raw_sendmsg: syz-executor7 forgot to set AF_INET. Fix it!

======================================================
WARNING: possible circular locking dependency detected
4.16.0-rc2+ #235 Not tainted
------------------------------------------------------
syz-executor0/7733 is trying to acquire lock:
 (&mm->mmap_sem){++++}, at: [<000000005a1e3f11>] __might_fault+0xe0/0x1d0 mm/memory.c:4570

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<00000000540e6a54>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 (ashmem_mutex){+.+.}, at: [<00000000540e6a54>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362
       call_mmap include/linux/fs.h:1786 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1705
       do_mmap+0x6c0/0xe00 mm/mmap.c:1483
       do_mmap_pgoff include/linux/mm.h:2223 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:355
       SYSC_mmap_pgoff mm/mmap.c:1533 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491
       do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
       do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

-> #0 (&mm->mmap_sem){++++}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __might_fault+0x13a/0x1d0 mm/memory.c:4571
       _copy_from_user+0x2c/0x110 lib/usercopy.c:10
       copy_from_user include/linux/uaccess.h:147 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
       ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
       compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:813
       C_SYSC_ioctl fs/compat_ioctl.c:1461 [inline]
       compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1407
       do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
       do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor0/7733:
 #0:  (ashmem_mutex){+.+.}, at: [<00000000540e6a54>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 #0:  (ashmem_mutex){+.+.}, at: [<00000000540e6a54>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

stack backtrace:
CPU: 1 PID: 7733 Comm: syz-executor0 Not tainted 4.16.0-rc2+ #235
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 __might_fault+0x13a/0x1d0 mm/memory.c:4571
 _copy_from_user+0x2c/0x110 lib/usercopy.c:10
 copy_from_user include/linux/uaccess.h:147 [inline]
 ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
 ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
 compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:813
 C_SYSC_ioctl fs/compat_ioctl.c:1461 [inline]
 compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1407
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f90c99
RSP: 002b:00000000f778c09c EFLAGS: 00000286 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 0000000000007709
RDX: 0000000000910000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
audit: type=1400 audit(1519378396.333:29): avc:  denied  { create } for  pid=7894 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
device eql entered promiscuous mode
device eql entered promiscuous mode
device eql entered promiscuous mode
syz-executor4 uses obsolete (PF_INET,SOCK_PACKET)
audit: type=1400 audit(1519378396.371:30): avc:  denied  { write } for  pid=7894 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
device eql entered promiscuous mode
device eql entered promiscuous mode
TCP: request_sock_TCPv6: Possible SYN flooding on port 20006. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20006. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20006. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20006. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
audit: type=1400 audit(1519378397.370:31): avc:  denied  { setpcap } for  pid=8147 comm="syz-executor0" capability=8  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
device eql entered promiscuous mode
device eql entered promiscuous mode
audit: type=1401 audit(1519378398.541:32): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:init_var_run_t:s0
device eql entered promiscuous mode
audit: type=1401 audit(1519378398.737:33): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:init_var_run_t:s0
device eql entered promiscuous mode
audit: type=1401 audit(1519378398.781:34): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:init_var_run_t:s0
audit: type=1401 audit(1519378398.815:35): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:init_var_run_t:s0
audit: type=1401 audit(1519378398.921:36): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:init_var_run_t:s0
audit: type=1401 audit(1519378398.943:37): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:init_var_run_t:s0
audit: type=1401 audit(1519378398.966:38): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:init_var_run_t:s0
binder: send failed reply for transaction 2 to 8859:8861
binder_alloc: 8859: binder_alloc_buf, no vma
binder: 8859:8861 transaction failed 29189/-3, size 40-8 line 2963
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: release 8886:8892 transaction 8 out, still active
binder: 8885:8891 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 8, target dead
binder: 8885:8891 transaction failed 29189/-22, size 40-8 line 2848
binder: BINDER_SET_CONTEXT_MGR already set
binder: release 8903:8909 transaction 13 out, still active
binder: 8907:8911 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 13, target dead
binder: 8907:8919 transaction failed 29189/-22, size 40-8 line 2848
binder: send failed reply for transaction 18 to 8920:8923
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8929:8941 ioctl 40046207 0 returned -16
binder: release 8930:8939 transaction 22 out, still active
binder: send failed reply for transaction 22, target dead
binder: 8931:8942 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 25 to 8929:8941
binder: 8931:8953 transaction failed 29189/-22, size 40-8 line 2848
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8954:8960 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 30 to 8948:8956
binder: 8954:8960 transaction failed 29189/-22, size 40-8 line 2848
binder: send failed reply for transaction 35 to 8959:8963
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 8979:8989 transaction 39 out, still active
binder: send failed reply for transaction 39, target dead
binder: 9016:9017 got new transaction with bad transaction stack, transaction 43 has target 9016:0
binder: 9016:9017 transaction failed 29201/-71, size 0-0 line 2875
binder_alloc: binder_alloc_mmap_handler: 9016 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9016:9017 ioctl 40046207 0 returned -16
binder_alloc: 9016: binder_alloc_buf, no vma
binder: 9016:9019 transaction failed 29189/-3, size 40-8 line 2963
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 9016:9017 transaction 43 out, still active
binder: send failed reply for transaction 43, target dead
rfkill: input handler disabled
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9026:9030 got new transaction with bad transaction stack, transaction 49 has target 9026:0
binder: 9026:9030 transaction failed 29201/-71, size 0-0 line 2875
binder: 9027:9034 ioctl 40046207 0 returned -16
rfkill: input handler enabled
binder: release 9026:9030 transaction 49 out, still active
binder: send failed reply for transaction 49, target dead
binder: send failed reply for transaction 53 to 9027:9041
binder: send failed reply for transaction 56 to 9027:9034
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
syz-executor0 (9050) used greatest stack depth: 15232 bytes left
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9057:9064 got new transaction with bad transaction stack, transaction 58 has target 9057:0
binder: 9057:9064 transaction failed 29201/-71, size 0-0 line 2875
binder: 9059:9069 got new transaction with bad transaction stack, transaction 62 has target 9057:0
binder: 9059:9067 ioctl 40046207 0 returned -16
binder: 9059:9069 transaction failed 29201/-71, size 0-0 line 2875
binder: release 9057:9064 transaction 58 out, still active
binder: send failed reply for transaction 58, target dead
binder: send failed reply for transaction 62 to 9059:9069
binder: 9087:9094 got new transaction with bad transaction stack, transaction 67 has target 9087:0
binder: 9087:9094 transaction failed 29201/-71, size 0-0 line 2875
binder: BINDER_SET_CONTEXT_MGR already set
binder: 9083:9095 ioctl 40046207 0 returned -16
binder: 9083:9095 got new transaction with bad transaction stack, transaction 71 has target 9087:0
binder: release 9087:9094 transaction 67 out, still active
binder: 9083:9095 transaction failed 29201/-71, size 0-0 line 2875
binder: send failed reply for transaction 67, target dead
binder: send failed reply for transaction 71 to 9083:9095
binder: undelivered TRANSACTION_ERROR: 29189
syz-executor6 (9113) used greatest stack depth: 14032 bytes left
kauditd_printk_skb: 6 callbacks suppressed
audit: type=1400 audit(1519378401.736:45): avc:  denied  { net_admin } for  pid=4302 comm="syz-executor0" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519378401.770:46): avc:  denied  { net_admin } for  pid=4304 comm="syz-executor7" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519378401.775:47): avc:  denied  { dac_override } for  pid=9220 comm="syz-executor6" capability=1  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519378401.775:48): avc:  denied  { net_admin } for  pid=4306 comm="syz-executor5" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519378401.775:49): avc:  denied  { net_admin } for  pid=4306 comm="syz-executor5" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519378401.800:50): avc:  denied  { net_raw } for  pid=9227 comm="syz-executor1" capability=13  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519378401.849:51): avc:  denied  { net_admin } for  pid=4303 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519378401.849:52): avc:  denied  { net_admin } for  pid=4303 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519378401.849:53): avc:  denied  { net_admin } for  pid=4303 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519378401.849:54): avc:  denied  { net_admin } for  pid=4303 comm="syz-executor1" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: 9404:9407 unknown command 0
binder: 9404:9407 ioctl c0306201 20008000 returned -22
device eql entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
device lo entered promiscuous mode
device lo left promiscuous mode