======================================================
[ INFO: possible circular locking dependency detected ]
4.9.141+ #1 Not tainted
-------------------------------------------------------
syz-executor.5/23010 is trying to acquire lock:
 (&p->lock){+.+.+.}, at: [] seq_read+0xdd/0x12d0 fs/seq_file.c:178

but task is already holding lock:
 (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock_nested fs/pipe.c:66 [inline]
 (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x5e/0x70 fs/pipe.c:74

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&pipe->mutex/1){+.+.+.}:
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       __pipe_lock fs/pipe.c:87 [inline]
       fifo_open+0x15c/0x9e0 fs/pipe.c:921
       do_dentry_open+0x3ef/0xc90 fs/open.c:766
       vfs_open+0x11c/0x210 fs/open.c:879
       do_last fs/namei.c:3410 [inline]
       path_openat+0x542/0x2790 fs/namei.c:3534
       do_filp_open+0x197/0x270 fs/namei.c:3568
       do_open_execat+0x10f/0x640 fs/exec.c:844
       do_execveat_common.isra.14+0x687/0x1ed0 fs/exec.c:1723
       do_execve fs/exec.c:1829 [inline]
       SYSC_execve fs/exec.c:1910 [inline]
       SyS_execve+0x42/0x50 fs/exec.c:1905
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

-> #1 (&sig->cred_guard_mutex){+.+.+.}:
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_killable_nested+0xcc/0x9f0 kernel/locking/mutex.c:641
       do_io_accounting+0x1fb/0x7e0 fs/proc/base.c:2690
       proc_tgid_io_accounting+0x22/0x30 fs/proc/base.c:2739
       proc_single_show+0xfd/0x170 fs/proc/base.c:785
       seq_read+0x4b6/0x12d0 fs/seq_file.c:240
       do_loop_readv_writev.part.1+0xd5/0x280 fs/read_write.c:718
       do_loop_readv_writev fs/read_write.c:707 [inline]
       do_readv_writev+0x56e/0x7b0 fs/read_write.c:873
       vfs_readv+0x84/0xc0 fs/read_write.c:897
       kernel_readv fs/splice.c:363 [inline]
       default_file_splice_read+0x451/0x7f0 fs/splice.c:435
       do_splice_to+0x10c/0x170 fs/splice.c:899
       splice_direct_to_actor+0x23f/0x7e0 fs/splice.c:971
       do_splice_direct+0x1a3/0x270 fs/splice.c:1080
       do_sendfile+0x4f0/0xc30 fs/read_write.c:1393
       SYSC_sendfile64 fs/read_write.c:1454 [inline]
       SyS_sendfile64+0x144/0x160 fs/read_write.c:1440
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

-> #0 (&p->lock){+.+.+.}:
       check_prev_add kernel/locking/lockdep.c:1828 [inline]
       check_prevs_add kernel/locking/lockdep.c:1938 [inline]
       validate_chain kernel/locking/lockdep.c:2265 [inline]
       __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
       lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
       __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
       seq_read+0xdd/0x12d0 fs/seq_file.c:178
       do_loop_readv_writev.part.1+0xd5/0x280 fs/read_write.c:718
       do_loop_readv_writev fs/read_write.c:707 [inline]
       do_readv_writev+0x56e/0x7b0 fs/read_write.c:873
       vfs_readv+0x84/0xc0 fs/read_write.c:897
       kernel_readv fs/splice.c:363 [inline]
       default_file_splice_read+0x451/0x7f0 fs/splice.c:435
       do_splice_to+0x10c/0x170 fs/splice.c:899
       do_splice fs/splice.c:1192 [inline]
       SYSC_splice fs/splice.c:1416 [inline]
       SyS_splice+0x10d2/0x14d0 fs/splice.c:1399
       do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
       entry_SYSCALL_64_after_swapgs+0x5d/0xdb

other info that might help us debug this:

Chain exists of:
  &p->lock --> &sig->cred_guard_mutex --> &pipe->mutex/1

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&pipe->mutex/1);
                               lock(&sig->cred_guard_mutex);
                               lock(&pipe->mutex/1);
  lock(&p->lock);

 *** DEADLOCK ***

1 lock held by syz-executor.5/23010:
 #0:  (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock_nested fs/pipe.c:66 [inline]
 #0:  (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x5e/0x70 fs/pipe.c:74

stack backtrace:
CPU: 1 PID: 23010 Comm: syz-executor.5 Not tainted 4.9.141+ #1
 ffff8801816ff2c8 ffffffff81b42e79 ffffffff83ca2c70 ffffffff83caa290
 ffffffff83ca4920 ffff8801ca5a5010 ffff8801ca5a4740 ffff8801816ff310
 ffffffff813fee40 0000000000000001 00000000ca5a4ff0 0000000000000001
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_circular_bug.cold.36+0x2f7/0x432 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x3189/0x4a10 kernel/locking/lockdep.c:3345
 [] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_nested+0xc0/0x900 kernel/locking/mutex.c:621
 [] seq_read+0xdd/0x12d0 fs/seq_file.c:178
 [] do_loop_readv_writev.part.1+0xd5/0x280 fs/read_write.c:718
 [] do_loop_readv_writev fs/read_write.c:707 [inline]
 [] do_readv_writev+0x56e/0x7b0 fs/read_write.c:873
 [] vfs_readv+0x84/0xc0 fs/read_write.c:897
 [] kernel_readv fs/splice.c:363 [inline]
 [] default_file_splice_read+0x451/0x7f0 fs/splice.c:435
 [] do_splice_to+0x10c/0x170 fs/splice.c:899
 [] do_splice fs/splice.c:1192 [inline]
 [] SYSC_splice fs/splice.c:1416 [inline]
 [] SyS_splice+0x10d2/0x14d0 fs/splice.c:1399
 [] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
audit: type=1400 audit(1575371891.890:228): avc: denied { create } for pid=23066 comm="syz-executor.3" name="file0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kvm_device_t:s0 tclass=file permissive=1
audit: type=1400 audit(1575371891.950:229): avc: denied { getattr } for pid=2081 comm="syz-executor.3" path="/1757/file0" dev="tmpfs" ino=193838 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kvm_device_t:s0 tclass=file permissive=1
audit: type=1400 audit(1575371892.000:230): avc: denied { unlink } for pid=2081 comm="syz-executor.3" name="file0" dev="tmpfs" ino=193838 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kvm_device_t:s0 tclass=file permissive=1
selinux_nlmsg_perm: 295 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23076 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23076 comm=syz-executor.3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=23076 comm=syz-executor.3
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): lo: link is not ready
ip6_tunnel: l0 xmit: Local address not yet configured!
ip6_tunnel: l0 xmit: Local address not yet configured!
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
ip6_tunnel: l0 xmit: Local address not yet configured!
ip6_tunnel: l0 xmit: Local address not yet configured!
ip6_tunnel: l0 xmit: Local address not yet configured!
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=2405 sclass=netlink_xfrm_socket pig=23308 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=2405 sclass=netlink_xfrm_socket pig=23351 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=2405 sclass=netlink_xfrm_socket pig=23394 comm=syz-executor.1
ip6_tunnel: a xmit: Local address not yet configured!
keychord: keycode 25647 out of range
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=2405 sclass=netlink_xfrm_socket pig=23431 comm=syz-executor.1