Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.122' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   27.198933] 
[   27.200557] ======================================================
[   27.206843] WARNING: possible circular locking dependency detected
[   27.213133] 4.14.244-syzkaller #0 Not tainted
[   27.217594] ------------------------------------------------------
[   27.223882] syz-executor278/7960 is trying to acquire lock:
[   27.229560]  (sb_writers#6){.+.+}, at: [] vfs_fallocate+0x5c1/0x790
[   27.237507] 
[   27.237507] but task is already holding lock:
[   27.243447]  (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00
[   27.251302] 
[   27.251302] which lock already depends on the new lock.
[   27.251302] 
[   27.259586] 
[   27.259586] the existing dependency chain (in reverse order) is:
[   27.267175] 
[   27.267175] -> #3 (ashmem_mutex){+.+.}:
[   27.272652]        __mutex_lock+0xc4/0x1310
[   27.276948]        ashmem_mmap+0x50/0x5c0
[   27.281103]        mmap_region+0xa1a/0x1220
[   27.285397]        do_mmap+0x5b3/0xcb0
[   27.289258]        vm_mmap_pgoff+0x14e/0x1a0
[   27.293639]        SyS_mmap_pgoff+0x249/0x510
[   27.298107]        do_syscall_64+0x1d5/0x640
[   27.302487]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   27.308166] 
[   27.308166] -> #2 (&mm->mmap_sem){++++}:
[   27.313684]        __might_fault+0x137/0x1b0
[   27.318108]        _copy_to_user+0x27/0xd0
[   27.322317]        filldir+0x1d5/0x390
[   27.326174]        dcache_readdir+0x180/0x860
[   27.330676]        iterate_dir+0x1a0/0x5e0
[   27.334881]        SyS_getdents+0x125/0x240
[   27.339188]        do_syscall_64+0x1d5/0x640
[   27.343568]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   27.349247] 
[   27.349247] -> #1 (&type->i_mutex_dir_key#5){++++}:
[   27.355751]        down_write+0x34/0x90
[   27.359694]        path_openat+0xde2/0x2970
[   27.363984]        do_filp_open+0x179/0x3c0
[   27.368278]        do_sys_open+0x296/0x410
[   27.372481]        do_syscall_64+0x1d5/0x640
[   27.376869]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   27.382550] 
[   27.382550] -> #0 (sb_writers#6){.+.+}:
[   27.387988]        lock_acquire+0x170/0x3f0
[   27.392290]        __sb_start_write+0x64/0x260
[   27.396848]        vfs_fallocate+0x5c1/0x790
[   27.401232]        ashmem_shrink_scan.part.0+0x135/0x3d0
[   27.406655]        ashmem_ioctl+0x294/0xd00
[   27.411013]        do_vfs_ioctl+0x75a/0xff0
[   27.415340]        SyS_ioctl+0x7f/0xb0
[   27.419203]        do_syscall_64+0x1d5/0x640
[   27.423585]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   27.429315] 
[   27.429315] other info that might help us debug this:
[   27.429315] 
[   27.437427] Chain exists of:
[   27.437427]   sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex
[   27.437427] 
[   27.447638]  Possible unsafe locking scenario:
[   27.447638] 
[   27.453674]        CPU0                    CPU1
[   27.458315]        ----                    ----
[   27.462971]   lock(ashmem_mutex);
[   27.466397]                                lock(&mm->mmap_sem);
[   27.472437]                                lock(ashmem_mutex);
[   27.478377]   lock(sb_writers#6);
[   27.481801] 
[   27.481801]  *** DEADLOCK ***
[   27.481801] 
[   27.487828] 1 lock held by syz-executor278/7960:
[   27.492549]  #0:  (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00
[   27.500841] 
[   27.500841] stack backtrace:
[   27.505308] CPU: 1 PID: 7960 Comm: syz-executor278 Not tainted 4.14.244-syzkaller #0
[   27.513156] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   27.522479] Call Trace:
[   27.525041]  dump_stack+0x1b2/0x281
[   27.528660]  print_circular_bug.constprop.0.cold+0x2d7/0x41e
[   27.534444]  __lock_acquire+0x2e0e/0x3f20
[   27.538566]  ? aa_file_perm+0x304/0xab0
[   27.542525]  ? __lock_acquire+0x5fc/0x3f20
[   27.546730]  ? trace_hardirqs_on+0x10/0x10
[   27.550933]  ? aa_path_link+0x3a0/0x3a0
[   27.554894]  ? lock_downgrade+0x740/0x740
[   27.559025]  ? trace_hardirqs_on+0x10/0x10
[   27.563229]  ? kernel_text_address+0xbd/0xf0
[   27.567608]  lock_acquire+0x170/0x3f0
[   27.571384]  ? vfs_fallocate+0x5c1/0x790
[   27.575431]  __sb_start_write+0x64/0x260
[   27.579462]  ? vfs_fallocate+0x5c1/0x790
[   27.583493]  ? shmem_evict_inode+0x8b0/0x8b0
[   27.587872]  vfs_fallocate+0x5c1/0x790
[   27.591734]  ashmem_shrink_scan.part.0+0x135/0x3d0
[   27.596638]  ? mutex_trylock+0x152/0x1a0
[   27.600668]  ? ashmem_ioctl+0x27e/0xd00
[   27.604612]  ashmem_ioctl+0x294/0xd00
[   27.608388]  ? lock_acquire+0x170/0x3f0
[   27.612349]  ? lock_downgrade+0x740/0x740
[   27.616468]  ? ashmem_shrink_scan+0x80/0x80
[   27.620760]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   27.625848]  ? debug_check_no_obj_freed+0x2c0/0x680
[   27.630833]  ? ashmem_shrink_scan+0x80/0x80
[   27.635124]  do_vfs_ioctl+0x75a/0xff0
[   27.638893]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[   27.644314]  ? ioctl_preallocate+0x1a0/0x1a0
[   27.648710]  ? kmem_cache_free+0x23a/0x2b0
[   27.652914]  ? putname+0xcd/0x110
[   27.656340]  ? do_sys_open+0x208/0x410
[   27.660199]  ? filp_open+0x60/0x60
[   27.663711]  ? security_file_ioctl+0x83/0xb0
[   27.668091]  SyS_ioctl+0x7f/0xb0
[   27.671429]  ? do_vfs_ioctl+0xff0/0xff0
[   27.675378]  do_syscall_64+0x1d5/0x640
[   27.679236]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   27.684400] RIP: 0033:0x43ef09
[   27.687562] RSP: 002b:00007ffd74eca0d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   27.695242] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000
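The report above is lockdep's cycle check over the lock-class dependency graph: three edges were already recorded (sb_writers#6 -> &type->i_mutex_dir_key#5 from open(), i_mutex_dir -> &mm->mmap_sem from the user copy in getdents(), mmap_sem -> ashmem_mutex from ashmem_mmap()), and the ioctl path's attempt to take sb_writers#6 while holding ashmem_mutex would add the edge that closes the loop. The following is an added C example, not kernel or syzkaller code: a minimal userspace model of that check, replaying the four lock classes and the acquisition order from the report. Only the lock names come from the report; the graph representation, function names (`lockdep_acquire`, `replay_report`, `replay_consistent_order`) and the depth-first search are constructed for illustration.

```c
/* Added example, not kernel or syzkaller code: a minimal model of the lockdep
 * cycle check, replaying the lock classes and dependencies from the report.
 * Lock names are taken from the report; everything else is constructed. */
#include <stdio.h>
#include <string.h>

enum { ASHMEM_MUTEX, MMAP_SEM, I_MUTEX_DIR, SB_WRITERS, NLOCKS };

static const char *lock_name[NLOCKS] = {
    "ashmem_mutex", "&mm->mmap_sem", "&type->i_mutex_dir_key#5", "sb_writers#6",
};

/* dep[a][b] != 0 records "lock b was acquired while lock a was held" (a -> b). */
static int dep[NLOCKS][NLOCKS];

/* Depth-first search for a dependency path from 'from' to 'target'.
 * Returns the number of locks on the path and fills 'path', or 0 if none. */
static int find_path(int from, int target, int *visited, int *path, int depth)
{
    path[depth] = from;
    if (from == target)
        return depth + 1;
    visited[from] = 1;
    for (int next = 0; next < NLOCKS; next++) {
        if (!dep[from][next] || visited[next])
            continue;
        int len = find_path(next, target, visited, path, depth + 1);
        if (len)
            return len;
    }
    return 0;
}

/* Model of the check lockdep runs on "acquire 'acq' while holding 'held'":
 * if 'held' is already reachable from 'acq', adding held -> acq would close
 * a cycle. Returns the cycle length; 0 means fine and the edge is recorded. */
int lockdep_acquire(int held, int acq, int *path)
{
    int visited[NLOCKS] = {0};
    int len = find_path(acq, held, visited, path, 0);
    if (len)
        return len;
    dep[held][acq] = 1;
    return 0;
}

/* The dependencies lockdep had already seen (#3, #2, #1 in the report). */
static void record_existing_chain(void)
{
    int path[NLOCKS];
    memset(dep, 0, sizeof dep);
    /* #3 mmap(): mmap_sem held, ashmem_mmap() takes ashmem_mutex */
    lockdep_acquire(MMAP_SEM, ASHMEM_MUTEX, path);
    /* #2 getdents(): dir i_mutex held, filldir()'s copy_to_user may fault and take mmap_sem */
    lockdep_acquire(I_MUTEX_DIR, MMAP_SEM, path);
    /* #1 open(): sb_writers held, path_openat() takes the dir i_mutex */
    lockdep_acquire(SB_WRITERS, I_MUTEX_DIR, path);
}

/* #0 in the report: ashmem_ioctl() holds ashmem_mutex and, through
 * ashmem_shrink_scan() -> vfs_fallocate(), takes sb_writers.
 * Returns the detected cycle length (4 locks here) or 0. */
int replay_report(void)
{
    int path[NLOCKS];
    record_existing_chain();
    int len = lockdep_acquire(ASHMEM_MUTEX, SB_WRITERS, path);
    if (len) {
        printf("possible circular locking dependency; chain exists of:\n ");
        for (int i = 0; i < len; i++)
            printf(" %s%s", lock_name[path[i]], i + 1 < len ? " -->" : "");
        printf("\n new dependency %s --> %s closes the cycle\n",
               lock_name[ASHMEM_MUTEX], lock_name[SB_WRITERS]);
    }
    return len;
}

/* The opposite order (ashmem_mutex taken while sb_writers is held) agrees
 * with the recorded chain and is not flagged. */
int replay_consistent_order(void)
{
    int path[NLOCKS];
    record_existing_chain();
    return lockdep_acquire(SB_WRITERS, ASHMEM_MUTEX, path);
}

int main(void)
{
    return replay_report() ? 0 : 1;
}
```

The model flags the acquisition that closes the loop, exactly as the report's "-> #0" entry does, and the "Chain exists of" line in the real report is the same reachability path shortened to its endpoints. The practical fix for a driver in this position is to drop its own mutex before calling into the VFS (or to move the shrinker work outside the locked region), so that no edge from the driver lock to sb_writers is ever recorded.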