======================================================
WARNING: possible circular locking dependency detected
4.14.94+ #12 Not tainted
------------------------------------------------------
syz-executor2/8461 is trying to acquire lock:
 (&pipe->mutex/1){+.+.}, at: [<ffffffffa4171f86>] __pipe_lock fs/pipe.c:88 [inline]
 (&pipe->mutex/1){+.+.}, at: [<ffffffffa4171f86>] fifo_open+0x156/0x9b0 fs/pipe.c:921

but task is already holding lock:
 (&sig->cred_guard_mutex){+.+.}, at: [<ffffffffa416c3a1>] prepare_bprm_creds+0x51/0x110 fs/exec.c:1389

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&sig->cred_guard_mutex){+.+.}:

-> #1 (&p->lock){+.+.}:
binder_alloc: 8456: binder_alloc_buf, no vma

-> #0 (&pipe->mutex/1){+.+.}:

other info that might help us debug this:

Chain exists of:
  &pipe->mutex/1 --> &p->lock --> &sig->cred_guard_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sig->cred_guard_mutex
binder: 8456:8479 transaction failed 29189/-3, size 24-8 line 3135
);
                               lock(&p->lock);
                               lock(&sig->cred_guard_mutex);
  lock(&pipe->mutex/1);

 *** DEADLOCK ***

1 lock held by syz-executor2/8461:
 #0:  (&sig->cred_guard_mutex){+.+.}, at: [<ffffffffa416c3a1>] prepare_bprm_creds+0x51/0x110 fs/exec.c:1389

stack backtrace:
CPU: 1 PID: 8461 Comm: syz-executor2 Not tainted 4.14.94+ #12
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
 print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258
binder: 8456:8482 unknown command 262144
binder: 8456:8482 ioctl c0306201 200002c0 returned -22
binder: 8456:8479 Release 1 refcount change on invalid ref 1 ret -22
binder: 8456:8479 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 8456:8483 BC_ACQUIRE_DONE u0000000000000000 node 11 cookie mismatch 0000000000000002 != 0000000000000000
binder: 8456:8483 BC_CLEAR_DEATH_NOTIFICATION invalid ref 1
binder: 8456:8483 Release 1 refcount change on invalid ref 2 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 8456: binder_alloc_buf, no vma
binder: 8456:8510 unknown command 262144
binder: 8483:8482 transaction failed 29189/-3, size 24-8 line 3135
binder: 8456:8510 ioctl c0306201 200002c0 returned -22
binder: 8456:8483 ioctl 40046207 0 returned -16
audit: type=1400 audit(1548174297.219:51): avc:  denied  { map } for  pid=8515 comm="syz-executor0" path="socket:[24510]" dev="sockfs" ino=24510 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=rawip_socket permissive=1
binder: 8456:8522 Release 1 refcount change on invalid ref 1 ret -22
binder: 8483:8510 BC_ACQUIRE_DONE u0000000000000000 no match
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 8970:8976 transaction failed 29189/-22, size 203-0 line 3012
binder: 8970:8976 transaction failed 29189/-22, size 203-0 line 3012
EXT4-fs (sda1): resizing filesystem from 524032 to 256 blocks
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
EXT4-fs warning (device sda1): ext4_resize_fs:1900: can't shrink FS - resize aborted
EXT4-fs (sda1): resizing filesystem from 524032 to 256 blocks
EXT4-fs warning (device sda1): ext4_resize_fs:1900: can't shrink FS - resize aborted
nla_parse: 11 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1400 audit(1548174304.499:52): avc:  denied  { map } for  pid=9357 comm="syz-executor1" path="/dev/net/tun" dev="devtmpfs" ino=1070 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1