======================================================
[ INFO: possible circular locking dependency detected ]
4.9.203-syzkaller #0 Not tainted
-------------------------------------------------------
syz-executor.0/12147 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [<000000004ee63f61>] inode_lock include/linux/fs.h:771 [inline]
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [<000000004ee63f61>] shmem_fallocate+0x143/0xab0 mm/shmem.c:2683

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [<000000001031e431>] ashmem_shrink_scan+0x56/0x4c0 drivers/staging/android/ashmem.c:455

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3759
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc7/0x920 kernel/locking/mutex.c:621
       ashmem_mmap+0x53/0x470 drivers/staging/android/ashmem.c:378
       mmap_region+0x7e7/0xfa0 mm/mmap.c:1726
       do_mmap+0x539/0xbc0 mm/mmap.c:1505
       do_mmap_pgoff include/linux/mm.h:2066 [inline]
       vm_mmap_pgoff+0x179/0x1c0 mm/util.c:329
       SYSC_mmap_pgoff mm/mmap.c:1555 [inline]
       SyS_mmap_pgoff+0xfa/0x1b0 mm/mmap.c:1513
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:96 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:87
       do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

       lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3759
       down_read+0x44/0xb0 kernel/locking/rwsem.c:22
       __do_page_fault+0x7bd/0xa60 arch/x86/mm/fault.c:1337
       do_page_fault+0x28/0x30 arch/x86/mm/fault.c:1464
       page_fault+0x25/0x30 arch/x86/entry/entry_64.S:956
       generic_perform_write+0x1b6/0x500 mm/filemap.c:2930
       __generic_file_write_iter+0x340/0x530 mm/filemap.c:3065
       generic_file_write_iter+0x38a/0x630 mm/filemap.c:3093
       new_sync_write fs/read_write.c:498 [inline]
       __vfs_write+0x3c1/0x560 fs/read_write.c:511
       vfs_write+0x185/0x520 fs/read_write.c:559
       SYSC_write fs/read_write.c:607 [inline]
       SyS_write+0x121/0x270 fs/read_write.c:599
       do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x2d22/0x4390 kernel/locking/lockdep.c:3345
       lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3759
       down_write+0x41/0xa0 kernel/locking/rwsem.c:52
       inode_lock include/linux/fs.h:771 [inline]
       shmem_fallocate+0x143/0xab0 mm/shmem.c:2683
       ashmem_shrink_scan drivers/staging/android/ashmem.c:462 [inline]
       ashmem_shrink_scan+0x1c3/0x4c0 drivers/staging/android/ashmem.c:446
       ashmem_ioctl+0x29b/0xdd0 drivers/staging/android/ashmem.c:804
       vfs_ioctl fs/ioctl.c:43 [inline]
       file_ioctl fs/ioctl.c:493 [inline]
       do_vfs_ioctl+0xb87/0x11d0 fs/ioctl.c:677
       SYSC_ioctl fs/ioctl.c:694 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
       do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

Chain exists of:
 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor.0/12147:
 #0:  (ashmem_mutex){+.+.+.}, at: [<000000001031e431>] ashmem_shrink_scan+0x56/0x4c0 drivers/staging/android/ashmem.c:455

stack backtrace:
CPU: 1 PID: 12147 Comm: syz-executor.0 Not tainted 4.9.203-syzkaller #0
 ffff8801a442f6b8 ffffffff81b55f6b ffffffff83cb8000 ffffffff83ce7ac0
 ffffffff83cae9d0 ffffffff8424ff40 ffff8801aec2af80 ffff8801a442f710
 ffffffff81406eaa ffff8801aec2b870 ffffffff8405a4c0 ffff8801aec2b858
Call Trace:
 [<00000000445b7002>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000445b7002>] dump_stack+0xcb/0x130 lib/dump_stack.c:56
 [<00000000d92803b1>] print_circular_bug.cold+0x2f6/0x454 kernel/locking/lockdep.c:1202
 [<0000000060dfa051>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [<0000000060dfa051>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [<0000000060dfa051>] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [<0000000060dfa051>] __lock_acquire+0x2d22/0x4390 kernel/locking/lockdep.c:3345
 [<00000000a92b43ec>] lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3759
 [<00000000a799a743>] down_write+0x41/0xa0 kernel/locking/rwsem.c:52
 [<000000004ee63f61>] inode_lock include/linux/fs.h:771 [inline]
 [<000000004ee63f61>] shmem_fallocate+0x143/0xab0 mm/shmem.c:2683
 [<000000009be6929d>] ashmem_shrink_scan drivers/staging/android/ashmem.c:462 [inline]
 [<000000009be6929d>] ashmem_shrink_scan+0x1c3/0x4c0 drivers/staging/android/ashmem.c:446
 [<000000009ee598db>] ashmem_ioctl+0x29b/0xdd0 drivers/staging/android/ashmem.c:804
 [<000000000bb49d83>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<000000000bb49d83>] file_ioctl fs/ioctl.c:493 [inline]
 [<000000000bb49d83>] do_vfs_ioctl+0xb87/0x11d0 fs/ioctl.c:677
 [<000000007aff1111>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<000000007aff1111>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<000000003cb6b5fb>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<00000000afe4fadc>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
audit_printk_skb: 93 callbacks suppressed
audit: type=1400 audit(3032.422:1103): avc:  denied  { create } for  pid=12183 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(3033.156:1104): avc:  denied  { create } for  pid=12212 comm="syz-executor.3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(3037.223:1105): avc:  denied  { create } for  pid=12382 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(3038.145:1106): avc:  denied  { create } for  pid=12422 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
audit: type=1400 audit(3038.701:1107): avc:  denied  { create } for  pid=12447 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
 loop4: p1 < p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 p16 p17 p18 p19 p20 p21 p22 p23 p24 p25 p26 p27 p28 p29 p30 p31 p32 p33 p34 p35 p36 p37 p38 p39 p40 p41 p42 p43 p44 p45 p46 p47 p48 p49 p50 p51 p52 p53 p54 p55 p56 p57 p58 p59 p60 p61 p62 p63 p64 p65 p66 p67 p68 p69 p70 p71 p72 p73 p74 p75 p76 p77 p78 p79 p80 p81 p82 p83 p84 p85 p86 p87 p88 p89 p90 p91 p92 p93 p94 p95 p96 p97 p98 p99 p100 p101 p102 p103 p104 p105 p106 p107 p108 p109 p110 p111 p112 p113 p114 p115 p116 p117 p118 p119 p120 p121 p122 p123 p124 p125 p126 p127 p128 p129 p130 p131 p132 p133 p134 p135 p136 p137 p138 p139 p140 p141 p142 p143 p144 p145 p146 p147 p148 p149 p150 p151 p152 p153 p154 p155 p156 p157 p158 p159 p160 p161 p162 p163 p164 p165 p166 p167 p168 p169 p170 p171 p172 p173 p174 p175 p176 p177 p178 p179 p180 p181 p182 p183 p184 p185 p186 p187 p188 p189 p190 p191 p192 p193 p194 p195 p196 p197 p198 p199 p200 p201 p202 p203 p204 p205 p206 p207 p208 p209 p210 p211 p212 p213 p214 p215 p216 p217 p218 p219 p
loop4: p1 size 2 extends beyond EOD, truncated
loop4: p4 start 1854537728 is beyond EOD, truncated
loop4: p5 start 1854537728 is beyond EOD, truncated
loop4: p6 start 1854537728 is beyond EOD, truncated
loop4: p7 start 1854537728 is beyond EOD, truncated
loop4: p8 start 1854537728 is beyond EOD, truncated
loop4: p9 start 1854537728 is beyond EOD, truncated
loop4: p10 start 1854537728 is beyond EOD, truncated
loop4: p11 start 1854537728 is beyond EOD, truncated
loop4: p12 start 1854537728 is beyond EOD, truncated
loop4: p13 start 1854537728 is beyond EOD, truncated
loop4: p14 start 1854537728 is beyond EOD, truncated
loop4: p15 start 1854537728 is beyond EOD, truncated
loop4: p16 start 1854537728 is beyond EOD, truncated
loop4: p17 start 1854537728 is beyond EOD, truncated
loop4: p18 start 1854537728 is beyond EOD, truncated
loop4: p19 start 1854537728 is beyond EOD, truncated
loop4: p20 start 1854537728 is beyond EOD, truncated
loop4: p21 start 1854537728 is beyond EOD, truncated
loop4: p22 start 1854537728 is beyond EOD, truncated
loop4: p23 start 1854537728 is beyond EOD, truncated
loop4: p24 start 1854537728 is beyond EOD, truncated
loop4: p25 start 1854537728 is beyond EOD, truncated
loop4: p26 start 1854537728 is beyond EOD, truncated
loop4: p27 start 1854537728 is beyond EOD, truncated
loop4: p28 start 1854537728 is beyond EOD, truncated
loop4: p29 start 1854537728 is beyond EOD, truncated
loop4: p30 start 1854537728 is beyond EOD, truncated
loop4: p31 start 1854537728 is beyond EOD, truncated
loop4: p32 start 1854537728 is beyond EOD, truncated
loop4: p33 start 1854537728 is beyond EOD, truncated
loop4: p34 start 1854537728 is beyond EOD, truncated
loop4: p35 start 1854537728 is beyond EOD, truncated
loop4: p36 start 1854537728 is beyond EOD, truncated
loop4: p37 start 1854537728 is beyond EOD, truncated
loop4: p38 start 1854537728 is beyond EOD, truncated
loop4: p39 start 1854537728 is beyond EOD, truncated
loop4: p40 start 1854537728 is beyond EOD, truncated
loop4: p41 start 1854537728 is beyond EOD, truncated
loop4: p42 start 1854537728 is beyond EOD, truncated
loop4: p43 start 1854537728 is beyond EOD, truncated
loop4: p44 start 1854537728 is beyond EOD, truncated
loop4: p45 start 1854537728 is beyond EOD, truncated
loop4: p46 start 1854537728 is beyond EOD, truncated
loop4: p47 start 1854537728 is beyond EOD, truncated
loop4: p48 start 1854537728 is beyond EOD, truncated
loop4: p49 start 1854537728 is beyond EOD, truncated
loop4: p50 start 1854537728 is beyond EOD, truncated
loop4: p51 start 1854537728 is beyond EOD, truncated
loop4: p52 start 1854537728 is beyond EOD, truncated
loop4: p53 start 1854537728 is beyond EOD, truncated
loop4: p54 start 1854537728 is beyond EOD, truncated
loop4: p55 start 1854537728 is beyond EOD, truncated
loop4: p56 start 1854537728 is beyond EOD, truncated
loop4: p57 start 1854537728 is beyond EOD, truncated
loop4: p58 start 1854537728 is beyond EOD, truncated
loop4: p59 start 1854537728 is beyond EOD, truncated
loop4: p60 start 1854537728 is beyond EOD, truncated
loop4: p61 start 1854537728 is beyond EOD, truncated
loop4: p62 start 1854537728 is beyond EOD, truncated
loop4: p63 start 1854537728 is beyond EOD, truncated
loop4: p64 start 1854537728 is beyond EOD, truncated
loop4: p65 start 1854537728 is beyond EOD, truncated
loop4: p66 start 1854537728 is beyond EOD, truncated
loop4: p67 start 1854537728 is beyond EOD, truncated