======================================================
[ INFO: possible circular locking dependency detected ]
4.4.174+ #4 Not tainted
-------------------------------------------------------
syz-executor.5/18784 is trying to acquire lock:
 (&pipe->mutex/1){+.+.+.}, at: [] __pipe_lock fs/pipe.c:86 [inline]
 (&pipe->mutex/1){+.+.+.}, at: [] fifo_open+0x15d/0xa00 fs/pipe.c:896

but task is already holding lock:
 (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 fs/exec.c:1225

which lock already depends on the new lock.

audit: type=1400 audit(1575147014.279:1720): avc: denied { set_context_mgr } for pid=18783 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 18783:18786 ioctl 40046207 0 returned -13
binder: 18783:18786 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18783:18786 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18783:18786 Release 1 refcount change on invalid ref 0 ret -22
audit: type=1400 audit(1575147014.319:1721): avc: denied { set_context_mgr } for pid=18783 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 18783:18789 ioctl 40046207 0 returned -13
binder: 18783:18791 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18783:18791 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18783:18791 Release 1 refcount change on invalid ref 0 ret -22

the existing dependency chain (in reverse order) is:

 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_interruptible_nested+0xd2/0xce0 kernel/locking/mutex.c:650
 [] proc_pid_attr_write+0x1a8/0x2a0 fs/proc/base.c:2524
 [] __vfs_write+0x116/0x3d0 fs/read_write.c:491
 [] __kernel_write+0x112/0x370 fs/read_write.c:513
 [] write_pipe_buf+0x15d/0x1f0 fs/splice.c:1074
 [] splice_from_pipe_feed fs/splice.c:776 [inline]
 [] __splice_from_pipe+0x37e/0x7a0 fs/splice.c:901
 [] splice_from_pipe+0x108/0x170 fs/splice.c:936
 [] default_file_splice_write+0x3c/0x80 fs/splice.c:1086
 [] do_splice_from fs/splice.c:1128 [inline]
 [] do_splice fs/splice.c:1404 [inline]
 [] SYSC_splice fs/splice.c:1707 [inline]
 [] SyS_splice+0xd71/0x13a0 fs/splice.c:1690
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

 [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621
 [] __pipe_lock fs/pipe.c:86 [inline]
 [] fifo_open+0x15d/0xa00 fs/pipe.c:896
 [] do_dentry_open+0x38f/0xbd0 fs/open.c:749
 [] vfs_open+0x10b/0x210 fs/open.c:862
 [] do_last fs/namei.c:3269 [inline]
 [] path_openat+0x136f/0x4470 fs/namei.c:3406
 [] do_filp_open+0x1a1/0x270 fs/namei.c:3440
 [] do_open_execat+0x10c/0x6e0 fs/exec.c:805
 [] do_execveat_common.isra.0+0x6f6/0x1e90 fs/exec.c:1577
 [] do_execve fs/exec.c:1683 [inline]
 [] SYSC_execve fs/exec.c:1764 [inline]
 [] SyS_execve+0x42/0x50 fs/exec.c:1759
 [] return_from_execve+0x0/0x23

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&sig->cred_guard_mutex);
                               lock(&pipe->mutex/1);
                               lock([ 670.773896] audit: type=1400 audit(1575147014.589:1722): avc: denied { set_context_mgr } for pid=18795 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 18795:18796 ioctl 40046207 0 returned -13
binder: 18795:18796 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18795:18796 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18795:18796 Release 1 refcount change on invalid ref 0 ret -22
&sig->cred_guard_mutex);
  lock(&pipe->mutex/1);

 *** DEADLOCK ***

1 lock held by syz-executor.5/18784:
 #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 fs/exec.c:1225

stack backtrace:
CPU: 0 PID: 18784 Comm: syz-executor.5 Not tainted 4.4.174+ #4
 0000000000000000 dfdd2eac0c486de4 ffff88008c7bf530 ffffffff81aad1a1
 ffffffff84057a80 ffff8801cfdadf00 ffffffff83abd610 ffffffff83ab6500
 ffffffff83abd610 ffff88008c7bf580 ffffffff813abcda ffff88008c7bf660
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [] print_circular_bug.cold+0x2f7/0x44e kernel/locking/lockdep.c:1226
 [] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
 [] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621
 [] __pipe_lock fs/pipe.c:86 [inline]
 [] fifo_open+0x15d/0xa00 fs/pipe.c:896
 [] do_dentry_open+0x38f/0xbd0 fs/open.c:749
 [] vfs_open+0x10b/0x210 fs/open.c:862
 [] do_last fs/namei.c:3269 [inline]
 [] path_openat+0x136f/0x4470 fs/namei.c:3406
 [] do_filp_open+0x1a1/0x270 fs/namei.c:3440
audit: type=1400 audit(1575147014.969:1723): avc: denied { set_context_mgr } for pid=18797 comm="syz-executor.1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 18797:18799 ioctl 40046207 0 returned -13
binder: 18797:18799 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18797:18799 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18797:18799 Release 1 refcount change on invalid ref 0 ret -22
 [] do_open_execat+0x10c/0x6e0 fs/exec.c:805
 [] do_execveat_common.isra.0+0x6f6/0x1e90 fs/exec.c:1577
 [] do_execve fs/exec.c:1683 [inline]
 [] SYSC_execve fs/exec.c:1764 [inline]
 [] SyS_execve+0x42/0x50 fs/exec.c:1759
 [] stub_execve+0x5/0x5 arch/x86/entry/entry_64.S:440
binder: 18812:18814 ioctl 40046207 0 returned -13
binder: 18812:18814 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18813:18815 ioctl 40046207 0 returned -13
binder: 18812:18814 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18813:18815 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18813:18815 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18812:18814 Release 1 refcount change on invalid ref 0 ret -22
binder: 18813:18815 Release 1 refcount change on invalid ref 0 ret -22
binder: 18831:18833 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18831:18833 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18831:18833 Release 1 refcount change on invalid ref 0 ret -22
binder: 18830:18832 ioctl 40046207 0 returned -13
binder: 18830:18832 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18830:18832 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18830:18832 Release 1 refcount change on invalid ref 0 ret -22
audit_printk_skb: 12 callbacks suppressed
audit: type=1400 audit(1575147017.399:1728): avc: denied { create } for pid=18841 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
binder: 18838:18839 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18838:18839 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18838:18839 Release 1 refcount change on invalid ref 0 ret -22
audit: type=1400 audit(1575147017.579:1729): avc: denied { set_context_mgr } for pid=18842 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 18842:18846 ioctl 40046207 0 returned -13
binder: 18842:18846 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18842:18846 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18842:18846 Release 1 refcount change on invalid ref 0 ret -22
audit: type=1400 audit(1575147017.819:1730): avc: denied { create } for pid=18841 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1575147018.119:1731): avc: denied { set_context_mgr } for pid=18865 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 18864:18867 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18864:18867 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18865:18868 ioctl 40046207 0 returned -13
binder: 18864:18867 Release 1 refcount change on invalid ref 0 ret -22
binder: 18871:18879 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18871:18879 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
audit: type=1400 audit(1575147018.459:1732): avc: denied { create } for pid=18870 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
binder: 18871:18879 Release 1 refcount change on invalid ref 0 ret -22
binder: 18882:18885 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18882:18885 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18882:18885 Release 1 refcount change on invalid ref 0 ret -22
binder: 18894:18898 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18894:18898 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
audit: type=1400 audit(1575147020.679:1733): avc: denied { create } for pid=18893 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
binder: 18894:18898 Release 1 refcount change on invalid ref 0 ret -22
binder: 18921:18922 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18921:18922 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18921:18922 Release 1 refcount change on invalid ref 0 ret -22
audit: type=1400 audit(1575147021.479:1734): avc: denied { set_context_mgr } for pid=18924 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 18924:18934 ioctl 40046207 0 returned -13
audit: type=1400 audit(1575147021.739:1735): avc: denied { create } for pid=18938 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
binder: 18942:18946 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18944:18947 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18944:18947 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18942:18946 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18944:18947 Release 1 refcount change on invalid ref 0 ret -22
binder: 18942:18946 Release 1 refcount change on invalid ref 0 ret -22
audit: type=1400 audit(1575147022.139:1736): avc: denied { set_context_mgr } for pid=18949 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 18953:18954 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18949:18951 ioctl 40046207 0 returned -13
binder: 18953:18954 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18953:18954 Release 1 refcount change on invalid ref 0 ret -22
binder: 18961:18965 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18961:18965 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18961:18965 Release 1 refcount change on invalid ref 0 ret -22
audit: type=1400 audit(1575147022.689:1737): avc: denied { create } for pid=18966 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1575147022.769:1738): avc: denied { set_context_mgr } for pid=18972 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 18972:18973 ioctl 40046207 0 returned -13
binder: 18978:18980 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18978:18980 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18978:18980 Release 1 refcount change on invalid ref 0 ret -22
binder: 18981:18983 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18981:18983 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18981:18983 Release 1 refcount change on invalid ref 0 ret -22
audit: type=1400 audit(1575147023.329:1739): avc: denied { set_context_mgr } for pid=18988 comm="syz-executor.2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
audit: type=1400 audit(1575147023.339:1740): avc: denied { create } for pid=18987 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
binder: 18989:18993 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18989:18993 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18989:18993 Release 1 refcount change on invalid ref 0 ret -22
binder: 18997:18999 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 18997:18999 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 18997:18999 Release 1 refcount change on invalid ref 0 ret -22
audit: type=1400 audit(1575147023.669:1741): avc: denied { create } for pid=19003 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
binder: 19004:19009 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 19004:19009 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 19004:19009 Release 1 refcount change on invalid ref 0 ret -22
binder: 18988:18991 ioctl 40046207 0 returned -13
binder: 19013:19015 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 19013:19015 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 19013:19015 Release 1 refcount change on invalid ref 0 ret -22
binder: 19020:19023 Acquire 1 refcount change on invalid ref 0 ret -22
binder: 19020:19023 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 19020:19023 Release 1 refcount change on invalid ref 0 ret -22