======================================================
[ INFO: possible circular locking dependency detected ]
4.9.84-ga9d0273 #52 Not tainted
-------------------------------------------------------
syz-executor5/10138 is trying to acquire lock:
 (&mm->mmap_sem){++++++}, at: __might_fault+0xe4/0x1d0 mm/memory.c:3993

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
 (ashmem_mutex){+.+.+.}, at: ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.+.}:
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
       ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379
       mmap_region+0x7dd/0xfd0 mm/mmap.c:1694
       do_mmap+0x57b/0xbe0 mm/mmap.c:1473
       do_mmap_pgoff include/linux/mm.h:2019 [inline]
       vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:329
       SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
       SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481
       do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
       do_fast_syscall_32+0x2f5/0x870 arch/x86/entry/common.c:387
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

-> #0 (&mm->mmap_sem){++++++}:
       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __might_fault+0x14a/0x1d0 mm/memory.c:3994
       copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
       ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
       compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:822
       C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
       compat_SyS_ioctl+0x15f/0x2050 fs/compat_ioctl.c:1549
       do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
       do_fast_syscall_32+0x2f5/0x870 arch/x86/entry/common.c:387
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor5/10138:
 #0:  (ashmem_mutex){+.+.+.}, at: ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
 #0:  (ashmem_mutex){+.+.+.}, at: ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791

stack backtrace:
CPU: 0 PID: 10138 Comm: syz-executor5 Not tainted 4.9.84-ga9d0273 #52
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cafb7a38 ffffffff81d956b9 ffffffff853a2cd0 ffffffff853a2cd0
 ffffffff853c2f80 ffff8801c12f38d8 ffff8801c12f3000 ffff8801cafb7a80
 ffffffff812387f1 ffff8801c12f38d8 00000000c12f38b0 ffff8801c12f38d8
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
 check_prev_add kernel/locking/lockdep.c:1828 [inline]
 check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 validate_chain kernel/locking/lockdep.c:2265 [inline]
 __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
 lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 __might_fault+0x14a/0x1d0 mm/memory.c:3994
 copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
 ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
 ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
 compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:822
 C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
 compat_SyS_ioctl+0x15f/0x2050 fs/compat_ioctl.c:1549
 do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
 do_fast_syscall_32+0x2f5/0x870 arch/x86/entry/common.c:387
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137
IPv4: Oversized IP packet from 127.0.0.1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
device eql entered promiscuous mode
binder: 11133:11138 unknown command 536907575
binder: 11133:11138 ioctl c0306201 20008fd0 returned -22
binder: 11133:11140 BC_CLEAR_DEATH_NOTIFICATION death notification not active
binder: 11133:11140 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: undelivered death notification, 0000000000000000
TCP: request_sock_TCP: Possible SYN flooding on port 20006. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
TCP: request_sock_TCP: Possible SYN flooding on port 20018. Sending cookies. Check SNMP counters.
audit: type=1400 audit(1519637122.895:45): avc: denied { setgid } for pid=11292 comm="syz-executor5" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
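The lockdep report above is a lock-order inversion between two syscall paths: mmap(2) on an ashmem fd takes ashmem_mutex in ashmem_mmap() while mmap_region() already holds mmap_sem, whereas the ASHMEM_PIN/UNPIN ioctl takes ashmem_mutex in ashmem_pin_unpin() and then calls copy_from_user(), which may fault and take mmap_sem under the mutex. The following is an added example, not kernel code and not the ashmem driver's source: a userspace C model of how lockdep turns those two traces into the "possible circular locking dependency" verdict, plus a check of the usual remedy for this pattern, copying the user buffer before taking the mutex. Lock names and acquisition sites are the ones in the report; the dependency graph, task structure and the "fixed" ioctl path are constructions for this example, and mmap_sem is modelled as a plain lock although lockdep records a read acquisition in __might_fault().

```c
/*
 * Added example, not kernel code: a userspace model of how lockdep derives the
 * "possible circular locking dependency" report above. Taking a lock while others
 * are held records an edge held -> new; if 'new' already reaches 'held' through
 * recorded edges, the order was inverted somewhere and a deadlock is possible.
 * Lock names and sites are from the report. mmap_sem is modelled as a plain lock
 * (lockdep tracks a read acquisition in __might_fault()); each path uses its own
 * held set which is simply discarded, so releases are not modelled.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { ASHMEM_MUTEX = 0, MMAP_SEM = 1, NLOCKS = 2, MAX_HELD = 8 };
static const char *lock_name[NLOCKS] = { "ashmem_mutex", "&mm->mmap_sem" };
/* depends[a][b]: site where b was first taken while a was held; NULL if never. */
static const char *depends[NLOCKS][NLOCKS];

struct task { int held[MAX_HELD]; int nheld; };

static void lockdep_reset(void) { memset(depends, 0, sizeof depends); }

/* True if from -> ... -> to exists in the recorded dependency graph. */
static bool reaches(int from, int to, unsigned seen)
{
    if (from == to)
        return true;
    seen |= 1u << from;
    for (int n = 0; n < NLOCKS; n++)
        if (depends[from][n] && !(seen & (1u << n)) && reaches(n, to, seen))
            return true;
    return false;
}

/* Take 'lock' at 'site'; returns true if that closes a cycle. */
static bool lockdep_acquire(struct task *t, int lock, const char *site)
{
    bool circular = false;

    for (int i = 0; i < t->nheld; i++) {
        int held = t->held[i];
        if (reaches(lock, held, 0)) {
            printf("possible circular locking dependency: %s at %s while holding %s,\n"
                   "  but %s was already taken while holding %s at %s\n", lock_name[lock], site,
                   lock_name[held], lock_name[held], lock_name[lock],
                   depends[lock][held] ? depends[lock][held] : "(transitive)");
            circular = true;
        }
        if (!depends[held][lock])
            depends[held][lock] = site;
    }
    if (t->nheld < MAX_HELD)
        t->held[t->nheld++] = lock;
    return circular;
}

/* mmap(2) on an ashmem fd: mmap_region() holds mmap_sem, ashmem_mmap() takes ashmem_mutex. */
static bool path_mmap(void)
{
    struct task t = { { 0 }, 0 };
    bool bad = lockdep_acquire(&t, MMAP_SEM, "mm/mmap.c:1694 mmap_region");

    return bad | lockdep_acquire(&t, ASHMEM_MUTEX, "drivers/staging/android/ashmem.c:379 ashmem_mmap");
}

/*
 * ASHMEM_PIN/UNPIN ioctl. As reported (fixed == false): ashmem_pin_unpin() takes
 * ashmem_mutex, then copy_from_user() may fault and take mmap_sem. The remedy
 * modelled here (fixed == true, a construction for this example): copy the user
 * struct before mutex_lock(), so no fault can happen with ashmem_mutex held.
 */
static bool path_pin_unpin_ioctl(bool fixed)
{
    struct task t = { { 0 }, 0 }, copy = { { 0 }, 0 };
    bool bad = false;

    if (fixed)   /* fault taken with nothing held: no edge is recorded */
        bad |= lockdep_acquire(&copy, MMAP_SEM, "copy_from_user before mutex_lock (fixed)");
    bad |= lockdep_acquire(&t, ASHMEM_MUTEX, "drivers/staging/android/ashmem.c:714 ashmem_pin_unpin");
    if (!fixed)  /* fault taken under the mutex: records ashmem_mutex -> mmap_sem */
        bad |= lockdep_acquire(&t, MMAP_SEM, "mm/memory.c:3993 __might_fault via copy_from_user");
    return bad;
}

/* Fresh lockdep state, both paths in the given order; true if a cycle was reported. */
static bool detect_inversion(bool fixed, bool mmap_first)
{
    lockdep_reset();
    bool a = mmap_first ? path_mmap() : path_pin_unpin_ioctl(fixed);
    bool b = mmap_first ? path_pin_unpin_ioctl(fixed) : path_mmap();
    return a | b;
}

int main(void)
{
    printf("as reported : %s\n", detect_inversion(false, true) ? "DEADLOCK possible" : "ok");
    printf("copy hoisted: %s\n", detect_inversion(true, true) ? "DEADLOCK possible" : "ok");
    return 0;
}
```

Both orderings of the two paths are tried because lockdep's verdict depends only on the edges recorded so far, not on which syscall happened to run first on the fuzzer; that is why the report can fire on the ioctl even though the inverted edge came from an earlier mmap. With the user copy hoisted out of the mutex, no ashmem_mutex -> mmap_sem edge is ever recorded and the check stays quiet.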
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 11310 Comm: syz-executor0 Not tainted 4.9.84-ga9d0273 #52
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b9d07760 ffffffff81d956b9 ffff8801b9d07a40 0000000000000000
 ffff8801ce6ea710 ffff8801b9d07930 ffff8801ce6ea600 ffff8801b9d07958
 ffffffff816626da ffff8801c2b88000 ffff8801b9d078b0 00000001b5609067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa3a/0x1310 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1407
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:939
 compat_get_timespec+0xc3/0xf0 kernel/compat.c:180
 C_SYSC_rt_sigtimedwait+0x140/0x1f0 kernel/compat.c:1014
 compat_SyS_rt_sigtimedwait+0x2d/0x40 kernel/compat.c:996
 do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
 do_fast_syscall_32+0x2f5/0x870 arch/x86/entry/common.c:387
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137
TCP: request_sock_TCPv6: Possible SYN flooding on port 20026. Sending cookies. Check SNMP counters.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=771 sclass=netlink_xfrm_socket pig=11522 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=771 sclass=netlink_xfrm_socket pig=11549 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=771 sclass=netlink_xfrm_socket pig=11572 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=771 sclass=netlink_xfrm_socket pig=11579 comm=syz-executor1