====================================================== [ INFO: possible circular locking dependency detected ] 4.9.84-ga9d0273 #44 Not tainted ------------------------------------------------------- syz-executor5/6694 is trying to acquire lock: (&mm->mmap_sem){++++++}, at: [] __might_fault+0xe4/0x1d0 mm/memory.c:3993 but task is already holding lock: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline] (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 __mutex_lock_common kernel/locking/mutex.c:521 [inline] mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621 ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379 mmap_region+0x7dd/0xfd0 mm/mmap.c:1694 do_mmap+0x57b/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2019 [inline] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:329 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x47/0xc5 check_prev_add kernel/locking/lockdep.c:1828 [inline] check_prevs_add kernel/locking/lockdep.c:1938 [inline] validate_chain kernel/locking/lockdep.c:2265 [inline] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345 lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 __might_fault+0x14a/0x1d0 mm/memory.c:3994 copy_from_user arch/x86/include/asm/uaccess.h:705 [inline] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791 vfs_ioctl fs/ioctl.c:43 [inline] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 SYSC_ioctl fs/ioctl.c:694 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x47/0xc5 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by syz-executor5/6694: #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline] #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791 stack backtrace: CPU: 0 PID: 6694 Comm: syz-executor5 Not tainted 4.9.84-ga9d0273 #44 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801b2a7f908 ffffffff81d956b9 ffffffff853a2b20 ffffffff853a2b20 ffffffff853c32e0 ffff8801d0bd08d8 ffff8801d0bd0000 ffff8801b2a7f950 ffffffff812387f1 ffff8801d0bd08d8 00000000d0bd08b0 ffff8801d0bd08d8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202 [] check_prev_add kernel/locking/lockdep.c:1828 [inline] [] check_prevs_add kernel/locking/lockdep.c:1938 [inline] [] validate_chain kernel/locking/lockdep.c:2265 [inline] [] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 [] __might_fault+0x14a/0x1d0 mm/memory.c:3994 [] copy_from_user arch/x86/include/asm/uaccess.h:705 [inline] [] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline] [] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282 [] entry_SYSCALL_64_after_swapgs+0x47/0xc5 : renamed from gre0 : renamed from gre0 : renamed from gre0 audit: type=1400 audit(1519638561.246:13): avc: denied { write } for pid=7240 comm="syz-executor5" name="net" dev="proc" ino=18512 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1 audit: type=1400 audit(1519638561.276:14): avc: denied { add_name } for pid=7240 comm="syz-executor5" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1 audit: type=1400 audit(1519638561.296:15): avc: denied { create } for pid=7240 comm="syz-executor5" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:insmod_t:s0 tclass=file permissive=1 device gre0 entered promiscuous mode audit: type=1400 audit(1519638562.276:16): avc: denied { setgid } for pid=7717 comm="syz-executor3" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519638562.306:17): avc: denied { create } for pid=7717 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1519638562.336:18): avc: denied { write } for pid=7717 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode audit: type=1400 audit(1519638565.346:19): avc: denied { create } for pid=9063 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1 random: crng init done capability: warning: `syz-executor3' uses deprecated v2 capabilities in a way that may be insecure