syzbot

audit: type=1400 audit(1520889706.124:7): avc:  denied  { map } for  pid=4128 comm="syzkaller630279" path="/root/syzkaller630279704" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

audit: type=1400 audit(1520889706.124:8): avc:  denied  { map } for  pid=4128 comm="syzkaller630279" path="/dev/ashmem" dev="devtmpfs" ino=1139 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
======================================================
WARNING: possible circular locking dependency detected
4.16.0-rc5+ #351 Not tainted
------------------------------------------------------
syzkaller630279/4128 is trying to acquire lock:
 (&mm->mmap_sem){++++}, at: [<000000001d32bb58>] __might_fault+0xe0/0x1d0 mm/memory.c:4570

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362
       call_mmap include/linux/fs.h:1786 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1705
       do_mmap+0x6c0/0xe00 mm/mmap.c:1483
       do_mmap_pgoff include/linux/mm.h:2223 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:355
       SYSC_mmap_pgoff mm/mmap.c:1533 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&mm->mmap_sem){++++}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __might_fault+0x13a/0x1d0 mm/memory.c:4571
       _copy_from_user+0x2c/0x110 lib/usercopy.c:10
       copy_from_user include/linux/uaccess.h:147 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
       ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
       vfs_ioctl fs/ioctl.c:46 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syzkaller630279/4128:
 #0:  (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 #0:  (ashmem_mutex){+.+.}, at: [<00000000ed7c74f0>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

stack backtrace:
CPU: 1 PID: 4128 Comm: syzkaller630279 Not tainted 4.16.0-rc5+ #351
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 __might_fault+0x13a/0x1d0 mm/memory.c:4571
 _copy_from_user+0x2c/0x110 lib/usercopy.c:10
 copy_from_user include/linux/uaccess.h:147 [inline]
 ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
 ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43fd19
RSP: 002b:00007ffdf4578d98 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
RDX: 0000000000000000 RSI: 0000000000007709 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 000000000000000