[   37.685095] audit: type=1800 audit(1549173022.652:26): pid=7627 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   37.721197] audit: type=1800 audit(1549173022.652:27): pid=7627 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   37.747208] audit: type=1800 audit(1549173022.652:28): pid=7627 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   38.653770] audit: type=1800 audit(1549173023.642:29): pid=7627 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.85' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   49.737873]
[   49.739576] ======================================================
[   49.745869] WARNING: possible circular locking dependency detected
[   49.752166] 5.0.0-rc4+ #58 Not tainted
[   49.756062] ------------------------------------------------------
[   49.762357] syz-executor817/7781 is trying to acquire lock:
[   49.768044] 00000000b2eb843d (&mm->mmap_sem){++++}, at: __do_page_fault+0x9c2/0xd60
[   49.775832]
[   49.775832] but task is already holding lock:
[   49.781782] 00000000527669ab (&sb->s_type->i_mutex_key#12){+.+.}, at: generic_file_write_iter+0xdf/0x610
[   49.791393]
[   49.791393] which lock already depends on the new lock.
[   49.791393]
[   49.799691]
[   49.799691] the existing dependency chain (in reverse order) is:
[   49.807287]
[   49.807287] -> #2 (&sb->s_type->i_mutex_key#12){+.+.}:
[   49.814032]        down_write+0x38/0x90
[   49.817987]        shmem_fallocate+0x15a/0xc60
[   49.822549]        ashmem_shrink_scan+0x1d7/0x4f0
[   49.827372]        ashmem_ioctl+0x2f0/0x11a0
[   49.831762]        do_vfs_ioctl+0xd6e/0x1390
[   49.836174]        ksys_ioctl+0xab/0xd0
[   49.840127]        __x64_sys_ioctl+0x73/0xb0
[   49.844519]        do_syscall_64+0x103/0x610
[   49.848908]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.854590]
[   49.854590] -> #1 (ashmem_mutex){+.+.}:
[   49.860025]        __mutex_lock+0xf7/0x1310
[   49.864325]        mutex_lock_nested+0x16/0x20
[   49.868883]        ashmem_mmap+0x55/0x520
[   49.873010]        mmap_region+0xc37/0x1760
[   49.877310]        do_mmap+0x8e2/0x1080
[   49.881264]        vm_mmap_pgoff+0x1c5/0x230
[   49.885651]        ksys_mmap_pgoff+0x4aa/0x630
[   49.890219]        __x64_sys_mmap+0xe9/0x1b0
[   49.894618]        do_syscall_64+0x103/0x610
[   49.899017]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.904745]
[   49.904745] -> #0 (&mm->mmap_sem){++++}:
[   49.910271]        lock_acquire+0x16f/0x3f0
[   49.914573]        down_read+0x3b/0x90
[   49.918441]        __do_page_fault+0x9c2/0xd60
[   49.923031]        do_page_fault+0x71/0x581
[   49.927361]        page_fault+0x1e/0x30
[   49.931316]        iov_iter_fault_in_readable+0x377/0x450
[   49.937091]        generic_perform_write+0x195/0x530
[   49.942172]        __generic_file_write_iter+0x25e/0x630
[   49.947604]        generic_file_write_iter+0x360/0x610
[   49.952861]        __vfs_write+0x613/0x8e0
[   49.957075]        vfs_write+0x20c/0x580
[   49.961136]        ksys_write+0xea/0x1f0
[   49.965190]        __x64_sys_write+0x73/0xb0
[   49.969593]        do_syscall_64+0x103/0x610
[   49.974010]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.979714]
[   49.979714] other info that might help us debug this:
[   49.979714]
[   49.987843] Chain exists of:
[   49.987843]   &mm->mmap_sem --> ashmem_mutex --> &sb->s_type->i_mutex_key#12
[   49.987843]
[   49.999355]  Possible unsafe locking scenario:
[   49.999355]
[   50.005385]        CPU0                    CPU1
[   50.010024]        ----                    ----
[   50.014663]   lock(&sb->s_type->i_mutex_key#12);
[   50.019405]                                lock(ashmem_mutex);
[   50.025349]                                lock(&sb->s_type->i_mutex_key#12);
[   50.032612]   lock(&mm->mmap_sem);
[   50.036126]
[   50.036126]  *** DEADLOCK ***
[   50.036126]
[   50.042159] 2 locks held by syz-executor817/7781:
[   50.046971]  #0: 0000000013193594 (sb_writers#5){.+.+}, at: vfs_write+0x429/0x580
[   50.054576]  #1: 00000000527669ab (&sb->s_type->i_mutex_key#12){+.+.}, at: generic_file_write_iter+0xdf/0x610
[   50.064613]
[   50.064613] stack backtrace:
[   50.069091] CPU: 0 PID: 7781 Comm: syz-executor817 Not tainted 5.0.0-rc4+ #58
[   50.076341] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.085679] Call Trace:
[   50.088267]  dump_stack+0x172/0x1f0
[   50.091881]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[   50.097229]  __lock_acquire+0x2f00/0x4700
[   50.101358]  ? mark_held_locks+0x100/0x100
[   50.105589]  ? mark_held_locks+0x100/0x100
[   50.109824]  ? __lock_is_held+0xb6/0x140
[   50.113878]  lock_acquire+0x16f/0x3f0
[   50.117661]  ? __do_page_fault+0x9c2/0xd60
[   50.121885]  down_read+0x3b/0x90
[   50.125227]  ? __do_page_fault+0x9c2/0xd60
[   50.129442]  __do_page_fault+0x9c2/0xd60
[   50.133484]  do_page_fault+0x71/0x581
[   50.137266]  page_fault+0x1e/0x30
[   50.140702] RIP: 0010:iov_iter_fault_in_readable+0x377/0x450
[   50.146480] Code: 89 f6 41 88 57 e0 e8 b8 2b 47 fe 45 85 f6 74 c1 e9 70 fe ff ff e8 29 2a 47 fe 0f 1f 00 0f ae e8 44 89 f0 48 8b 8d 68 ff ff ff <8a> 11 89 c3 0f 1f 00 41 88 57 d0 31 ff 89 de e8 85 2b 47 fe 85 db
[   50.165377] RSP: 0018:ffff8880908df9b8 EFLAGS: 00010293
[   50.170721] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000020ed853f
[   50.177969] RDX: 0000000000000000 RSI: ffffffff8328b1e7 RDI: 0000000000000007
[   50.185227] RBP: ffff8880908dfa58 R08: ffff88808e9e81c0 R09: fffff94000418d17
[   50.192475] R10: fffff94000418d16 R11: ffffea00020c68b7 R12: 0000000000001000
[   50.199739] R13: 0000000000001000 R14: 0000000000000000 R15: ffff8880908dfa30
[   50.206997]  ? iov_iter_fault_in_readable+0x367/0x450
[   50.212168]  ? iov_iter_fault_in_readable+0x367/0x450
[   50.217356]  ? copy_page_from_iter+0x750/0x750
[   50.221920]  generic_perform_write+0x195/0x530
[   50.226483]  ? page_endio+0x780/0x780
[   50.230267]  ? current_time+0x140/0x140
[   50.234223]  ? lock_acquire+0x16f/0x3f0
[   50.238177]  __generic_file_write_iter+0x25e/0x630
[   50.243090]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   50.248088]  generic_file_write_iter+0x360/0x610
[   50.252826]  ? __generic_file_write_iter+0x630/0x630
[   50.257908]  ? __fget+0x340/0x540
[   50.261369]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.266896]  ? iov_iter_init+0xea/0x220
[   50.270850]  __vfs_write+0x613/0x8e0
[   50.274546]  ? kernel_read+0x120/0x120
[   50.278415]  ? rcu_read_lock_sched_held+0x110/0x130
[   50.283412]  ? rcu_sync_lockdep_assert+0x73/0xb0
[   50.288145]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   50.293732]  ? __sb_start_write+0x1ac/0x360
[   50.298049]  vfs_write+0x20c/0x580
[   50.301571]  ksys_write+0xea/0x1f0
[   50.305089]  ? __ia32_sys_read+0xb0/0xb0
[   50.309147]  ? do_syscall_64+0x26/0x610
[   50.313100]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.318441]  ? do_syscall_64+0x26/0x610
[   50.322393]  __x64_sys_write+0x73/0xb0
[   50.326265]  do_syscall_64+0x103/0x610
[   50.330134]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   50.335301] RIP: 0033:0x445839
[   50.338472] Code: e8 9c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   50.357350] RSP: 002b:00007fa80b68fda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   50.365034] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445839
[   50.372283] RDX: 00000000fffffda2 RSI: 0000000020000540 RDI: 0000000000000004
[   50.379543] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[   50.386792] R10: 0000000000000000 R11: 000