syzbot

random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)

======================================================
[ INFO: possible circular locking dependency detected ]
4.4.114-ga81d322 #4 Not tainted
-------------------------------------------------------
syzkaller539241/4046 is trying to acquire lock:
 (&sb->s_type->i_mutex_key#10){+.+.+.}, at: [<ffffffff81463491>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816

but task is already holding lock:
 (ashmem_mutex){+.+.+.}, at: [<ffffffff82c61a56>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       [<ffffffff8123d7be>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff8376a92b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8376a92b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [<ffffffff82c60ea3>] ashmem_mmap+0x53/0x400 drivers/staging/android/ashmem.c:366
       [<ffffffff814b0edf>] mmap_region+0x94f/0x1250 mm/mmap.c:1664
       [<ffffffff814b1cdd>] do_mmap+0x4fd/0x9d0 mm/mmap.c:1441
       [<ffffffff8147015e>] do_mmap_pgoff include/linux/mm.h:1915 [inline]
       [<ffffffff8147015e>] vm_mmap_pgoff+0x16e/0x1c0 mm/util.c:272
       [<ffffffff814afeaf>] SYSC_mmap_pgoff mm/mmap.c:1491 [inline]
       [<ffffffff814afeaf>] SyS_mmap_pgoff+0x33f/0x560 mm/mmap.c:1449
       [<ffffffff8101beb6>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
       [<ffffffff8101beb6>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
       [<ffffffff83773edf>] entry_SYSCALL_64_fastpath+0x1c/0x98

       [<ffffffff8123d7be>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff8149577a>] __might_fault+0x14a/0x1d0 mm/memory.c:3810
       [<ffffffff8155a7e2>] copy_to_user arch/x86/include/asm/uaccess.h:760 [inline]
       [<ffffffff8155a7e2>] filldir+0x162/0x2d0 fs/readdir.c:180
       [<ffffffff81597e2e>] dir_emit_dot include/linux/fs.h:3070 [inline]
       [<ffffffff81597e2e>] dir_emit_dots include/linux/fs.h:3081 [inline]
       [<ffffffff81597e2e>] dcache_readdir+0x11e/0x7b0 fs/libfs.c:150
       [<ffffffff8155a428>] iterate_dir+0x1c8/0x420 fs/readdir.c:42
       [<ffffffff8155b11a>] SYSC_getdents fs/readdir.c:215 [inline]
       [<ffffffff8155b11a>] SyS_getdents+0x14a/0x270 fs/readdir.c:196
       [<ffffffff83773edf>] entry_SYSCALL_64_fastpath+0x1c/0x98

       [<ffffffff8123ab1f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [<ffffffff8123ab1f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [<ffffffff8123ab1f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [<ffffffff8123ab1f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
       [<ffffffff8123d7be>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
       [<ffffffff8376a92b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8376a92b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621
       [<ffffffff81463491>] shmem_file_llseek+0xf1/0x240 mm/shmem.c:1816
       [<ffffffff8151c642>] vfs_llseek+0xa2/0xd0 fs/read_write.c:260
       [<ffffffff82c61ae7>] ashmem_llseek+0xe7/0x1f0 drivers/staging/android/ashmem.c:342
       [<ffffffff8151e44b>] vfs_llseek fs/read_write.c:260 [inline]
       [<ffffffff8151e44b>] SYSC_lseek fs/read_write.c:285 [inline]
       [<ffffffff8151e44b>] SyS_lseek+0xeb/0x170 fs/read_write.c:276
       [<ffffffff83773edf>] entry_SYSCALL_64_fastpath+0x1c/0x98

other info that might help us debug this:

Chain exists of:
 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(ashmem_mutex);
                               lock(&mm->mmap_sem);
                               lock(ashmem_mutex);
  lock(&sb->s_type->i_mutex_key#10);

 *** DEADLOCK ***

1 lock held by syzkaller539241/4046:
 #0:  (ashmem_mutex){+.+.+.}, at: [<ffffffff82c61a56>] ashmem_llseek+0x56/0x1f0 drivers/staging/android/ashmem.c:330

stack backtrace:
CPU: 0 PID: 4046 Comm: syzkaller539241 Not tainted 4.4.114-ga81d322 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 929849d1f523ab01 ffff8800b9777ad8 ffffffff81d0394d
 ffffffff851a0240 ffffffff851a9f30 ffffffff851be9f0 ffff8801d729e8f8
 ffff8801d729e000 ffff8800b9777b20 ffffffff81233b91 ffff8801d729e8f8
Call Trace:
 [<ffffffff81d0394d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0394d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81233b91>] print_circular_bug+0x271/0x310 kernel/locking/lockdep.c:1226
 [<ffffffff8123ab1f>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [<ffffffff8123ab1f>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [<ffffffff8123ab1f>] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [<ffffffff8123ab1f>] __lock_acquire+0x371f/0x4b50 kernel/locking/lockdep.c:3213
 [<ffffffff8123d7be>] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592
 [<ffffffff8376a92b>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [<ffffffff8376a92b>] mutex_lock_nested+0xbb/0x850 kernel/locking/mutex.c:621