[ INFO: possible circular locking dependency detected ] 4.4.118-g5f7f76a #24 Not tainted ------------------------------------------------------- syz-executor6/18576 is trying to acquire lock: (&mm->mmap_sem){++++++}, at: [] __might_fault+0xe4/0x1d0 mm/memory.c:3809 but task is already holding lock: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:701 [inline] (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x367/0xfa0 drivers/staging/android/ashmem.c:778 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (ashmem_mutex){+.+.+.}: [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621 [] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366 [] mmap_region+0x94f/0x1250 mm/mmap.c:1664 [] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441 [] do_mmap_pgoff include/linux/mm.h:1915 [inline] [] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296 [] SYSC_mmap_pgoff mm/mmap.c:1491 [inline] [] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449 [] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] [] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 [] entry_SYSCALL_64_fastpath+0x1c/0x98 -> #0 (&mm->mmap_sem){++++++}: [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __might_fault+0x14a/0x1d0 mm/memory.c:3810 [] copy_from_user arch/x86/include/asm/uaccess.h:724 [inline] [] ashmem_pin_unpin drivers/staging/android/ashmem.c:706 [inline] [] ashmem_ioctl+0x3b4/0xfa0 drivers/staging/android/ashmem.c:778 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607 [] SYSC_ioctl fs/ioctl.c:622 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613 [] entry_SYSCALL_64_fastpath+0x1c/0x98 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by syz-executor6/18576: #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:701 [inline] #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x367/0xfa0 drivers/staging/android/ashmem.c:778 stack backtrace: CPU: 0 PID: 18576 Comm: syz-executor6 Not tainted 4.4.118-g5f7f76a #24 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 3029e2d3fefe35b9 ffff8800a81879b8 ffffffff81d0402d ffffffff851a0010 ffffffff851a0010 ffffffff851bee80 ffff8801d73320f8 ffff8801d7331800 ffff8800a8187a00 ffffffff81233ba1 ffff8801d73320f8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __might_fault+0x14a/0x1d0 mm/memory.c:3810 [] copy_from_user arch/x86/include/asm/uaccess.h:724 [inline] [] ashmem_pin_unpin drivers/staging/android/ashmem.c:706 [inline] [] ashmem_ioctl+0x3b4/0xfa0 drivers/staging/android/ashmem.c:778 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607 [] SYSC_ioctl fs/ioctl.c:622 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613 [] entry_SYSCALL_64_fastpath+0x1c/0x98 binder: 18541:18550 ioctl c0306201 20008fd0 returned -22 binder: 18940:18943 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 18940:18943 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 Option 'Ü¿Ò „ãÞ' to dns_resolver key: bad/missing value IPv4: Oversized IP packet from 172.20.3.13 Option 'Ü¿Ò „ãÞ' to dns_resolver key: bad/missing value audit: type=1400 audit(1519669626.761:70): avc: denied { create } for pid=19077 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=key permissive=1 audit: type=1400 audit(1519669626.781:71): avc: denied { write } for pid=19077 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=key permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=26846 sclass=netlink_route_socket IPv4: Oversized IP packet from 172.20.3.13 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=26846 sclass=netlink_route_socket IPv4: Oversized IP packet from 172.20.3.13 IPv4: Oversized IP packet from 172.20.3.13 binder: 19701:19702 unknown command -419430391 binder: 19701:19702 ioctl c0306201 20012000 returned -22 binder: 19701:19702 Release 1 refcount change on invalid ref 0 ret -22 binder: 19701:19702 unknown command -419430391 binder: 19701:19702 ioctl c0306201 20012000 returned -22 tmpfs: Bad mount option GóÈáæó Q…_›Àí&ÍÄº’xäWÛ^Õ\Ä ¸3Ó$ùö“ŽøFº„*Ž7äl«9KEIÎéüvS99Ðº¸‹žÀ[Ìm '