IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
======================================================
WARNING: possible circular locking dependency detected
4.14.275-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.5/10039 is trying to acquire lock:
 (sb_writers#6){.+.+}, at: [] file_start_write include/linux/fs.h:2714 [inline]
 (sb_writers#6){.+.+}, at: [] vfs_fallocate+0x5c1/0x790 fs/open.c:318

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [] ashmem_shrink_scan drivers/staging/android/ashmem.c:494 [inline]
 (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00 drivers/staging/android/ashmem.c:843

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       ashmem_mmap+0x50/0x5c0 drivers/staging/android/ashmem.c:393
       call_mmap include/linux/fs.h:1785 [inline]
       mmap_region+0xa1a/0x1220 mm/mmap.c:1717
       do_mmap+0x5b3/0xcb0 mm/mmap.c:1495
       do_mmap_pgoff include/linux/mm.h:2185 [inline]
       vm_mmap_pgoff+0x14e/0x1a0 mm/util.c:333
       SYSC_mmap_pgoff mm/mmap.c:1545 [inline]
       SyS_mmap_pgoff+0x249/0x510 mm/mmap.c:1503
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #2 (&mm->mmap_sem){++++}:
       __might_fault mm/memory.c:4687 [inline]
       __might_fault+0x137/0x1b0 mm/memory.c:4672
       _copy_to_user+0x27/0xd0 lib/usercopy.c:25
       copy_to_user include/linux/uaccess.h:155 [inline]
       filldir+0x1d5/0x390 fs/readdir.c:237
       dir_emit_dot include/linux/fs.h:3361 [inline]
       dir_emit_dots include/linux/fs.h:3372 [inline]
       dcache_readdir+0x180/0x860 fs/libfs.c:192
       iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
       SYSC_getdents fs/readdir.c:272 [inline]
       SyS_getdents+0x125/0x240 fs/readdir.c:253
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #1 (&type->i_mutex_dir_key#5){++++}:
       down_write+0x34/0x90 kernel/locking/rwsem.c:54
       inode_lock include/linux/fs.h:719 [inline]
       do_last fs/namei.c:3331 [inline]
       path_openat+0xde2/0x2970 fs/namei.c:3569
       do_filp_open+0x179/0x3c0 fs/namei.c:3603
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

-> #0 (sb_writers#6){.+.+}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
       percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
       __sb_start_write+0x64/0x260 fs/super.c:1342
       file_start_write include/linux/fs.h:2714 [inline]
       vfs_fallocate+0x5c1/0x790 fs/open.c:318
       ashmem_shrink_scan.part.0+0x135/0x3d0 drivers/staging/android/ashmem.c:501
       ashmem_shrink_scan drivers/staging/android/ashmem.c:494 [inline]
       ashmem_ioctl+0x294/0xd00 drivers/staging/android/ashmem.c:843
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x46/0xbb

other info that might help us debug this:

Chain exists of:
  sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(sb_writers#6);

 *** DEADLOCK ***

1 lock held by syz-executor.5/10039:
 #0: (ashmem_mutex){+.+.}, at: [] ashmem_shrink_scan drivers/staging/android/ashmem.c:494 [inline]
 #0: (ashmem_mutex){+.+.}, at: [] ashmem_ioctl+0x27e/0xd00 drivers/staging/android/ashmem.c:843

stack backtrace:
CPU: 0 PID: 10039 Comm: syz-executor.5 Not tainted 4.14.275-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:36 [inline]
 percpu_down_read include/linux/percpu-rwsem.h:59 [inline]
 __sb_start_write+0x64/0x260 fs/super.c:1342
 file_start_write include/linux/fs.h:2714 [inline]
 vfs_fallocate+0x5c1/0x790 fs/open.c:318
 ashmem_shrink_scan.part.0+0x135/0x3d0 drivers/staging/android/ashmem.c:501
 ashmem_shrink_scan drivers/staging/android/ashmem.c:494 [inline]
 ashmem_ioctl+0x294/0xd00 drivers/staging/android/ashmem.c:843
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fc66f7a50e9
RSP: 002b:00007fc66e11a168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc66f8b7f60 RCX: 00007fc66f7a50e9
RDX: 0000000000000000 RSI: 000000000000770a RDI: 0000000000000005
RBP: 00007fc66f7ff08d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd856288df R14: 00007fc66e11a300 R15: 0000000000022000
IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
new mount options do not match the existing superblock, will be ignored
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 512 failed
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 1024 failed
new mount options do not match the existing superblock, will be ignored
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 2048 failed
new mount options do not match the existing superblock, will be ignored
UDF-fs: error (device loop1): udf_read_tagged: read failed, block=256, location=256
new mount options do not match the existing superblock, will be ignored
UDF-fs: error (device loop1): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop1): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: warning (device loop1): udf_fill_super: No partition found (1)
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 512 failed
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
new mount options do not match the existing superblock, will be ignored
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 1024 failed
new mount options do not match the existing superblock, will be ignored
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
new mount options do not match the existing superblock, will be ignored
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: error (device loop1): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop1): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop1): udf_load_vrs: No anchor found
new mount options do not match the existing superblock, will be ignored
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: warning (device loop1): udf_fill_super: No partition found (1)
new mount options do not match the existing superblock, will be ignored
IPVS: ftp: loaded support on port[0] = 21
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 1024 failed
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: error (device loop1): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop1): udf_read_tagged: read failed, block=512, location=512
UDF-fs: warning (device loop1): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 4096 failed
UDF-fs: warning (device loop1): udf_fill_super: No partition found (1)
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 1024 failed
hpfs: hpfs_map_sector(): read error
UDF-fs: warning (device loop1): udf_load_vrs: No VRS found
UDF-fs: Scanning with blocksize 2048 failed
UDF-fs: error (device loop1): udf_read_tagged: read failed, block=256, location=256
UDF-fs: error (device loop1): udf_read_tagged: read failed, block=512, location=512
print_req_error: I/O error, dev loop5, sector 1
UDF-fs: warning (device loop1): udf_load_vrs: No anchor found
Buffer I/O error on dev loop5, logical block 1, async page read
UDF-fs: Scanning with blocksize 4096 failed
print_req_error: I/O error, dev loop5, sector 2
Buffer I/O error on dev loop5, logical block 2, async page read
UDF-fs: warning (device loop1): udf_fill_super: No partition found (1)
print_req_error: I/O error, dev loop5, sector 3
Buffer I/O error on dev loop5, logical block 3, async page read
hpfs: hpfs_map_sector(): read error
hpfs: hpfs_map_sector(): read error
print_req_error: I/O error, dev loop1, sector 0
hpfs: hpfs_map_sector(): read error
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
device team1 entered promiscuous mode
Zero length message leads to an empty skb
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 128 ns lapic timer period limited to 500000 ns
**********************************************************
**   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
**                                                      **
** trace_printk() being used. Allocating extra memory.  **
**                                                      **
** This means that this is a DEBUG kernel and it is     **
** unsafe for production use.                           **
**                                                      **
** If you see this message and you are not debugging    **
** the kernel, report this immediately to your vendor!  **
**                                                      **
**   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
**********************************************************