======================================================
[ INFO: possible circular locking dependency detected ]
4.4.120-gd63fdf6 #29 Not tainted
-------------------------------------------------------
syz-executor5/10661 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [<ffffffff81463361>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [<ffffffff82c62016>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       [<ffffffff8123d7ce>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff8376a39b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8376a39b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [<ffffffff82c61463>] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366
       [<ffffffff814b0e4f>] mmap_region+0x94f/0x1250 mm/mmap.c:1664
       [<ffffffff814b1c4d>] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
       [<ffffffff814700ce>] do_mmap_pgoff include/linux/mm.h:1915 [inline]
       [<ffffffff814700ce>] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:296
       [<ffffffff814afe1f>] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
       [<ffffffff814afe1f>] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449
       [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [<ffffffff837752ea>] sysenter_flags_fixed+0xd/0x17

       [<ffffffff8123d7ce>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff814956ea>] __might_fault+0x14a/0x1d0 mm/memory.c:3810
       [<ffffffff8155ab22>] copy_to_user arch/x86/include/asm/uaccess.h:760 [inline]
       [<ffffffff8155ab22>] filldir+0x162/0x2d0 fs/readdir.c:180
       [<ffffffff8159820e>] dir_emit_dot include/linux/fs.h:3070 [inline]
       [<ffffffff8159820e>] dir_emit_dots include/linux/fs.h:3081 [inline]
       [<ffffffff8159820e>] dcache_readdir+0x11e/0x7b0 fs/libfs.c:150
       [<ffffffff8155a768>] iterate_dir+0x1c8/0x420 fs/readdir.c:42
       [<ffffffff8155b45a>] SYSC_getdents fs/readdir.c:215 [inline]
       [<ffffffff8155b45a>] SyS_getdents+0x14a/0x270 fs/readdir.c:196
       [<ffffffff8377395f>] entry_SYSCALL_64_fastpath+0x1c/0x98

       [<ffffffff8123ab2f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [<ffffffff8123ab2f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [<ffffffff8123ab2f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [<ffffffff8123ab2f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
       [<ffffffff8123d7ce>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff8376a39b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8376a39b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [<ffffffff81463361>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
       [<ffffffff8151c762>] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
       [<ffffffff82c620a7>] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
       [<ffffffff8151e6db>] vfs_llseek fs/read_write.c:260 [inline]
       [<ffffffff8151e6db>] SYSC_lseek fs/read_write.c:285 [inline]
       [<ffffffff8151e6db>] SyS_lseek fs/read_write.c:276 [inline]
       [<ffffffff8151e6db>] C_SYSC_lseek fs/read_write.c:297 [inline]
       [<ffffffff8151e6db>] compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295
       [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
       [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
       [<ffffffff837752ea>] sysenter_flags_fixed+0xd/0x17

other info that might help us debug this:

Chain exists of:
 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syz-executor5/10661:
 #0:  (ashmem_mutex){+.+.+.}, at: [<ffffffff82c62016>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

stack backtrace:
CPU: 0 PID: 10661 Comm: syz-executor5 Not tainted 4.4.120-gd63fdf6 #29
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 d4febed91f40609d ffff8801cad0fa58 ffffffff81d0408d
 ffffffff8519fcb0 ffffffff851a9640 ffffffff851be610 ffff8800b67020f8
 ffff8800b6701800 ffff8801cad0faa0 ffffffff81233ba1 ffff8800b67020f8
Call Trace:
 [<ffffffff81d0408d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0408d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81233ba1>] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
 [<ffffffff8123ab2f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [<ffffffff8123ab2f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [<ffffffff8123ab2f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [<ffffffff8123ab2f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
 [<ffffffff8123d7ce>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [<ffffffff8376a39b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [<ffffffff8376a39b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
 [<ffffffff81463361>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
 [<ffffffff8151c762>] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
 [<ffffffff82c620a7>] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
 [<ffffffff8151e6db>] vfs_llseek fs/read_write.c:260 [inline]
 [<ffffffff8151e6db>] SYSC_lseek fs/read_write.c:285 [inline]
 [<ffffffff8151e6db>] SyS_lseek fs/read_write.c:276 [inline]
 [<ffffffff8151e6db>] C_SYSC_lseek fs/read_write.c:297 [inline]
 [<ffffffff8151e6db>] compat_SyS_lseek+0xeb/0x170 fs/read_write.c:295
 [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff837752ea>] sysenter_flags_fixed+0xd/0x17
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=21248 sclass=netlink_route_socket
capability: warning: `syz-executor3' uses deprecated v2 capabilities in a way that may be insecure
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=21248 sclass=netlink_route_socket
IPVS: Unknown mcast interface: 
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
device syz_tun entered promiscuous mode
device syz_tun left promiscuous mode
device syz_tun entered promiscuous mode
device syz_tun left promiscuous mode
sd 0:0:1:0: [sg0] tag#184 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#184 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#184 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#184 CDB[10]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#184 CDB[20]: 00 00 00
binder: 11615:11616 BC_FREE_BUFFER u0000000000000000 no match
binder: 11615:11616 BC_FREE_BUFFER u0000000000000000 no match
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=58396 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=281 sclass=netlink_route_socket
audit: type=1401 audit(1521704725.824:36): op=setxattr invalid_context=73797374656D5F753A6F626A6563745F723A73087374656D5F64627573645F7661725F6C69625F743A633072D89AEABF5E7E0FB7F60F9726CCB77DE27671800AFF8319BDCA0F0D6FA462B0AED2109C7BC32FE9122804C0EA1B41AF2DD8C0CCAC30B15DA729E15810C882B751325261537E46400D2464E09A686CB2B79D8AE875C677719CE3A5FB37267E95F8B171DB6EB6D8A7FEB835
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=57687 sclass=netlink_xfrm_socket
keychord: invalid keycode count 0
keychord: invalid keycode count 0
qtaguid: iface_stat: create6(lo): no inet dev
audit: type=1400 audit(1521704727.754:37): avc:  denied  { setopt } for  pid=12241 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
audit: type=1400 audit(1521704727.774:38): avc:  denied  { bind } for  pid=12241 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=1
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
device bridge0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1 sclass=netlink_route_socket