[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
 Starting Update UTMP about System Runlevel Changes...
 Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.704060]
[ 27.705740] ======================================================
[ 27.712031] WARNING: possible circular locking dependency detected
[ 27.718325] 4.14.243-syzkaller #0 Not tainted
[ 27.722791] ------------------------------------------------------
[ 27.729082] syz-executor846/7984 is trying to acquire lock:
[ 27.734760]  (sb_writers#6){.+.+}, at: [] vfs_fallocate+0x5c1/0x790
[ 27.742710]
[ 27.742710] but task is already holding lock:
[ 27.748691]  (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00
[ 27.756551]
[ 27.756551] which lock already depends on the new lock.
[ 27.756551]
[ 27.764835]
[ 27.764835] the existing dependency chain (in reverse order) is:
[ 27.772428]
[ 27.772428] -> #3 (ashmem_mutex){+.+.}:
[ 27.777898]        __mutex_lock+0xc4/0x1310
[ 27.782198]        ashmem_mmap+0x50/0x5c0
[ 27.786317]        mmap_region+0xa1a/0x1220
[ 27.790651]        do_mmap+0x5b3/0xcb0
[ 27.794511]        vm_mmap_pgoff+0x14e/0x1a0
[ 27.798891]        SyS_mmap_pgoff+0x249/0x510
[ 27.803356]        do_syscall_64+0x1d5/0x640
[ 27.807737]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.813413]
[ 27.813413] -> #2 (&mm->mmap_sem){++++}:
[ 27.818928]        __might_fault+0x137/0x1b0
[ 27.823308]        _copy_to_user+0x27/0xd0
[ 27.827516]        filldir+0x1d5/0x390
[ 27.831419]        dcache_readdir+0x180/0x860
[ 27.835885]        iterate_dir+0x1a0/0x5e0
[ 27.840091]        SyS_getdents+0x125/0x240
[ 27.844399]        do_syscall_64+0x1d5/0x640
[ 27.848779]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.854454]
[ 27.854454] -> #1 (&type->i_mutex_dir_key#5){++++}:
[ 27.860923]        down_write+0x34/0x90
[ 27.864870]        path_openat+0xde2/0x2970
[ 27.869170]        do_filp_open+0x179/0x3c0
[ 27.873467]        do_sys_open+0x296/0x410
[ 27.877677]        do_syscall_64+0x1d5/0x640
[ 27.882062]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.887741]
[ 27.887741] -> #0 (sb_writers#6){.+.+}:
[ 27.893180]        lock_acquire+0x170/0x3f0
[ 27.897484]        __sb_start_write+0x64/0x260
[ 27.902042]        vfs_fallocate+0x5c1/0x790
[ 27.906428]        ashmem_shrink_scan.part.0+0x135/0x3d0
[ 27.911851]        ashmem_ioctl+0x294/0xd00
[ 27.916149]        do_vfs_ioctl+0x75a/0xff0
[ 27.920444]        SyS_ioctl+0x7f/0xb0
[ 27.924397]        do_syscall_64+0x1d5/0x640
[ 27.928795]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 27.934475]
[ 27.934475] other info that might help us debug this:
[ 27.934475]
[ 27.942586] Chain exists of:
[ 27.942586]   sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex
[ 27.942586]
[ 27.952802]  Possible unsafe locking scenario:
[ 27.952802]
[ 27.958828]        CPU0                    CPU1
[ 27.963468]        ----                    ----
[ 27.968106]   lock(ashmem_mutex);
[ 27.971546]                                lock(&mm->mmap_sem);
[ 27.977601]                                lock(ashmem_mutex);
[ 27.983541]   lock(sb_writers#6);
[ 27.986968]
[ 27.986968]  *** DEADLOCK ***
[ 27.986968]
[ 27.992999] 1 lock held by syz-executor846/7984:
[ 27.997742]  #0:  (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00
[ 28.006042]
[ 28.006042] stack backtrace:
[ 28.010544] CPU: 0 PID: 7984 Comm: syz-executor846 Not tainted 4.14.243-syzkaller #0
[ 28.018450] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.027781] Call Trace:
[ 28.030362]  dump_stack+0x1b2/0x281
[ 28.033968]  print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 28.039790]  __lock_acquire+0x2e0e/0x3f20
[ 28.043913]  ? aa_file_perm+0x304/0xab0
[ 28.047859]  ? __lock_acquire+0x5fc/0x3f20
[ 28.052066]  ? trace_hardirqs_on+0x10/0x10
[ 28.056281]  ? aa_path_link+0x3a0/0x3a0
[ 28.060242]  ? trace_hardirqs_on+0x10/0x10
[ 28.064451]  ? cache_alloc_refill+0x2fa/0x350
[ 28.068920]  lock_acquire+0x170/0x3f0
[ 28.072696]  ? vfs_fallocate+0x5c1/0x790
[ 28.076731]  __sb_start_write+0x64/0x260
[ 28.080766]  ? vfs_fallocate+0x5c1/0x790
[ 28.084798]  ? shmem_evict_inode+0x8b0/0x8b0
[ 28.089178]  vfs_fallocate+0x5c1/0x790
[ 28.093042]  ashmem_shrink_scan.part.0+0x135/0x3d0
[ 28.097957]  ? mutex_trylock+0x152/0x1a0
[ 28.102076]  ? ashmem_ioctl+0x27e/0xd00
[ 28.106027]  ashmem_ioctl+0x294/0xd00
[ 28.109799]  ? userfaultfd_unmap_prep+0x450/0x450
[ 28.114628]  ? ashmem_shrink_scan+0x80/0x80
[ 28.118925]  ? lock_downgrade+0x740/0x740
[ 28.123050]  ? ashmem_shrink_scan+0x80/0x80
[ 28.127346]  do_vfs_ioctl+0x75a/0xff0
[ 28.131122]  ? ioctl_preallocate+0x1a0/0x1a0
[ 28.135517]  ? __fget+0x225/0x360
[ 28.138945]  ? fput+0xb/0x140
[ 28.142025]  ? SyS_mmap_pgoff+0x25e/0x510
[ 28.146146]  ? security_file_ioctl+0x83/0xb0
[ 28.150526]  SyS_ioctl+0x7f/0xb0
[ 28.153869]  ? do_vfs_ioctl+0xff0/0xff0
[ 28.157817]  do_syscall_64+0x1d5/0x640
[ 28.161678]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.166841] RIP: 0033:0x43eec9
[ 28.170004] RSP: 002b:00007ffca5195468 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 28.177682] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043eec9
[ 28.184936] RDX: 0000000000000000 RSI: 000000000000770a RDI: 0000000000000003
[ 28.192181] RBP: 0000000000402eb0 R08: 0000000000000000 R09: 0000000000000000
[ 28.199438] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402f40