[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 28.913431] kauditd_printk_skb: 7 callbacks suppressed
[ 28.913458] audit: type=1800 audit(1544819404.976:29): pid=5894 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 28.938472] audit: type=1800 audit(1544819404.986:30): pid=5894 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 33.445082] sshd (6033) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
2018/12/14 20:31:10 parsed 1 programs
2018/12/14 20:31:12 executed programs: 0
[ 96.160632] IPVS: ftp: loaded support on port[0] = 21
[ 96.413759] bridge0: port 1(bridge_slave_0) entered blocking state
[ 96.420825] bridge0: port 1(bridge_slave_0) entered disabled state
[ 96.428179] device bridge_slave_0 entered promiscuous mode
[ 96.447289] bridge0: port 2(bridge_slave_1) entered blocking state
[ 96.453967] bridge0: port 2(bridge_slave_1) entered disabled state
[ 96.461182] device bridge_slave_1 entered promiscuous mode
[ 96.480493] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 96.498403] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 96.550569] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 96.572556] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 96.650413] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 96.658244] team0: Port device team_slave_0 added
[ 96.675407] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 96.682871] team0: Port device team_slave_1 added
[ 96.700270] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 96.720589] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 96.740410] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 96.760998] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 96.904140] bridge0: port 2(bridge_slave_1) entered blocking state
[ 96.910706] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 96.917883] bridge0: port 1(bridge_slave_0) entered blocking state
[ 96.924304] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 97.435364] 8021q: adding VLAN 0 to HW filter on device bond0
[ 97.485388] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 97.536706] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 97.542986] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 97.550500] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 97.596628] 8021q: adding VLAN 0 to HW filter on device team0
[ 97.952730] hrtimer: interrupt took 26967 ns
[ 98.711041]
[ 98.712738] ======================================================
[ 98.719042] WARNING: possible circular locking dependency detected
[ 98.725381] 4.20.0-rc6+ #373 Not tainted
[ 98.729425] ------------------------------------------------------
[ 98.735730] syz-executor0/6321 is trying to acquire lock:
[ 98.741248] 00000000f666e14c (&mm->mmap_sem){++++}, at: __do_page_fault+0xbc9/0xe60
[ 98.749086]
[ 98.749086] but task is already holding lock:
[ 98.755046] 00000000036e8e69 (&sb->s_type->i_mutex_key#12){+.+.}, at: generic_file_write_iter+0xe4/0x6b0
[ 98.764682]
[ 98.764682] which lock already depends on the new lock.
[ 98.764682]
[ 98.773617]
[ 98.773617] the existing dependency chain (in reverse order) is:
[ 98.781242]
[ 98.781242] -> #2 (&sb->s_type->i_mutex_key#12){+.+.}:
[ 98.788007]        down_write+0x8a/0x130
[ 98.792104]        shmem_fallocate+0x18b/0x12c0
[ 98.796785]        ashmem_shrink_scan+0x238/0x660
[ 98.801621]        ashmem_ioctl+0x3ae/0x13a0
[ 98.806020]        do_vfs_ioctl+0x1de/0x1790
[ 98.810442]        ksys_ioctl+0xa9/0xd0
[ 98.814426]        __x64_sys_ioctl+0x73/0xb0
[ 98.818827]        do_syscall_64+0x1b9/0x820
[ 98.823227]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 98.828921]
[ 98.828921] -> #1 (ashmem_mutex){+.+.}:
[ 98.834381]        __mutex_lock+0x166/0x16f0
[ 98.838797]        mutex_lock_nested+0x16/0x20
[ 98.843372]        ashmem_mmap+0x55/0x520
[ 98.847526]        mmap_region+0xe85/0x1cd0
[ 98.851860]        do_mmap+0xa22/0x1230
[ 98.855853]        vm_mmap_pgoff+0x213/0x2c0
[ 98.860257]        ksys_mmap_pgoff+0x4da/0x660
[ 98.864830]        __x64_sys_mmap+0xe9/0x1b0
[ 98.869234]        do_syscall_64+0x1b9/0x820
[ 98.873640]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 98.879338]
[ 98.879338] -> #0 (&mm->mmap_sem){++++}:
[ 98.884884]        lock_acquire+0x1ed/0x520
[ 98.889202]        down_read+0x8d/0x120
[ 98.893179]        __do_page_fault+0xbc9/0xe60
[ 98.897760]        do_page_fault+0xf2/0x7e0
[ 98.902103]        page_fault+0x1e/0x30
[ 98.906113]        iov_iter_fault_in_readable+0x1b4/0x450
[ 98.911647]        generic_perform_write+0x216/0x6a0
[ 98.916745]        __generic_file_write_iter+0x26e/0x630
[ 98.922192]        generic_file_write_iter+0x34d/0x6b0
[ 98.927559]        __vfs_write+0x6b8/0x9f0
[ 98.931786]        vfs_write+0x1fc/0x560
[ 98.935845]        ksys_write+0x101/0x260
[ 98.939987]        __x64_sys_write+0x73/0xb0
[ 98.944407]        do_syscall_64+0x1b9/0x820
[ 98.948827]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 98.954528]
[ 98.954528] other info that might help us debug this:
[ 98.954528]
[ 98.962677] Chain exists of:
[ 98.962677]   &mm->mmap_sem --> ashmem_mutex --> &sb->s_type->i_mutex_key#12
[ 98.962677]
[ 98.974214]  Possible unsafe locking scenario:
[ 98.974214]
[ 98.980266]        CPU0                    CPU1
[ 98.984920]        ----                    ----
[ 98.989571]   lock(&sb->s_type->i_mutex_key#12);
[ 98.994323]                                lock(ashmem_mutex);
[ 99.000285]                                lock(&sb->s_type->i_mutex_key#12);
[ 99.007548]   lock(&mm->mmap_sem);
[ 99.011098]
[ 99.011098]  *** DEADLOCK ***
[ 99.011098]
[ 99.017159] 2 locks held by syz-executor0/6321:
[ 99.021811]  #0: 00000000c63288ec (sb_writers#5){.+.+}, at: vfs_write+0x42a/0x560
[ 99.029452]  #1: 00000000036e8e69 (&sb->s_type->i_mutex_key#12){+.+.}, at: generic_file_write_iter+0xe4/0x6b0
[ 99.039527]
[ 99.039527] stack backtrace:
[ 99.044022] CPU: 0 PID: 6321 Comm: syz-executor0 Not tainted 4.20.0-rc6+ #373
[ 99.051310] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 99.060652] Call Trace:
[ 99.063251]  dump_stack+0x244/0x39d
[ 99.066893]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 99.072095]  ? vprintk_func+0x85/0x181
[ 99.075989]  print_circular_bug.isra.35.cold.54+0x1bd/0x27d
[ 99.081712]  ? save_trace+0xe0/0x290
[ 99.085425]  __lock_acquire+0x3399/0x4c20
[ 99.089573]  ? mark_held_locks+0x130/0x130
[ 99.093825]  ? do_raw_spin_trylock+0x270/0x270
[ 99.098403]  ? lock_acquire+0x2a5/0x520
[ 99.102389]  ? _raw_spin_unlock+0x2c/0x50
[ 99.106536]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[ 99.111375]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 99.116907]  ? page_mapping+0x5a2/0xa50
[ 99.120907]  ? print_usage_bug+0xc0/0xc0
[ 99.124959]  ? __page_mapcount+0x580/0x580
[ 99.129212]  ? __set_page_dirty_no_writeback+0x3c9/0x6c0
[ 99.134658]  ? zap_class+0x640/0x640
[ 99.138386]  ? zap_class+0x640/0x640
[ 99.142117]  ? mark_held_locks+0xc7/0x130
[ 99.146277]  ? __lock_is_held+0xb5/0x140
[ 99.150338]  lock_acquire+0x1ed/0x520
[ 99.154135]  ? __do_page_fault+0xbc9/0xe60
[ 99.158367]  ? lock_release+0xa00/0xa00
[ 99.162335]  ? perf_trace_sched_process_exec+0x860/0x860
[ 99.167798]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 99.172805]  ? cmp_ex_search+0x8c/0xb0
[ 99.176690]  down_read+0x8d/0x120
[ 99.180138]  ? __do_page_fault+0xbc9/0xe60
[ 99.184371]  ? __down_interruptible+0x700/0x700
[ 99.189032]  ? __do_page_fault+0xbb2/0xe60
[ 99.193277]  ? iov_iter_fault_in_readable+0x1b4/0x450
[ 99.198480]  ? search_extable+0xa/0xb0
[ 99.202367]  ? iov_iter_fault_in_readable+0x1b4/0x450
[ 99.207556]  __do_page_fault+0xbc9/0xe60
[ 99.211616]  ? balance_dirty_pages_ratelimited+0x1f7/0x2370
[ 99.217331]  do_page_fault+0xf2/0x7e0
[ 99.221127]  ? vmalloc_sync_all+0x30/0x30
[ 99.225271]  ? error_entry+0x76/0xd0
[ 99.228980]  ? trace_hardirqs_off_caller+0xbb/0x310
[ 99.234006]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 99.238862]  ? trace_hardirqs_on_caller+0x310/0x310
[ 99.243876]  ? write_comp_data+0x6c/0x70
[ 99.247937]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 99.252777]  page_fault+0x1e/0x30
[ 99.256229] RIP: 0010:iov_iter_fault_in_readable+0x1b4/0x450
[ 99.262044] Code: fd 49 39 dc 76 17 eb 3c e8 89 f2 ee fd 49 81 c4 00 10 00 00 4c 39 a5 28 ff ff ff 72 2e e8 74 f2 ee fd 0f 1f 00 0f ae e8 31 db <41> 8a 04 24 0f 1f 00 31 ff 89 de 88 85 58 ff ff ff e8 66 f3 ee fd
[ 99.280950] RSP: 0018:ffff8881bae677d8 EFLAGS: 00010246
[ 99.286307] RAX: ffff8881baf86040 RBX: 0000000000000000 RCX: ffffffff839091cd
[ 99.293568] RDX: 0000000000000000 RSI: ffffffff839091fc RDI: 0000000000000005
[ 99.300829] RBP: ffff8881bae678b0 R08: ffff8881baf86040 R09: fffff94000d6834e
[ 99.308095] R10: fffff94000d6834e R11: ffffea0006b41a77 R12: 0000000020ea3000
[ 99.315381] R13: 0000000000001000 R14: 0000000000001000 R15: ffff8881bae67bc8
[ 99.322675]  ? iov_iter_fault_in_readable+0x17d/0x450
[ 99.327860]  ? iov_iter_fault_in_readable+0x1ac/0x450
[ 99.333084]  ? iov_iter_fault_in_readable+0x1ac/0x450
[ 99.338273]  ? _copy_from_iter_flushcache+0xfc0/0xfc0
[ 99.343462]  ? _copy_to_iter_mcsafe+0x1680/0x1680
[ 99.348307]  ? shmem_write_begin+0x10a/0x1e0
[ 99.352717]  ? shmem_write_begin+0x113/0x1e0
[ 99.357139]  generic_perform_write+0x216/0x6a0
[ 99.361756]  ? add_page_wait_queue+0x400/0x400
[ 99.366355]  ? current_time+0x1b0/0x1b0
[ 99.370334]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 99.375362]  ? generic_write_check_limits+0x28d/0x370
[ 99.380580]  __generic_file_write_iter+0x26e/0x630
[ 99.385508]  generic_file_write_iter+0x34d/0x6b0
[ 99.390261]  ? __generic_file_write_iter+0x630/0x630
[ 99.395359]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 99.400893]  ? iov_iter_init+0xe5/0x210
[ 99.404863]  __vfs_write+0x6b8/0x9f0
[ 99.408574]  ? kernel_read+0x120/0x120
[ 99.412464]  ? __lock_is_held+0xb5/0x140
[ 99.416523]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 99.422065]  ? __sb_start_write+0x1b2/0x370
[ 99.426423]  vfs_write+0x1fc/0x560
[ 99.429963]  ksys_write+0x101/0x260
[ 99.433586]  ? __ia32_sys_read+0xb0/0xb0
[ 99.437662]  ? trace_hardirqs_off_caller+0x310/0x310
[ 99.442760]  __x64_sys_write+0x73/0xb0
[ 99.446647]  do_syscall_64+0x1b9/0x820
[ 99.450530]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 99.455892]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 99.460815]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 99.465667]  ? trace_hardirqs_on_caller+0x310/0x310
[ 99.470676]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 99.475692]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 99.480708]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 99.485546]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 99.490726] RIP: 0033:0x457659
[ 99.494394] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 99.513309] RSP: 002b:00007fec62d6bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 99.521010] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457659
[ 99.528288] RDX: 00000000ffffff76 RSI: 0000000020000000 RDI: 0000000000000005
[ 99.535554] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 99.542817] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fec62d6c6d4
[ 99.550093] R13: 00000000004c61e5 R14: 00000000004dadd8 R15: 00000000ffffffff