620 net/socket.c:2129 C_SYSC_sendmmsg net/compat.c:745 [inline] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:742 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7f59c99 RSP: 002b:00000000f775509c EFLAGS: 00000286 ORIG_RAX: 0000000000000159 RAX: ffffffffffffffda RBX: 0000000000000015 RCX: 0000000020009d00 RDX: 0000000000000005 RSI: 0000000024008001 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5464 sclass=netlink_route_socket pig=25761 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5464 sclass=netlink_route_socket pig=25769 comm=syz-executor7