 [<0000000091d6262e>] vfs_write+0x185/0x520 fs/read_write.c:559
 [<00000000b7596ffe>] SYSC_write fs/read_write.c:607 [inline]
 [<00000000b7596ffe>] SyS_write+0x121/0x270 fs/read_write.c:599
 [<00000000ca2ce3f9>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<00000000a58b5206>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[  707.187217] Mem-Info:
active_anon:108620 inactive_anon:1741 isolated_anon:0
 active_file:10082 inactive_file:11586 isolated_file:0
 unevictable:0 dirty:204 writeback:0 unstable:0
 slab_reclaimable:8384 slab_unreclaimable:70892
 mapped:59372 shmem:1748 pagetables:20820 bounce:0
 free:1344703 free_pcp:283 free_cma:0
Node 0 active_anon:434480kB inactive_anon:6964kB active_file:40328kB inactive_file:46344kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:237488kB dirty:816kB writeback:0kB shmem:6992kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA32 free:3019420kB min:4696kB low:7712kB high:10728kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3145324kB managed:3020096kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:676kB local_pcp:32kB free_cma:0kB
lowmem_reserve[]: 0 3505 3505
Normal free:2359392kB min:5580kB low:9168kB high:12756kB active_anon:434480kB inactive_anon:6964kB active_file:40328kB inactive_file:46344kB unevictable:0kB writepending:816kB present:4718592kB managed:3589320kB mlocked:0kB slab_reclaimable:33536kB slab_unreclaimable:283568kB kernel_stack:30144kB pagetables:83280kB bounce:0kB free_pcp:456kB local_pcp:164kB free_cma:0kB
lowmem_reserve[]: 0 0 0
DMA32: 3*4kB (UM) 2*8kB (M) 2*16kB (M) 3*32kB (UM) 4*64kB (UM) 4*128kB (UM) 3*256kB (UM) 2*512kB (M) 2*1024kB (UM) 2*2048kB (UM) 735*4096kB (M) = 3019420kB
Normal: 736*4kB (UME) 524*8kB (UE) 300*16kB (UME) 22*32kB (E) 70*64kB (UME) 23*128kB (ME) 10*256kB (UME) 6*512kB (ME) 3*1024kB (M) 4*2048kB (ME) 567*4096kB (M) = 2359392kB
23424 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313625 pages reserved
SELinux:  policydb string S,'*F does not match my string SE Linux

======================================================
[ INFO: possible circular locking dependency detected ]
4.9.205-syzkaller #0 Not tainted
-------------------------------------------------------
syz-executor.4/30425 is trying to acquire lock:
 (&mm->mmap_sem){++++++}, at: [<0000000097054cf8>] __do_page_fault+0x7bd/0xa60 arch/x86/mm/fault.c:1337

but task is already holding lock:
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [<000000005a2925bc>] inode_lock include/linux/fs.h:771 [inline]
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [<000000005a2925bc>] generic_file_write_iter+0x9a/0x630 mm/filemap.c:3090

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3759
       down_write+0x41/0xa0 kernel/locking/rwsem.c:52
       inode_lock include/linux/fs.h:771 [inline]
       shmem_fallocate+0x143/0xab0 mm/shmem.c:2683
       ashmem_shrink_scan drivers/staging/android/ashmem.c:462 [inline]
       ashmem_shrink_scan+0x1c3/0x4c0 drivers/staging/android/ashmem.c:446
       ashmem_ioctl+0x29b/0xdd0 drivers/staging/android/ashmem.c:804
       vfs_ioctl fs/ioctl.c:43 [inline]
       file_ioctl fs/ioctl.c:493 [inline]
       do_vfs_ioctl+0xb87/0x11d0 fs/ioctl.c:677
       SYSC_ioctl fs/ioctl.c:694 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
       do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

       lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3759
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc7/0x920 kernel/locking/mutex.c:621
       ashmem_mmap+0x53/0x470 drivers/staging/android/ashmem.c:378
       mmap_region+0x7e7/0xfa0 mm/mmap.c:1726
       do_mmap+0x539/0xbc0 mm/mmap.c:1505
       do_mmap_pgoff include/linux/mm.h:2066 [inline]
       vm_mmap_pgoff+0x179/0x1c0 mm/util.c:329
       SYSC_mmap_pgoff mm/mmap.c:1555 [inline]
       SyS_mmap_pgoff+0xfa/0x1b0 mm/mmap.c:1513
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:96 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:87
       do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x2d22/0x4390 kernel/locking/lockdep.c:3345
       lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3759
       down_read+0x44/0xb0 kernel/locking/rwsem.c:22
       __do_page_fault+0x7bd/0xa60 arch/x86/mm/fault.c:1337
       do_page_fault+0x28/0x30 arch/x86/mm/fault.c:1464
       page_fault+0x25/0x30 arch/x86/entry/entry_64.S:956
       generic_perform_write+0x1b6/0x500 mm/filemap.c:2930
       __generic_file_write_iter+0x340/0x530 mm/filemap.c:3065
       generic_file_write_iter+0x38a/0x630 mm/filemap.c:3093
       new_sync_write fs/read_write.c:498 [inline]
       __vfs_write+0x3c1/0x560 fs/read_write.c:511
       vfs_write+0x185/0x520 fs/read_write.c:559
       SYSC_write fs/read_write.c:607 [inline]
       SyS_write+0x121/0x270 fs/read_write.c:599
       do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

Chain exists of:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sb->s_type->i_mutex_key#10);
                               lock(ashmem_mutex);
                               lock(&sb->s_type->i_mutex_key#10);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

2 locks held by syz-executor.4/30425:
 #0:  (sb_writers#6){.+.+.+}, at: [<0000000013a60474>] file_start_write include/linux/fs.h:2645 [inline]
 #0:  (sb_writers#6){.+.+.+}, at: [<0000000013a60474>] vfs_write+0x3e9/0x520 fs/read_write.c:558
 #1:  (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [<000000005a2925bc>] inode_lock include/linux/fs.h:771 [inline]
 #1:  (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [<000000005a2925bc>] generic_file_write_iter+0x9a/0x630 mm/filemap.c:3090

stack backtrace:
CPU: 1 PID: 30425 Comm: syz-executor.4 Not tainted 4.9.205-syzkaller #0
 ffff8801959cf5d8 ffffffff81b55e6b ffffffff83cae9d0 ffffffff83cb81b0
 ffffffff83cf52c0 ffffffff8424ff40 ffff880195c897c0 ffff8801959cf630
 ffffffff81406e9a dffffc0000000000 ffffffff84064d40 ffff880195c8a0c0
Call Trace:
 [<00000000d031f6a8>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000d031f6a8>] dump_stack+0xcb/0x130 lib/dump_stack.c:56
 [<00000000329fd764>] print_circular_bug.cold+0x2f6/0x454 kernel/locking/lockdep.c:1202
 [<000000000b9204e3>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [<000000000b9204e3>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [<000000000b9204e3>] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [<000000000b9204e3>] __lock_acquire+0x2d22/0x4390 kernel/locking/lockdep.c:3345
 [<000000000b9f1429>] lock_acquire+0x133/0x3d0 kernel/locking/lockdep.c:3759
 [<000000007d5dc34d>] down_read+0x44/0xb0 kernel/locking/rwsem.c:22
 [<0000000097054cf8>] __do_page_fault+0x7bd/0xa60 arch/x86/mm/fault.c:1337
 [<000000001ef57d66>] do_page_fault+0x28/0x30 arch/x86/mm/fault.c:1464
 [<0000000037a99923>] page_fault+0x25/0x30 arch/x86/entry/entry_64.S:956
 [<0000000044be79f8>] generic_perform_write+0x1b6/0x500 mm/filemap.c:2930
 [<00000000bfdc7ae7>] __generic_file_write_iter+0x340/0x530 mm/filemap.c:3065
 [<00000000b76c8624>] generic_file_write_iter+0x38a/0x630 mm/filemap.c:3093
 [<0000000096c2da5d>] new_sync_write fs/read_write.c:498 [inline]
 [<0000000096c2da5d>] __vfs_write+0x3c1/0x560 fs/read_write.c:511
 [<0000000091d6262e>] vfs_write+0x185/0x520 fs/read_write.c:559
 [<00000000b7596ffe>] SYSC_write fs/read_write.c:607 [inline]
 [<00000000b7596ffe>] SyS_write+0x121/0x270 fs/read_write.c:599
 [<00000000ca2ce3f9>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<00000000a58b5206>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
SELinux:  policydb string S,'*F does not match my string SE Linux

syz-executor.3: vmalloc: allocation failure: 0 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 1 PID: 30459 Comm: syz-executor.3 Not tainted 4.9.205-syzkaller #0
 ffff88019315f968 ffffffff81b55e6b 1ffff1003262bf2f ffff8801a196af80
 ffffffff82aab3e0 0000000000000001 0000000000400000 ffff88019315fa90
 ffffffff81507f6c 0000000041b58ab3 ffffffff82e3a438 ffffffff81431e20
Call Trace:
 [<00000000d031f6a8>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000d031f6a8>] dump_stack+0xcb/0x130 lib/dump_stack.c:56
 [<000000004194b9c7>] warn_alloc.cold+0x76/0x93 mm/page_alloc.c:3069
 [<00000000508e4d42>] __vmalloc_node_range+0x368/0x610 mm/vmalloc.c:1733
 [<0000000033db4740>] __vmalloc_node mm/vmalloc.c:1755 [inline]
 [<0000000033db4740>] __vmalloc_node_flags mm/vmalloc.c:1769 [inline]
 [<0000000033db4740>] vmalloc+0x5c/0x70 mm/vmalloc.c:1784
 [<0000000050983555>] sel_write_load+0x119/0xf60 security/selinux/selinuxfs.c:514
 [<00000000cb41ae46>] __vfs_write+0x116/0x560 fs/read_write.c:509
 [<0000000091d6262e>] vfs_write+0x185/0x520 fs/read_write.c:559
 [<00000000b7596ffe>] SYSC_write fs/read_write.c:607 [inline]
 [<00000000b7596ffe>] SyS_write+0x121/0x270 fs/read_write.c:599
 [<00000000ca2ce3f9>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<00000000a58b5206>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Mem-Info:
active_anon:111213 inactive_anon:70 isolated_anon:0
 active_file:10083 inactive_file:11589 isolated_file:0
 unevictable:0 dirty:209 writeback:0 unstable:0
 slab_reclaimable:8388 slab_unreclaimable:70659
 mapped:59377 shmem:53 pagetables:20827 bounce:0
 free:1343962 free_pcp:429 free_cma:0
Node 0 active_anon:444852kB inactive_anon:280kB active_file:40332kB inactive_file:46356kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:237508kB dirty:836kB writeback:0kB shmem:212kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA32 free:3019420kB min:4696kB low:7712kB high:10728kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3145324kB managed:3020096kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:676kB local_pcp:644kB free_cma:0kB
lowmem_reserve[]: 0 3505 3505
Normal free:2356428kB min:5580kB low:9168kB high:12756kB active_anon:444852kB inactive_anon:280kB active_file:40332kB inactive_file:46356kB unevictable:0kB writepending:836kB present:4718592kB managed:3589320kB mlocked:0kB slab_reclaimable:33552kB slab_unreclaimable:282636kB kernel_stack:29984kB pagetables:83308kB bounce:0kB free_pcp:1020kB local_pcp:312kB free_cma:0kB
lowmem_reserve[]: 0 0 0
DMA32: 3*4kB (UM) 2*8kB (M) 2*16kB (M) 3*32kB (UM) 4*64kB (UM) 4*128kB (UM) 3*256kB (UM) 2*512kB (M) 2*1024kB (UM) 2*2048kB (UM) 735*4096kB (M) = 3019420kB
Normal: 768*4kB (UME) 529*8kB (UME) 299*16kB (UME) 185*32kB (UME) 66*64kB (UME) 21*128kB (ME) 8*256kB (UME) 2*512kB (ME) 0*1024kB 3*2048kB (ME) 567*4096kB (M) = 2356568kB
21747 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313625 pages reserved
SELinux:  policydb string S,'*F does not match my string SE Linux
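The three stacks in the lockdep report's dependency chain are the three ordering edges the kernel had recorded: ashmem_shrink_scan takes the shmem inode lock while holding ashmem_mutex, ashmem_mmap takes ashmem_mutex while the caller holds mmap_sem, and the write path's page fault takes mmap_sem while generic_file_write_iter holds the inode lock. The last edge closes a cycle, which is all "possible circular locking dependency" means. The following is an added example, not code from the syzbot report or from the kernel: a minimal userspace model of that check in C. The lock class names are copied from the report; record_acquire, replay_ashmem_report, reset_graph and MAX_LOCKS are this example's own names and do not correspond to lockdep internals.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 16

/* Lock classes interned by name, and the "held-before" graph:
 * edge[a][b] == 1 means lock b was at some point acquired while a was held. */
static const char *lock_names[MAX_LOCKS];
static int nlocks;
static unsigned char edge[MAX_LOCKS][MAX_LOCKS];

void reset_graph(void)
{
    nlocks = 0;
    memset(edge, 0, sizeof edge);
}

static int lock_id(const char *name)
{
    for (int i = 0; i < nlocks; i++)
        if (strcmp(lock_names[i], name) == 0)
            return i;
    if (nlocks == MAX_LOCKS)
        return -1;
    lock_names[nlocks] = name;
    return nlocks++;
}

/* Depth-first search for a path from -> to over recorded edges. On success the
 * path (from ... to) is left in path[0..*len-1]. */
static int find_path(int from, int to, unsigned char *seen, int *path, int *len)
{
    path[(*len)++] = from;
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int i = 0; i < nlocks; i++)
        if (edge[from][i] && !seen[i] && find_path(i, to, seen, path, len))
            return 1;
    (*len)--;
    return 0;
}

/* Record "acquire `next` while `held` is held". Returns 0 when the new edge is
 * consistent with everything seen so far, 1 when it would close a cycle (what
 * lockdep prints as "possible circular locking dependency"); in that case the
 * cycle is written to out as "next -> ... -> held -> next". Returns -1 if the
 * class table is full. */
int record_acquire(const char *held, const char *next, char *out, size_t outsz)
{
    int a = lock_id(held), b = lock_id(next);
    if (a < 0 || b < 0)
        return -1;
    unsigned char seen[MAX_LOCKS] = {0};
    int path[MAX_LOCKS + 1], len = 0;

    /* If `next` already (transitively) precedes `held`, adding held -> next
     * makes the order circular. A held == next call is caught here too, the
     * analogue of lockdep's recursive-locking warning. */
    if (find_path(b, a, seen, path, &len)) {
        size_t used = 0;
        for (int i = 0; i < len && used < outsz; i++)
            used += (size_t)snprintf(out + used, outsz - used, "%s -> ", lock_names[path[i]]);
        if (used < outsz)
            snprintf(out + used, outsz - used, "%s", lock_names[b]);
        return 1;
    }
    edge[a][b] = 1;
    return 0;
}

/* Replay the three dependencies from the report in the order lockdep learned them
 * (the chain is printed in reverse order, so the first stack is the oldest edge). */
int replay_ashmem_report(char *cycle, size_t sz)
{
    reset_graph();
    /* ashmem_shrink_scan: holds ashmem_mutex, shmem_fallocate takes the inode lock */
    if (record_acquire("ashmem_mutex", "&sb->s_type->i_mutex_key#10", cycle, sz) != 0)
        return -1;
    /* ashmem_mmap: entered from mmap_region with mmap_sem held, takes ashmem_mutex */
    if (record_acquire("&mm->mmap_sem", "ashmem_mutex", cycle, sz) != 0)
        return -1;
    /* generic_file_write_iter: holds the inode lock, page fault takes mmap_sem */
    return record_acquire("&sb->s_type->i_mutex_key#10", "&mm->mmap_sem", cycle, sz);
}

int main(void)
{
    char cycle[256];
    if (replay_ashmem_report(cycle, sizeof cycle) == 1)
        printf("possible circular locking dependency: %s\n", cycle);
    return 0;
}
```

The cycle the model reports, &mm->mmap_sem -> ashmem_mutex -> &sb->s_type->i_mutex_key#10 -> &mm->mmap_sem, is the same three-lock chain the report's "Possible unsafe locking scenario" spells out across CPU0 and CPU1. Note that lockdep flags the ordering as soon as the third edge is recorded, whether or not the two tasks ever actually interleave; the fix is to break one edge, not to reproduce the hang.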