======================================================
WARNING: possible circular locking dependency detected
4.15.0+ #293 Not tainted
------------------------------------------------------
syz-executor7/5668 is trying to acquire lock:
 (sk_lock-AF_INET6){+.+.}, at: [<00000000d622a885>] lock_sock include/net/sock.h:1461 [inline]
 (sk_lock-AF_INET6){+.+.}, at: [<00000000d622a885>] do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167

but task is already holding lock:
 (rtnl_mutex){+.+.}, at: [<0000000013bfdfdc>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (rtnl_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
       register_netdevice_notifier+0xad/0x860 net/core/dev.c:1607
       tee_tg_check+0x1a0/0x280 net/netfilter/xt_TEE.c:106
       xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
       check_target net/ipv6/netfilter/ip6_tables.c:533 [inline]
       find_check_entry.isra.7+0x935/0xcf0 net/ipv6/netfilter/ip6_tables.c:575
       translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:744
       do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
       do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686
       nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
       nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
       ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
       rawv6_setsockopt+0x4a/0xf0 net/ipv6/raw.c:1060
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       entry_SYSCALL_64_fastpath+0x29/0xa0

-> #0 (sk_lock-AF_INET6){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       lock_sock_nested+0xc2/0x110 net/core/sock.c:2780
       lock_sock include/net/sock.h:1461 [inline]
       do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
       ipv6_setsockopt+0xd7/0x150 net/ipv6/ipv6_sockglue.c:922
       tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
       sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
       SYSC_setsockopt net/socket.c:1849 [inline]
       SyS_setsockopt+0x189/0x360 net/socket.c:1828
       entry_SYSCALL_64_fastpath+0x29/0xa0

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(sk_lock-AF_INET6);
                               lock(rtnl_mutex);
  lock(sk_lock-AF_INET6);

 *** DEADLOCK ***

1 lock held by syz-executor7/5668:
 #0:  (rtnl_mutex){+.+.}, at: [<0000000013bfdfdc>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74

stack backtrace:
CPU: 1 PID: 5668 Comm: syz-executor7 Not tainted 4.15.0+ #293
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 lock_sock_nested+0xc2/0x110 net/core/sock.c:2780
 lock_sock include/net/sock.h:1461 [inline]
 do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
 ipv6_setsockopt+0xd7/0x150 net/ipv6/ipv6_sockglue.c:922
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
 SYSC_setsockopt net/socket.c:1849 [inline]
 SyS_setsockopt+0x189/0x360 net/socket.c:1828
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fd97fa5ac58 EFLAGS: 00000212 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000453299
RDX: 000000000000002d RSI: 0000000000000029 RDI: 000000000000001a
RBP: 00000000000005ca R08: 0000000000000014 R09: 0000000000000000
R10: 00000000202eafec R11: 0000000000000212 R12: 00000000006f7b90
R13: 00000000ffffffff R14: 00007fd97fa5b6d4 R15: 0000000000000000
raw_sendmsg: syz-executor4 forgot to set AF_INET. Fix it!
binder_alloc: binder_alloc_mmap_handler: 5785 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 5785: binder_alloc_buf, no vma
binder: 5785:5793 ioctl 40046207 0 returned -16
binder: 5785:5802 transaction failed 29189/-3, size 40-8 line 2957
binder: 5785:5820 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 5785:5793 transaction 5 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 5, target dead
binder: 5846:5847 ioctl 80044501 20700000 returned -22
capability: warning: `syz-executor6' uses 32-bit capabilities (legacy support in use)
x_tables: ip_tables: TCPMSS target: only valid for protocol 6
binder: release 5843:5855 transaction 10 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 10, target dead
binder: 5846:5858 ioctl 80044501 20700000 returned -22
x_tables: ip_tables: TCPMSS target: only valid for protocol 6
binder: release 5866:5868 transaction 14 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 14, target dead
binder: release 5885:5892 transaction 18 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 18, target dead
binder_alloc: 5901: binder_alloc_buf, no vma
binder: 5901:5903 transaction failed 29189/-3, size 40-8 line 2957
binder: 5901:5914 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 5932: binder_alloc_buf, no vma
binder: 5932:5944 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 5962: binder_alloc_buf, no vma
binder: 5962:5969 transaction failed 29189/-3, size 40-8 line 2957
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5964:5970 ioctl 40046207 0 returned -16
binder: 5962:5980 IncRefs 0 refcount change on invalid ref 1 ret -22
binder_alloc: 5962: binder_alloc_buf, no vma
binder: 5964:5970 transaction failed 29189/-3, size 40-8 line 2957
binder: 5964:5990 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6002:6016 transaction 29 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 29, target dead
binder: release 6053:6062 transaction 33 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 33, target dead
binder: 6073:6075 transaction failed 29189/-22, size 40-8 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6109:6120 transaction failed 29189/-22, size 40-8 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6136:6150 transaction failed 29189/-22, size 40-8 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 6174: binder_alloc_buf, no vma
binder: 6174:6178 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 6207: binder_alloc_buf, no vma
binder: 6207:6220 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 6242: binder_alloc_buf, no vma
binder: 6242:6246 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6325:6336 transaction 46 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 46, target dead
binder: release 6352:6358 transaction 50 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 50, target dead
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 1 PID: 6425 Comm: syz-executor2 Not tainted 4.15.0+ #293
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3364 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3538
 dst_alloc+0x11f/0x1a0 net/core/dst.c:104
 rt_dst_alloc+0xe9/0x520 net/ipv4/route.c:1497
 __mkroute_output net/ipv4/route.c:2239 [inline]
 ip_route_output_key_hash_rcu+0xa59/0x2f00 net/ipv4/route.c:2467
 ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2296
 __ip_route_output_key include/net/route.h:125 [inline]
 ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2550
 ip_route_connect include/net/route.h:307 [inline]
 __ip4_datagram_connect+0x680/0x1240 net/ipv4/datagram.c:51
 ip4_datagram_connect+0x2f/0x50 net/ipv4/datagram.c:92
 inet_dgram_connect+0x16b/0x1f0 net/ipv4/af_inet.c:542
 SYSC_connect+0x213/0x4a0 net/socket.c:1639
 SyS_connect+0x24/0x30 net/socket.c:1620
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007f38971adc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f38971adaa0 RCX: 0000000000453299
RDX: 0000000000000010 RSI: 0000000020390000 RDI: 0000000000000013
RBP: 00007f38971ada90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b8096
R13: 00007f38971adbc8 R14: 00000000004b8096 R15: 0000000000000000
binder_alloc: 6490: binder_alloc_buf, no vma
binder: 6490:6498 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 6520: binder_alloc_buf, no vma
binder: 6520:6523 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 6539: binder_alloc_buf, no vma
binder: 6539:6544 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 6559 Comm: syz-executor7 Not tainted 4.15.0+ #293
binder_alloc: 6565: binder_alloc_buf, no vma
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
binder: 6565:6569 transaction failed 29189/-3, size 40-8 line 2957
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
binder: undelivered TRANSACTION_ERROR: 29189
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3364 [inline]
 __do_kmalloc mm/slab.c:3702 [inline]
 __kmalloc_track_caller+0x5f/0x760 mm/slab.c:3719
 memdup_user+0x2c/0x90 mm/util.c:160
 map_update_elem kernel/bpf/syscall.c:671 [inline]
 SYSC_bpf kernel/bpf/syscall.c:1872 [inline]
 SyS_bpf+0x1f4a/0x4860 kernel/bpf/syscall.c:1843
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fd97fa5ac58 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fd97fa5aaa0 RCX: 0000000000453299
RDX: 0000000000000020 RSI: 0000000020b61fe0 RDI: 0000000000000002
RBP: 00007fd97fa5aa90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b8096
R13: 00007fd97fa5abc8 R14: 00000000004b8096 R15: 0000000000000000
binder_alloc: 6583: binder_alloc_buf, no vma
binder: 6583:6588 transaction failed 29189/-3, size 40-8 line 2957
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 6600 Comm: syz-executor7 Not tainted 4.15.0+ #293
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3364 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3538
 ptlock_alloc+0x24/0x70 mm/memory.c:4718
 ptlock_init include/linux/mm.h:1796 [inline]
 pgtable_page_ctor include/linux/mm.h:1830 [inline]
 pte_alloc_one+0x59/0x100 arch/x86/mm/pgtable.c:32
 do_huge_pmd_anonymous_page+0xc20/0x1b00 mm/huge_memory.c:689
 create_huge_pmd mm/memory.c:3860 [inline]
 __handle_mm_fault+0x1a0c/0x3ce0 mm/memory.c:4064
 handle_mm_fault+0x38f/0x930 mm/memory.c:4130
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1426
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1501
 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1261
RIP: 0010:copy_user_generic_unrolled+0x9e/0xc0 arch/x86/lib/copy_user_64.S:74
RSP: 0018:ffff8801c62af858 EFLAGS: 00010202
RAX: 0000000000000004 RBX: 0000000020859000 RCX: 0000000000000004
RDX: 0000000000000004 RSI: 0000000020859000 RDI: ffff8801bfa60540
RBP: ffff8801c62af888 R08: ffffed0037f4c0a8 R09: ffffed0037f4c0a8
R10: 0000000000000001 R11: ffffed0037f4c0a8 R12: 0000000000000004
R13: ffff8801bfa60540 R14: 00007ffffffff000 R15: 0000000020859004
 copy_from_user include/linux/uaccess.h:147 [inline]
 memdup_user+0x54/0x90 mm/util.c:164
 map_update_elem kernel/bpf/syscall.c:671 [inline]
 SYSC_bpf kernel/bpf/syscall.c:1872 [inline]
 SyS_bpf+0x1f4a/0x4860 kernel/bpf/syscall.c:1843
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fd97fa5ac58 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fd97fa5aaa0 RCX: 0000000000453299
RDX: 0000000000000020 RSI: 0000000020b61fe0 RDI: 0000000000000002
RBP: 00007fd97fa5aa90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b8096
R13: 00007fd97fa5abc8 R14: 00000000004b8096 R15: 0000000000000000
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6647:6654 transaction failed 29189/-22, size 40-8 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6668:6677 transaction failed 29189/-22, size 40-8 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6693:6702 transaction failed 29189/-22, size 40-8 line 2842
binder: undelivered TRANSACTION_ERROR: 29189
binder: 6738 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6715:6738 ioctl 40046207 0 returned -16
binder_alloc: 6715: binder_alloc_buf, no vma
binder: 6715:6738 transaction failed 29189/-3, size 0-0 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_COMPLETE
binder: 6836:6839 got transaction with invalid offset (0, min 0 max 0) or object.
binder: 6836:6839 transaction failed 29201/-22, size 0-8 line 3020
binder: undelivered TRANSACTION_ERROR: 29201
binder: 6860:6870 got transaction with invalid offset (0, min 0 max 0) or object.
binder: 6860:6870 transaction failed 29201/-22, size 0-8 line 3020
binder: undelivered TRANSACTION_ERROR: 29201
binder: 6913:6926 got transaction with invalid offset (0, min 0 max 0) or object.
binder: 6913:6926 transaction failed 29201/-22, size 0-8 line 3020
binder: undelivered TRANSACTION_ERROR: 29201
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
binder: 6952 RLIMIT_NICE not set
CPU: 0 PID: 6956 Comm: syz-executor3 Not tainted 4.15.0+ #293
binder: BINDER_SET_CONTEXT_MGR already set
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
binder: 6954:6959 ioctl 40046207 0 returned -16
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
binder: 6952 RLIMIT_NICE not set
binder: release 6954:6959 transaction 82 out, still active
binder: undelivered TRANSACTION_COMPLETE
 should_failslab+0xec/0x120 mm/failslab.c:32
binder: release 6933:6952 transaction 82 in, still active
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3364 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3604
 kmalloc include/linux/slab.h:499 [inline]
 kzalloc include/linux/slab.h:688 [inline]
 alloc_pipe_info+0xb1/0x350 fs/pipe.c:628
binder: send failed reply for transaction 82, target dead
 splice_direct_to_actor+0x64a/0x820 fs/splice.c:920
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 83, process died.
 do_splice_direct+0x29b/0x3c0 fs/splice.c:1061
 do_sendfile+0x5c9/0xe80 fs/read_write.c:1413
 SYSC_sendfile64 fs/read_write.c:1468 [inline]
 SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fbab6f0ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007fbab6f0eaa0 RCX: 0000000000453299
RDX: 0000000020000000 RSI: 0000000000000014 RDI: 0000000000000013
RBP: 00007fbab6f0ea90 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000212 R12: 00000000004b8096
R13: 00007fbab6f0ebc8 R14: 00000000004b8096 R15: 0000000000000000
kauditd_printk_skb: 75 callbacks suppressed
audit: type=1400 audit(1517608351.385:165): avc: denied { setuid } for pid=6967 comm="syz-executor1" capability=7 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: release 6971:6975 transaction 85 out, still active
binder: undelivered TRANSACTION_COMPLETE
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
binder: send failed reply for transaction 85, target dead
CPU: 1 PID: 6984 Comm: syz-executor3 Not tainted 4.15.0+ #293
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3364 [inline]
 __do_kmalloc mm/slab.c:3702 [inline]
 __kmalloc+0x63/0x760 mm/slab.c:3713
 kmalloc_array include/linux/slab.h:618 [inline]
 kcalloc include/linux/slab.h:629 [inline]
 alloc_pipe_info+0x135/0x350 fs/pipe.c:645
 splice_direct_to_actor+0x64a/0x820 fs/splice.c:920
 do_splice_direct+0x29b/0x3c0 fs/splice.c:1061
 do_sendfile+0x5c9/0xe80 fs/read_write.c:1413
 SYSC_sendfile64 fs/read_write.c:1468 [inline]
 SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fbab6f0ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007fbab6f0eaa0 RCX: 0000000000453299
RDX: 0000000020000000 RSI: 0000000000000014 RDI: 0000000000000013
RBP: 00007fbab6f0ea90 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000212 R12: 00000000004b8096
R13: 00007fbab6f0ebc8 R14: 00000000004b8096 R15: 0000000000000000
CPU: 0 PID: 6977 Comm: syz-executor5 Not tainted 4.15.0+ #293
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3364 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3604
 kmalloc include/linux/slab.h:499 [inline]
 kzalloc include/linux/slab.h:688 [inline]
 alloc_pipe_info+0xb1/0x350 fs/pipe.c:628
 splice_direct_to_actor+0x64a/0x820 fs/splice.c:920
 do_splice_direct+0x29b/0x3c0 fs/splice.c:1061
 do_sendfile+0x5c9/0xe80 fs/read_write.c:1413
 SYSC_sendfile64 fs/read_write.c:1468 [inline]
 SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007f4773fdbc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f4773fdb950 RCX: 0000000000453299
RDX: 0000000020023000 RSI: 0000000000000014 RDI: 0000000000000013
RBP: 00007f4773fdb940 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000026a950b R11: 0000000000000212 R12: 00000000004b7d6f
R13: 00007f4773fdbac8 R14: 00000000004b7d7a R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 7006 Comm: syz-executor3 Not tainted 4.15.0+ #293
binder: release 6994:7005 transaction 87 out, still active
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 87, target dead
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3364 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3538
 radix_tree_node_alloc.constprop.19+0x1b4/0x2d0 lib/radix-tree.c:397
 radix_tree_extend+0x302/0x540 lib/radix-tree.c:636
 __radix_tree_create+0x5a7/0x790 lib/radix-tree.c:827
 __radix_tree_insert+0xf4/0x7b0 lib/radix-tree.c:993
 radix_tree_insert include/linux/radix-tree.h:296 [inline]
 shmem_add_to_page_cache+0x84d/0xdb0 mm/shmem.c:606
 shmem_getpage_gfp+0x218b/0x37b0 mm/shmem.c:1801
 shmem_getpage mm/shmem.c:131 [inline]
 shmem_file_read_iter+0x358/0xe80 mm/shmem.c:2447
 call_read_iter include/linux/fs.h:1775 [inline]
 generic_file_splice_read+0x3f9/0x7b0 fs/splice.c:307
 do_splice_to+0x10a/0x160 fs/splice.c:880
 splice_direct_to_actor+0x242/0x820 fs/splice.c:952
 do_splice_direct+0x29b/0x3c0 fs/splice.c:1061
 do_sendfile+0x5c9/0xe80 fs/read_write.c:1413
 SYSC_sendfile64 fs/read_write.c:1468 [inline]
 SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007fbab6f0ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007fbab6f0eaa0 RCX: 0000000000453299
RDX: 0000000020000000 RSI: 0000000000000014 RDI: 0000000000000013
RBP: 00007fbab6f0ea90 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000212 R12: 00000000004b8096
R13: 00007fbab6f0ebc8 R14: 00000000004b8096 R15: 0000000000000000
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 7027 Comm: syz-executor0 Not tainted 4.15.0+ #293
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x8c0/0xa40 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3364 [inline]
 kmem_cache_alloc_trace+0x4b/0x750 mm/slab.c:3604
 kmalloc include/linux/slab.h:499 [inline]
 kzalloc include/linux/slab.h:688 [inline]
 binder_transaction+0x13c1/0x81d0 drivers/android/binder.c:2894
 binder_thread_write+0xc57/0x3840 drivers/android/binder.c:3518
 binder_ioctl_write_read.isra.38+0x261/0xcb0 drivers/android/binder.c:4434
 binder_ioctl+0xb72/0x1417 drivers/android/binder.c:4574
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x453299
RSP: 002b:00007f72c98a7c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f72c98a7aa0 RCX: 0000000000453299
RDX: 0000000020008000 RSI: 00000000c0306201 RDI: 0000000000000013
RBP: 00007f72c98a7a90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b8096
R13: 00007f72c98a7bc8 R14: 00000000004b8096 R15: 0000000000000000
binder: 7017:7027 transaction failed 29201/-12, size 40-8 line 2898
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 7049:7051 transaction 91 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 91, target dead
binder_alloc: binder_alloc_mmap_handler: 7073 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7073:7086 ioctl 40046207 0 returned -16
binder_alloc: 7073: binder_alloc_buf, no vma
binder: 7073:7093 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7073:7086 transaction 95 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 95, target dead
binder_alloc: binder_alloc_mmap_handler: 7119 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7119:7121 ioctl 40046207 0 returned -16
binder_alloc: 7119: binder_alloc_buf, no vma
binder: 7119:7121 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7119:7121 transaction 100 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 100, target dead
binder_alloc: binder_alloc_mmap_handler: 7160 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7160:7171 ioctl 40046207 0 returned -16
binder_alloc: 7160: binder_alloc_buf, no vma
binder: 7160:7189 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7160:7171 transaction 105 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 105, target dead
binder: 7204:7211 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: 7204:7217 IncRefs 0 refcount change on invalid ref 2 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7204:7211 ioctl 40046207 0 returned -16
binder: release 7204:7211 transaction 110 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 110, target dead
binder_alloc: binder_alloc_mmap_handler: 7222 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7222:7223 ioctl 40046207 0 returned -16
binder_alloc: 7222: binder_alloc_buf, no vma
binder: 7222:7252 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7222:7223 transaction 114 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 114, target dead
binder_alloc: binder_alloc_mmap_handler: 7266 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7266:7268 ioctl 40046207 0 returned -16
binder_alloc: 7266: binder_alloc_buf, no vma
binder: 7266:7288 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7266:7268 transaction 119 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 119, target dead
binder: 7308:7314 ERROR: BC_REGISTER_LOOPER called without request
binder: 7308:7314 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 7308:7314 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 7314 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7308:7323 ioctl 40046207 0 returned -16
binder: 7308:7325 ERROR: BC_REGISTER_LOOPER called without request
binder: 7308:7325 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 7308:7325 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 7325 RLIMIT_NICE not set
binder_alloc: binder_alloc_mmap_handler: 7332 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 7332: binder_alloc_buf, no vma
binder: 7332:7342 ioctl 40046207 0 returned -16
binder: 7332:7348 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7332:7342 transaction 125 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 125, target dead
binder_alloc: binder_alloc_mmap_handler: 7385 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7385:7388 ioctl 40046207 0 returned -16
binder_alloc: 7385: binder_alloc_buf, no vma
binder: 7385:7399 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7385:7388 transaction 130 out, still active
binder: unexpected work type, 4, not freed
binder_alloc: binder_alloc_mmap_handler: 7410 20000000-20002000 already mapped failed -16
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 130, target dead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7410:7415 ioctl 40046207 0 returned -16
binder_alloc: 7410: binder_alloc_buf, no vma
binder: 7410:7420 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7410:7415 transaction 135 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 135, target dead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7462:7474 ioctl 40046207 0 returned -16
binder_alloc: 7462: binder_alloc_buf, no vma
binder: 7462:7480 transaction failed 29189/-3, size 40-8 line 2957
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7462:7474 transaction 140 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 140, target dead
binder_alloc: binder_alloc_mmap_handler: 7505 20000000-20002000 already mapped failed -16
binder_alloc: 7505: binder_alloc_buf, no vma
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7505:7518 transaction failed 29189/-3, size 40-8 line 2957
binder: 7505:7509 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7505:7509 transaction 145 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 145, target dead
binder: 7542:7547 unknown command 0
binder: 7542:7547 ioctl c0306201 20008000 returned -22
binder_alloc: binder_alloc_mmap_handler: 7542 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 7542: binder_alloc_buf, no vma
binder: 7542:7570 transaction failed 29189/-3, size 40-8 line 2957
binder: 7542:7547 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7542:7547 transaction 150 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 150, target dead
binder_alloc: binder_alloc_mmap_handler: 7581 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 7581: binder_alloc_buf, no vma
binder: 7581:7601 transaction failed 29189/-3, size 40-8 line 2957
binder: 7581:7583 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 7581:7583 transaction 155 out, still active
binder: unexpected work type, 4, not freed
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 155, target dead
binder_alloc: 7633: binder_alloc_buf, no vma
binder: 7633:7636 transaction failed 29189/-3, size 40-8 line 2957
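The lockdep report at the top of this log records two acquisition orders. Chain #1 is a setsockopt on a raw IPv6 socket that already holds sk_lock-AF_INET6 and then takes rtnl_mutex inside tee_tg_check (via register_netdevice_notifier); the #0 attempt is a task that holds rtnl_mutex and calls lock_sock from do_ipv6_setsockopt. Note that the #0 backtrace is a plain TCP setsockopt with no rtnl_lock frame in it, so the report alone does not show where that task acquired rtnl_mutex; only that it holds it. The C program below is an added example, not part of this log or of the kernel: it replays those two orders through a miniature version of lockdep's dependency graph (the check_prev_add / validate_chain step visible in the backtrace) and reports the cycle, then shows that the same two locks taken in one consistent order produce no report. The lock class names come from the report; the graph representation, the function names and the two replay helpers are the example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a miniature lock-order graph in the spirit
 * of lockdep, fed with the two acquisition orders from the report above. */

#define MAX_LOCKS 8

/* Lock classes named after the report; the numbering is the example's own. */
enum lock_class {
	RTNL_MUTEX = 0,
	SK_LOCK_AF_INET6 = 1,
	NUM_LOCKS
};

static const char *const lock_name[NUM_LOCKS] = {
	[RTNL_MUTEX] = "rtnl_mutex",
	[SK_LOCK_AF_INET6] = "sk_lock-AF_INET6",
};

/* after[a][b] is set when lock b was acquired while lock a was already held.
 * lockdep keeps the same information as a graph between lock classes. */
static bool after[MAX_LOCKS][MAX_LOCKS];

static void reset_graph(void)
{
	memset(after, 0, sizeof(after));
}

/* Record one acquisition chain: every lock in the chain depends on all
 * locks acquired before it (lockdep records this at each lock_acquire). */
static void record_chain(const enum lock_class *chain, int n)
{
	for (int i = 1; i < n; i++)
		for (int j = 0; j < i; j++)
			after[chain[j]][chain[i]] = true;
}

/* Depth-first search: can 'from' reach 'to' through recorded dependencies? */
static bool reaches(enum lock_class from, enum lock_class to, bool *visited)
{
	if (from == to)
		return true;
	visited[from] = true;
	for (int k = 0; k < NUM_LOCKS; k++)
		if (after[from][k] && !visited[k] && reaches(k, to, visited))
			return true;
	return false;
}

/* check_prev_add in miniature: before adding the edge held -> want, ask
 * whether want already reaches held. If it does, the new edge closes a
 * cycle and the "possible circular locking dependency" report fires. */
static bool would_deadlock(enum lock_class held, enum lock_class want)
{
	bool visited[MAX_LOCKS] = { false };

	if (reaches(want, held, visited)) {
		printf("circular dependency: %s already depends on %s\n",
		       lock_name[want], lock_name[held]);
		printf("  CPU0: lock(%s); lock(%s);\n",
		       lock_name[held], lock_name[want]);
		printf("  CPU1: lock(%s); lock(%s);\n",
		       lock_name[want], lock_name[held]);
		return true;
	}
	after[held][want] = true;
	return false;
}

/* Replays the report: chain #1 is the raw IPv6 setsockopt path holding
 * sk_lock-AF_INET6 and taking rtnl_mutex inside tee_tg_check; the #0
 * attempt is a task that already holds rtnl_mutex and calls lock_sock. */
bool replay_report(void)
{
	static const enum lock_class chain1[] = { SK_LOCK_AF_INET6, RTNL_MUTEX };

	reset_graph();
	record_chain(chain1, 2);
	return would_deadlock(RTNL_MUTEX, SK_LOCK_AF_INET6);
}

/* The same two locks taken in one consistent order on every path: no cycle.
 * This is the property a fix has to restore, whichever order it picks. */
bool replay_consistent_order(void)
{
	static const enum lock_class chain1[] = { SK_LOCK_AF_INET6, RTNL_MUTEX };

	reset_graph();
	record_chain(chain1, 2);
	return would_deadlock(SK_LOCK_AF_INET6, RTNL_MUTEX);
}

int main(void)
{
	printf("report order deadlocks: %s\n", replay_report() ? "yes" : "no");
	printf("consistent order deadlocks: %s\n",
	       replay_consistent_order() ? "yes" : "no");
	return 0;
}
```

The graph is deliberately tiny (two classes, a boolean adjacency matrix) so the cycle check is readable; lockdep itself tracks thousands of classes, records the stack at each edge, and distinguishes irq-safe and irq-unsafe usage, none of which changes the core question asked here: does adding held -> want close a cycle in the order graph.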