[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.201' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 29.700940]
[ 29.702700] ======================================================
[ 29.708987] WARNING: possible circular locking dependency detected
[ 29.715289] 4.14.288-syzkaller #0 Not tainted
[ 29.719758] ------------------------------------------------------
[ 29.726062] syz-executor303/7973 is trying to acquire lock:
[ 29.731744] (sb_writers#6){.+.+}, at: [] vfs_fallocate+0x5c1/0x790
[ 29.739700]
[ 29.739700] but task is already holding lock:
[ 29.745661] (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00
[ 29.753526]
[ 29.753526] which lock already depends on the new lock.
[ 29.753526]
[ 29.761817]
[ 29.761817] the existing dependency chain (in reverse order) is:
[ 29.769414]
[ 29.769414] -> #3 (ashmem_mutex){+.+.}:
[ 29.774857] __mutex_lock+0xc4/0x1310
[ 29.779155] ashmem_mmap+0x50/0x5c0
[ 29.783278] mmap_region+0xa1a/0x1220
[ 29.787598] do_mmap+0x5b3/0xcb0
[ 29.791484] vm_mmap_pgoff+0x14e/0x1a0
[ 29.795875] SyS_mmap_pgoff+0x249/0x510
[ 29.800345] do_syscall_64+0x1d5/0x640
[ 29.804727] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.810409]
[ 29.810409] -> #2 (&mm->mmap_sem){++++}:
[ 29.815937] __might_fault+0x137/0x1b0
[ 29.820332] _copy_to_user+0x27/0xd0
[ 29.824538] filldir+0x1d5/0x390
[ 29.828396] dcache_readdir+0x180/0x860
[ 29.832872] iterate_dir+0x1a0/0x5e0
[ 29.837087] SyS_getdents+0x125/0x240
[ 29.841392] do_syscall_64+0x1d5/0x640
[ 29.845780] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.851459]
[ 29.851459] -> #1 (&type->i_mutex_dir_key#5){++++}:
[ 29.857937] down_write+0x34/0x90
[ 29.861890] path_openat+0xde2/0x2970
[ 29.866195] do_filp_open+0x179/0x3c0
[ 29.870501] do_sys_open+0x296/0x410
[ 29.874711] do_syscall_64+0x1d5/0x640
[ 29.879093] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.884774]
[ 29.884774] -> #0 (sb_writers#6){.+.+}:
[ 29.890207] lock_acquire+0x170/0x3f0
[ 29.894505] __sb_start_write+0x64/0x260
[ 29.899079] vfs_fallocate+0x5c1/0x790
[ 29.903465] ashmem_shrink_scan.part.0+0x135/0x3d0
[ 29.908887] ashmem_ioctl+0x294/0xd00
[ 29.913185] do_vfs_ioctl+0x75a/0xff0
[ 29.917477] SyS_ioctl+0x7f/0xb0
[ 29.921334] do_syscall_64+0x1d5/0x640
[ 29.925714] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.931393]
[ 29.931393] other info that might help us debug this:
[ 29.931393]
[ 29.939503] Chain exists of:
[ 29.939503] sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex
[ 29.939503]
[ 29.949705] Possible unsafe locking scenario:
[ 29.949705]
[ 29.955730] CPU0 CPU1
[ 29.960367] ---- ----
[ 29.965024] lock(ashmem_mutex);
[ 29.968458] lock(&mm->mmap_sem);
[ 29.974485] lock(ashmem_mutex);
[ 29.980431] lock(sb_writers#6);
[ 29.983854]
[ 29.983854] *** DEADLOCK ***
[ 29.983854]
[ 29.989883] 1 lock held by syz-executor303/7973:
[ 29.994607] #0: (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00
[ 30.003073]
[ 30.003073] stack backtrace:
[ 30.007546] CPU: 0 PID: 7973 Comm: syz-executor303 Not tainted 4.14.288-syzkaller #0
[ 30.015395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[ 30.024727] Call Trace:
[ 30.027296] dump_stack+0x1b2/0x281
[ 30.030898] print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 30.036675] __lock_acquire+0x2e0e/0x3f20
[ 30.040800] ? aa_file_perm+0x304/0xab0
[ 30.044748] ? __lock_acquire+0x5fc/0x3f20
[ 30.048957] ? trace_hardirqs_on+0x10/0x10
[ 30.053167] ? aa_path_link+0x3a0/0x3a0
[ 30.057118] ? lock_downgrade+0x740/0x740
[ 30.061239] ? trace_hardirqs_on+0x10/0x10
[ 30.065464] ? kernel_text_address+0xbd/0xf0
[ 30.069848] lock_acquire+0x170/0x3f0
[ 30.073629] ? vfs_fallocate+0x5c1/0x790
[ 30.077695] __sb_start_write+0x64/0x260
[ 30.081730] ? vfs_fallocate+0x5c1/0x790
[ 30.085764] ? shmem_evict_inode+0x8b0/0x8b0
[ 30.090143] vfs_fallocate+0x5c1/0x790
[ 30.094006] ashmem_shrink_scan.part.0+0x135/0x3d0
[ 30.099087] ? mutex_trylock+0x152/0x1a0
[ 30.103359] ? ashmem_ioctl+0x27e/0xd00
[ 30.107308] ashmem_ioctl+0x294/0xd00
[ 30.111108] ? lock_acquire+0x170/0x3f0
[ 30.115069] ? lock_downgrade+0x740/0x740
[ 30.119204] ? ashmem_shrink_scan+0x80/0x80
[ 30.123512] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 30.128598] ? debug_check_no_obj_freed+0x2c0/0x680
[ 30.133708] ? ashmem_shrink_scan+0x80/0x80
[ 30.138012] do_vfs_ioctl+0x75a/0xff0
[ 30.141793] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 30.147217] ? ioctl_preallocate+0x1a0/0x1a0
[ 30.151601] ? kmem_cache_free+0x23a/0x2b0
[ 30.155904] ? putname+0xcd/0x110
[ 30.159331] ? do_sys_open+0x208/0x410
[ 30.163192] ? filp_open+0x60/0x60
[ 30.166717] ? security_file_ioctl+0x83/0xb0
[ 30.171101] SyS_ioctl+0x7f/0xb0
[ 30.174445] ? do_vfs_ioctl+0xff0/0xff0
[ 30.178408] do_syscall_64+0x1d5/0x640
[ 30.182285] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.187449] RIP: 0033:0x7fc378e8d089
[ 30.191135] RSP: 002b:00007fff187071b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 30.198831] RAX: ffffffffffffffda RBX: 00000000