====================================================== [ INFO: possible circular locking dependency detected ] 4.4.118-g5f7f76a #24 Not tainted ------------------------------------------------------- syz-executor7/16714 is trying to acquire lock: (&mm->mmap_sem){++++++}, at: [] __might_fault+0xe4/0x1d0 mm/memory.c:3809 but task is already holding lock: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:701 [inline] (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x367/0xfa0 drivers/staging/android/ashmem.c:778 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621 [] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366 [] mmap_region+0x94f/0x1250 mm/mmap.c:1664 [] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441 [] do_mmap_pgoff include/linux/mm.h:1915 [inline] [] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296 [] SYSC_mmap_pgoff mm/mmap.c:1491 [inline] [] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449 [] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] [] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 [] entry_SYSCALL_64_fastpath+0x1c/0x98 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __might_fault+0x14a/0x1d0 mm/memory.c:3810 [] copy_from_user arch/x86/include/asm/uaccess.h:724 [inline] [] ashmem_pin_unpin drivers/staging/android/ashmem.c:706 [inline] [] ashmem_ioctl+0x3b4/0xfa0 drivers/staging/android/ashmem.c:778 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607 [] SYSC_ioctl fs/ioctl.c:622 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613 [] entry_SYSCALL_64_fastpath+0x1c/0x98 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by syz-executor7/16714: #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:701 [inline] #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x367/0xfa0 drivers/staging/android/ashmem.c:778 stack backtrace: CPU: 0 PID: 16714 Comm: syz-executor7 Not tainted 4.4.118-g5f7f76a #24 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 f9f95f130a9d126a ffff8801d6f7f9b8 ffffffff81d0402d ffffffff851a0010 ffffffff851a0010 ffffffff851beb20 ffff8800b4fb20f8 ffff8800b4fb1800 ffff8801d6f7fa00 ffffffff81233ba1 ffff8800b4fb20f8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __might_fault+0x14a/0x1d0 mm/memory.c:3810 [] copy_from_user arch/x86/include/asm/uaccess.h:724 [inline] [] ashmem_pin_unpin drivers/staging/android/ashmem.c:706 [inline] [] ashmem_ioctl+0x3b4/0xfa0 drivers/staging/android/ashmem.c:778 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607 [] SYSC_ioctl fs/ioctl.c:622 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613 [] entry_SYSCALL_64_fastpath+0x1c/0x98 device syz7 entered promiscuous mode device syz7 left promiscuous mode device gre0 entered promiscuous mode SELinux: unknown mount option SELinux: unknown mount option device gre0 entered promiscuous mode SELinux: unknown mount option device gre0 entered promiscuous mode SELinux: unknown mount option SELinux: unknown mount option SELinux: unknown mount option device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode capability: warning: `syz-executor1' uses deprecated v2 capabilities in a way that may be insecure device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode netlink: 4 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor2'. device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode netlink: 17 bytes leftover after parsing attributes in process `syz-executor4'. device gre0 entered promiscuous mode netlink: 17 bytes leftover after parsing attributes in process `syz-executor4'. device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode