======================================================
[ INFO: possible circular locking dependency detected ]
4.4.120-gd63fdf6 #29 Not tainted
-------------------------------------------------------
syz-executor3/7347 is trying to acquire lock:
binder: 7345:7348 ERROR: BC_REGISTER_LOOPER called without request
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

 lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
 ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366
 mmap_region+0x94f/0x1250 mm/mmap.c:1664
 do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
 do_mmap_pgoff include/linux/mm.h:1915 [inline]
 vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296
 SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
 SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449
 do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 sysenter_flags_fixed+0xd/0x17

 lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 __might_fault+0x14a/0x1d0 mm/memory.c:3810
 copy_to_user arch/x86/include/asm/uaccess.h:760 [inline]
 filldir+0x162/0x2d0 fs/readdir.c:180
 dir_emit_dot include/linux/fs.h:3070 [inline]
 dir_emit_dots include/linux/fs.h:3081 [inline]
 dcache_readdir+0x11e/0x7b0 fs/libfs.c:150
 iterate_dir+0x1c8/0x420 fs/readdir.c:42
 SYSC_getdents fs/readdir.c:215 [inline]
 SyS_getdents+0x14a/0x270 fs/readdir.c:196
 entry_SYSCALL_64_fastpath+0x1c/0x98

 check_prev_add kernel/locking/lockdep.c:1853 [inline]
 check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 validate_chain kernel/locking/lockdep.c:2144 [inline]
 __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
 lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
 shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
 vfs_llseek+0xa2/0xd0 fs/read_write.c:260
 ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
 vfs_llseek fs/read_write.c:260 [inline]
 SYSC_lseek fs/read_write.c:285 [inline]
 SyS_lseek fs/read_write.c:276 [inline]
 C_SYSC_lseek fs/read_write.c:297 [inline]
 compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295
 do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 sysenter_flags_fixed+0xd/0x17

other info that might help us debug this:

Chain exists of:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor3/7347:
 #0:  (ashmem_mutex){+.+.+.}, at: ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

stack backtrace:
CPU: 1 PID: 7347 Comm: syz-executor3 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 aea8c0bc6716e0cc ffff8800a756fa58 ffffffff81d0408d
 ffffffff851a0010 ffffffff851a9d00 ffffffff851becd0 ffff8801d3d9a0f8
 ffff8801d3d99800 ffff8800a756faa0 ffffffff81233ba1 ffff8801d3d9a0f8
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x124 lib/dump_stack.c:51
 print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
 check_prev_add kernel/locking/lockdep.c:1853 [inline]
 check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 validate_chain kernel/locking/lockdep.c:2144 [inline]
 __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
 lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
 shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
 vfs_llseek+0xa2/0xd0 fs/read_write.c:260
 ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
 vfs_llseek fs/read_write.c:260 [inline]
 SYSC_lseek fs/read_write.c:285 [inline]
 SyS_lseek fs/read_write.c:276 [inline]
 C_SYSC_lseek fs/read_write.c:297 [inline]
 compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295
 do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 sysenter_flags_fixed+0xd/0x17
syz-executor1 uses obsolete (PF_INET,SOCK_PACKET)
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7345:7354 ERROR: BC_REGISTER_LOOPER called without request
binder: 7345:7358 ioctl 40046207 0 returned -16
netlink: 20 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor6'.
IPVS: Creating netns size=2552 id=9
binder: 7607:7626 transaction failed 29201/-22, size -4510158517134296680--4948027573987248742 line 3128
binder: undelivered TRANSACTION_ERROR: 29201
binder: 7607:7626 ioctl c0306201 20004000 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7607:7635 ioctl 40046207 0 returned -16
binder_alloc: binder_alloc_mmap_handler: 7607 2000c000-2000e000 already mapped failed -16
binder_alloc: 7607: binder_alloc_buf, no vma
binder: 7607:7636 transaction failed 29189/-3, size -4510158517134296680--4948027573987248742 line 3128
binder: undelivered TRANSACTION_ERROR: 29189
audit_printk_skb: 60 callbacks suppressed
audit: type=1400 audit(1521933809.905:94): avc: denied { create } for pid=7756 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521933809.925:95): avc: denied { create } for pid=7751 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1521933809.925:96): avc: denied { write } for pid=7751 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
audit: type=1400 audit(1521933809.995:97): avc: denied { read } for pid=7751 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1521933810.025:98): avc: denied { create } for pid=7751 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1521933810.065:99): avc: denied { create } for pid=7756 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
IPVS: Creating netns size=2552 id=10
audit: type=1400 audit(1521933810.105:100): avc: denied { write } for pid=7756 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
tmpfs: No value for mount option 'b4djE>ʄ[G9HH}nXZhmgzMx,2'
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
tmpfs: No value for mount option 'b4djE>ʄ[G9HH}nXZhmgzMx,2'
audit: type=1400 audit(1521933811.015:101): avc: denied { set_context_mgr } for pid=7977 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1521933811.095:102): avc: denied { create } for pid=7994 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 7977:7989 got reply transaction with no transaction stack
binder: 7977:7989 transaction failed 29201/-71, size 0-0 line 2921
audit: type=1400 audit(1521933811.165:103): avc: denied { create } for pid=7994 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7977:7982 ioctl c0306201 20004000 returned -14
binder: 8005:8010 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7977:7982 ioctl 40046207 0 returned -16
binder_alloc: binder_alloc_mmap_handler: 7977 2000c000-2000e000 already mapped failed -16
binder: 7977:7986 got new transaction with bad transaction stack, transaction 20 has target 7977:7982
binder: 7977:7986 transaction failed 29201/-71, size 0-0 line 3032
binder: 8019:8020 got transaction to invalid handle
binder: 8019:8020 transaction failed 29201/-22, size 281474976710655-0 line 3005
binder: release 7977:7982 transaction 20 in, still active
binder: send failed reply for transaction 20 to 7977:7986
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8005:8016 ioctl 5416 20000200 returned -22
binder: 8005:8016 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29201
binder: 8005:8037 transaction failed 29189/-22, size 0-0 line 3005
binder: 8005:8016 ERROR: BC_REGISTER_LOOPER called without request
binder: 8005:8010 ioctl 5416 20000200 returned -22
SELinux: unknown mount option
binder: 8005:8037 unknown command 0
binder: 8005:8037 ioctl c0306201 2000a000 returned -22
binder: release 8005:8016 transaction 27 in, still active
binder: send failed reply for transaction 27 to 8005:8037
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=771 sclass=netlink_audit_socket
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=771 sclass=netlink_audit_socket
binder: 8114:8119 ioctl c0086420 20000000 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55682 sclass=netlink_route_socket
binder: 8114:8128 ioctl c008641d 20000140 returned -22
binder: 8114:8128 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 8114:8128 unknown command 536907575
binder: 8114:8142 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 8114:8128 ioctl c0306201 20008fd0 returned -22
binder: 8114:8142 ioctl c0086420 20000000 returned -22
binder: 8114:8128 ioctl c008641d 20000140 returned -22
binder: undelivered death notification, 0000000000000000
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
PF_BRIDGE: RTM_SETLINK with unknown ifindex
binder: undelivered death notification, 0000000000000000
binder: undelivered death notification, 0000000000000000
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=48964 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=48964 sclass=netlink_route_socket
SELinux: policydb string SE Linup does not match my string SE Linux
SELinux: policydb string SE Linup does not match my string SE Linux
IPv4: Oversized IP packet from 127.0.0.1
audit_printk_skb: 94 callbacks suppressed
IPv4: Oversized IP packet from 127.0.0.1
audit: type=1400 audit(1521933815.125:135): avc: denied { create } for pid=8721 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521933815.205:136): avc: denied { create } for pid=8721 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 8765:8771 unknown command 112
binder: 8765:8771 ioctl c0306201 20008fd0 returned -22
binder: 8765:8779 unknown command 112
binder: 8765:8779 ioctl c0306201 20008fd0 returned -22
audit: type=1400 audit(1521933815.415:137): avc: denied { create } for pid=8785 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521933815.445:138): avc: denied { write } for pid=8785 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521933815.475:139): avc: denied { create } for pid=8785 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521933815.495:140): avc: denied { create } for pid=8785 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521933815.525:141): avc: denied { write } for pid=8785 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521933815.575:142): avc: denied { create } for pid=8785 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1521933815.775:143): avc: denied { create } for pid=8866 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1521933815.805:144): avc: denied { write } for pid=8866 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: 8897:8926 unknown command 0
binder: 8897:8926 ioctl c0306201 2018b000 returned -22
binder: 8897:8929 ioctl c0306201 20000000 returned -14
binder_alloc: binder_alloc_mmap_handler: 8897 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8897:8929 ioctl 40046207 0 returned -16
binder_alloc: 8897: binder_alloc_buf, no vma
binder: 8897:8933 transaction failed 29189/-3, size 0-0 line 3128
binder: 8897:8933 ioctl c0306201 20000000 returned -14
binder: 8897:8932 unknown command 0
binder: 8897:8932 ioctl c0306201 2018b000 returned -22
binder: release 8897:8917 transaction 37 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 37, target dead