======================================================
[ INFO: possible circular locking dependency detected ]
4.9.81-gd2c57b6 #34 Not tainted
-------------------------------------------------------
syz-executor3/13115 is trying to acquire lock:
 (&sb->s_type->i_mutex_key
but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (ashmem_mutex){+.+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
       ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379
       mmap_region+0x7dd/0xfd0 mm/mmap.c:1694
       do_mmap+0x57b/0xbe0 mm/mmap.c:1473
       do_mmap_pgoff include/linux/mm.h:2019 [inline]
       vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
       SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
       SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
       do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282
       entry_SYSCALL_64_after_swapgs+0x47/0xc5

-> #1 (&mm->mmap_sem){++++++}:
       __might_fault+0x14a/0x1d0 mm/memory.c:3994
       copy_to_user arch/x86/include/asm/uaccess.h:727 [inline]
       filldir+0x1aa/0x340 fs/readdir.c:195
       dir_emit_dot include/linux/fs.h:3203 [inline]
       dir_emit_dots include/linux/fs.h:3214 [inline]
       dcache_readdir+0x12d/0x5e0 fs/libfs.c:191
       iterate_dir+0x4a6/0x5d0 fs/readdir.c:50
       SYSC_getdents fs/readdir.c:230 [inline]
       SyS_getdents+0x14a/0x2a0 fs/readdir.c:211
       do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282
       entry_SYSCALL_64_after_swapgs+0x47/0xc5

-> #0 (&sb->s_type->i_mutex_key#10){++++++}:
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       down_write+0x41/0xa0 kernel/locking/rwsem.c:52
       inode_lock include/linux/fs.h:746 [inline]
       shmem_file_llseek+0xef/0x240 mm/shmem.c:2403
       vfs_llseek+0xa2/0xd0 fs/read_write.c:301
       ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355
       vfs_llseek fs/read_write.c:301 [inline]
       SYSC_lseek fs/read_write.c:314 [inline]
       SyS_lseek+0xeb/0x170 fs/read_write.c:305
       do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282
       entry_SYSCALL_64_after_swapgs+0x47/0xc5

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor3/13115:
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343

stack backtrace:
CPU: 1 PID: 13115 Comm: syz-executor3 Not tainted 4.9.81-gd2c57b6 #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c87e7b38 ffffffff81d94de9 ffffffff853a2cd0 ffffffff853ac9c0
 ffffffff853c2f80 ffff8801b553b8d8 ffff8801b553b000 ffff8801c87e7b80
 ffffffff81238741 ffff8801b553b8d8 00000000b553b8b0 ffff8801b553b8d8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 [] down_write+0x41/0xa0 kernel/locking/rwsem.c:52
 [] inode_lock include/linux/fs.h:746 [inline]
 [] shmem_file_llseek+0xef/0x240 mm/shmem.c:2403
 [] vfs_llseek+0xa2/0xd0 fs/read_write.c:301
 [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355
 [] vfs_llseek fs/read_write.c:301 [inline]
 [] SYSC_lseek fs/read_write.c:314 [inline]
 [] SyS_lseek+0xeb/0x170 fs/read_write.c:305
 [] do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282
 [] entry_SYSCALL_64_after_swapgs+0x47/0xc5