====================================================== [ INFO: possible circular locking dependency detected ] 4.4.120-gd63fdf6 #29 Not tainted ------------------------------------------------------- syz-executor6/6741 is trying to acquire lock: (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816 but task is already holding lock: (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621 [] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366 [] mmap_region+0x94f/0x1250 mm/mmap.c:1664 [] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441 [] do_mmap_pgoff include/linux/mm.h:1915 [inline] [] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296 [] SYSC_mmap_pgoff mm/mmap.c:1491 [inline] [] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __might_fault+0x14a/0x1d0 mm/memory.c:3810 [] copy_to_user arch/x86/include/asm/uaccess.h:760 [inline] [] filldir+0x162/0x2d0 fs/readdir.c:180 [] dir_emit_dot include/linux/fs.h:3070 [inline] [] dir_emit_dots include/linux/fs.h:3081 [inline] [] dcache_readdir+0x11e/0x7b0 fs/libfs.c:150 [] iterate_dir+0x1c8/0x420 fs/readdir.c:42 [] SYSC_getdents fs/readdir.c:215 [inline] [] SyS_getdents+0x14a/0x270 fs/readdir.c:196 [] entry_SYSCALL_64_fastpath+0x1c/0x98 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621 [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816 [] vfs_llseek+0xa2/0xd0 fs/read_write.c:260 [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342 [] vfs_llseek fs/read_write.c:260 [inline] [] SYSC_lseek fs/read_write.c:285 [inline] [] SyS_lseek fs/read_write.c:276 [inline] [] C_SYSC_lseek fs/read_write.c:297 [inline] [] compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 other info that might help us debug this: Chain exists of: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&sb->s_type->i_mutex_key#10); *** DEADLOCK *** 1 lock held by syz-executor6/6741: #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330 stack backtrace: CPU: 0 PID: 6741 Comm: syz-executor6 Not tainted 4.4.120-gd63fdf6 #29 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 4a07c60d6c83e828 ffff8801c4f77a58 ffffffff81d0408d ffffffff851a0010 ffffffff851a9d00 ffffffff851be970 ffff8801c3a068f8 ffff8801c3a06000 ffff8801c4f77aa0 ffffffff81233ba1 ffff8801c3a068f8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226 [] check_prev_add kernel/locking/lockdep.c:1853 [inline] [] check_prevs_add kernel/locking/lockdep.c:1958 [inline] [] validate_chain kernel/locking/lockdep.c:2144 [inline] [] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline] [] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621 [] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816 [] vfs_llseek+0xa2/0xd0 fs/read_write.c:260 [] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342 [] vfs_llseek fs/read_write.c:260 [inline] [] SYSC_lseek fs/read_write.c:285 [inline] [] SyS_lseek fs/read_write.c:276 [inline] [] C_SYSC_lseek fs/read_write.c:297 [inline] [] compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 audit: type=1400 audit(1521436603.166:20): avc: denied { call } for pid=6799 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 audit: type=1400 audit(1521436603.186:21): avc: denied { transfer } for pid=6799 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1 binder: BINDER_SET_CONTEXT_MGR already set binder: 6809:6815 ioctl 40046207 0 returned -16 binder: 6809:6815 got transaction with invalid offsets ptr binder: 6809:6815 transaction failed 29201/-14, size 40-8 line 3156 binder: 6809:6815 BC_INCREFS_DONE u0000000000000000 no match binder_alloc: binder_alloc_mmap_handler: 6809 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 6809:6815 ioctl 40046207 0 returned -16 binder: 6809:6815 got transaction with invalid offsets ptr binder: 6809:6815 transaction failed 29201/-14, size 40-8 line 3156 binder: 6799:6817 ioctl c0306201 20a94fd0 returned -14 binder: 6799:6817 ioctl 4c08 4dff returned -22 binder_alloc: binder_alloc_mmap_handler: 6799 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 6799:6817 ioctl 40046207 0 returned -16 binder_alloc: 6799: binder_alloc_buf, no vma binder: 6799:6818 transaction failed 29189/-3, size 40-8 line 3128 binder: 6799:6818 ioctl c0306201 20a94fd0 returned -14 binder: 6799:6818 ioctl 4c08 4dff returned -22 binder: release 6799:6810 transaction 6 out, still active binder: unexpected work type, 4, not freed binder: undelivered TRANSACTION_COMPLETE binder: send failed reply for transaction 6, target dead binder: 6824:6850 ioctl c0306201 20004000 returned -14 binder: BINDER_SET_CONTEXT_MGR already set binder: 6824:6830 ioctl 40046207 0 returned -16 binder_alloc: 6824: binder_alloc_buf, no vma binder: 6824:6830 transaction failed 29189/-3, size 0-0 line 3128 binder: undelivered TRANSACTION_ERROR: 29189 binder: release 6824:6830 transaction 13 in, still active binder: send failed reply for transaction 13 to 6824:6850 binder: undelivered TRANSACTION_COMPLETE binder: undelivered TRANSACTION_ERROR: 29189 sock: process `syz-executor5' is using obsolete setsockopt SO_BSDCOMPAT BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor2/6877 caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 CPU: 0 PID: 6877 Comm: syz-executor2 Not tainted 4.4.120-gd63fdf6 #29 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 fad8adf9b4861c72 ffff8800b9437648 ffffffff81d0408d 0000000000000000 ffffffff839fe5a0 ffffffff83d0be20 ffff8800b92d6000 0000000000000003 ffff8800b9437688 ffffffff81d63fe4 ffff8800b94376a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46 [] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62 [] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline] [] ipcomp_init_state+0x188/0x980 net/xfrm/xfrm_ipcomp.c:363 [] ipcomp4_init_state+0xb0/0x7d0 net/ipv4/ipcomp.c:137 [] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2058 [] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2084 [] pfkey_msg2xfrm_state net/key/af_key.c:1289 [inline] [] pfkey_add+0x1fbb/0x3490 net/key/af_key.c:1506 binder: 6914:6915 BC_INCREFS_DONE u0000000000000000 no match binder: 6914:6915 got reply transaction with no transaction stack binder: 6914:6915 transaction failed 29201/-71, size 0-0 line 2921 binder: 6914:6915 BC_INCREFS_DONE u0000000000000000 no match binder: 6914:6915 got reply transaction with no transaction stack binder: 6914:6915 transaction failed 29201/-71, size 0-0 line 2921 binder: 6914:6917 BC_DEAD_BINDER_DONE 0000000000000000 not found binder: undelivered TRANSACTION_ERROR: 29201 binder: undelivered TRANSACTION_ERROR: 29201 [] pfkey_process+0x68b/0x750 net/key/af_key.c:2834 [] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3678 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:635 [] ___sys_sendmsg+0x6c1/0x7c0 net/socket.c:1962 [] __sys_sendmsg+0xd3/0x190 net/socket.c:1996 [] C_SYSC_sendmsg net/compat.c:720 [inline] [] compat_SyS_sendmsg+0x2a/0x40 net/compat.c:718 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 device syz_tun entered promiscuous mode device syz_tun left promiscuous mode vmalloc: allocation failure: 0 bytes syz-executor1: page allocation failure: order:0, mode:0x24000c2 CPU: 0 PID: 6984 Comm: syz-executor1 Not tainted 4.4.120-gd63fdf6 #29 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 399ca44d3e166001 ffff8801c4fcf8c0 ffffffff81d0408d 1ffff100389f9f1b ffff8800b8403000 00000000024000c2 0000000000000000 0000000000000001 ffff8801c4fcf9d0 ffffffff81431059 ffffffff838ac620 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] warn_alloc_failed+0x1d9/0x240 mm/page_alloc.c:2757 [] __vmalloc_node_range+0x41d/0x630 mm/vmalloc.c:1692 [] __vmalloc_node mm/vmalloc.c:1715 [inline] [] __vmalloc_node_flags mm/vmalloc.c:1729 [inline] [] vmalloc+0x5b/0x70 mm/vmalloc.c:1744 [] sel_write_load+0x130/0xff0 security/selinux/selinuxfs.c:527 [] __vfs_write+0x103/0x450 fs/read_write.c:489 [] vfs_write+0x18a/0x530 fs/read_write.c:538 [] SYSC_write fs/read_write.c:585 [inline] [] SyS_write+0xd9/0x1b0 fs/read_write.c:577 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 Mem-Info: active_anon:53667 inactive_anon:45 isolated_anon:0 active_file:3552 inactive_file:8415 isolated_file:0 unevictable:0 dirty:118 writeback:0 unstable:0 slab_reclaimable:5800 slab_unreclaimable:59332 mapped:23801 shmem:68 pagetables:621 bounce:0 free:1474186 free_pcp:483 free_cma:0 DMA free:15904kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15904kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes lowmem_reserve[]: 0 2911 6411 6411 DMA32 free:2668640kB min:30608kB low:38260kB high:45912kB active_anon:96428kB inactive_anon:68kB active_file:7608kB inactive_file:15544kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3129292kB managed:2982732kB mlocked:0kB dirty:192kB writeback:0kB mapped:44556kB shmem:88kB slab_reclaimable:11448kB slab_unreclaimable:107328kB kernel_stack:2752kB pagetables:1052kB unstable:0kB bounce:0kB free_pcp:1036kB local_pcp:320kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no lowmem_reserve[]: 0 0 3500 3500 Normal free:3212580kB min:36808kB low:46008kB high:55212kB active_anon:118152kB inactive_anon:112kB active_file:6600kB inactive_file:18116kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3584660kB mlocked:0kB dirty:280kB writeback:0kB mapped:50604kB shmem:116kB slab_reclaimable:11780kB slab_unreclaimable:130024kB kernel_stack:2976kB pagetables:1384kB unstable:0kB bounce:0kB free_pcp:992kB local_pcp:368kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no lowmem_reserve[]: 0 0 0 0 DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15904kB DMA32: 508*4kB (UME) 119*8kB (UME) 139*16kB (UM) 127*32kB (UM) 61*64kB (UME) 36*128kB (UM) 21*256kB (UM) 9*512kB (ME) 29*1024kB (M) 3*2048kB (UM) 636*4096kB (M) = 2668664kB Normal: 641*4kB (UME) 326*8kB (UM) 171*16kB (UM) 86*32kB (UME) 72*64kB (UM) 45*128kB (UME) 25*256kB (M) 13*512kB (M) 26*1024kB (M) 3*2048kB (UM) 768*4096kB (M) = 3212580kB Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB 12019 total pagecache pages 0 pages in swap cache Swap cache stats: add 0, delete 0, find 0/0 Free swap = 0kB Total swap = 0kB 1965969 pages RAM 0 pages HighMem/MovableOnly 320145 pages reserved audit: type=1400 audit(1521436605.516:22): avc: denied { create } for pid=7110 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_iscsi_socket permissive=1 keychord: invalid keycode count 0 keychord: invalid keycode count 0 netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. audit: type=1400 audit(1521436606.296:23): avc: denied { getopt } for pid=7378 comm=AC scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'. binder_alloc: binder_alloc_mmap_handler: 7378 20001000-20003000 already mapped failed -16 proc: unrecognized mount option "" or missing value proc: unrecognized mount option "" or missing value binder: 7577:7579 unknown command -1016899195 binder: 7577:7579 ioctl c0306201 200001c0 returned -22 binder: 7577:7597 unknown command -1016899195 binder: 7577:7597 ioctl c0306201 200001c0 returned -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 7577:7579 ioctl 40046207 0 returned -16 mmap: syz-executor4 (7615) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt. netlink: 20 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor1'. IPVS: set_ctl: invalid protocol: 13703 39.52.93.236:60696 Ɓtpm`x/.HݼބDBC+] [] __xfrm_policy_check2 include/net/xfrm.h:1070 [inline] RIP: 0010:[] [] xfrm_policy_check include/net/xfrm.h:1076 [inline] RIP: 0010:[] [] xfrm4_policy_check include/net/xfrm.h:1081 [inline] RIP: 0010:[] [] udp_queue_rcv_skb+0x191/0x1560 net/ipv4/udp.c:1517 RSP: 0018:ffff8801d49df8b0 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff8801d2b48000 RCX: ffffffff831aa228 RDX: 000000000000000c RSI: ffffc90001e23000 RDI: 0000000000000060 RBP: ffff8801d49df8f0 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 1ffff1003a93bee8 R12: ffff8800a7a218c0 R13: 0000000000000001 R14: 0000000000000000 R15: ffff8800a7a21918 FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:00000000f6feab40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000008133324 CR3: 00000000b5b10000 CR4: 0000000000160670 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff8801d2b48088 ffff880100000001 ffff8801d2b48088 dffffc0000000000 ffff8801d2b48000 0000000000000000 ffffed003a569086 ffff8800a7a218c0 ffff8801d49df960 ffffffff82df8cb6 ffff8801d2b48188 ffff8801d2b48190 Call Trace: [] sk_backlog_rcv include/net/sock.h:871 [inline] [] __release_sock net/core/sock.c:2023 [inline] [] release_sock+0x176/0x510 net/core/sock.c:2473 [] udp_sendmsg+0x15c4/0x1c30 net/ipv4/udp.c:1105 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:635 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1665 [] SyS_sendto+0x40/0x50 net/socket.c:1633 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 Code: 74 24 58 41 f6 c6 01 0f 85 7f 07 00 00 e8 28 6b 1b fe 49 83 e6 fe 48 b8 00 00 00 00 00 fc ff df 49 8d 7e 60 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 01 0f 8e 9f 0b 00 00 41 f6 46 60 04 RIP [] __xfrm_policy_check2 include/net/xfrm.h:1070 [inline] RIP [] xfrm_policy_check include/net/xfrm.h:1076 [inline] RIP [] xfrm4_policy_check include/net/xfrm.h:1081 [inline] RIP [] udp_queue_rcv_skb+0x191/0x1560 net/ipv4/udp.c:1517 RSP ---[ end trace 8916098ac5dd016d ]---