[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.940875]
[ 27.942577] ======================================================
[ 27.948866] WARNING: possible circular locking dependency detected
[ 27.955155] 4.14.243-syzkaller #0 Not tainted
[ 27.959666] ------------------------------------------------------
[ 27.966019] syz-executor111/7950 is trying to acquire lock:
[ 27.971706]  (sb_writers#6){.+.+}, at: [] vfs_fallocate+0x5c1/0x790
[ 27.979677]
[ 27.979677] but task is already holding lock:
[ 27.985686]  (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00
[ 27.993642]
[ 27.993642] which lock already depends on the new lock.
[ 27.993642]
[ 28.001925]
[ 28.001925] the existing dependency chain (in reverse order) is:
[ 28.009518]
[ 28.009518] -> #3 (ashmem_mutex){+.+.}:
[ 28.014954]        __mutex_lock+0xc4/0x1310
[ 28.019250]        ashmem_mmap+0x50/0x5c0
[ 28.023370]        mmap_region+0xa1a/0x1220
[ 28.027679]        do_mmap+0x5b3/0xcb0
[ 28.031556]        vm_mmap_pgoff+0x14e/0x1a0
[ 28.035934]        SyS_mmap_pgoff+0x249/0x510
[ 28.040420]        do_syscall_64+0x1d5/0x640
[ 28.044800]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.050568]
[ 28.050568] -> #2 (&mm->mmap_sem){++++}:
[ 28.056084]        __might_fault+0x137/0x1b0
[ 28.060466]        _copy_to_user+0x27/0xd0
[ 28.064683]        filldir+0x1d5/0x390
[ 28.068582]        dcache_readdir+0x180/0x860
[ 28.073152]        iterate_dir+0x1a0/0x5e0
[ 28.077368]        SyS_getdents+0x125/0x240
[ 28.081660]        do_syscall_64+0x1d5/0x640
[ 28.086040]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.091717]
[ 28.091717] -> #1 (&type->i_mutex_dir_key#5){++++}:
[ 28.098194]        down_write+0x34/0x90
[ 28.102139]        path_openat+0xde2/0x2970
[ 28.106430]        do_filp_open+0x179/0x3c0
[ 28.110744]        do_sys_open+0x296/0x410
[ 28.114966]        do_syscall_64+0x1d5/0x640
[ 28.119344]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.125026]
[ 28.125026] -> #0 (sb_writers#6){.+.+}:
[ 28.130455]        lock_acquire+0x170/0x3f0
[ 28.134755]        __sb_start_write+0x64/0x260
[ 28.139311]        vfs_fallocate+0x5c1/0x790
[ 28.143695]        ashmem_shrink_scan.part.0+0x135/0x3d0
[ 28.149121]        ashmem_ioctl+0x294/0xd00
[ 28.153413]        do_vfs_ioctl+0x75a/0xff0
[ 28.157702]        SyS_ioctl+0x7f/0xb0
[ 28.161561]        do_syscall_64+0x1d5/0x640
[ 28.165941]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.171620]
[ 28.171620] other info that might help us debug this:
[ 28.171620]
[ 28.179732] Chain exists of:
[ 28.179732]   sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex
[ 28.179732]
[ 28.189953]  Possible unsafe locking scenario:
[ 28.189953]
[ 28.195984]        CPU0                    CPU1
[ 28.200618]        ----                    ----
[ 28.205252]   lock(ashmem_mutex);
[ 28.208690]                                lock(&mm->mmap_sem);
[ 28.214717]                                lock(ashmem_mutex);
[ 28.220657]   lock(sb_writers#6);
[ 28.224084]
[ 28.224084]  *** DEADLOCK ***
[ 28.224084]
[ 28.230114] 1 lock held by syz-executor111/7950:
[ 28.235112]  #0:  (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00
[ 28.243416]
[ 28.243416] stack backtrace:
[ 28.248015] CPU: 1 PID: 7950 Comm: syz-executor111 Not tainted 4.14.243-syzkaller #0
[ 28.255873] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.265200] Call Trace:
[ 28.267764]  dump_stack+0x1b2/0x281
[ 28.271380]  print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 28.277154]  __lock_acquire+0x2e0e/0x3f20
[ 28.281277]  ? aa_file_perm+0x304/0xab0
[ 28.285224]  ? __lock_acquire+0x5fc/0x3f20
[ 28.289430]  ? trace_hardirqs_on+0x10/0x10
[ 28.293651]  ? aa_path_link+0x3a0/0x3a0
[ 28.297598]  ? trace_hardirqs_on+0x10/0x10
[ 28.301807]  ? cache_alloc_refill+0x2fa/0x350
[ 28.306278]  lock_acquire+0x170/0x3f0
[ 28.310053]  ? vfs_fallocate+0x5c1/0x790
[ 28.314099]  __sb_start_write+0x64/0x260
[ 28.318228]  ? vfs_fallocate+0x5c1/0x790
[ 28.322263]  ? shmem_evict_inode+0x8b0/0x8b0
[ 28.326656]  vfs_fallocate+0x5c1/0x790
[ 28.330516]  ashmem_shrink_scan.part.0+0x135/0x3d0
[ 28.335445]  ? mutex_trylock+0x152/0x1a0
[ 28.339478]  ? ashmem_ioctl+0x27e/0xd00
[ 28.343424]  ashmem_ioctl+0x294/0xd00
[ 28.347198]  ? userfaultfd_unmap_prep+0x450/0x450
[ 28.352009]  ? ashmem_shrink_scan+0x80/0x80
[ 28.356304]  ? lock_downgrade+0x740/0x740
[ 28.360437]  ? ashmem_shrink_scan+0x80/0x80
[ 28.364730]  do_vfs_ioctl+0x75a/0xff0
[ 28.368503]  ? ioctl_preallocate+0x1a0/0x1a0
[ 28.372881]  ? __fget+0x225/0x360
[ 28.376305]  ? fput+0xb/0x140
[ 28.379382]  ? SyS_mmap_pgoff+0x25e/0x510
[ 28.383504]  ? security_file_ioctl+0x83/0xb0
[ 28.387881]  SyS_ioctl+0x7f/0xb0
[ 28.391216]  ? do_vfs_ioctl+0xff0/0xff0
[ 28.395165]  do_syscall_64+0x1d5/0x640
[ 28.399025]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.404185] RIP: 0033:0x43eec9
[ 28.407347] RSP: 002b:00007ffd94826378 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 28.415026] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043eec9
[ 28.422267] RDX: 0000000000000000 RSI: 000000000000770a RDI: 0000000000000003
[ 28.429513] RBP: 0000000000402eb0 R08: 0000000000000000 R09: 0000000000000000
[ 28.436753] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000