====================================================== [ INFO: possible circular locking dependency detected ] 4.9.84-ga9d0273 #44 Not tainted ------------------------------------------------------- syz-executor2/25285 is trying to acquire lock: (&mm->mmap_sem){++++++}, at: [] __might_fault+0xe4/0x1d0 mm/memory.c:3993 but task is already holding lock: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline] (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 __mutex_lock_common kernel/locking/mutex.c:521 [inline] mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621 ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379 mmap_region+0x7dd/0xfd0 mm/mmap.c:1694 do_mmap+0x57b/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2019 [inline] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:329 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x47/0xc5 check_prev_add kernel/locking/lockdep.c:1828 [inline] check_prevs_add kernel/locking/lockdep.c:1938 [inline] validate_chain kernel/locking/lockdep.c:2265 [inline] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345 lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 __might_fault+0x14a/0x1d0 mm/memory.c:3994 copy_from_user arch/x86/include/asm/uaccess.h:705 [inline] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791 vfs_ioctl fs/ioctl.c:43 [inline] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 SYSC_ioctl fs/ioctl.c:694 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x47/0xc5 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&mm->mmap_sem); *** DEADLOCK *** 1 lock held by syz-executor2/25285: #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline] #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791 stack backtrace: CPU: 1 PID: 25285 Comm: syz-executor2 Not tainted 4.9.84-ga9d0273 #44 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdb6f908 ffffffff81d956b9 ffffffff853a2cd0 ffffffff853a2cd0 ffffffff853c32e0 ffff8801cbf4b8d8 ffff8801cbf4b000 ffff8801cdb6f950 ffffffff812387f1 ffff8801cbf4b8d8 00000000cbf4b8b0 ffff8801cbf4b8d8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202 [] check_prev_add kernel/locking/lockdep.c:1828 [inline] [] check_prevs_add kernel/locking/lockdep.c:1938 [inline] [] validate_chain kernel/locking/lockdep.c:2265 [inline] [] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345 [] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756 [] __might_fault+0x14a/0x1d0 mm/memory.c:3994 [] copy_from_user arch/x86/include/asm/uaccess.h:705 [inline] [] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline] [] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282 [] entry_SYSCALL_64_after_swapgs+0x47/0xc5 net_ratelimit: 173 callbacks suppressed IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 audit_printk_skb: 5 callbacks suppressed audit: type=1400 audit(1519637603.342:58): avc: denied { write } for pid=27131 comm="syz-executor4" name="net" dev="proc" ino=64806 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1 audit: type=1400 audit(1519637603.382:59): avc: denied { add_name } for pid=27131 comm="syz-executor4" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=dir permissive=1 audit: type=1400 audit(1519637603.402:60): avc: denied { create } for pid=27131 comm="syz-executor4" name="pfkey" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:insmod_t:s0 tclass=file permissive=1 audit: type=1400 audit(1519637603.922:61): avc: denied { setgid } for pid=27349 comm="syz-executor7" capability=6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 net_ratelimit: 118 callbacks suppressed IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1 IPv4: Oversized IP packet from 127.0.0.1