======================================================
[ INFO: possible circular locking dependency detected ]
4.9.84-ga9d0273 #44 Not tainted
-------------------------------------------------------
syz-executor5/7241 is trying to acquire lock:
 (&mm->mmap_sem){++++++}, at: [] __might_fault+0xe4/0x1d0 mm/memory.c:3993

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
 (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

 lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
 ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379
 mmap_region+0x7dd/0xfd0 mm/mmap.c:1694
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2019 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:329
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x47/0xc5

 check_prev_add kernel/locking/lockdep.c:1828 [inline]
 check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 validate_chain kernel/locking/lockdep.c:2265 [inline]
 __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
 lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 __might_fault+0x14a/0x1d0 mm/memory.c:3994
 copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
 ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
 ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x47/0xc5

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor5/7241:
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791

stack backtrace:
CPU: 1 PID: 7241 Comm: syz-executor5 Not tainted 4.9.84-ga9d0273 #44
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b1b77908 ffffffff81d956b9 ffffffff853a3a50 ffffffff853a3a50
 ffffffff853c2f80 ffff8801d444d0d8 ffff8801d444c800 ffff8801b1b77950
 ffffffff812387f1 ffff8801d444d0d8 00000000d444d0b0 ffff8801d444d0d8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 [] __might_fault+0x14a/0x1d0 mm/memory.c:3994
 [] copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
 [] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
 [] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 [] entry_SYSCALL_64_after_swapgs+0x47/0xc5
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=50 sclass=netlink_tcpdiag_socket pig=7256 comm=syz-executor4
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7340:7343 ioctl 40046207 0 returned -16
binder: 7340:7343 ERROR: BC_REGISTER_LOOPER called without request
binder: 7343 RLIMIT_NICE not set
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7342:7348 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 7342:7348 BC_DEAD_BINDER_DONE 0000000000000001 not found
binder: 7342:7348 got reply transaction with no transaction stack
binder: 7342:7348 transaction failed 29201/-71, size 64-24 line 2920
binder: 7340:7349 ioctl 40046207 0 returned -16
binder_alloc: 7340: binder_alloc_buf, no vma
binder: 7342:7348 transaction failed 29189/-3, size 0-0 line 3127
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7340:7343 ioctl 40046207 0 returned -16
binder_alloc: 7340: binder_alloc_buf, no vma
binder: 7340:7353 transaction failed 29189/-3, size 0-0 line 3127
binder: release 7340:7343 transaction 14 in, still active
binder: send failed reply for transaction 14 to 7342:7344
binder: undelivered transaction 15, process died.
binder: 7342:7344 ioctl c0306201 20000140 returned -14
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7342:7344 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 7342:7344 BC_DEAD_BINDER_DONE 0000000000000001 not found
binder: 7342:7344 got reply transaction with no transaction stack
binder: 7342:7344 transaction failed 29201/-71, size 64-24 line 2920
binder: 7356:7364 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 7356:7378 ERROR: BC_REGISTER_LOOPER called without request
binder: 7378 RLIMIT_NICE not set
device gre0 entered promiscuous mode
sock: sock_set_timeout: `syz-executor3' (pid 7403) tries to set negative timeout
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59686 sclass=netlink_route_socket pig=7421 comm=syz-executor1
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59686 sclass=netlink_route_socket pig=7456 comm=syz-executor1
device gre0 entered promiscuous mode
device eql entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59686 sclass=netlink_route_socket pig=7489 comm=syz-executor1
device gre0 entered promiscuous mode
SELinux: ebitmap: map size 0 does not match my size 64 (high bit was 0)
device gre0 entered promiscuous mode
: renamed from gre0
device gre0 entered promiscuous mode
SELinux: ebitmap: map size 0 does not match my size 64 (high bit was 0)
SELinux: ebitmap: map size 0 does not match my size 64 (high bit was 0)
device gre0 entered promiscuous mode
SELinux: ebitmap: map size 0 does not match my size 64 (high bit was 0)
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
capability: warning: `syz-executor5' uses 32-bit capabilities (legacy support in use)
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 1334771218 does not match my version range 15-30
SELinux: policydb version 1334771218 does not match my version range 15-30
SELinux: policydb string length 1786628238 does not match expected length 8
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 1913280915 does not match my version range 15-30
SELinux: policydb version 1913280915 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
syz-executor6: vmalloc: allocation failure: 0 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 1 PID: 8140 Comm: syz-executor6 Not tainted 4.9.84-ga9d0273 #44
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c24578e0 ffffffff81d956b9 1ffff1003848af1f ffff8801c00a3000
 ffffffff83ab93e0 0000000000000001 0000000000400000 ffff8801c24579f0
 ffffffff81451cd2 024000c200000246 0000000041b58ab3 ffffffff841959b5
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3056
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] sel_write_load+0x130/0xfd0 security/selinux/selinuxfs.c:514
 [] __vfs_write+0x103/0x680 fs/read_write.c:510
 [] vfs_write+0x189/0x530 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 [] entry_SYSCALL_64_after_swapgs+0x47/0xc5
Mem-Info:
active_anon:59797 inactive_anon:43 isolated_anon:0
 active_file:3547 inactive_file:8398 isolated_file:0
 unevictable:0 dirty:6419 writeback:0 unstable:0
 slab_reclaimable:6502 slab_unreclaimable:59299
 mapped:24210 shmem:50 pagetables:702 bounce:0
 free:1469274 free_pcp:477 free_cma:0
Node 0 active_anon:226604kB inactive_anon:172kB active_file:14188kB inactive_file:33592kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:96720kB dirty:25676kB writeback:0kB shmem:200kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 86016kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
device gre0 entered promiscuous mode
lowmem_reserve[]: 0 2908 6410 6410
DMA32 free:2979952kB min:30592kB low:38240kB high:45888kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129292kB managed:2980720kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:768kB local_pcp:720kB free_cma:0kB
lowmem_reserve[]: 0 0 3501 3501
Normal free:2899680kB min:36824kB low:46028kB high:55232kB active_anon:222320kB inactive_anon:172kB active_file:14188kB inactive_file:33596kB unevictable:0kB writepending:25680kB present:4718592kB managed:3585212kB mlocked:0kB slab_reclaimable:25992kB slab_unreclaimable:236284kB kernel_stack:5440kB pagetables:2528kB bounce:0kB free_pcp:1416kB local_pcp:716kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
DMA32: 2*4kB (M) 3*8kB (M) 1*16kB (M) 2*32kB (M) 2*64kB (M) 3*128kB (M) 2*256kB (M) 4*512kB (M) 1*1024kB (M) 1*2048kB (M) 726*4096kB (M) = 2979952kB
Normal: 716*4kB (UME) 167*8kB (UME) 26*16kB (UME) 49*32kB (UM) 93*64kB (UM) 18*128kB (UM) 9*256kB (UME) 5*512kB (UM) 5*1024kB (UM) 3*2048kB (UME) 700*4096kB (M) = 2897768kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
11995 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320509 pages reserved
syz-executor6: vmalloc: allocation failure: 0 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 8156 Comm: syz-executor6 Not tainted 4.9.84-ga9d0273 #44
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c73678e0 ffffffff81d956b9 1ffff10038e6cf1f ffff8801c44d9800
 ffffffff83ab93e0 0000000000000001 0000000000400000 ffff8801c73679f0
 ffffffff81451cd2 024000c200000246 0000000041b58ab3 ffffffff841959b5
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3056
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] sel_write_load+0x130/0xfd0 security/selinux/selinuxfs.c:514
 [] __vfs_write+0x103/0x680 fs/read_write.c:510
 [] vfs_write+0x189/0x530 fs/read_write.c:560
 [] SYSC_write fs/read_write.c:607 [inline]
 [] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 [] entry_SYSCALL_64_after_swapgs+0x47/0xc5
Mem-Info:
active_anon:56116 inactive_anon:43 isolated_anon:0
 active_file:3547 inactive_file:8399 isolated_file:0
 unevictable:0 dirty:6425 writeback:0 unstable:0
 slab_reclaimable:6499 slab_unreclaimable:59078
 mapped:24173 shmem:50 pagetables:646 bounce:0
 free:1473475 free_pcp:483 free_cma:0
Node 0 active_anon:224464kB inactive_anon:172kB active_file:14188kB inactive_file:33596kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:96692kB dirty:25700kB writeback:0kB shmem:200kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 83968kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2908 6410 6410
DMA32 free:2979952kB min:30592kB low:38240kB high:45888kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129292kB managed:2980720kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:768kB local_pcp:48kB free_cma:0kB
lowmem_reserve[]: 0 0 3501 3501
Normal free:2898024kB min:36824kB low:46028kB high:55232kB active_anon:224464kB inactive_anon:172kB active_file:14188kB inactive_file:33596kB unevictable:0kB writepending:25704kB present:4718592kB managed:3585212kB mlocked:0kB slab_reclaimable:25996kB slab_unreclaimable:236328kB kernel_stack:5408kB pagetables:2584kB bounce:0kB free_pcp:1160kB local_pcp:620kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
DMA32: 2*4kB (M) 3*8kB (M) 1*16kB (M) 2*32kB (M) 2*64kB (M) 3*128kB (M) 2*256kB (M) 4*512kB (M) 1*1024kB (M) 1*2048kB (M) 726*4096kB (M) = 2979952kB
Normal: 716*4kB (UME) 167*8kB (UME) 26*16kB (UME) 53*32kB (UM) 93*64kB (UM) 19*128kB (UM) 9*256kB (UME) 5*512kB (UM) 5*1024kB (UM) 3*2048kB (UME) 700*4096kB (M) = 2898024kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
12001 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320509 pages reserved
random: crng init done
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb string length 33800 does not match expected length 8
SELinux: policydb string length 33800 does not match expected length 8
SELinux: policydb magic number 0x5e34f43f does not match expected magic number 0xf97cff8c
SELinux: policydb string length -368 does not match expected length 8
SELinux: policydb version -752110059 does not match my version range 15-30
rfkill: input handler disabled
SELinux: policydb version 6126 does not match my version range 15-30
rfkill: input handler enabled
SELinux: policydb version -752110059 does not match my version range 15-30
SELinux: policydb version 6126 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
IPVS: length: 1018 != 24
SELinux: policydb string length 182 does not match expected length 8
SELinux: policydb string length 182 does not match expected length 8
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
IPVS: length: 1018 != 24
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version -8643843 does not match my version range 15-30
device gre0 entered promiscuous mode
SELinux: policydb version -8643843 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb string length -24 does not match expected length 8
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
SELinux: policydb string length 0 does not match expected length 8
SELinux: policydb string length 0 does not match expected length 8
SELinux: policydb string length 3 does not match expected length 8
capability: warning: `syz-executor5' uses deprecated v2 capabilities in a way that may be insecure
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version -1319551890 does not match my version range 15-30
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=10
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version -1319551890 does not match my version range 15-30
SELinux: policydb magic number 0x0 does not match expected magic number 0xf97cff8c
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
SELinux: policydb version 0 does not match my version range 15-30
device gre0 entered promiscuous mode
SELinux: policydb magic number 0x787cff8c does not match expected magic number 0xf97cff8c
SELinux: policydb magic number 0x6e6d0c20 does not match expected magic number 0xf97cff8c
device gre0 entered promiscuous mode
NFQUEUE: number of total queues is 0
SELinux: policydb string length 382 does not match expected length 8