syzbot


possible deadlock in mm_access

Status: auto-closed as invalid on 2020/03/25 07:19
Reported-by: syzbot+0d014be916d18c349d99@syzkaller.appspotmail.com
First crash: 1624d, last: 1610d
Similar bugs (1)
Kernel     | Title                          | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
-----------|--------------------------------|-------|--------------|------------|-------|-------|----------|---------|------------------------------------------
android-44 | possible deadlock in mm_access |       |              |            | 4     | 1876d | 1836d    | 0/2     | auto-closed as invalid on 2019/09/01 09:58

Sample crash report:
======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #1 Not tainted
-------------------------------------------------------
syz-executor.2/3659 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.+.}, at: [<ffffffff810d2941>] mm_access+0x51/0x140 kernel/fork.c:1028
but task is already holding lock:
 (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8152a634>] inode_lock_shared include/linux/fs.h:776 [inline]
 (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8152a634>] lookup_slow+0x154/0x470 fs/namei.c:1645
which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       down_read+0x44/0xb0 kernel/locking/rwsem.c:22
       inode_lock_shared include/linux/fs.h:776 [inline]
       do_last fs/namei.c:3314 [inline]
       path_openat+0x1309/0x2790 fs/namei.c:3534
       do_filp_open+0x197/0x270 fs/namei.c:3568
       do_open_execat+0x10f/0x640 fs/exec.c:844
       open_exec+0x43/0x60 fs/exec.c:876
       load_script+0x5a4/0x740 fs/binfmt_script.c:100
       search_binary_handler+0x14f/0x6f0 fs/exec.c:1621
       exec_binprm fs/exec.c:1663 [inline]
       do_execveat_common.isra.14+0x1139/0x1ed0 fs/exec.c:1785
       do_execveat fs/exec.c:1840 [inline]
       SYSC_execveat fs/exec.c:1921 [inline]
       SyS_execveat+0x55/0x70 fs/exec.c:1913
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_killable_nested+0xcc/0x9f0 kernel/locking/mutex.c:641
       mm_access+0x51/0x140 kernel/fork.c:1028
       map_files_d_revalidate+0xf6/0x6e0 fs/proc/base.c:1933
       d_revalidate fs/namei.c:789 [inline]
       lookup_slow+0x361/0x470 fs/namei.c:1656
       walk_component+0x822/0xcf0 fs/namei.c:1784
       lookup_last fs/namei.c:2266 [inline]
       path_lookupat.isra.10+0x186/0x410 fs/namei.c:2283
       filename_lookup.part.18+0x177/0x370 fs/namei.c:2317
       filename_lookup fs/namei.c:2310 [inline]
       user_path_at_empty+0x53/0x70 fs/namei.c:2578
       user_path_at include/linux/namei.h:55 [inline]
       SYSC_quotactl fs/quota/quota.c:862 [inline]
       SyS_quotactl+0x7c4/0x1250 fs/quota/quota.c:834
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key);
                               lock(&sig->cred_guard_mutex);
                               lock(&sb->s_type->i_mutex_key);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.2/3659:
 #0:  (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8152a634>] inode_lock_shared include/linux/fs.h:776 [inline]
 #0:  (&sb->s_type->i_mutex_key){++++++}, at: [<ffffffff8152a634>] lookup_slow+0x154/0x470 fs/namei.c:1645

stack backtrace:
CPU: 0 PID: 3659 Comm: syz-executor.2 Not tainted 4.9.141+ #1
 ffff8800a0bef388 ffffffff81b42e79 ffffffff83ca2fd0 ffffffff83c73360
 ffffffff83ca2fd0 ffff88015e8ab850 ffff88015e8aaf80 ffff8800a0bef3d0
 ffffffff813fee40 0000000000000001 000000005e8ab830 0000000000000001
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff813fee40>] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202
 [<ffffffff8120a539>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [<ffffffff8120a539>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [<ffffffff8120a539>] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [<ffffffff8120a539>] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
 [<ffffffff8120c8d0>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [<ffffffff8280c45c>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [<ffffffff8280c45c>] mutex_lock_killable_nested+0xcc/0x9f0 kernel/locking/mutex.c:641
 [<ffffffff810d2941>] mm_access+0x51/0x140 kernel/fork.c:1028
 [<ffffffff81666cb6>] map_files_d_revalidate+0xf6/0x6e0 fs/proc/base.c:1933
 [<ffffffff8152a841>] d_revalidate fs/namei.c:789 [inline]
 [<ffffffff8152a841>] lookup_slow+0x361/0x470 fs/namei.c:1656
 [<ffffffff81539cf2>] walk_component+0x822/0xcf0 fs/namei.c:1784
 [<ffffffff8153b6b6>] lookup_last fs/namei.c:2266 [inline]
 [<ffffffff8153b6b6>] path_lookupat.isra.10+0x186/0x410 fs/namei.c:2283
 [<ffffffff8153f697>] filename_lookup.part.18+0x177/0x370 fs/namei.c:2317
 [<ffffffff8153fa53>] filename_lookup fs/namei.c:2310 [inline]
 [<ffffffff8153fa53>] user_path_at_empty+0x53/0x70 fs/namei.c:2578
 [<ffffffff81654594>] user_path_at include/linux/namei.h:55 [inline]
 [<ffffffff81654594>] SYSC_quotactl fs/quota/quota.c:862 [inline]
 [<ffffffff81654594>] SyS_quotactl+0x7c4/0x1250 fs/quota/quota.c:834
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
ip6_tunnel: ip6tnl3 xmit: Local address not yet configured!
ip6_tunnel: ip6tnl3 xmit: Local address not yet configured!
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=3759 comm=syz-executor.4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=32784 sclass=netlink_route_socket pig=3759 comm=syz-executor.4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3757 comm=syz-executor.1
audit: type=1400 audit(1574649326.221:522): avc:  denied  { net_broadcast } for  pid=3823 comm="syz-executor.5" capability=11  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): sit13: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): sit14: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vti10: link becomes ready
ip6_tunnel: ip6tnl3 xmit: Local address not yet configured!
ip6_tunnel: ip6tnl3 xmit: Local address not yet configured!
input: syz1 as /devices/virtual/input/input306
input: syz1 as /devices/virtual/input/input307
audit: type=1400 audit(1574649327.461:523): avc:  denied  { associate } for  pid=3906 comm="syz-executor.3" name=7374617409C0D2FEBCF9DF2DEAC8C177FF179C58371248E91193513049F831550D6F7DE66CF6783F9DB5116B34D31B0512A5608AAFF01E7952340CD6FD scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
syz-executor.1: [ 1640.883119] tc_dump_action: action bad kind
vmalloc: allocation failure: 0 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 3947 Comm: syz-executor.1 Not tainted 4.9.141+ #1
 ffff8800b99f78a0 ffffffff81b42e79 1ffff1001733ef16 ffff8801d3304740
 ffffffff82aa8c00 0000000000000001 0000000000400000 ffff8800b99f79e8
 ffffffff814fc7c8 0000000041b58ab3 ffffffff82e37a10 ffffffff81427db0
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff814fc7c8>] warn_alloc.cold.31+0x7f/0x9c mm/page_alloc.c:3068
 [<ffffffff814c9f8e>] __vmalloc_node_range+0x35e/0x600 mm/vmalloc.c:1723
 [<ffffffff814ca71b>] __vmalloc_node mm/vmalloc.c:1745 [inline]
 [<ffffffff814ca71b>] __vmalloc_node_flags mm/vmalloc.c:1759 [inline]
 [<ffffffff814ca71b>] vmalloc+0x5b/0x70 mm/vmalloc.c:1774
 [<ffffffff81a122d5>] sel_write_load+0x135/0xfa0 security/selinux/selinuxfs.c:514
 [<ffffffff81508085>] __vfs_write+0x115/0x580 fs/read_write.c:507
 [<ffffffff8150ab97>] vfs_write+0x187/0x520 fs/read_write.c:557
 [<ffffffff8150e9c9>] SYSC_write fs/read_write.c:604 [inline]
 [<ffffffff8150e9c9>] SyS_write+0xd9/0x1c0 fs/read_write.c:596
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Mem-Info:
active_anon:951884 inactive_anon:99621 isolated_anon:0
 active_file:5292 inactive_file:41309 isolated_file:0
 unevictable:6 dirty:361 writeback:0 unstable:0
 slab_reclaimable:8217 slab_unreclaimable:88143
 mapped:85690 shmem:152001 pagetables:23939 bounce:0
 free:350262 free_pcp:415 free_cma:0
Node 0 active_anon:3807536kB inactive_anon:398484kB active_file:21168kB inactive_file:165236kB unevictable:24kB isolated(anon):0kB isolated(file):0kB mapped:342760kB dirty:1444kB writeback:0kB shmem:608004kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA32 free:1391916kB min:4696kB low:7712kB high:10728kB active_anon:1213904kB inactive_anon:104164kB active_file:252kB inactive_file:72088kB unevictable:24kB writepending:104kB present:3145324kB managed:3020132kB mlocked:24kB slab_reclaimable:6464kB slab_unreclaimable:179112kB kernel_stack:11488kB pagetables:18752kB bounce:0kB free_pcp:860kB local_pcp:204kB free_cma:0kB
Normal free:9132kB min:5580kB low:9168kB high:12756kB active_anon:2593532kB inactive_anon:294320kB active_file:20916kB inactive_file:93148kB unevictable:0kB writepending:1340kB present:4718592kB managed:3589312kB mlocked:0kB slab_reclaimable:26404kB slab_unreclaimable:173460kB kernel_stack:24768kB pagetables:77004kB bounce:0kB free_pcp:800kB local_pcp:424kB free_cma:0kB
DMA32: 678*4kB (U) 813*8kB (UM) 619*16kB (UME) 370*32kB (UME) 161*64kB (UME) 188*128kB (UM) 59*256kB (UM) 57*512kB (UM) 46*1024kB (UM) 29*2048kB (UM) 287*4096kB (UM) = 1391664kB
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313618 pages reserved
syz-executor.1: vmalloc: allocation failure: 0 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 1 PID: 3955 Comm: syz-executor.1 Not tainted 4.9.141+ #1
 ffff8800b69378a0 ffffffff81b42e79 1ffff10016d26f16 ffff8800a9785f00
 ffffffff82aa8c00 0000000000000001 0000000000400000 ffff8800b69379e8
 ffffffff814fc7c8 0000000041b58ab3 ffffffff82e37a10 ffffffff81427db0
Call Trace:
 [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff814fc7c8>] warn_alloc.cold.31+0x7f/0x9c mm/page_alloc.c:3068
 [<ffffffff814c9f8e>] __vmalloc_node_range+0x35e/0x600 mm/vmalloc.c:1723
 [<ffffffff814ca71b>] __vmalloc_node mm/vmalloc.c:1745 [inline]
 [<ffffffff814ca71b>] __vmalloc_node_flags mm/vmalloc.c:1759 [inline]
 [<ffffffff814ca71b>] vmalloc+0x5b/0x70 mm/vmalloc.c:1774
 [<ffffffff81a122d5>] sel_write_load+0x135/0xfa0 security/selinux/selinuxfs.c:514
 [<ffffffff81508085>] __vfs_write+0x115/0x580 fs/read_write.c:507
 [<ffffffff8150ab97>] vfs_write+0x187/0x520 fs/read_write.c:557
 [<ffffffff8150e9c9>] SYSC_write fs/read_write.c:604 [inline]
 [<ffffffff8150e9c9>] SyS_write+0xd9/0x1c0 fs/read_write.c:596
 [<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Mem-Info:
active_anon:951909 inactive_anon:99621 isolated_anon:0
 active_file:5292 inactive_file:41309 isolated_file:0
 unevictable:6 dirty:361 writeback:0 unstable:0
 slab_reclaimable:8217 slab_unreclaimable:88175
 mapped:85690 shmem:152001 pagetables:23939 bounce:0
 free:350199 free_pcp:411 free_cma:0
Node 0 active_anon:3807636kB inactive_anon:398484kB active_file:21168kB inactive_file:165236kB unevictable:24kB isolated(anon):0kB isolated(file):0kB mapped:342760kB dirty:1444kB writeback:0kB shmem:608004kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA32 free:1391664kB min:4696kB low:7712kB high:10728kB active_anon:1214104kB inactive_anon:104164kB active_file:252kB inactive_file:72088kB unevictable:24kB writepending:104kB present:3145324kB managed:3020132kB mlocked:24kB slab_reclaimable:6464kB slab_unreclaimable:179240kB kernel_stack:11456kB pagetables:18752kB bounce:0kB free_pcp:844kB local_pcp:652kB free_cma:0kB
Normal free:9132kB min:5580kB low:9168kB high:12756kB active_anon:2593532kB inactive_anon:294320kB active_file:20916kB inactive_file:93148kB unevictable:0kB writepending:1340kB present:4718592kB managed:3589312kB mlocked:0kB slab_reclaimable:26404kB slab_unreclaimable:173460kB kernel_stack:24768kB pagetables:77004kB bounce:0kB free_pcp:800kB local_pcp:376kB free_cma:0kB
DMA32: 678*4kB (U) 813*8kB (UM) 619*16kB (UME) 371*32kB (UME) 161*64kB (UME) 188*128kB (UM) 59*256kB (UM) 57*512kB (UM) 46*1024kB (UM) 29*2048kB (UM) 287*4096kB (UM) = 1391696kB
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313618 pages reserved
device lo entered promiscuous mode
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.3'.
binder: 3996:4005 got transaction to invalid handle
binder: 3996:4005 transaction failed 29201/-22, size 96-24 line 3013
audit: type=1400 audit(1574649332.311:524): avc:  denied  { call } for  pid=3996 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: 3996:4005 BC_FREE_BUFFER u0000000020ffc000 no match
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 357, process died.
audit: type=1400 audit(1574649332.621:525): avc:  denied  { connect } for  pid=4043 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
input: syz1 as /devices/virtual/input/input311
input: syz1 as /devices/virtual/input/input312

Crashes (7):
Time             | Kernel                                                    | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets (help?) | Manager                     | Title
-----------------|-----------------------------------------------------------|--------------|-----------|---------|-------------|--------|-----------|---------|---------|----------------|-----------------------------|------
2019/11/25 02:35 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 598ca6c8  | .config | console log | report |           |         |         |                | ci-android-49-kasan-gce     |
2019/11/22 05:35 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 8098ea0f  | .config | console log | report |           |         |         |                | ci-android-49-kasan-gce     |
2019/11/21 06:40 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 8098ea0f  | .config | console log | report |           |         |         |                | ci-android-49-kasan-gce     |
2019/11/16 03:17 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | cdac920b  | .config | console log | report |           |         |         |                | ci-android-49-kasan-gce     |
2019/11/13 06:35 | https://android.googlesource.com/kernel/common android-4.9 | 7fe05eede1c8 | 048f2d49  | .config | console log | report |           |         |         |                | ci-android-49-kasan-gce-root |
2019/11/26 07:18 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | f746151a  | .config | console log | report |           |         |         |                | ci-android-49-kasan-gce-386 |
2019/11/14 08:20 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 048f2d49  | .config | console log | report |           |         |         |                | ci-android-49-kasan-gce-386 |
* Struck through repros no longer work on HEAD.