======================================================
[ INFO: possible circular locking dependency detected ]
4.9.84-ga9d0273 #44 Not tainted
-------------------------------------------------------
syzkaller157188/3804 is trying to acquire lock:
(&mm->mmap_sem){++++++}, at: [<ffffffff814c2714>] __might_fault+0xe4/0x1d0 mm/memory.c:3993
but task is already holding lock:
(ashmem_mutex){+.+.+.}, at: [<ffffffff82d4aef1>] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
(ashmem_mutex){+.+.+.}, at: [<ffffffff82d4aef1>] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
__mutex_lock_common kernel/locking/mutex.c:521 [inline]
mutex_lock_nested+0xbb/0x870 kernel/locking/mutex.c:621
ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:379
mmap_region+0x7dd/0xfd0 mm/mmap.c:1694
do_mmap+0x57b/0xbe0 mm/mmap.c:1473
do_mmap_pgoff include/linux/mm.h:2019 [inline]
vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:329
SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1481
SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x47/0xc5
check_prev_add kernel/locking/lockdep.c:1828 [inline]
check_prevs_add kernel/locking/lockdep.c:1938 [inline]
validate_chain kernel/locking/lockdep.c:2265 [inline]
__lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
__might_fault+0x14a/0x1d0 mm/memory.c:3994
copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
vfs_ioctl fs/ioctl.c:43 [inline]
do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
SYSC_ioctl fs/ioctl.c:694 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x47/0xc5
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(ashmem_mutex);
lock(&mm->mmap_sem);
lock(ashmem_mutex);
lock(&mm->mmap_sem);
*** DEADLOCK ***
1 lock held by syzkaller157188/3804:
#0: (ashmem_mutex){+.+.+.}, at: [<ffffffff82d4aef1>] ashmem_pin_unpin drivers/staging/android/ashmem.c:714 [inline]
#0: (ashmem_mutex){+.+.+.}, at: [<ffffffff82d4aef1>] ashmem_ioctl+0x371/0xfe0 drivers/staging/android/ashmem.c:791
stack backtrace:
CPU: 0 PID: 3804 Comm: syzkaller157188 Not tainted 4.9.84-ga9d0273 #44
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801d7c47908 ffffffff81d956b9 ffffffff853a2cd0 ffffffff853a2cd0
ffffffff853c2f80 ffff8801d939a0d8 ffff8801d9399800 ffff8801d7c47950
ffffffff812387f1 ffff8801d939a0d8 00000000d939a0b0 ffff8801d939a0d8
Call Trace:
[<ffffffff81d956b9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d956b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff812387f1>] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1202
[<ffffffff8123ec29>] check_prev_add kernel/locking/lockdep.c:1828 [inline]
[<ffffffff8123ec29>] check_prevs_add kernel/locking/lockdep.c:1938 [inline]
[<ffffffff8123ec29>] validate_chain kernel/locking/lockdep.c:2265 [inline]
[<ffffffff8123ec29>] __lock_acquire+0x2bf9/0x3640 kernel/locking/lockdep.c:3345
[<ffffffff812400ae>] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
[<ffffffff814c277a>] __might_fault+0x14a/0x1d0 mm/memory.c:3994
[<ffffffff82d4af40>] copy_from_user arch/x86/include/asm/uaccess.h:705 [inline]
[<ffffffff82d4af40>] ashmem_pin_unpin drivers/staging/android/ashmem.c:719 [inline]
[<ffffffff82d4af40>] ashmem_ioctl+0x3c0/0xfe0 drivers/staging/android/ashmem.c:791
[<ffffffff815ae88a>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff815ae88a>] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
[<ffffffff815754a2>] ? fput+