====================================================== WARNING: possible circular locking dependency detected 4.16.0-rc4+ #347 Not tainted ------------------------------------------------------ syz-executor7/6381 is trying to acquire lock: (&sb->s_type->i_mutex_key#11){++++}, at: [<00000000ee2bd6cb>] inode_lock include/linux/fs.h:713 [inline] (&sb->s_type->i_mutex_key#11){++++}, at: [<00000000ee2bd6cb>] shmem_file_llseek+0xef/0x240 mm/shmem.c:2579 but task is already holding lock: (ashmem_mutex){+.+.}, at: [<0000000092d6baf3>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:326 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (ashmem_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362 call_mmap include/linux/fs.h:1786 [inline] mmap_region+0xa99/0x15a0 mm/mmap.c:1705 do_mmap+0x6c0/0xe00 mm/mmap.c:1483 do_mmap_pgoff include/linux/mm.h:2223 [inline] vm_mmap_pgoff+0x1de/0x280 mm/util.c:355 SYSC_mmap_pgoff mm/mmap.c:1533 [inline] SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491 SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #1 (&mm->mmap_sem){++++}: __might_fault+0x13a/0x1d0 mm/memory.c:4571 _copy_to_user+0x2c/0xc0 lib/usercopy.c:25 copy_to_user include/linux/uaccess.h:155 [inline] filldir+0x1a7/0x320 fs/readdir.c:196 dir_emit_dot include/linux/fs.h:3370 [inline] dir_emit_dots include/linux/fs.h:3381 [inline] dcache_readdir+0x12d/0x5e0 fs/libfs.c:192 iterate_dir+0x1ca/0x530 fs/readdir.c:51 SYSC_getdents fs/readdir.c:231 [inline] SyS_getdents+0x225/0x450 fs/readdir.c:212 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #0 (&sb->s_type->i_mutex_key#11){++++}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 down_write+0x87/0x120 kernel/locking/rwsem.c:70 inode_lock include/linux/fs.h:713 [inline] shmem_file_llseek+0xef/0x240 mm/shmem.c:2579 vfs_llseek+0xa2/0xd0 fs/read_write.c:300 ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:338 vfs_llseek fs/read_write.c:300 [inline] SYSC_lseek fs/read_write.c:313 [inline] SyS_lseek+0xeb/0x170 fs/read_write.c:304 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 other info that might help us debug this: Chain exists of: &sb->s_type->i_mutex_key#11 --> &mm->mmap_sem --> ashmem_mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&sb->s_type->i_mutex_key#11); *** DEADLOCK *** 1 lock held by syz-executor7/6381: #0: (ashmem_mutex){+.+.}, at: [<0000000092d6baf3>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:326 stack backtrace: CPU: 0 PID: 6381 Comm: syz-executor7 Not tainted 4.16.0-rc4+ #347 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223 check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1976 [inline] validate_chain kernel/locking/lockdep.c:2417 [inline] __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 down_write+0x87/0x120 kernel/locking/rwsem.c:70 inode_lock include/linux/fs.h:713 [inline] shmem_file_llseek+0xef/0x240 mm/shmem.c:2579 vfs_llseek+0xa2/0xd0 fs/read_write.c:300 ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:338 vfs_llseek fs/read_write.c:300 [inline] SYSC_lseek fs/read_write.c:313 [inline] SyS_lseek+0xeb/0x170 fs/read_write.c:304 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453e69 RSP: 002b:00007f3864c19c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000008 RAX: ffffffffffffffda RBX: 00007f3864c1a6d4 RCX: 0000000000453e69 RDX: 0000200000000004 RSI: 0000000000000004 RDI: 0000000000000014 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000003da R14: 00000000006f5d10 R15: 0000000000000000 syz-executor0 (6401): attempted to duplicate a private mapping with mremap. This is not supported. IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 0 PID: 6775 Comm: syz-executor5 Not tainted 4.16.0-rc4+ #347 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc_trace+0x4b/0x740 mm/slab.c:3605 kmalloc include/linux/slab.h:512 [inline] kzalloc include/linux/slab.h:701 [inline] perf_event_alloc+0x200/0x2b00 kernel/events/core.c:9428 SYSC_perf_event_open+0x84e/0x2e00 kernel/events/core.c:9997 SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9883 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453e69 RSP: 002b:00007f9520043c68 EFLAGS: 00000246 ORIG_RAX: 000000000000012a RAX: ffffffffffffffda RBX: 00007f95200446d4 RCX: 0000000000453e69 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020014f88 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000013 R13: 0000000000000447 R14: 00000000006f6748 R15: 0000000000000000 FAULT_INJECTION: forcing a failure. name fail_page_alloc, interval 1, probability 0, space 0, times 1 CPU: 0 PID: 6807 Comm: syz-executor5 Not tainted 4.16.0-rc4+ #347 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_fail_alloc_page mm/page_alloc.c:2959 [inline] prepare_alloc_pages mm/page_alloc.c:4198 [inline] __alloc_pages_nodemask+0x327/0xdd0 mm/page_alloc.c:4237 __alloc_pages include/linux/gfp.h:456 [inline] __alloc_pages_node include/linux/gfp.h:469 [inline] kmem_getpages mm/slab.c:1410 [inline] cache_grow_begin+0x72/0x640 mm/slab.c:2665 cache_alloc_refill mm/slab.c:3032 [inline] ____cache_alloc mm/slab.c:3114 [inline] __do_cache_alloc mm/slab.c:3336 [inline] slab_alloc mm/slab.c:3371 [inline] kmem_cache_alloc_trace+0x3f1/0x740 mm/slab.c:3605 kmalloc include/linux/slab.h:512 [inline] kzalloc include/linux/slab.h:701 [inline] perf_event_alloc+0x200/0x2b00 kernel/events/core.c:9428 SYSC_perf_event_open+0x84e/0x2e00 kernel/events/core.c:9997 SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9883 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453e69 RSP: 002b:00007f9520043c68 EFLAGS: 00000246 ORIG_RAX: 000000000000012a RAX: ffffffffffffffda RBX: 00007f95200446d4 RCX: 0000000000453e69 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020014f88 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000013 R13: 0000000000000447 R14: 00000000006f6748 R15: 0000000000000001 kauditd_printk_skb: 21 callbacks suppressed audit: type=1400 audit(1520638415.633:43): avc: denied { map } for pid=6844 comm="syz-executor3" path="socket:[18568]" dev="sockfs" ino=18568 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=socket permissive=1 QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl audit: type=1400 audit(1520638420.237:44): avc: denied { setgid } for pid=7518 comm="syz-executor0" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1