====================================================== [ INFO: possible circular locking dependency detected ] 4.9.84-ga9d0273 #44 Not tainted ------------------------------------------------------- syz-executor7/11835 is trying to acquire lock: (&mm->mmap_sem){++++++}, at: [] __might_fault+0xe4/0x1d0 mm/memory.c:3993 but task is already holding lock: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline] (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 __mutex_lock_common kernel/locking/mutex.c:521 [inline] mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621 ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379 mmap_region+0x7dd/0xfd0 mm/mmap.c:1694 do_mmap+0x57b/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2019 [inline] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:329 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x47/0xc5 check_prev_add kernel/locking/lockdep.c:1828 [inline] check_prevs_add kernel/locking/lockdep.c:1938 [inline] validate_chain kernel/locking/lockdep.c:2265 [inline] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345 lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 __might_fault+0x14a/0x1d0 mm/memory.c:3994 copy_from_user arch/x86/include/asm/uaccess.h:705 [inline] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791 vfs_ioctl fs/ioctl.c:43 [inline] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 SYSC_ioctl fs/ioctl.c:694 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x47/0xc5 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by syz-executor7/11835: #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline] #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791 stack backtrace: CPU: 1 PID: 11835 Comm: syz-executor7 Not tainted 4.9.84-ga9d0273 #44 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801b431f908 ffffffff81d956b9 ffffffff853a3db0 ffffffff853a3db0 ffffffff853c2f80 ffff8801b40cd0d8 ffff8801b40cc800 ffff8801b431f950 ffffffff812387f1 ffff8801b40cd0d8 00000000b40cd0b0 ffff8801b40cd0d8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202 [] check_prev_add kernel/locking/lockdep.c:1828 [inline] [] check_prevs_add kernel/locking/lockdep.c:1938 [inline] [] validate_chain kernel/locking/lockdep.c:2265 [inline] [] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 [] __might_fault+0x14a/0x1d0 mm/memory.c:3994 [] copy_from_user arch/x86/include/asm/uaccess.h:705 [inline] [] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline] [] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282 [] entry_SYSCALL_64_after_swapgs+0x47/0xc5 TCP: request_sock_TCPv6: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519640258.941:37): avc: denied { setpcap } for pid=11885 comm="syz-executor1" capability=8 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 TCP: request_sock_TCPv6: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. TCP: request_sock_TCPv6: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. TCP: request_sock_TCPv6: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. IPVS: Creating netns size=2536 id=15 IPVS: Creating netns size=2536 id=16 TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. IPVS: Creating netns size=2536 id=17 IPVS: Creating netns size=2536 id=18 TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20006. Sending cookies. Check SNMP counters. pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519640262.291:38): avc: denied { net_admin } for pid=5659 comm="syz-executor4" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519640262.291:39): avc: denied { dac_override } for pid=12510 comm="syz-executor1" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519640262.371:40): avc: denied { dac_override } for pid=12510 comm="syz-executor1" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519640262.481:41): avc: denied { net_admin } for pid=3882 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519640262.561:42): avc: denied { dac_override } for pid=12562 comm="syz-executor3" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519640262.561:43): avc: denied { net_admin } for pid=7528 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519640262.691:44): avc: denied { net_admin } for pid=6075 comm="syz-executor2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519640262.691:45): avc: denied { dac_override } for pid=12611 comm="syz-executor4" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519640263.131:46): avc: denied { create } for pid=12796 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=50543 sclass=netlink_route_socket pig=12876 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=50543 sclass=netlink_route_socket pig=12876 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=12965 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=12965 comm=syz-executor2 capability: warning: `syz-executor5' uses deprecated v2 capabilities in a way that may be insecure TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. audit_printk_skb: 9 callbacks suppressed audit: type=1400 audit(1519640264.221:50): avc: denied { write } for pid=13226 comm="syz-executor2" name="net" dev="proc" ino=30824 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1 TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519640264.281:51): avc: denied { add_name } for pid=13226 comm="syz-executor2" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1 audit: type=1400 audit(1519640264.301:52): avc: denied { create } for pid=13226 comm="syz-executor2" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:insmod_t:s0 tclass=file permissive=1 TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519640265.861:53): avc: denied { setattr } for pid=13973 comm="syz-executor1" name="smaps" dev="proc" ino=32501 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=file permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=7243 sclass=netlink_route_socket pig=14216 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=26982 sclass=netlink_route_socket pig=14216 comm=syz-executor2 audit: type=1400 audit(1519640266.521:54): avc: denied { sys_chroot } for pid=14333 comm="syz-executor5" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1519640266.571:55): avc: denied { setgid } for pid=14367 comm="syz-executor2" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 : renamed from gre0 : renamed from gre0 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=17686 sclass=netlink_route_socket pig=14887 comm=syz-executor2 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=17686 sclass=netlink_route_socket pig=14887 comm=syz-executor2 TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519640268.121:56): avc: denied { create } for pid=15145 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 device eql entered promiscuous mode TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies. Check SNMP counters. audit: type=1400 audit(1519640268.341:57): avc: denied { write } for pid=15224 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 audit: type=1400 audit(1519640268.371:58): avc: denied { getopt } for pid=15224 comm="syz-executor6" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1