======================================================
WARNING: possible circular locking dependency detected
4.14.155-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.2/15759 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){+.+.}, at: [<00000000cc552936>] inode_lock include/linux/fs.h:724 [inline]
 (&sb->s_type->i_mutex_key#10){+.+.}, at: [<00000000cc552936>] shmem_fallocate+0x150/0xae0 mm/shmem.c:2904

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<0000000088a034e9>] ashmem_shrink_scan+0x53/0x4f0 drivers/staging/android/ashmem.c:446

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf7/0x13e0 kernel/locking/mutex.c:893
       ashmem_mmap+0x4c/0x450 drivers/staging/android/ashmem.c:369
       call_mmap include/linux/fs.h:1803 [inline]
       mmap_region+0x7d9/0xfb0 mm/mmap.c:1736
       do_mmap+0x548/0xb80 mm/mmap.c:1512
       do_mmap_pgoff include/linux/mm.h:2215 [inline]
       vm_mmap_pgoff+0x177/0x1c0 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1564 [inline]
       SyS_mmap_pgoff+0xf4/0x1b0 mm/mmap.c:1520
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&mm->mmap_sem){++++}:
       down_read+0x37/0xa0 kernel/locking/rwsem.c:24
       __do_page_fault+0x8a4/0xbb0 arch/x86/mm/fault.c:1356
       page_fault+0x22/0x50 arch/x86/entry/entry_64.S:1122
       fault_in_pages_readable include/linux/pagemap.h:614 [inline]
       iov_iter_fault_in_readable+0x29c/0x350 lib/iov_iter.c:421
       generic_perform_write+0x158/0x460 mm/filemap.c:3123
       __generic_file_write_iter+0x32e/0x550 mm/filemap.c:3258
       generic_file_write_iter+0x36f/0x650 mm/filemap.c:3286
       call_write_iter include/linux/fs.h:1798 [inline]
       new_sync_write fs/read_write.c:471 [inline]
       __vfs_write+0x401/0x5a0 fs/read_write.c:484
       vfs_write+0x17f/0x4d0 fs/read_write.c:546
       SYSC_write fs/read_write.c:594 [inline]
       SyS_write+0x102/0x250 fs/read_write.c:586
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&sb->s_type->i_mutex_key#10){+.+.}:
       lock_acquire+0x12b/0x360 kernel/locking/lockdep.c:3994
       down_write+0x34/0x90 kernel/locking/rwsem.c:54
       inode_lock include/linux/fs.h:724 [inline]
       shmem_fallocate+0x150/0xae0 mm/shmem.c:2904
       ashmem_shrink_scan drivers/staging/android/ashmem.c:453 [inline]
       ashmem_shrink_scan+0x1ca/0x4f0 drivers/staging/android/ashmem.c:437
       ashmem_ioctl+0x2b4/0xd20 drivers/staging/android/ashmem.c:795
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0xabe/0x1040 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor.2/15759:
 #0:  (ashmem_mutex){+.+.}, at: [<0000000088a034e9>] ashmem_shrink_scan+0x53/0x4f0 drivers/staging/android/ashmem.c:446

stack backtrace:
CPU: 1 PID: 15759 Comm: syz-executor.2 Not tainted 4.14.155-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe5/0x154 lib/dump_stack.c:58
 print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2f5f/0x4320 kernel/locking/lockdep.c:3487
 lock_acquire+0x12b/0x360 kernel/locking/lockdep.c:3994
 down_write+0x34/0x90 kernel/locking/rwsem.c:54
 inode_lock include/linux/fs.h:724 [inline]
 shmem_fallocate+0x150/0xae0 mm/shmem.c:2904
 ashmem_shrink_scan drivers/staging/android/ashmem.c:453 [inline]
 ashmem_shrink_scan+0x1ca/0x4f0 drivers/staging/android/ashmem.c:437
 ashmem_ioctl+0x2b4/0xd20 drivers/staging/android/ashmem.c:795
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0xabe/0x1040 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45a639
RSP: 002b:00007f938be33c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a639
RDX: 0000000000000000 RSI: 000000000000770a RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f938be346d4
R13: 00000000004c1dd4 R14: 00000000004d5d28 R15: 00000000ffffffff
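The report above is lockdep's output, not an explanation of how it reached the verdict. The following is an added example (it is not kernel code, not part of syzbot's report, and not the ashmem fix): a toy lockdep that records the "held -> newly taken" edges of the three chains exactly as the report lists them (#1 write path: inode lock held, mmap_sem taken in the page fault; #2 mmap path: mmap_sem held, ashmem_mutex taken in ashmem_mmap; #0 ioctl path: ashmem_mutex held, inode lock taken in shmem_fallocate) and rejects the first acquisition that closes a cycle. The lock names are copied from the report; the replay_fixed() variant assumes a hypothetical change in which the shrinker does not hold ashmem_mutex across shmem_fallocate, purely to show that the detector passes once the edge is gone. That assumption is illustrative and is not a claim about the upstream patch.

```c
/* Toy lockdep: record lock-ordering edges and flag the acquisition that
 * would close a cycle. Added example, not Linux kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum lock_id { ASHMEM_MUTEX = 0, MMAP_SEM, I_MUTEX, NLOCKS };

static const char *lock_name[NLOCKS] = {
    "ashmem_mutex", "&mm->mmap_sem", "&sb->s_type->i_mutex_key#10",
};

/* dep[a][b] is true once lock b has been taken while lock a was held. */
static bool dep[NLOCKS][NLOCKS];

static void lockdep_reset(void) { memset(dep, 0, sizeof dep); }

/* Depth-first search over recorded edges: can 'to' be reached from 'from'? */
static bool reachable(int from, int to, bool visited[NLOCKS]) {
    if (from == to)
        return true;
    visited[from] = true;
    for (int next = 0; next < NLOCKS; next++)
        if (dep[from][next] && !visited[next] && reachable(next, to, visited))
            return true;
    return false;
}

/* Validate taking new_lock while held[0..nheld) are held. Returns true and
 * records the new edges if the order is consistent with everything seen so
 * far; returns false if some held lock is already reachable from new_lock,
 * which is exactly the "which lock already depends on the new lock" case. */
static bool lockdep_acquire(const char *where, const int *held, int nheld,
                            int new_lock) {
    for (int i = 0; i < nheld; i++) {
        bool visited[NLOCKS] = { false };
        if (reachable(new_lock, held[i], visited)) {
            printf("%s: taking %s while holding %s closes a cycle\n",
                   where, lock_name[new_lock], lock_name[held[i]]);
            return false;
        }
    }
    for (int i = 0; i < nheld; i++)
        dep[held[i]][new_lock] = true;
    return true;
}

/* Replay the three chains of the report. Returns the 1-based index of the
 * acquisition lockdep rejects (3 == chain #0, the ioctl path), or 0. */
static int replay_report(void) {
    lockdep_reset();
    const int write_path[] = { I_MUTEX };      /* generic_file_write_iter */
    const int mmap_path[]  = { MMAP_SEM };     /* mmap_region -> ashmem_mmap */
    const int ioctl_path[] = { ASHMEM_MUTEX }; /* ashmem_shrink_scan */

    if (!lockdep_acquire("#1 write", write_path, 1, MMAP_SEM))      return 1;
    if (!lockdep_acquire("#2 mmap",  mmap_path,  1, ASHMEM_MUTEX))  return 2;
    if (!lockdep_acquire("#0 ioctl", ioctl_path, 1, I_MUTEX))       return 3;
    return 0;
}

/* Hypothetical variant (an assumption for illustration, not the upstream
 * fix): the shrinker calls shmem_fallocate with no ashmem_mutex held, so
 * the ashmem_mutex -> i_mutex edge never exists. Returns 0. */
static int replay_fixed(void) {
    lockdep_reset();
    const int write_path[] = { I_MUTEX };
    const int mmap_path[]  = { MMAP_SEM };

    if (!lockdep_acquire("#1 write", write_path, 1, MMAP_SEM))      return 1;
    if (!lockdep_acquire("#2 mmap",  mmap_path,  1, ASHMEM_MUTEX))  return 2;
    if (!lockdep_acquire("#0 ioctl", NULL,       0, I_MUTEX))       return 3;
    return 0;
}

int main(void) {
    printf("report replay: acquisition %d rejected\n", replay_report());
    printf("fixed replay: acquisition %d rejected\n", replay_fixed());
    return 0;
}
```

Note that real lockdep keys on lock classes, not instances, which is why a single inode's i_mutex in a write path and a different inode's i_mutex in shmem_fallocate still form one edge; the toy above shares that property by construction.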