[ INFO: possible circular locking dependency detected ]
4.9.84-ga9d0273 #52 Not tainted
-------------------------------------------------------
syz-executor7/5821 is trying to acquire lock:
 (&mm->mmap_sem){++++++}, at: [] __might_fault+0xe4/0x1d0 mm/memory.c:3993
but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
 (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791
which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.+.}:
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
       ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379
       mmap_region+0x7dd/0xfd0 mm/mmap.c:1694
       do_mmap+0x57b/0xbe0 mm/mmap.c:1473
       do_mmap_pgoff include/linux/mm.h:2019 [inline]
       vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:329
       SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
       SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481
       do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
       do_fast_syscall_32+0x2f5/0x870 arch/x86/entry/common.c:387
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

-> #0 (&mm->mmap_sem){++++++}:
       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __might_fault+0x14a/0x1d0 mm/memory.c:3994
       copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
       ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
       compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:822
       C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
       compat_SyS_ioctl+0x15f/0x2050 fs/compat_ioctl.c:1549
       do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
       do_fast_syscall_32+0x2f5/0x870 arch/x86/entry/common.c:387
       entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor7/5821:
 #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
 #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791

stack backtrace:
CPU: 1 PID: 5821 Comm: syz-executor7 Not tainted 4.9.84-ga9d0273 #52
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d98f7a38 ffffffff81d956b9 ffffffff853a3a50 ffffffff853a3a50
 ffffffff853c32e0 ffff8801d84468d8 ffff8801d8446000 ffff8801d98f7a80
 ffffffff812387f1 ffff8801d84468d8 00000000d84468b0 ffff8801d84468d8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 [] __might_fault+0x14a/0x1d0 mm/memory.c:3994
 [] copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
 [] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
 [] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
 [] compat_ashmem_ioctl+0x3e/0x50 drivers/staging/android/ashmem.c:822
 [] C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
 [] compat_SyS_ioctl+0x15f/0x2050 fs/compat_ioctl.c:1549
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
 [] do_fast_syscall_32+0x2f5/0x870 arch/x86/entry/common.c:387
 [] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137
binder: 5834:5835 unknown command 1075077893
binder: 5834:5835 ioctl c0306201 20012000 returned -22
binder: 5834:5835 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 5834:5835 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5812:5850 ioctl 40046207 0 returned -16
binder_alloc: 5812: binder_alloc_buf, no vma
binder: 5812:5850 transaction failed 29189/-3, size 0-8 line 3127
binder_alloc: 5812: binder_alloc_buf, no vma
binder: 5812:5831 transaction failed 29189/-3, size 0-0 line 3127
binder: 5834:5854 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 5834:5854 BC_DEAD_BINDER_DONE 0000000000000003 not found
binder: 5834:5862 unknown command 1075077893
binder: 5834:5862 ioctl c0306201 20012000 returned -22
binder: 5834:5862 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 5834:5854 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 5834:5862 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 5812:5818 transaction failed 29201/-22, size 0-8 line 3190
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 15 to 5812:5831
binder: undelivered TRANSACTION_COMPLETE
binder: 5870:5879 got transaction with invalid offset (0, min 0 max 0) or object.
binder: 5870:5879 transaction failed 29201/-22, size 0-8 line 3190
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5898:5903 ioctl 40046207 0 returned -16
binder_alloc: 5870: binder_alloc_buf, no vma
binder: 5898:5903 transaction failed 29189/-3, size 0-8 line 3127
binder_alloc: 5870: binder_alloc_buf, no vma
binder: 5898:5903 transaction failed 29189/-3, size 0-0 line 3127
binder: release 5870:5879 transaction 22 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: send failed reply for transaction 22, target dead
netlink: 8 bytes leftover after parsing attributes in process `syz-executor0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=11034 sclass=netlink_route_socket pig=6002 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6245 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6272 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6301 comm=syz-executor6
audit_printk_skb: 3 callbacks suppressed
audit: type=1400 audit(1519646161.439:16): avc: denied { create } for pid=6452 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
audit: type=1400 audit(1519646161.889:17): avc: denied { connect } for pid=6621 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1519646162.139:18): avc: denied { getopt } for pid=6726 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1519646162.169:19): avc: denied { getattr } for pid=6726 comm="syz-executor3" path="socket:[17581]" dev="sockfs" ino=17581 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6786 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=61023 sclass=netlink_route_socket pig=6794 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=6794 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=61023 sclass=netlink_route_socket pig=6809 comm=syz-executor3
IPVS: Creating netns size=2536 id=9
audit: type=1400 audit(1519646163.029:20): avc: denied { setgid } for pid=7079 comm="syz-executor3" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
capability: warning: `syz-executor0' uses deprecated v2 capabilities in a way that may be insecure
audit: type=1400 audit(1519646163.249:21): avc: denied { read } for pid=7156 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1519646163.719:22): avc: denied { ioctl } for pid=7337 comm="syz-executor3" path="socket:[18284]" dev="sockfs" ino=18284 ioctlcmd=0x8904 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=7427 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=7433 comm=syz-executor3
audit: type=1400 audit(1519646164.399:23): avc: denied { setuid } for pid=7620 comm="syz-executor6" capability=7 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1519646164.779:24): avc: denied { create } for pid=7801 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1
audit: type=1400 audit(1519646165.339:25): avc: denied { write } for pid=8044 comm="syz-executor2" name="net" dev="proc" ino=20158 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=770 sclass=netlink_xfrm_socket pig=8427 comm=syz-executor5
audit_printk_skb: 12 callbacks suppressed
audit: type=1400 audit(1519646166.509:30): avc: denied { create } for pid=8520 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1