====================================================== [ INFO: possible circular locking dependency detected ] 4.9.81-ga25ea24 #36 Not tainted ------------------------------------------------------- syz-executor3/5271 is trying to acquire lock: (&sb->s_type->i_mutex_key#10){++++++} but task is already holding lock: (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (ashmem_mutex){+.+.+.}: __mutex_lock_common kernel/locking/mutex.c:521 [inline] mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621 ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379 mmap_region+0x7dd/0xfd0 mm/mmap.c:1694 do_mmap+0x57b/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2019 [inline] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x47/0xc5 -> #1 (&mm->mmap_sem){++++++}: __might_fault+0x14a/0x1d0 mm/memory.c:3994 copy_to_user arch/x86/include/asm/uaccess.h:727 [inline] filldir+0x1aa/0x340 fs/readdir.c:195 dir_emit_dot include/linux/fs.h:3203 [inline] dir_emit_dots include/linux/fs.h:3214 [inline] dcache_readdir+0x12d/0x5e0 fs/libfs.c:191 iterate_dir+0x4a6/0x5d0 fs/readdir.c:50 SYSC_getdents fs/readdir.c:230 [inline] SyS_getdents+0x14a/0x2a0 fs/readdir.c:211 do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x47/0xc5 -> #0 (&sb->s_type->i_mutex_key#10){++++++}: lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 down_write+0x41/0xa0 kernel/locking/rwsem.c:52 inode_lock include/linux/fs.h:746 [inline] shmem_file_llseek+0xef/0x240 mm/shmem.c:2403 vfs_llseek+0xa2/0xd0 fs/read_write.c:301 ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355 vfs_llseek fs/read_write.c:301 [inline] SYSC_lseek fs/read_write.c:314 [inline] SyS_lseek+0xeb/0x170 fs/read_write.c:305 do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x47/0xc5 other info that might help us debug this: Chain exists of: &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex CPU0 CPU1 ---- ---- lock( ashmem_mutex); &mm->mmap_sem); ashmem_mutex); &sb->s_type->i_mutex_key#10); *** DEADLOCK *** 1 lock held by syz-executor3/5271: #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:343 stack backtrace: CPU: 0 PID: 5271 Comm: syz-executor3 Not tainted 4.9.81-ga25ea24 #36 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801b8e37b38 ffffffff81d94de9 ffffffff853a2b20 ffffffff853ac810 ffffffff853c3130 ffff8801b613e8d8 ffff8801b613e000 ffff8801b8e37b80 ffffffff81238741 ffff8801b613e8d8 00000000b613e8b0 ffff8801b613e8d8Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202 [] check_prev_add kernel/locking/lockdep.c:1828 [inline] [] check_prevs_add kernel/locking/lockdep.c:1938 [inline] [] validate_chain kernel/locking/lockdep.c:2265 [inline] [] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 [] down_write+0x41/0xa0 kernel/locking/rwsem.c:52 [] inode_lock include/linux/fs.h:746 [inline] [] shmem_file_llseek+0xef/0x240 mm/shmem.c:2403 [] vfs_llseek+0xa2/0xd0 fs/read_write.c:301 [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:355 [] vfs_llseek fs/read_write.c:301 [inline] [] SYSC_lseek fs/read_write.c:314 [inline] [] SyS_lseek+0xeb/0x170 fs/read_write.c:305 [] do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282 [] entry_SYSCALL_64_after_swapgs+0x47/0xc5 audit: type=1400 audit(1518849840.244:13): avc: denied { setgid } for pid=5288 comm="syz-executor0" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 keychord: invalid keycode count 0 keychord: invalid keycode count 0 IPVS: Creating netns size=2536 id=9 audit: type=1400 audit(1518849844.274:14): avc: denied { create } for pid=5625 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1518849844.304:15): avc: denied { write } for pid=5625 comm="syz-executor3" path="socket:[14879]" dev="sockfs" ino=14879 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 audit: type=1400 audit(1518849844.304:16): avc: denied { getopt } for pid=5625 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 capability: warning: `syz-executor4' uses 32-bit capabilities (legacy support in use) audit: type=1400 audit(1518849849.414:17): avc: denied { create } for pid=5828 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1 device lo entered promiscuous mode device eql entered promiscuous mode