======================================================
WARNING: possible circular locking dependency detected
4.14.94+ #12 Not tainted
------------------------------------------------------
syz-executor2/8461 is trying to acquire lock:
 (&pipe->mutex/1){+.+.}, at: [] __pipe_lock fs/pipe.c:88 [inline]
 (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9b0 fs/pipe.c:921

but task is already holding lock:
 (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x51/0x110 fs/exec.c:1389

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&sig->cred_guard_mutex){+.+.}:

-> #1 (&p->lock){+.+.}:
binder_alloc: 8456: binder_alloc_buf, no vma

-> #0 (&pipe->mutex/1){+.+.}:

other info that might help us debug this:

Chain exists of:
  &pipe->mutex/1 --> &p->lock --> &sig->cred_guard_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sig->cred_guard_mutex
binder: 8456:8479 transaction failed 29189/-3, size 24-8 line 3135
);
                               lock(&p->lock);
                               lock(&sig->cred_guard_mutex);
  lock(&pipe->mutex/1);

 *** DEADLOCK ***

1 lock held by syz-executor2/8461:
 #0: (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x51/0x110 fs/exec.c:1389

stack backtrace:
CPU: 1 PID: 8461 Comm: syz-executor2 Not tainted 4.14.94+ #12
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
 print_circular_bug.isra.0.cold+0x2dc/0x425 kernel/locking/lockdep.c:1258
binder: 8456:8482 unknown command 262144
binder: 8456:8482 ioctl c0306201 200002c0 returned -22
binder: 8456:8479 Release 1 refcount change on invalid ref 1 ret -22
binder: 8456:8479 BC_ACQUIRE_DONE u0000000000000000 no match
binder: 8456:8483 BC_ACQUIRE_DONE u0000000000000000 node 11 cookie mismatch 0000000000000002 != 0000000000000000
binder: 8456:8483 BC_CLEAR_DEATH_NOTIFICATION invalid ref 1
binder: 8456:8483 Release 1 refcount change on invalid ref 2 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder_alloc: 8456: binder_alloc_buf, no vma
binder: 8456:8510 unknown command 262144
binder: 8483:8482 transaction failed 29189/-3, size 24-8 line 3135
binder: 8456:8510 ioctl c0306201 200002c0 returned -22
binder: 8456:8483 ioctl 40046207 0 returned -16
audit: type=1400 audit(1548174297.219:51): avc: denied { map } for pid=8515 comm="syz-executor0" path="socket:[24510]" dev="sockfs" ino=24510 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=rawip_socket permissive=1
binder: 8456:8522 Release 1 refcount change on invalid ref 1 ret -22
binder: 8483:8510 BC_ACQUIRE_DONE u0000000000000000 no match
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 8970:8976 transaction failed 29189/-22, size 203-0 line 3012
binder: 8970:8976 transaction failed 29189/-22, size 203-0 line 3012
EXT4-fs (sda1): resizing filesystem from 524032 to 256 blocks
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
EXT4-fs warning (device sda1): ext4_resize_fs:1900: can't shrink FS - resize aborted
EXT4-fs (sda1): resizing filesystem from 524032 to 256 blocks
EXT4-fs warning (device sda1): ext4_resize_fs:1900: can't shrink FS - resize aborted
nla_parse: 11 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1400 audit(1548174304.499:52): avc: denied { map } for pid=9357 comm="syz-executor1" path="/dev/net/tun" dev="devtmpfs" ino=1070 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1