[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 13.608574] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.092845] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.382616] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.867158] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts.
[ 24.463432] urandom_read: 1 callbacks suppressed
[ 24.463435] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.548005]
[ 24.549658] ======================================================
[ 24.555964] [ INFO: possible circular locking dependency detected ]
[ 24.562367] 4.9.119-g9dc978d #23 Not tainted
[ 24.566757] -------------------------------------------------------
[ 24.573146] syz-executor762/3793 is trying to acquire lock:
[ 24.578838]  (&sb->s_type->i_mutex_key#10){++++++}, at: [] shmem_fallocate+0x13c/0xb40
[ 24.589229] but task is already holding lock:
[ 24.594020]  (ashmem_mutex){+.+.+.}, at: [] ashmem_shrink_scan+0x55/0x3a0
[ 24.602942] which lock already depends on the new lock.
[ 24.602942]
[ 24.609942]
[ 24.609942] the existing dependency chain (in reverse order) is:
[ 24.617547] -> #2 (ashmem_mutex){+.+.+.}:
[ 24.622494]    lock_acquire+0x130/0x3e0
[ 24.626808]    mutex_lock_nested+0xc0/0x870
[ 24.631464]    ashmem_mmap+0x53/0x3f0
[ 24.635598]    mmap_region+0x893/0x1040
[ 24.639906]    do_mmap+0x59c/0xcc0
[ 24.643777]    vm_mmap_pgoff+0x168/0x1b0
[ 24.648175]    SyS_mmap_pgoff+0x342/0x550
[ 24.652659]    SyS_mmap+0x16/0x20
[ 24.656445]    do_syscall_64+0x1a6/0x490
[ 24.660840]    entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.666446] -> #1 (&mm->mmap_sem){++++++}:
[ 24.671372]    lock_acquire+0x130/0x3e0
[ 24.675683]    __might_fault+0x14a/0x1d0
[ 24.680076]    filldir+0x1a4/0x370
[ 24.683949]    dcache_readdir+0x130/0x5d0
[ 24.688431]    iterate_dir+0x1ac/0x600
[ 24.692653]    SyS_getdents+0x13c/0x2a0
[ 24.696964]    do_syscall_64+0x1a6/0x490
[ 24.701502]    entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.707111] -> #0 (&sb->s_type->i_mutex_key#10){++++++}:
[ 24.713510]    __lock_acquire+0x3019/0x4070
[ 24.718168]    lock_acquire+0x130/0x3e0
[ 24.722492]    down_write+0x41/0xa0
[ 24.726582]    shmem_fallocate+0x13c/0xb40
[ 24.731311]    ashmem_shrink_scan+0x1bd/0x3a0
[ 24.736142]    ashmem_ioctl+0x2c1/0xf20
[ 24.740450]    do_vfs_ioctl+0x1ac/0x11a0
[ 24.744844]    SyS_ioctl+0x8f/0xc0
[ 24.748718]    do_syscall_64+0x1a6/0x490
[ 24.753199]    entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 24.758813]
[ 24.758813] other info that might help us debug this:
[ 24.758813]
[ 24.766941] Chain exists of:
  &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex

[ 24.776922] Possible unsafe locking scenario:
[ 24.776922]
[ 24.782964]        CPU0                    CPU1
[ 24.787813]        ----                    ----
[ 24.792480]   lock(ashmem_mutex);
[ 24.796179]                                lock(&mm->mmap_sem);
[ 24.802620]                                lock(ashmem_mutex);
[ 24.808835]   lock(&sb->s_type->i_mutex_key#10);
[ 24.813959]
[ 24.813959]  *** DEADLOCK ***
[ 24.813959]
[ 24.820008] 1 lock held by syz-executor762/3793:
[ 24.824822]  #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_shrink_scan+0x55/0x3a0
[ 24.834289]
[ 24.834289] stack backtrace:
[ 24.838852] CPU: 1 PID: 3793 Comm: syz-executor762 Not tainted 4.9.119-g9dc978d #23
[ 24.846635] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.855976] ffff8801b6b5f638 ffffffff81eb4be9 ffffffff855d09d0 ffffffff855ef330
[ 24.864101] ffffffff855d81a0 ffff8801b82138e8 ffff8801b8213000 ffff8801b6b5f680
[ 24.872236] ffffffff81426644 0000000000000001 00000000b8213000 0000000000000001
[ 24.880324] Call Trace:
[ 24.882899] [] dump_stack+0xc1/0x128
[ 24.888254] [] print_circular_bug.cold.51+0x1bd/0x27d
[ 24.895107] [] __lock_acquire+0x3019/0x4070
[ 24.901316] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.908324] [] ? __lock_is_held+0xa2/0xf0
[ 24.914288] [] lock_acquire+0x130/0x3e0
[ 24.919906] [] ? shmem_fallocate+0x13c/0xb40
[ 24.925969] [] down_write+0x41/0xa0
[ 24.931237] [] ? shmem_fallocate+0x13c/0xb40
[ 24.937301] [] shmem_fallocate+0x13c/0xb40
[ 24.943174] [] ? avc_has_perm_noaudit+0x2ad/0x450
[ 24.949885] [] ? avc_has_perm_noaudit+0xa3/0x450
[ 24.956300] [] ? shmem_setattr+0x9a0/0x9a0
[ 24.962176] [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.969177] [] ? new_slab+0x303/0x3d0
[ 24.974616] [] ? range_alloc+0x36/0x240
[ 24.980225] [] ? cred_has_capability+0x14e/0x2e0
[ 24.986617] [] ? selinux_ipv4_output+0x40/0x40
[ 24.992837] [] ? mark_held_locks+0xc7/0x130
[ 24.998934] [] ? mutex_trylock+0x25a/0x3e0
[ 25.005024] [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 25.011992] [] ? trace_hardirqs_on+0xd/0x10
[ 25.017959] [] ? ashmem_shrink_scan+0x55/0x3a0
[ 25.024176] [] ashmem_shrink_scan+0x1bd/0x3a0
[ 25.030326] [] ashmem_ioctl+0x2c1/0xf20
[ 25.036026] [] ? get_name+0x230/0x230
[ 25.041470] [] ? __might_sleep+0x95/0x1a0
[ 25.047260] [] ? get_name+0x230/0x230
[ 25.052720] [] do_vfs_ioctl+0x1ac/0x11a0
[ 25.058420] [] ? ioctl_preallocate+0x220/0x220
[ 25.064644] [] ? selinux_capable+0x40/0x40
[ 25.070529] [] ? __kmalloc+0x7a/0x300
[ 25.075969] [] ? __do_page_fault+0x5dd/0xd50
[ 25.082022] [] ? security_file_ioctl+0x8f/0xc0
[ 25.088365] [] SyS_ioctl+0x8f/0xc0
[ 25.093667] [] ? do_vfs_ioctl+0x11a0/0x11a0
[ 25.099