======================================================
WARNING: possible circular locking dependency detected
4.14.151+ #0 Not tainted
------------------------------------------------------
syz-executor.2/15837 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){+.+.}, at: [<000000002067305d>] inode_lock include/linux/fs.h:724 [inline]
 (&sb->s_type->i_mutex_key#10){+.+.}, at: [<000000002067305d>] shmem_fallocate+0x150/0xae0 mm/shmem.c:2904

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<00000000e89fbf6f>] ashmem_shrink_scan+0x53/0x4f0 drivers/staging/android/ashmem.c:446

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xf7/0x13e0 kernel/locking/mutex.c:893
       ashmem_mmap+0x4c/0x450 drivers/staging/android/ashmem.c:369
       call_mmap include/linux/fs.h:1803 [inline]
       mmap_region+0x7d9/0xfb0 mm/mmap.c:1736
       do_mmap+0x548/0xb80 mm/mmap.c:1512
       do_mmap_pgoff include/linux/mm.h:2220 [inline]
       vm_mmap_pgoff+0x177/0x1c0 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1564 [inline]
       SyS_mmap_pgoff+0xf4/0x1b0 mm/mmap.c:1520
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #1 (&mm->mmap_sem){++++}:
       down_read+0x37/0xa0 kernel/locking/rwsem.c:24
       __do_page_fault+0x8a4/0xbb0 arch/x86/mm/fault.c:1356
audit: type=1400 audit(2000000450.690:19101): avc:  denied  { map } for  pid=15841 comm="syz-executor.0" path="/root/syzkaller-testdir041159109/syzkaller.La4szZ/8/file0/bus" dev="ramfs" ino=114436 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1
       page_fault+0x22/0x50 arch/x86/entry/entry_64.S:1122
       fault_in_pages_readable include/linux/pagemap.h:614 [inline]
       iov_iter_fault_in_readable+0x29c/0x350 lib/iov_iter.c:421
       generic_perform_write+0x158/0x460 mm/filemap.c:3122
       __generic_file_write_iter+0x32e/0x550 mm/filemap.c:3257
       generic_file_write_iter+0x36f/0x650 mm/filemap.c:3285
       call_write_iter include/linux/fs.h:1798 [inline]
       new_sync_write fs/read_write.c:471 [inline]
       __vfs_write+0x401/0x5a0 fs/read_write.c:484
       vfs_write+0x17f/0x4d0 fs/read_write.c:546
       SYSC_write fs/read_write.c:594 [inline]
       SyS_write+0x102/0x250 fs/read_write.c:586
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&sb->s_type->i_mutex_key#10){+.+.}:
       lock_acquire+0x12b/0x360 kernel/locking/lockdep.c:3994
       down_write+0x34/0x90 kernel/locking/rwsem.c:54
       inode_lock include/linux/fs.h:724 [inline]
       shmem_fallocate+0x150/0xae0 mm/shmem.c:2904
       ashmem_shrink_scan drivers/staging/android/ashmem.c:453 [inline]
       ashmem_shrink_scan+0x1ca/0x4f0 drivers/staging/android/ashmem.c:437
       ashmem_ioctl+0x2b4/0xd20 drivers/staging/android/ashmem.c:795
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0xabe/0x1040 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor.2/15837:
 #0:  (ashmem_mutex){+.+.}, at: [<00000000e89fbf6f>] ashmem_shrink_scan+0x53/0x4f0 drivers/staging/android/ashmem.c:446

stack backtrace:
CPU: 0 PID: 15837 Comm: syz-executor.2 Not tainted 4.14.151+ #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1901 [inline]
 check_prevs_add kernel/locking/lockdep.c:2018 [inline]
 validate_chain kernel/locking/lockdep.c:2460 [inline]
 __lock_acquire+0x2f5f/0x4320 kernel/locking/lockdep.c:3487
 lock_acquire+0x12b/0x360 kernel/locking/lockdep.c:3994
 down_write+0x34/0x90 kernel/locking/rwsem.c:54
 inode_lock include/linux/fs.h:724 [inline]
 shmem_fallocate+0x150/0xae0 mm/shmem.c:2904
 ashmem_shrink_scan drivers/staging/android/ashmem.c:453 [inline]
 ashmem_shrink_scan+0x1ca/0x4f0 drivers/staging/android/ashmem.c:437
 ashmem_ioctl+0x2b4/0xd20 drivers/staging/android/ashmem.c:795
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0xabe/0x1040 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45a219
RSP: 002b:00007f7d06753c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a219
RDX: 0000000000000000 RSI: 000000000000770a RDI: 0000000000000004
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7d067546d4
R13: 00000000004c198d R14: 00000000004d5668 R15: 00000000ffffffff
==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:208 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560 net/ipv6/xfrm6_tunnel.c:303
Read of size 8 at addr ffff88819f6842b8 by task kworker/1:3/3078

CPU: 1 PID: 3078 Comm: kworker/1:3 Not tainted 4.14.151+ #0
Workqueue: events xfrm_state_gc_task
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:208 [inline]
 xfrm6_tunnel_destroy+0x4e0/0x560 net/ipv6/xfrm6_tunnel.c:303
 xfrm_state_gc_destroy net/xfrm/xfrm_state.c:449 [inline]
 xfrm_state_gc_task+0x3d6/0x550 net/xfrm/xfrm_state.c:470
 process_one_work+0x7f1/0x1580 kernel/workqueue.c:2134
 worker_thread+0xdd/0xdf0 kernel/workqueue.c:2271
 kthread+0x31f/0x430 kernel/kthread.c:232
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:404

Allocated by task 9641:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 ops_init+0xee/0x3f0 net/core/net_namespace.c:108
 setup_net+0x259/0x550 net/core/net_namespace.c:295
 copy_net_ns+0x195/0x480 net/core/net_namespace.c:419
 create_new_namespaces+0x373/0x760 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xa5/0x1e0 kernel/nsproxy.c:206
 SYSC_unshare kernel/fork.c:2543 [inline]
 SyS_unshare+0x34e/0x6c0 kernel/fork.c:2493
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 20836:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kfree+0x108/0x3a0 mm/slub.c:3976
 ops_free net/core/net_namespace.c:132 [inline]
 ops_free_list.part.0+0x1f9/0x330 net/core/net_namespace.c:154
 ops_free_list net/core/net_namespace.c:152 [inline]
 cleanup_net+0x466/0x870 net/core/net_namespace.c:488
 process_one_work+0x7f1/0x1580 kernel/workqueue.c:2134
 worker_thread+0xdd/0xdf0 kernel/workqueue.c:2271
 kthread+0x31f/0x430 kernel/kthread.c:232
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:404
 0xffffffffffffffff

The buggy address belongs to the object at ffff88819f684200
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 184 bytes inside of
 8192-byte region [ffff88819f684200, ffff88819f686200)
The buggy address belongs to the page:
page:ffffea00067da000 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 0000000100030003
raw: 0000000000000000 0000000100000001 ffff8881d6402400 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88819f684180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88819f684200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88819f684280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88819f684300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88819f684380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================