======================================================
WARNING: possible circular locking dependency detected
4.16.0-rc4+ #346 Not tainted
------------------------------------------------------
syz-executor1/20756 is trying to acquire lock:
 (&mm->mmap_sem){++++}, at: [<00000000f2954853>] __might_fault+0xe0/0x1d0 mm/memory.c:4570

but task is already holding lock:
 (ashmem_mutex){+.+.}, at: [<00000000c893b034>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 (ashmem_mutex){+.+.}, at: [<00000000c893b034>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
       ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362
       call_mmap include/linux/fs.h:1786 [inline]
       mmap_region+0xa99/0x15a0 mm/mmap.c:1705
       do_mmap+0x6c0/0xe00 mm/mmap.c:1483
       do_mmap_pgoff include/linux/mm.h:2223 [inline]
       vm_mmap_pgoff+0x1de/0x280 mm/util.c:355
       SYSC_mmap_pgoff mm/mmap.c:1533 [inline]
       SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

-> #0 (&mm->mmap_sem){++++}:
       lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
       __might_fault+0x13a/0x1d0 mm/memory.c:4571
       _copy_from_user+0x2c/0x110 lib/usercopy.c:10
       copy_from_user include/linux/uaccess.h:147 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
       ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
       vfs_ioctl fs/ioctl.c:46 [inline]
       do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
       do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x42/0xb7

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor1/20756:
 #0:  (ashmem_mutex){+.+.}, at: [<00000000c893b034>] ashmem_pin_unpin drivers/staging/android/ashmem.c:705 [inline]
 #0:  (ashmem_mutex){+.+.}, at: [<00000000c893b034>] ashmem_ioctl+0x3db/0x11b0 drivers/staging/android/ashmem.c:782

stack backtrace:
CPU: 1 PID: 20756 Comm: syz-executor1 Not tainted 4.16.0-rc4+ #346
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223
 check_prev_add kernel/locking/lockdep.c:1863 [inline]
 check_prevs_add kernel/locking/lockdep.c:1976 [inline]
 validate_chain kernel/locking/lockdep.c:2417 [inline]
 __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431
 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920
 __might_fault+0x13a/0x1d0 mm/memory.c:4571
 _copy_from_user+0x2c/0x110 lib/usercopy.c:10
 copy_from_user include/linux/uaccess.h:147 [inline]
 ashmem_pin_unpin drivers/staging/android/ashmem.c:710 [inline]
 ashmem_ioctl+0x438/0x11b0 drivers/staging/android/ashmem.c:782
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453e69
RSP: 002b:00007fd502b17c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fd502b186d4 RCX: 0000000000453e69
RDX: 00000000006e8000 RSI: 0000000040087707 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000189 R14: 00000000006f2578 R15: 0000000000000000
kernel msg: ebtables bug: please report to author: Total nentries is wrong
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=21163 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=21177 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=21200 comm=syz-executor1
netlink: 'syz-executor1': attribute type 10 has an invalid length.
netlink: 'syz-executor1': attribute type 10 has an invalid length.
netlink: 'syz-executor1': attribute type 10 has an invalid length.
netlink: 'syz-executor1': attribute type 10 has an invalid length.
netlink: 'syz-executor1': attribute type 10 has an invalid length.
netlink: 'syz-executor1': attribute type 10 has an invalid length.