====================================================== WARNING: possible circular locking dependency detected 4.19.0-rc1+ #215 Not tainted ------------------------------------------------------ syz-executor4/20352 is trying to acquire lock: 0000000080c30e7e (&rp->fetch_lock){+.+.}, at: mon_bin_vma_fault+0xdc/0x4a0 drivers/usb/mon/mon_bin.c:1237 but task is already holding lock: 000000007db40ae4 (&mm->mmap_sem){++++}, at: __mm_populate+0x31a/0x4d0 mm/gup.c:1250 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&mm->mmap_sem){++++}: __might_fault+0x155/0x1e0 mm/memory.c:4578 _copy_to_user+0x30/0x110 lib/usercopy.c:25 copy_to_user include/linux/uaccess.h:155 [inline] mon_bin_read+0x334/0x650 drivers/usb/mon/mon_bin.c:825 __vfs_read+0x117/0x9b0 fs/read_write.c:416 vfs_read+0x17f/0x3c0 fs/read_write.c:452 ksys_read+0x101/0x260 fs/read_write.c:578 __do_sys_read fs/read_write.c:588 [inline] __se_sys_read fs/read_write.c:586 [inline] __x64_sys_read+0x73/0xb0 fs/read_write.c:586 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #0 (&rp->fetch_lock){+.+.}: lock_acquire+0x1e4/0x4f0 kernel/locking/lockdep.c:3901 __mutex_lock_common kernel/locking/mutex.c:925 [inline] __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088 mon_bin_vma_fault+0xdc/0x4a0 drivers/usb/mon/mon_bin.c:1237 __do_fault+0xee/0x450 mm/memory.c:3240 do_read_fault mm/memory.c:3652 [inline] do_fault mm/memory.c:3752 [inline] handle_pte_fault mm/memory.c:3983 [inline] __handle_mm_fault+0x2b4a/0x4350 mm/memory.c:4107 handle_mm_fault+0x53e/0xc80 mm/memory.c:4144 faultin_page mm/gup.c:518 [inline] __get_user_pages+0x823/0x1b50 mm/gup.c:718 populate_vma_page_range+0x2db/0x3d0 mm/gup.c:1222 __mm_populate+0x286/0x4d0 mm/gup.c:1270 mm_populate include/linux/mm.h:2307 [inline] vm_mmap_pgoff+0x27f/0x2c0 mm/util.c:362 ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline] __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&mm->mmap_sem); lock(&rp->fetch_lock); lock(&mm->mmap_sem); lock(&rp->fetch_lock); *** DEADLOCK *** 1 lock held by syz-executor4/20352: #0: 000000007db40ae4 (&mm->mmap_sem){++++}, at: __mm_populate+0x31a/0x4d0 mm/gup.c:1250 stack backtrace: CPU: 1 PID: 20352 Comm: syz-executor4 Not tainted 4.19.0-rc1+ #215 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 print_circular_bug.isra.34.cold.55+0x1bd/0x27d kernel/locking/lockdep.c:1222 check_prev_add kernel/locking/lockdep.c:1862 [inline] check_prevs_add kernel/locking/lockdep.c:1975 [inline] validate_chain kernel/locking/lockdep.c:2416 [inline] __lock_acquire+0x3449/0x5020 kernel/locking/lockdep.c:3412 lock_acquire+0x1e4/0x4f0 kernel/locking/lockdep.c:3901 __mutex_lock_common kernel/locking/mutex.c:925 [inline] __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088 mon_bin_vma_fault+0xdc/0x4a0 drivers/usb/mon/mon_bin.c:1237 __do_fault+0xee/0x450 mm/memory.c:3240 do_read_fault mm/memory.c:3652 [inline] do_fault mm/memory.c:3752 [inline] handle_pte_fault mm/memory.c:3983 [inline] __handle_mm_fault+0x2b4a/0x4350 mm/memory.c:4107 handle_mm_fault+0x53e/0xc80 mm/memory.c:4144 faultin_page mm/gup.c:518 [inline] __get_user_pages+0x823/0x1b50 mm/gup.c:718 populate_vma_page_range+0x2db/0x3d0 mm/gup.c:1222 __mm_populate+0x286/0x4d0 mm/gup.c:1270 mm_populate include/linux/mm.h:2307 [inline] vm_mmap_pgoff+0x27f/0x2c0 mm/util.c:362 ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1585 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline] __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457089 Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fb4bb84ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 RAX: ffffffffffffffda RBX: 00007fb4bb84f6d4 RCX: 0000000000457089 RDX: 0000000001fffffd RSI: 0000000000400000 RDI: 0000000020a05000 RBP: 00000000009300a0 R08: 0000000000000003 R09: 0000000000000000 R10: 0000000000008011 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000004d2b78 R14: 00000000004c7e05 R15: 0000000000000000 netlink: 9 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. Unknown ioctl -2144293252 Unknown ioctl -2144293252 netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor6'. nla_parse: 6 callbacks suppressed netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 9 bytes leftover after parsing attributes in process `syz-executor6'.