====================================================== WARNING: possible circular locking dependency detected 4.16.0-rc5+ #351 Not tainted ------------------------------------------------------ syz-executor1/8074 is trying to acquire lock: (&sb->s_type->i_mutex_key#11){++++}, at: [<000000000d370239>] inode_lock include/linux/fs.h:713 [inline] (&sb->s_type->i_mutex_key#11){++++}, at: [<000000000d370239>] shmem_file_llseek+0xef/0x240 mm/shmem.c:2579 but task is already holding lock: (ashmem_mutex){+.+.}, at: [<00000000758b15e9>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:326 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (ashmem_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 ashmem_mmap+0x53/0x410 drivers/staging/android/ashmem.c:362 call_mmap include/linux/fs.h:1786 [inline] mmap_region+0xa99/0x15a0 mm/mmap.c:1705 do_mmap+0x6c0/0xe00 mm/mmap.c:1483 do_mmap_pgoff include/linux/mm.h:2223 [inline] vm_mmap_pgoff+0x1de/0x280 mm/util.c:355 SYSC_mmap_pgoff mm/mmap.c:1533 [inline] SyS_mmap_pgoff+0x462/0x5f0 mm/mmap.c:1491 SYSC_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:91 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #1 (&mm->mmap_sem){++++}: __might_fault+0x13a/0x1d0 mm/memory.c:4571 _copy_to_user+0x2c/0xc0 lib/usercopy.c:25 copy_to_user include/linux/uaccess.h:155 [inline] filldir+0x1a7/0x320 fs/readdir.c:196 dir_emit_dot include/linux/fs.h:3370 [inline] dir_emit_dots include/linux/fs.h:3381 [inline] dcache_readdir+0x12d/0x5e0 fs/libfs.c:192 iterate_dir+0x1ca/0x530 fs/readdir.c:51 SYSC_getdents fs/readdir.c:231 [inline] SyS_getdents+0x225/0x450 fs/readdir.c:212 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 -> #0 (&sb->s_type->i_mutex_key#11){++++}: lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 down_write+0x87/0x120 kernel/locking/rwsem.c:70 inode_lock include/linux/fs.h:713 [inline] shmem_file_llseek+0xef/0x240 mm/shmem.c:2579 vfs_llseek+0xa2/0xd0 fs/read_write.c:300 ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:338 vfs_llseek fs/read_write.c:300 [inline] SYSC_lseek fs/read_write.c:313 [inline] SyS_lseek+0xeb/0x170 fs/read_write.c:304 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 other info that might help us debug this: Chain exists of: &sb->s_type->i_mutex_key#11 --> &mm->mmap_sem --> ashmem_mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(ashmem_mutex); lock(&mm->mmap_sem); lock(ashmem_mutex); lock(&sb->s_type->i_mutex_key#11); *** DEADLOCK *** 1 lock held by syz-executor1/8074: #0: (ashmem_mutex){+.+.}, at: [<00000000758b15e9>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:326 stack backtrace: CPU: 1 PID: 8074 Comm: syz-executor1 Not tainted 4.16.0-rc5+ #351 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 print_circular_bug.isra.38+0x2cd/0x2dc kernel/locking/lockdep.c:1223 check_prev_add kernel/locking/lockdep.c:1863 [inline] check_prevs_add kernel/locking/lockdep.c:1976 [inline] validate_chain kernel/locking/lockdep.c:2417 [inline] __lock_acquire+0x30a8/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 down_write+0x87/0x120 kernel/locking/rwsem.c:70 inode_lock include/linux/fs.h:713 [inline] shmem_file_llseek+0xef/0x240 mm/shmem.c:2579 vfs_llseek+0xa2/0xd0 fs/read_write.c:300 ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:338 vfs_llseek fs/read_write.c:300 [inline] SYSC_lseek fs/read_write.c:313 [inline] SyS_lseek+0xeb/0x170 fs/read_write.c:304 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453e69 RSP: 002b:00007fe6bd77fc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000008 RAX: ffffffffffffffda RBX: 00007fe6bd7806d4 RCX: 0000000000453e69 RDX: 0000000000000003 RSI: fffffffffffffffe RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000003da R14: 00000000006f5d10 R15: 0000000000000000 kernel msg: ebtables bug: please report to author: entries_size too small binder: 8334:8351 BC_REQUEST_DEATH_NOTIFICATION death notification already set binder: 8334:8351 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 8334:8367 BC_REQUEST_DEATH_NOTIFICATION death notification already set FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 1 CPU: 0 PID: 8476 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #351 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 fail_dump lib/fault-inject.c:51 [inline] should_fail+0x8c0/0xa40 lib/fault-inject.c:149 should_failslab+0xec/0x120 mm/failslab.c:32 slab_pre_alloc_hook mm/slab.h:422 [inline] slab_alloc mm/slab.c:3365 [inline] kmem_cache_alloc+0x47/0x760 mm/slab.c:3539 kmem_cache_zalloc include/linux/slab.h:691 [inline] avc_alloc_node+0x27/0x4d0 security/selinux/avc.c:549 avc_insert security/selinux/avc.c:668 [inline] avc_compute_av+0x22a/0x710 security/selinux/avc.c:974 avc_has_perm_noaudit security/selinux/avc.c:1110 [inline] avc_has_perm+0x4be/0x680 security/selinux/avc.c:1144 sock_has_perm+0x299/0x420 security/selinux/hooks.c:4352 selinux_socket_sendmsg+0x36/0x40 security/selinux/hooks.c:4607 security_socket_sendmsg+0x7d/0xb0 security/security.c:1370 sock_sendmsg+0x43/0x110 net/socket.c:637 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046 __sys_sendmsg+0xe5/0x210 net/socket.c:2080 SYSC_sendmsg net/socket.c:2091 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2087 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453e69 RSP: 002b:00007fac47247c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fac472486d4 RCX: 0000000000453e69 RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014 R13: 00000000000004c6 R14: 00000000006f7330 R15: 0000000000000000 kauditd_printk_skb: 960 callbacks suppressed audit: type=1400 audit(1520886094.712:3457): avc: denied { net_admin } for pid=4287 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1520886094.715:3458): avc: denied { net_admin } for pid=4288 comm="syz-executor6" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1520886094.724:3459): avc: denied { map } for pid=9007 comm="modprobe" path="/bin/kmod" dev="sda1" ino=1440 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 audit: type=1400 audit(1520886094.732:3460): avc: denied { net_admin } for pid=4285 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1520886094.750:3461): avc: denied { net_admin } for pid=4280 comm="syz-executor2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1520886094.750:3462): avc: denied { net_admin } for pid=4280 comm="syz-executor2" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1520886095.188:3463): avc: denied { net_admin } for pid=4286 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1520886095.191:3464): avc: denied { net_admin } for pid=4286 comm="syz-executor1" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1520886095.246:3465): avc: denied { net_admin } for pid=4285 comm="syz-executor0" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 audit: type=1400 audit(1520886095.248:3466): avc: denied { net_admin } for pid=4287 comm="syz-executor5" capability=12 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1