======================================================
[ INFO: possible circular locking dependency detected ]
4.9.77-ge12a9c4 #18 Not tainted
-------------------------------------------------------
syz-executor6/13050 is trying to acquire lock:
9pnet_virtio: no channels available for device HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
       ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379
       mmap_region+0x7dd/0xfd0 mm/mmap.c:1694
       do_mmap+0x57b/0xbe0 mm/mmap.c:1473
       do_mmap_pgoff include/linux/mm.h:2019 [inline]
       vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
       SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
       SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
       entry_SYSCALL_64_fastpath+0x29/0xe8

       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __might_fault+0x14a/0x1d0 mm/memory.c:3994
       copy_to_user arch/x86/include/asm/uaccess.h:718 [inline]
       filldir+0x1aa/0x340 fs/readdir.c:195
       dir_emit_dot include/linux/fs.h:3203 [inline]
       dir_emit_dots include/linux/fs.h:3214 [inline]
       dcache_readdir+0x12d/0x5e0 fs/libfs.c:191
       iterate_dir+0x4a6/0x5d0 fs/readdir.c:50
       SYSC_getdents fs/readdir.c:230 [inline]
       SyS_getdents+0x14a/0x2a0 fs/readdir.c:211
       entry_SYSCALL_64_fastpath+0x29/0xe8

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       down_write+0x41/0xa0 kernel/locking/rwsem.c:52
       inode_lock include/linux/fs.h:746 [inline]
       shmem_file_llseek+0xef/0x240 mm/shmem.c:2403
       vfs_llseek+0xa2/0xd0 fs/read_write.c:301
       ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355
       vfs_llseek fs/read_write.c:301 [inline]
       SYSC_lseek fs/read_write.c:314 [inline]
       SyS_lseek+0xeb/0x170 fs/read_write.c:305
       entry_SYSCALL_64_fastpath+0x29/0xe8

other info that might help us debug this:

Chain exists of:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor6/13050:
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343

stack backtrace:
CPU: 1 PID: 13050 Comm: syz-executor6 Not tainted 4.9.77-ge12a9c4 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c17afb98 ffffffff81d941c9 ffffffff853a1c40 ffffffff853ab0c0
 ffffffff853c1320 ffff8801c1c988d8 ffff8801c1c98000 ffff8801c17afbe0
 ffffffff81238561 ffff8801c1c988d8 00000000c1c988b0 ffff8801c1c988d8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 [] down_write+0x41/0xa0 kernel/locking/rwsem.c:52
 [] inode_lock include/linux/fs.h:746 [inline]
 [] shmem_file_llseek+0xef/0x240 mm/shmem.c:2403
 [] vfs_llseek+0xa2/0xd0 fs/read_write.c:301
 [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355
 [] vfs_llseek fs/read_write.c:301 [inline]
 [] SYSC_lseek fs/read_write.c:314 [inline]
 [] SyS_lseek+0xeb/0x170 fs/read_write.c:305
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
l2tp_core: tunl 1: fd 19 wrong protocol, got 6, expected 17
l2tp_core: tunl 1: fd 22 wrong protocol, got 6, expected 17
audit: type=1400 audit(1516449308.483:66): avc: denied { create } for pid=13206 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1
IPVS: Creating netns size=2536 id=13
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 13313 Comm: syz-executor3 Not tainted 4.9.77-ge12a9c4 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c2bef980 ffffffff81d941c9 ffff8801c2befc60 0000000000000000
 ffff8801c03a0a10 ffff8801c2befb50 ffff8801c03a0900 ffff8801c2befb78
 ffffffff81661c5a 1ffff1003b644394 ffff8801c2befad0 00000001c0939067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1044
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
TCP: request_sock_TCPv6: Possible SYN flooding on port 20006. Sending cookies. Check SNMP counters.
program syz-executor1 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor1 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
audit: type=1400 audit(1516449309.933:67): avc: denied { getattr } for pid=13449 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
binder: 13748:13751 transaction failed 29189/-22, size 0-0 line 3004
binder: 13748:13760 transaction failed 29189/-22, size 0-0 line 3004
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 13780 Comm: syz-executor2 Not tainted 4.9.77-ge12a9c4 #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c6ee75d0 ffffffff81d941c9 ffff8801c6ee78b0 0000000000000000
 ffff8801c03a1310 ffff8801c6ee77a0 ffff8801c03a1200 ffff8801c6ee77c8
 ffffffff81661c5a 0000000041b58ab3 ffff8801c6ee7720 00000001d1d95067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1044
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x29/0xe8
audit: type=1400 audit(1516449311.973:68): avc: denied { ioctl } for pid=13829 comm="syz-executor1" path="socket:[23134]" dev="sockfs" ino=23134 ioctlcmd=0x8904 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(1516449311.973:69): avc: denied { setopt } for pid=13824 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1025 sclass=netlink_route_socket pig=13853 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1025 sclass=netlink_route_socket pig=13853 comm=syz-executor2
IPv4: Oversized IP packet from 127.0.0.1
updating oom_score_adj for 13906 (syz-executor4) from 0 to 0 because it shares mm with 13899 (syz-executor4). Report if this is unexpected.
updating oom_score_adj for 13911 (syz-executor4) from 0 to 0 because it shares mm with 13899 (syz-executor4). Report if this is unexpected.
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23812 sclass=netlink_route_socket pig=14406 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23812 sclass=netlink_route_socket pig=14415 comm=syz-executor3
l2tp_ppp: sess 59/32096: set debug=fffd40e
binder: 14432:14442 transaction failed 29189/-22, size 0-0 line 3004
binder: 14432:14448 transaction failed 29189/-22, size 0-0 line 3004
binder: undelivered TRANSACTION_ERROR: 29189
00000000: 00 02 20 00 00 00 ff 03 13 29 bb 1c 02 bc 64 34  .. ......)....d4
00000010: e4                                               .
binder: 14585:14592 ERROR: BC_REGISTER_LOOPER called without request
binder: 14585:14592 ioctl c0306201 2000efd0 returned -14
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered transaction 156, process died.
net_ratelimit: 8 callbacks suppressed
IPv4: Oversized IP packet from 127.0.0.1
audit: type=1400 audit(1516449315.463:70): avc: denied { setattr } for pid=14618 comm="syz-executor4" name="map_files" dev="proc" ino=23505 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
binder: 14585:14606 ERROR: BC_REGISTER_LOOPER called without request
binder: 14585:14606 got reply transaction with no transaction stack
binder: 14585:14606 transaction failed 29201/-71, size 32-8 line 2920
binder_alloc: 14585: binder_alloc_buf, no vma
binder: 14585:14592 transaction failed 29189/-3, size 0-0 line 3127
binder: 14585:14606 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 14585:14606 BC_INCREFS_DONE ufffffffffffffffe no match
audit: type=1400 audit(1516449315.533:71): avc: denied { connect } for pid=14641 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
binder: undelivered TRANSACTION_ERROR: 29189
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
binder: 14770:14776 ERROR: BC_REGISTER_LOOPER called without request
IPv4: Oversized IP packet from 127.0.0.1
9pnet_virtio: no channels available for device ./file0
binder: send failed reply for transaction 163 to 14770:14799
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
IPv4: Oversized IP packet from 127.0.0.1
binder: 14770:14799 ERROR: BC_REGISTER_LOOPER called without request
binder: release 14770:14776 transaction 165 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 165, target dead
9pnet_virtio: no channels available for device ./file0
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
IPv4: Oversized IP packet from 127.0.0.1
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
audit: type=1400 audit(1516449317.363:72): avc: denied { setpcap } for pid=15052 comm="syz-executor1" capability=8 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1516449317.363:73): avc: denied { call } for pid=15047 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder_alloc: binder_alloc_mmap_handler: 15047 20000000-20002000 already mapped failed -16
audit: type=1400 audit(1516449317.373:74): avc: denied { dac_override } for pid=15054 comm="syz-executor3" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15047:15056 ioctl 40046207 0 returned -16