======================================================
WARNING: possible circular locking dependency detected
4.15.0-rc4-mm1+ #49 Not tainted
------------------------------------------------------
syz-executor7/5271 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.}, at: [<000000008cab5a85>] do_io_accounting+0x1c2/0xf50 fs/proc/base.c:2711

but task is already holding lock:
 (&p->lock){+.+.}, at: [<00000000645b626f>] seq_read+0xd5/0x13d0 fs/seq_file.c:165

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&p->lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       seq_read+0xd5/0x13d0 fs/seq_file.c:165
       proc_reg_read+0xe8/0x160 fs/proc/inode.c:217
       do_loop_readv_writev fs/read_write.c:673 [inline]
       do_iter_read+0x3d2/0x5a0 fs/read_write.c:897
       vfs_readv+0x121/0x1c0 fs/read_write.c:959
       kernel_readv fs/splice.c:361 [inline]
       default_file_splice_read+0x508/0xae0 fs/splice.c:416
       do_splice_to+0x10a/0x160 fs/splice.c:880
       do_splice fs/splice.c:1173 [inline]
       SYSC_splice fs/splice.c:1402 [inline]
       SyS_splice+0x1187/0x1610 fs/splice.c:1382
       entry_SYSCALL_64_fastpath+0x1f/0x96

-> #1 (&pipe->mutex/1){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       __pipe_lock fs/pipe.c:88 [inline]
       fifo_open+0x15c/0xa30 fs/pipe.c:916
       do_dentry_open+0x667/0xd40 fs/open.c:752
       vfs_open+0x107/0x220 fs/open.c:866
       do_last fs/namei.c:3397 [inline]
       path_openat+0x1151/0x3530 fs/namei.c:3537
       do_filp_open+0x25b/0x3b0 fs/namei.c:3572
       do_open_execat+0x1b9/0x5c0 fs/exec.c:849
       do_execveat_common.isra.30+0x90c/0x22a0 fs/exec.c:1736
       do_execve fs/exec.c:1843 [inline]
       SYSC_execve fs/exec.c:1924 [inline]
       SyS_execve+0x39/0x50 fs/exec.c:1919
       do_syscall_64+0x26c/0x920 arch/x86/entry/common.c:285
       return_from_SYSCALL_64+0x0/0x75

-> #0 (&sig->cred_guard_mutex){+.+.}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_killable_nested+0x16/0x20 kernel/locking/mutex.c:923
       do_io_accounting+0x1c2/0xf50 fs/proc/base.c:2711
       proc_tgid_io_accounting+0x22/0x30 fs/proc/base.c:2760
       proc_single_show+0xf8/0x170 fs/proc/base.c:746
       seq_read+0x385/0x13d0 fs/seq_file.c:234
       __vfs_read+0xef/0xa00 fs/read_write.c:411
       vfs_read+0x11e/0x350 fs/read_write.c:447
       SYSC_read fs/read_write.c:573 [inline]
       SyS_read+0xef/0x220 fs/read_write.c:566
       entry_SYSCALL_64_fastpath+0x1f/0x96

other info that might help us debug this:

Chain exists of:
  &sig->cred_guard_mutex --> &pipe->mutex/1 --> &p->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&p->lock);
                               lock(&pipe->mutex/1);
                               lock(&p->lock);
  lock(&sig->cred_guard_mutex);

 *** DEADLOCK ***

2 locks held by syz-executor7/5271:
 #0:  (&f->f_pos_lock){+.+.}, at: [<00000000f8cafa08>] __fdget_pos+0x12b/0x190 fs/file.c:765
 #1:  (&p->lock){+.+.}, at: [<00000000645b626f>] seq_read+0xd5/0x13d0 fs/seq_file.c:165

stack backtrace:
CPU: 0 PID: 5271 Comm: syz-executor7 Not tainted 4.15.0-rc4-mm1+ #49
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_circular_bug.isra.37+0x2cd/0x2dc kernel/locking/lockdep.c:1218
 check_prev_add kernel/locking/lockdep.c:1858 [inline]
 check_prevs_add kernel/locking/lockdep.c:1971 [inline]
 validate_chain kernel/locking/lockdep.c:2412 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3426
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
 mutex_lock_killable_nested+0x16/0x20 kernel/locking/mutex.c:923
 do_io_accounting+0x1c2/0xf50 fs/proc/base.c:2711
 proc_tgid_io_accounting+0x22/0x30 fs/proc/base.c:2760
 proc_single_show+0xf8/0x170 fs/proc/base.c:746
 seq_read+0x385/0x13d0 fs/seq_file.c:234
 __vfs_read+0xef/0xa00 fs/read_write.c:411
 vfs_read+0x11e/0x350 fs/read_write.c:447
 SYSC_read fs/read_write.c:573 [inline]
 SyS_read+0xef/0x220 fs/read_write.c:566
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452ac9
RSP: 002b:00007f53422d1c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000000000000 RSI: 000000002079e000 RDI: 0000000000000016
RBP: 00000000000005bf R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f5a88
R13: 00000000ffffffff R14: 00007f53422d26d4 R15: 0000000000000000
QAT: Invalid ioctl
QAT: Invalid ioctl
device syz0 entered promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 5363:5374 ioctl 40046205 0 returned -22
binder: 5363:5402 ioctl 40046205 0 returned -22
kauditd_printk_skb: 69 callbacks suppressed
audit: type=1326 audit(1514405450.890:315): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5461 comm="syz-executor2" exe="/root/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x0
audit: type=1326 audit(1514405450.991:316): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5461 comm="syz-executor2" exe="/root/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x0
audit: type=1400 audit(1514405451.144:317): avc: denied { map } for pid=5532 comm="syz-executor7" path="/dev/hwrng" dev="devtmpfs" ino=1109 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
audit: type=1326 audit(1514405451.201:318): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5546 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405451.202:319): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5546 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=69 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405451.202:320): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5546 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405451.202:321): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5546 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=9 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405451.203:322): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5546 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405451.203:323): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5546 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=317 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405451.229:324): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=5546 comm="syz-executor2" exe="/root/syz-executor2" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
mmap: syz-executor4 (5629) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
RDS: rds_bind could not find a transport for 0.0.0.1, load rds_tcp or rds_rdma?
RDS: rds_bind could not find a transport for 0.0.0.1, load rds_tcp or rds_rdma?
QAT: Invalid ioctl
capability: warning: `syz-executor4' uses deprecated v2 capabilities in a way that may be insecure
QAT: Invalid ioctl
device sit0 entered promiscuous mode
QAT: Invalid ioctl
QAT: Invalid ioctl
device gre0 entered promiscuous mode
QAT: Invalid ioctl
?: renamed from gre0
QAT: Invalid ioctl
?: renamed from gre0
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'.
semctl(GETNCNT/GETZCNT) is since 3.16 Single Unix Specification compliant.
The task syz-executor4 (6329) triggered the difference, watch for misbehavior.
RDS: rds_bind could not find a transport for 172.20.3.187, load rds_tcp or rds_rdma?
device syz7 entered promiscuous mode
sctp: [Deprecated]: syz-executor3 (pid 6474) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
sctp: [Deprecated]: syz-executor3 (pid 6474) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
device gre0 entered promiscuous mode
ICMPv6: NA: bb:bb:bb:bb:bb:04 advertised our address fe80::4aa on syz4!
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device eql entered promiscuous mode
binder: 6675:6682 ERROR: BC_REGISTER_LOOPER called without request
binder: 6682 RLIMIT_NICE not set
binder: 6682 RLIMIT_NICE not set
binder: 6675:6694 got reply transaction with bad transaction stack, transaction 18 has target 6675:0
binder: 6675:6694 transaction failed 29201/-71, size 32-8 line 2775
binder: 6675:6682 DecRefs 0 refcount change on invalid ref 1 ret -22
binder: 6675:6682 BC_INCREFS_DONE node 17 has no pending increfs request
binder: release 6675:6682 transaction 18 in, still active
binder: send failed reply for transaction 18 to 6675:6694
binder: 6675:6694 ERROR: BC_REGISTER_LOOPER called without request
binder: 6694 RLIMIT_NICE not set
binder: 6675:6694 got reply transaction with no transaction stack
binder: 6675:6694 transaction failed 29201/-71, size 32-8 line 2760
binder_alloc: 6675: binder_alloc_buf, no vma
binder: 6675:6682 transaction failed 29189/-3, size 0-0 line 2960
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
kauditd_printk_skb: 223 callbacks suppressed
audit: type=1326 audit(1514405455.898:544): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6805 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405455.898:545): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6805 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405455.912:546): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6805 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=317 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405455.913:547): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6805 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405455.913:548): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6805 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405455.914:549): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6805 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=16 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405455.915:550): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6805 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
audit: type=1326 audit(1514405455.915:551): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=6805 comm="syz-executor5" exe="/root/syz-executor5" sig=0 arch=c000003e syscall=202 compat=0 ip=0x452ac9 code=0x7ffc0000
netlink: 'syz-executor0': attribute type 2 has an invalid length.
netlink: 'syz-executor0': attribute type 2 has an invalid length.
binder: 6924:6930 ERROR: BC_REGISTER_LOOPER called without request
binder: 6930 RLIMIT_NICE not set
device lo entered promiscuous mode
binder: 6930 RLIMIT_NICE not set
binder: 6930 RLIMIT_NICE not set
device lo left promiscuous mode
binder: undelivered TRANSACTION_COMPLETE
binder: 6924:6947 ERROR: BC_REGISTER_LOOPER called without request
binder: 6947 RLIMIT_NICE not set
binder: 6924:6947 got reply transaction with no transaction stack
binder: 6924:6947 transaction failed 29201/-71, size 0-0 line 2760
binder: release 6924:6930 transaction 27 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 27, target dead
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 6977 Comm: syz-executor1 Not tainted 4.15.0-rc4-mm1+ #49
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 handle_userfault+0xbd9/0x2500 fs/userfaultfd.c:430
 do_anonymous_page mm/memory.c:3131 [inline]
 handle_pte_fault mm/memory.c:3945 [inline]
 __handle_mm_fault+0x32a3/0x3ce0 mm/memory.c:4071
 handle_mm_fault+0x38f/0x930 mm/memory.c:4108
 __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429
 do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504
 page_fault+0x2c/0x60 arch/x86/entry/entry_64.S:1243
RIP: 0010:fault_in_pages_readable include/linux/pagemap.h:601 [inline]
RIP: 0010:iov_iter_fault_in_readable+0x1a7/0x410 lib/iov_iter.c:421
RSP: 0018:ffff8801c853f928 EFLAGS: 00010246
RAX: 0000000000010000 RBX: 0000000020011fd2 RCX: ffffffff8251db91
RDX: 00000000000000c3 RSI: ffffc9000381d000 RDI: ffff8801c853fd28
RBP: ffff8801c853fa08 R08: 1ffff100383bad6a R09: 1ffff100390a7f22
R10: ffff8801c853f858 R11: ffffffff87a98008 R12: 1ffff100390a7f28
R13: ffff8801c853f9e0 R14: 0000000000000000 R15: ffff8801c853fd20
 generic_perform_write+0x200/0x600 mm/filemap.c:3128
 __generic_file_write_iter+0x366/0x5b0 mm/filemap.c:3263
 generic_file_write_iter+0x399/0x790 mm/filemap.c:3291
 call_write_iter include/linux/fs.h:1776 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x684/0x970 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452ac9
RSP: 002b:00007f2ee225bc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 000000000000001c RSI: 0000000020011fd2 RDI: 0000000000000014
RBP: 0000000000000393 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2668
R13: 00000000ffffffff R14: 00007f2ee225c6d4 R15: 0000000000000000
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=36142 sclass=netlink_route_socket pig=7052 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=36142 sclass=netlink_route_socket pig=7052 comm=syz-executor6
device gre0 entered promiscuous mode
QAT: Invalid ioctl
audit: type=1400 audit(1514405457.797:552): avc: denied { map } for pid=7238 comm="syz-executor0" path="/dev/usbmon0" dev="devtmpfs" ino=8874 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
binder: 7279 RLIMIT_NICE not set
binder: 7276:7279 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 7276:7292 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 7276:7300 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 7276:7292 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: undelivered death notification, 0000000000000000
QAT: Invalid ioctl
QAT: Invalid ioctl
rfkill: input handler disabled
rfkill: input handler enabled
kvm: vcpu 0: requested 68374 ns lapic timer period limited to 500000 ns
kvm: vcpu 0: requested 68374 ns lapic timer period limited to 500000 ns
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
binder: BINDER_SET_CONTEXT_MGR already set
binder: 7467:7498 ioctl 40046207 0 returned -16
binder: release 7467:7477 transaction 32 out, still active
binder: undelivered TRANSACTION_COMPLETE
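The lockdep report at the top of this log is a warning about a possible lock-order inversion, not an observed hang: lockdep saw three acquisition paths on separate occasions (read() of a /proc/PID/io-style file taking cred_guard_mutex under the seq_file p->lock, execve() of a FIFO taking pipe->mutex under cred_guard_mutex, and splice() from a proc file taking p->lock under pipe->mutex) and closed the cycle cred_guard_mutex --> pipe->mutex/1 --> p->lock --> cred_guard_mutex. The two-CPU "Possible unsafe locking scenario" it prints compresses that three-lock chain, so when triaging it helps to reconstruct one edge per numbered entry. The following Python is an added triage helper, not part of the syzkaller log and not kernel tooling: it parses the "-> #N (lock)" entries, rebuilds the cycle, names the syscall behind each acquisition, and cross-checks the result against lockdep's own "Chain exists of:" summary. SAMPLE is a trimmed copy of this page's report; the regexes assume the 4.15-era report layout, which is an assumption to revisit on other kernels. The audit, binder, netlink and QAT lines after the report are unrelated fuzzer noise from other syz-executor processes.

```python
"""Triage helper for lockdep "possible circular locking dependency" reports.
Added example: not part of the syzkaller log above and not kernel tooling. It
parses the numbered "-> #N (lock)" entries and rebuilds the lock cycle, naming
the syscall that reached each acquisition. SAMPLE is a trimmed copy of this
log's report; the regexes assume the 4.15-era report layout (an assumption)."""
import re
from dataclasses import dataclass, field

SYSCALL_RE = re.compile(r"(?:SyS|SYSC|__do_sys|__se_sys|__x64_sys|ksys)_(\w+)")
LOCK_RE = re.compile(r"\((.+?)\)\{")              # "(&p->lock){+.+.}" -> "&p->lock"
ENTRY_RE = re.compile(r"^-> #(\d+) \((.+?)\)\{")  # "-> #2 (&p->lock){+.+.}:"

@dataclass
class Entry:
    index: int                                  # "#N"; #0 is the acquisition that closed the cycle
    lock: str                                   # lock class as lockdep names it
    frames: list = field(default_factory=list)  # call trace, innermost frame first

    def syscall(self):
        """Syscall whose path reached this acquisition, or None if none is visible."""
        for frame in self.frames:
            if m := SYSCALL_RE.match(frame):
                return m.group(1)
        return None

@dataclass
class Report:
    task: str = ""
    acquiring: str = ""                          # lock the task tried to take when lockdep fired
    holding: str = ""                            # lock it already held at that point
    entries: dict = field(default_factory=dict)  # index -> Entry
    chain: list = field(default_factory=list)    # locks from the "Chain exists of:" line

def parse_report(text):
    rep, current, want = Report(), None, None    # current: Entry whose trace is being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                        # a blank line ends an entry's trace
        elif want in ("acquiring", "holding"):    # the lock line that follows a header
            m = LOCK_RE.search(line)
            setattr(rep, want, m.group(1) if m else line)
            want = None
        elif want == "chain":
            rep.chain, want = [s.strip() for s in line.split("-->")], None
        elif line.endswith("is trying to acquire lock:"):
            rep.task, want = line.split()[0], "acquiring"
        elif line == "but task is already holding lock:":
            want = "holding"
        elif line == "Chain exists of:":
            want = "chain"
        elif m := ENTRY_RE.match(line):
            current = Entry(int(m.group(1)), m.group(2))
            rep.entries[current.index] = current
        elif current is not None:
            current.frames.append(line)
    return rep

def lock_order(rep):
    """Cycle as lockdep numbers it: lock #k is held while #k+1 is taken, and the
    reporting task took #0 while holding the last one."""
    return [rep.entries[i].lock for i in sorted(rep.entries)]

def edges(rep):
    """One (held, acquired, syscall) triple per acquisition in the cycle."""
    order = lock_order(rep)
    return [(order[i - 1], order[i], rep.entries[i].syscall()) for i in sorted(rep.entries)]

def is_consistent(rep):
    """Cross-check the numbered entries against lockdep's own summary lines."""
    order = lock_order(rep)
    return bool(order) and rep.chain == order and rep.acquiring == order[0] and rep.holding == order[-1]

SAMPLE = """\
syz-executor7/5271 is trying to acquire lock:
 (&sig->cred_guard_mutex){+.+.}, at: [<000000008cab5a85>] do_io_accounting+0x1c2/0xf50 fs/proc/base.c:2711

but task is already holding lock:
 (&p->lock){+.+.}, at: [<00000000645b626f>] seq_read+0xd5/0x13d0 fs/seq_file.c:165

-> #2 (&p->lock){+.+.}:
       seq_read+0xd5/0x13d0 fs/seq_file.c:165
       SyS_splice+0x1187/0x1610 fs/splice.c:1382

-> #1 (&pipe->mutex/1){+.+.}:
       fifo_open+0x15c/0xa30 fs/pipe.c:916
       SyS_execve+0x39/0x50 fs/exec.c:1919

-> #0 (&sig->cred_guard_mutex){+.+.}:
       do_io_accounting+0x1c2/0xf50 fs/proc/base.c:2711
       SyS_read+0xef/0x220 fs/read_write.c:566

Chain exists of:
  &sig->cred_guard_mutex --> &pipe->mutex/1 --> &p->lock
"""

if __name__ == "__main__":
    for held, acquired, sc in edges(parse_report(SAMPLE)):
        print(f"{sc}(): takes {acquired} while holding {held}")
```

Run it on a full console log by passing the whole text to parse_report(); everything outside the report headers and the "-> #N" entries is ignored. edges() yields one row per acquisition, so the three-lock chain above comes out as read() taking &sig->cred_guard_mutex under &p->lock, execve() taking &pipe->mutex/1 under &sig->cred_guard_mutex, and splice() taking &p->lock under &pipe->mutex/1. is_consistent() returning False means the numbered entries and the "Chain exists of:" line disagree, which usually indicates a truncated or interleaved log rather than a lockdep bug.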