====================================================== [ INFO: possible circular locking dependency detected ] 4.4.120-gd63fdf6 #28 Not tainted ------------------------------------------------------- syz-executor7/15778 is trying to acquire lock: (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816 but task is already holding lock: (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621 [] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366 [] mmap_region+0x94f/0x1250 mm/mmap.c:1664 [] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441 [] do_mmap_pgoff include/linux/mm.h:1915 [inline] [] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296 [] SYSC_mmap_pgoff mm/mmap.c:1491 [inline] [] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449 [] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] [] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 [] entry_SYSCALL_64_fastpath+0x1c/0x98 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __might_fault+0x14a/0x1d0 mm/memory.c:3810 [] copy_to_user arch/x86/include/asm/uaccess.h:760 [inline] [] filldir+0x162/0x2d0 fs/readdir.c:180 [] dir_emit_dot include/linux/fs.h:3070 [inline] [] dir_emit_dots include/linux/fs.h:3081 [inline] [] dcache_readdir+0x11e/0x7b0 fs/libfs.c:150 [] iterate_dir+0x1c8/0x420 fs/readdir.c:42 [] SYSC_getdents fs/readdir.c:215 [inline] [] SyS_getdents+0x14a/0x270 fs/readdir.c:196 [] entry_SYSCALL_64_fastpath+0x1c/0x98 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621 [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816 [] vfs_llseek+0xa2/0xd0 fs/read_write.c:260 [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342 [] vfs_llseek fs/read_write.c:260 [inline] [] SYSC_lseek fs/read_write.c:285 [inline] [] SyS_lseek+0xeb/0x170 fs/read_write.c:276 [] entry_SYSCALL_64_fastpath+0x1c/0x98 other info that might help us debug this: Chain exists of: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&sb->s_type->i_mutex_key#10); *** DEADLOCK *** 1 lock held by syz-executor7/15778: #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330 stack backtrace: CPU: 0 PID: 15778 Comm: syz-executor7 Not tainted 4.4.120-gd63fdf6 #28 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 2494898d66e8b63c ffff8801ce527ad8 ffffffff81d0408d ffffffff851a0010 ffffffff851a9d00 ffffffff851be7c0 ffff8801d21d08f8 ffff8801d21d0000 ffff8801ce527b20 ffffffff81233ba1 ffff8801d21d08f8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621 [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816 [] vfs_llseek+0xa2/0xd0 fs/read_write.c:260 [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342 [] vfs_llseek fs/read_write.c:260 [inline] [] SYSC_lseek fs/read_write.c:285 [inline] [] SyS_lseek+0xeb/0x170 fs/read_write.c:276 [] entry_SYSCALL_64_fastpath+0x1c/0x98 audit_printk_skb: 9 callbacks suppressed audit: type=1400 audit(1521820583.929:81): avc: denied { set_context_mgr } for pid=15832 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 audit: type=1400 audit(1521820583.979:82): avc: denied { set_context_mgr } for pid=15832 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder: 15867:15870 transaction failed 29189/-22, size 582-0 line 3005 binder: undelivered TRANSACTION_ERROR: 29189 audit: type=1400 audit(1521820584.699:83): avc: denied { create } for pid=15999 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1521820584.749:84): avc: denied { write } for pid=15999 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1521820584.809:85): avc: denied { create } for pid=15999 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1521820584.829:86): avc: denied { write } for pid=15999 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1521820585.049:87): avc: denied { create } for pid=16066 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_scsitransport_socket permissive=1 audit: type=1400 audit(1521820585.109:88): avc: denied { create } for pid=16066 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_scsitransport_socket permissive=1 TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. vmalloc: allocation failure: 0 bytes syz-executor2: page allocation failure: order:0, mode:0x24000c2 audit: type=1400 audit(1521820586.629:89): avc: denied { create } for pid=16424 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1 CPU: 0 PID: 16428 Comm: syz-executor2 Not tainted 4.4.120-gd63fdf6 #28 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 c479b6603a55c1d8 ffff8801c708f938 ffffffff81d0408d 1ffff10038e11f2a ffff8801c5efc800 00000000024000c2 0000000000000000 0000000000000001 ffff8801c708fa48 ffffffff81431059 ffffffff838ac620 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] warn_alloc_failed+0x1d9/0x240 mm/page_alloc.c:2757 [] __vmalloc_node_range+0x41d/0x630 mm/vmalloc.c:1692 [] __vmalloc_node mm/vmalloc.c:1715 [inline] [] __vmalloc_node_flags mm/vmalloc.c:1729 [inline] [] vmalloc+0x5b/0x70 mm/vmalloc.c:1744 [] sel_write_load+0x130/0xff0 security/selinux/selinuxfs.c:527 [] __vfs_write+0x103/0x450 fs/read_write.c:489 [] vfs_write+0x18a/0x530 fs/read_write.c:538 [] SYSC_write fs/read_write.c:585 [inline] [] SyS_write+0xd9/0x1b0 fs/read_write.c:577 [] entry_SYSCALL_64_fastpath+0x1c/0x98 Mem-Info: active_anon:57638 inactive_anon:44 isolated_anon:0 active_file:3868 inactive_file:8547 isolated_file:0 unevictable:0 dirty:92 writeback:0 unstable:0 slab_reclaimable:6305 slab_unreclaimable:59055 mapped:24352 shmem:291 pagetables:681 bounce:0 free:1469942 free_pcp:506 free_cma:0 DMA free:15904kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15904kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes lowmem_reserve[]: 0 2911 6411 6411 DMA32 free:2656240kB min:30608kB low:38260kB high:45912kB active_anon:102424kB inactive_anon:68kB active_file:7212kB inactive_file:20240kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3129292kB managed:2982732kB mlocked:0kB dirty:168kB writeback:0kB mapped:47092kB shmem:1040kB slab_reclaimable:11924kB slab_unreclaimable:113724kB kernel_stack:1856kB pagetables:1160kB unstable:0kB bounce:0kB free_pcp:720kB local_pcp:380kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no lowmem_reserve[]: 0 0 3500 3500 Normal free:3207624kB min:36808kB low:46008kB high:55212kB active_anon:128128kB inactive_anon:108kB active_file:8260kB inactive_file:13948kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3584660kB mlocked:0kB dirty:200kB writeback:0kB mapped:50316kB shmem:124kB slab_reclaimable:13296kB slab_unreclaimable:122496kB kernel_stack:4288kB pagetables:1564kB unstable:0kB bounce:0kB free_pcp:1304kB local_pcp:640kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no lowmem_reserve[]: 0 0 0 0 DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15904kB DMA32: 382*4kB (UME) 258*8kB (UME) 196*16kB (UME) 125*32kB (UME) 86*64kB (UME) 63*128kB (UM) 55*256kB (UM) 27*512kB (UME) 51*1024kB (UME) 2*2048kB (ME) 622*4096kB (UM) = 2656232kB Normal: 670*4kB (UME) 258*8kB (UME) 204*16kB (UME) 216*32kB (UME) 136*64kB (UM) 97*128kB (UME) 71*256kB (UME) 53*512kB (UM) 69*1024kB (UM) 2*2048kB (ME) 745*4096kB (UM) = 3207624kB Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB 12705 total pagecache pages 0 pages in swap cache Swap cache stats: add 0, delete 0, find 0/0 Free swap = 0kB Total swap = 0kB 1965969 pages RAM 0 pages HighMem/MovableOnly 320145 pages reserved audit: type=1400 audit(1521820586.629:90): avc: denied { dyntransition } for pid=16445 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0 tclass=process permissive=1 vmalloc: allocation failure: 0 bytes syz-executor2: page allocation failure: order:0, mode:0x24000c2 CPU: 0 PID: 16428 Comm: syz-executor2 Not tainted 4.4.120-gd63fdf6 #28 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 c479b6603a55c1d8 ffff8801c708f938 ffffffff81d0408d 1ffff10038e11f2a ffff8801c5efc800 00000000024000c2 0000000000000000 0000000000000001 ffff8801c708fa48 ffffffff81431059 ffffffff838ac620 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] warn_alloc_failed+0x1d9/0x240 mm/page_alloc.c:2757 [] __vmalloc_node_range+0x41d/0x630 mm/vmalloc.c:1692 [] __vmalloc_node mm/vmalloc.c:1715 [inline] [] __vmalloc_node_flags mm/vmalloc.c:1729 [inline] [] vmalloc+0x5b/0x70 mm/vmalloc.c:1744 [] sel_write_load+0x130/0xff0 security/selinux/selinuxfs.c:527 [] __vfs_write+0x103/0x450 fs/read_write.c:489 [] vfs_write+0x18a/0x530 fs/read_write.c:538 [] SYSC_write fs/read_write.c:585 [inline] [] SyS_write+0xd9/0x1b0 fs/read_write.c:577 [] entry_SYSCALL_64_fastpath+0x1c/0x98 Mem-Info: active_anon:58215 inactive_anon:44 isolated_anon:0 active_file:3868 inactive_file:8547 isolated_file:0 unevictable:0 dirty:92 writeback:0 unstable:0 slab_reclaimable:6305 slab_unreclaimable:59107 mapped:24352 shmem:291 pagetables:718 bounce:0 free:1469341 free_pcp:451 free_cma:0 DMA free:15904kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15904kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes lowmem_reserve[]: 0 2911 6411 6411 DMA32 free:2656328kB min:30608kB low:38260kB high:45912kB active_anon:102416kB inactive_anon:68kB active_file:7212kB inactive_file:20240kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3129292kB managed:2982732kB mlocked:0kB dirty:168kB writeback:0kB mapped:47092kB shmem:1040kB slab_reclaimable:11924kB slab_unreclaimable:113724kB kernel_stack:1856kB pagetables:1160kB unstable:0kB bounce:0kB free_pcp:992kB local_pcp:652kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no lowmem_reserve[]: 0 0 3500 3500 Normal free:3205132kB min:36808kB low:46008kB high:55212kB active_anon:130444kB inactive_anon:108kB active_file:8260kB inactive_file:13948kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3584660kB mlocked:0kB dirty:200kB writeback:0kB mapped:50316kB shmem:124kB slab_reclaimable:13296kB slab_unreclaimable:122704kB kernel_stack:4288kB pagetables:1712kB unstable:0kB bounce:0kB free_pcp:812kB local_pcp:148kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no lowmem_reserve[]: 0 0 0 0 DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15904kB DMA32: 382*4kB (UME) 261*8kB (UME) 196*16kB (UME) 129*32kB (UME) 86*64kB (UME) 63*128kB (UM) 55*256kB (UM) 27*512kB (UME) 51*1024kB (UME) 2*2048kB (ME) 622*4096kB (UM) = 2656384kB Normal: 631*4kB (UME) 256*8kB (UME) 203*16kB (UME) 207*32kB (UME) 136*64kB (UM) 97*128kB (UME) 71*256kB (UME) 53*512kB (UM) 69*1024kB (UM) 1*2048kB (E) 745*4096kB (UM) = 3205100kB Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB 12705 total pagecache pages 0 pages in swap cache Swap cache stats: add 0, delete 0, find 0/0 Free swap = 0kB Total swap = 0kB 1965969 pages RAM 0 pages HighMem/MovableOnly 320145 pages reserved netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. binder: 16599:16605 ioctl c0306201 20008fd0 returned -14 binder: 16599:16620 ioctl c0306201 20008fd0 returned -14 IPVS: Creating netns size=2552 id=11 qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly audit_printk_skb: 27 callbacks suppressed audit: type=1400 audit(1521820589.769:100): avc: denied { create } for pid=16917 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1521820589.839:101): avc: denied { create } for pid=16917 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1401 audit(1521820590.279:102): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=system_u:object_r:crond_unit_file_t:s0 TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. audit: type=1400 audit(1521820590.629:103): avc: denied { set_context_mgr } for pid=17077 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder: BINDER_SET_CONTEXT_MGR already set binder: 17077:17090 ioctl 40046207 0 returned -16 audit: type=1400 audit(1521820590.799:104): avc: denied { create } for pid=17119 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1521820590.879:105): avc: denied { create } for pid=17119 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1521820590.909:106): avc: denied { getopt } for pid=17119 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1521820590.969:107): avc: denied { create } for pid=17146 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1521820591.039:108): avc: denied { create } for pid=17146 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1521820591.119:109): avc: denied { create } for pid=17177 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 binder: binder_mmap: 17222 20001000-20003000 bad vm_flags failed -1 binder: binder_mmap: 17222 20001000-20003000 bad vm_flags failed -1 netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.