======================================================
[ INFO: possible circular locking dependency detected ]
4.9.86-gb324a70 #50 Not tainted
-------------------------------------------------------
syz-executor7/15556 is trying to acquire lock:
 (&mm->mmap_sem
but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
 (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (ashmem_mutex){+.+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
       ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379
       mmap_region+0x7dd/0xfd0 mm/mmap.c:1694
       do_mmap+0x57b/0xbe0 mm/mmap.c:1473
       do_mmap_pgoff include/linux/mm.h:2032 [inline]
       vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:329
       SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
       SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481
       SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
       SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
       do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

-> #0 (&mm->mmap_sem){++++++}:
       lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
       __might_fault+0x14a/0x1d0 mm/memory.c:4014
       copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
       ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
       ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
       vfs_ioctl fs/ioctl.c:43 [inline]
       do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
       SYSC_ioctl fs/ioctl.c:694 [inline]
       SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
       do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&mm->mmap_sem);

 *** DEADLOCK ***

1 lock held by syz-executor7/15556:
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
 #0:  (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791

stack backtrace:
CPU: 1 PID: 15556 Comm: syz-executor7 Not tainted 4.9.86-gb324a70 #50
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b27e7908 ffffffff81d956f9 ffffffff853a5db0 ffffffff853a5db0
 ffffffff853c4f80 ffff8801cba7a0d8 ffff8801cba79800 ffff8801b27e7950
 ffffffff812387f1 ffff8801cba7a0d8 00000000cba7a0b0 ffff8801cba7a0d8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 [] __might_fault+0x14a/0x1d0 mm/memory.c:4014
 [] copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
 [] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
 [] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
audit_printk_skb: 4362 callbacks suppressed
audit: type=1400 audit(1520338562.881:14831): avc: denied { net_admin } for pid=15607 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338562.881:14832): avc: denied { dac_override } for pid=15603 comm="syz-executor0" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338562.891:14833): avc: denied { net_admin } for pid=15622 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338562.891:14834): avc: denied { net_admin } for pid=15622 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338562.921:14835): avc: denied { net_admin } for pid=3767 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338562.921:14836): avc: denied { net_admin } for pid=3770 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338562.921:14837): avc: denied { net_admin } for pid=3770 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338562.921:14838): avc: denied { net_admin } for pid=3770 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338562.921:14839): avc: denied { net_admin } for pid=3770 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338562.921:14840): avc: denied { net_admin } for pid=3770 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
netlink: 36 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 36 bytes leftover after parsing attributes in process `syz-executor3'.
keychord: Insufficient bytes present for keycount 2
keychord: Insufficient bytes present for keycount 2
binder: BINDER_SET_CONTEXT_MGR already set
binder: 15829:15837 ioctl 40046207 0 returned -16
netlink: 100 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 100 bytes leftover after parsing attributes in process `syz-executor0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15873 comm=syz-executor5
l2tp_ppp: tunl 4: get L2TP stats
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16269:16271 ioctl 40046207 0 returned -16
binder: 16269:16271 BC_FREE_BUFFER u0000000000000000 no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16269:16271 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16269:16274 ioctl 40046207 0 returned -16
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
IPVS: Creating netns size=2536 id=16
IPVS: Creating netns size=2536 id=17
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
netlink: 25 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 25 bytes leftover after parsing attributes in process `syz-executor3'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=25666 sclass=netlink_route_socket pig=16397 comm=syz-executor7
netlink: 180 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 180 bytes leftover after parsing attributes in process `syz-executor4'.
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1121 sclass=netlink_route_socket pig=16501 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1121 sclass=netlink_route_socket pig=16511 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=35 sclass=netlink_route_socket pig=16508 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=35 sclass=netlink_route_socket pig=16508 comm=syz-executor4
binder: 16546:16565 unknown command -767270143
binder: 16546:16565 ioctl c0306201 2000a000 returned -22
binder_alloc: binder_alloc_mmap_handler: 16546 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16546:16581 ioctl 40046207 0 returned -16
binder_alloc: 16546: binder_alloc_buf, no vma
binder: 16546:16581 transaction failed 29189/-3, size 0-0 line 3127
binder: 16546:16592 unknown command -767270143
binder: 16546:16592 ioctl c0306201 2000a000 returned -22
audit_printk_skb: 3608 callbacks suppressed
audit: type=1400 audit(1520338567.901:16044): avc: denied { net_admin } for pid=11490 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338567.941:16045): avc: denied { net_admin } for pid=11490 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: release 16546:16553 transaction 87 out, still active
audit: type=1400 audit(1520338567.971:16046): avc: denied { net_admin } for pid=11490 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338568.001:16047): avc: denied { net_admin } for pid=11490 comm="syz-executor3" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
binder: undelivered TRANSACTION_COMPLETE
binder: release 16546:16565 transaction 87 in, still active
binder: send failed reply for transaction 87, target dead
audit: type=1400 audit(1520338568.031:16048): avc: denied { net_admin } for pid=16594 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338568.031:16049): avc: denied { sys_admin } for pid=16597 comm="syz-executor0" capability=21 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338568.041:16050): avc: denied { net_admin } for pid=16594 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338568.041:16051): avc: denied { dac_override } for pid=16599 comm="syz-executor6" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338568.051:16052): avc: denied { net_admin } for pid=3749 comm="syz-executor4" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1520338568.051:16053): avc: denied { net_admin } for pid=3749 comm="syz-executor4" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55294 sclass=netlink_route_socket pig=16645 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55294 sclass=netlink_route_socket pig=16650 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=29184 sclass=netlink_route_socket pig=16660 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=35 sclass=netlink_tcpdiag_socket pig=16691 comm=syz-executor7
binder: 16694:16713 got transaction with invalid data ptr
binder: 16694:16713 transaction failed 29201/-14, size 40-8 line 3146
binder_alloc: binder_alloc_mmap_handler: 16694 20ffb000-20ffe000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16694:16713 ioctl 40046207 0 returned -16
binder_alloc: 16694: binder_alloc_buf, no vma
binder: 16694:16718 transaction failed 29189/-3, size 40-8 line 3127
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 16694:16697 transaction 91 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: send failed reply for transaction 91, target dead
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16946:16947 ioctl 40046207 0 returned -16
binder: tried to use weak ref as strong ref
binder: 16946:16947 Release 1 refcount change on invalid ref 0 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16946:16947 ioctl 40046207 0 returned -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 16946:16964 ioctl 40046207 0 returned -16
syz-executor6: vmalloc: allocation failure: 0 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 0 PID: 16970 Comm: syz-executor6 Not tainted 4.9.86-gb324a70 #50
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b0e178f0 ffffffff81d956f9 1ffff100361c2f21 ffff8801c4eac800
 ffffffff83ab9520 0000000000000001 0000000000400000 ffff8801b0e17a00
 ffffffff81451c92 024000c2b0e17970 0000000041b58ab3 ffffffff84195b35
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3056
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] sel_write_load+0x130/0xfd0 security/selinux/selinuxfs.c:514
 [] __vfs_write+0x103/0x680 fs/read_write.c:507
 [] vfs_write+0x189/0x530 fs/read_write.c:557
 [] SYSC_pwrite64 fs/read_write.c:646 [inline]
 [] SyS_pwrite64+0x13f/0x170 fs/read_write.c:633
 [] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Mem-Info:
active_anon:55818 inactive_anon:43 isolated_anon:0
 active_file:3675 inactive_file:8592 isolated_file:0
 unevictable:0 dirty:98 writeback:0 unstable:0
 slab_reclaimable:6390 slab_unreclaimable:59212
 mapped:24316 shmem:50 pagetables:635 bounce:0
 free:1473347 free_pcp:551 free_cma:0
Node 0 active_anon:223272kB inactive_anon:172kB active_file:14700kB inactive_file:34368kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:97264kB dirty:392kB writeback:0kB shmem:200kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 122880kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
DMA32 free:2979944kB min:30592kB low:38240kB high:45888kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129292kB managed:2980716kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:772kB local_pcp:48kB free_cma:0kB
Normal free:2897536kB min:36824kB low:46028kB high:55232kB active_anon:223272kB inactive_anon:172kB active_file:14700kB inactive_file:34368kB unevictable:0kB writepending:392kB present:4718592kB managed:3585212kB mlocked:0kB slab_reclaimable:25560kB slab_unreclaimable:236848kB kernel_stack:5632kB pagetables:2540kB bounce:0kB free_pcp:1432kB local_pcp:716kB free_cma:0kB
DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
12316 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
320510 pages reserved
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=788 sclass=netlink_xfrm_socket pig=17197 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=788 sclass=netlink_xfrm_socket pig=17197 comm=syz-executor1
binder: 17236:17241 transaction failed 29189/-22, size 0-0 line 3004
netlink: 37 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 37 bytes leftover after parsing attributes in process `syz-executor6'.
binder: undelivered TRANSACTION_ERROR: 29189
sg_write: data in/out 36083/1 bytes for SCSI command 0xe2-- guessing data in; program syz-executor5 not setting count and/or reply_len properly
binder: 17249:17257 DecRefs 0 refcount change on invalid ref 0 ret -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 17249:17259 ioctl 40046207 0 returned -16
binder: 17249:17259 DecRefs 0 refcount change on invalid ref 0 ret -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=700 sclass=netlink_route_socket pig=17262 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=700 sclass=netlink_route_socket pig=17262 comm=syz-executor6
sg_write: data in/out 36083/1 bytes for SCSI command 0xe2-- guessing data in; program syz-executor5 not setting count and/or reply_len properly
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=22254 sclass=netlink_route_socket pig=17398 comm=syz-executor2