TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.

netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'.
[   49.699670] audit: type=1400 audit(1521172208.609:22): avc:  denied  { bind } for  pid=6506 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1

======================================================
[ INFO: possible circular locking dependency detected ]
4.4.120-gd63fdf6 #29 Not tainted
-------------------------------------------------------
syz-executor1/6503 is trying to acquire lock:
 (&mm->mmap_sem){++++++}, at: [<ffffffff81495684>] __might_fault+0xe4/0x1d0 mm/memory.c:3809

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [<ffffffff82c628a7>] ashmem_pin_unpin drivers/staging/android/ashmem.c:701 [inline]
 (ashmem_mutex){+.+.+.}, at: [<ffffffff82c628a7>] ashmem_ioctl+0x367/0xfa0 drivers/staging/android/ashmem.c:778

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       [<ffffffff8123d7ce>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff8376a39b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8376a39b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [<ffffffff82c61463>] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366
       [<ffffffff814b0e4f>] mmap_region+0x94f/0x1250 mm/mmap.c:1664
       [<ffffffff814b1c4d>] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
       [<ffffffff814700ce>] do_mmap_pgoff include/linux/mm.h:1915 [inline]
       [<ffffffff814700ce>] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296
       [<ffffffff814afe1f>] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
       [<ffffffff814afe1f>] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449
       [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [<ffffffff837752ea>] sysenter_flags_fixed+0xd/0x17

       [<ffffffff8123ab2f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [<ffffffff8123ab2f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [<ffffffff8123ab2f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [<ffffffff8123ab2f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
       [<ffffffff8123d7ce>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff814956ea>] __might_fault+0x14a/0x1d0 mm/memory.c:3810
       [<ffffffff82c628f4>] copy_from_user arch/x86/include/asm/uaccess.h:724 [inline]
       [<ffffffff82c628f4>] ashmem_pin_unpin drivers/staging/android/ashmem.c:706 [inline]
       [<ffffffff82c628f4>] ashmem_ioctl+0x3b4/0xfa0 drivers/staging/android/ashmem.c:778
       [<ffffffff82c6351e>] compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:809
       [<ffffffff8161e5da>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
       [<ffffffff8161e5da>] compat_SyS_ioctl+0x28a/0x2540 fs/compat_ioctl.c:1544
       [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [<ffffffff837752ea>] sysenter_flags_fixed+0xd/0x17

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor1/6503:
 #0:  (ashmem_mutex){+.+.+.}, at: [<ffffffff82c628a7>] ashmem_pin_unpin drivers/staging/android/ashmem.c:701 [inline]
 #0:  (ashmem_mutex){+.+.+.}, at: [<ffffffff82c628a7>] ashmem_ioctl+0x367/0xfa0 drivers/staging/android/ashmem.c:778

stack backtrace:
CPU: 1 PID: 6503 Comm: syz-executor1 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 f7cd4f912ced6a55 ffff8801d73e78a8 ffffffff81d0408d
 ffffffff851a0010 ffffffff851a0010 ffffffff851becd0 ffff8800ba6fe8f8
 ffff8800ba6fe000 ffff8801d73e78f0 ffffffff81233ba1 ffff8800ba6fe8f8
Call Trace:
 [<ffffffff81d0408d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0408d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81233ba1>] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
 [<ffffffff8123ab2f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [<ffffffff8123ab2f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [<ffffffff8123ab2f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [<ffffffff8123ab2f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
 [<ffffffff8123d7ce>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [<ffffffff814956ea>] __might_fault+0x14a/0x1d0 mm/memory.c:3810
 [<ffffffff82c628f4>] copy_from_user arch/x86/include/asm/uaccess.h:724 [inline]
 [<ffffffff82c628f4>] ashmem_pin_unpin drivers/staging/android/ashmem.c:706 [inline]
 [<ffffffff82c628f4>] ashmem_ioctl+0x3b4/0xfa0 drivers/staging/android/ashmem.c:778
 [<ffffffff82c6351e>] compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:809
 [<ffffffff8161e5da>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
 [<ffffffff8161e5da>] compat_SyS_ioctl+0x28a/0x2540 fs/compat_ioctl.c:1544
 [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff837752ea>] sysenter_flags_fixed+0xd/0x17
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1400 audit(1521172209.789:23): avc:  denied  { read } for  pid=6586 comm="syz-executor4" path="socket:[15410]" dev="sockfs" ino=15410 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 11 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 6691:6707 ioctl 4c05 20000080 returned -22
binder_alloc: 6691: binder_alloc_buf, no vma
binder: 6691:6715 BC_INCREFS_DONE node 19 has no pending increfs request
binder: 6691:6712 transaction failed 29189/-3, size 40-8 line 3128
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6691:6707 ioctl 40046207 0 returned -16
binder: 6691:6730 ioctl 4c05 20000080 returned -22
binder_alloc: 6691: binder_alloc_buf, no vma
binder: 6691:6715 transaction failed 29189/-3, size 40-8 line 3128
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=257 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=257 sclass=netlink_route_socket
binder: 6849:6850 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6849:6850 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6849:6850 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
binder: 6849:6856 BC_DEAD_BINDER_DONE 0000000000000000 not found
binder: 6849:6856 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 6849:6858 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6849:6860 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 6879:6887 BC_FREE_BUFFER u0000000000000000 no match
device lo entered promiscuous mode
device lo left promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 6879 2000c000-2000e000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6879:6887 ioctl 40046207 0 returned -16
binder: 6879:6909 BC_FREE_BUFFER u0000000000000000 no match
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=19 sclass=netlink_audit_socket
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=19 sclass=netlink_audit_socket
audit: type=1400 audit(1521172212.119:24): avc:  denied  { transfer } for  pid=7020 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder_alloc: binder_alloc_mmap_handler: 7020 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 7020: binder_alloc_buf, no vma
binder: 7020:7032 ioctl 40046207 0 returned -16
binder: 7020:7050 transaction failed 29189/-3, size 40-8 line 3128
binder: send failed reply for transaction 26 to 7020:7032
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 12 bytes leftover after parsing attributes in process `syz-executor1'.
audit: type=1400 audit(1521172212.409:25): avc:  denied  { ioctl } for  pid=7100 comm="syz-executor2" path="socket:[15941]" dev="sockfs" ino=15941 ioctlcmd=8917 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
SELinux:  policydb magic number 0x0 does not match expected magic number 0xf97cff8c
SELinux:  policydb magic number 0x0 does not match expected magic number 0xf97cff8c
keychord: keycode 8270 out of range
keychord: invalid keycode count 0
keychord: keycode 8270 out of range
device syz_tun entered promiscuous mode
device syz_tun left promiscuous mode
keychord: invalid keycode count 0
keychord: invalid keycode count 0
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
device bridge0 entered promiscuous mode
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2066 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2066 sclass=netlink_route_socket
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7740:7749 ioctl 40046207 0 returned -16
binder_alloc: 7740: binder_alloc_buf, no vma
binder: 7740:7746 transaction failed 29189/-3, size 0-0 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered transaction 31, process died.
binder: 7855:7860 got transaction to invalid handle
binder: 7855:7860 transaction failed 29201/-22, size 0-0 line 3005
binder: 7855:7860 got transaction to invalid handle
binder: 7855:7860 transaction failed 29201/-22, size 0-0 line 3005
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
audit: type=1400 audit(1521172215.589:26): avc:  denied  { write } for  pid=7957 comm="syz-executor2" name="map_files" dev="proc" ino=18758 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
audit: type=1400 audit(1521172215.619:27): avc:  denied  { setattr } for  pid=7957 comm="syz-executor2" name="map_files" dev="proc" ino=18758 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=286 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=286 sclass=netlink_route_socket
IPVS: Creating netns size=2552 id=11
IPVS: Creating netns size=2552 id=12
keychord: invalid keycode count 0
binder: 8323:8326 transaction failed 29189/-22, size 40-8 line 3005
binder: 8323:8326 ioctl c018620b 20000040 returned -14
binder: 8323:8326 BC_INCREFS_DONE u0000000000000000 no match
binder: 8323:8339 transaction failed 29189/-22, size 40-8 line 3005
binder: 8323:8326 ioctl c018620b 20000040 returned -14
binder: 8323:8339 BC_INCREFS_DONE u0000000000000000 no match
audit: type=1326 audit(1521172217.829:28): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=8477 comm="syz-executor6" exe="/root/syz-executor6" sig=9 arch=40000003 syscall=240 compat=1 ip=0xf770aba9 code=0x0
binder_alloc: 8472: binder_alloc_buf, no vma
binder: 8472:8486 transaction failed 29189/-3, size 0-40 line 3128
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8472:8486 ioctl 40046207 0 returned -16
binder_alloc: 8472: binder_alloc_buf, no vma
binder: 8472:8498 transaction failed 29189/-3, size 0-40 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
IPv4: Oversized IP packet from 127.0.0.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=257 sclass=netlink_route_socket
SELinux:  policydb magic number 0xb322cd0b does not match expected magic number 0xf97cff8c
SELinux:  policydb magic number 0xb322cd0b does not match expected magic number 0xf97cff8c
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=257 sclass=netlink_route_socket