[ 34.885275] audit: type=1800 audit(1562241901.563:33): pid=6917 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.912302] audit: type=1800 audit(1562241901.563:34): pid=6917 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 37.453236] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.781375] audit: type=1400 audit(1562241904.463:35): avc: denied { map } for pid=7089 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.825216] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.448864] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.654363] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
[ 44.230101] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.354996] audit: type=1400 audit(1562241911.033:36): avc: denied { map } for pid=7101 comm="syz-executor029" path="/root/syz-executor029709994" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.358013]
[ 44.382941] ======================================================
[ 44.389233] WARNING: possible circular locking dependency detected
[ 44.395534] 4.14.132 #26 Not tainted
[ 44.399266] ------------------------------------------------------
[ 44.405581] syz-executor029/7101 is trying to acquire lock:
[ 44.411269] (&bdev->bd_mutex){+.+.}, at: [] blkdev_reread_part+0x1f/0x40
[ 44.419750]
[ 44.419750] but task is already holding lock:
[ 44.425723] (&nbd->config_lock){+.+.}, at: [] nbd_ioctl+0x134/0xae0
[ 44.434412]
[ 44.434412] which lock already depends on the new lock.
[ 44.434412]
[ 44.442709]
[ 44.442709] the existing dependency chain (in reverse order) is:
[ 44.450331]
[ 44.450331] -> #2 (&nbd->config_lock){+.+.}:
[ 44.456233] lock_acquire+0x16f/0x430
[ 44.460542] __mutex_lock+0xe8/0x1470
[ 44.464842] mutex_lock_nested+0x16/0x20
[ 44.469403] nbd_open+0xf2/0x1f0
[ 44.473274] __blkdev_get+0x2c7/0x1120
[ 44.477685] blkdev_get+0xa8/0x8e0
[ 44.481730] blkdev_open+0x1d1/0x260
[ 44.485946] do_dentry_open+0x73b/0xeb0
[ 44.490421] vfs_open+0x105/0x220
[ 44.494376] path_openat+0x8bd/0x3f70
[ 44.498676] do_filp_open+0x18e/0x250
[ 44.502977] do_sys_open+0x2c5/0x430
[ 44.507189] SyS_open+0x2d/0x40
[ 44.511012] do_syscall_64+0x1e8/0x640
[ 44.515478] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.521167]
[ 44.521167] -> #1 (nbd_index_mutex){+.+.}:
[ 44.526866] lock_acquire+0x16f/0x430
[ 44.531169] __mutex_lock+0xe8/0x1470
[ 44.535471] mutex_lock_nested+0x16/0x20
[ 44.540040] nbd_open+0x27/0x1f0
[ 44.543930] __blkdev_get+0x2c7/0x1120
[ 44.548326] blkdev_get+0xa8/0x8e0
[ 44.552385] blkdev_open+0x1d1/0x260
[ 44.556618] do_dentry_open+0x73b/0xeb0
[ 44.561094] vfs_open+0x105/0x220
[ 44.565046] path_openat+0x8bd/0x3f70
[ 44.569344] do_filp_open+0x18e/0x250
[ 44.573648] do_sys_open+0x2c5/0x430
[ 44.577860] SyS_open+0x2d/0x40
[ 44.581750] do_syscall_64+0x1e8/0x640
[ 44.586141] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.591848]
[ 44.591848] -> #0 (&bdev->bd_mutex){+.+.}:
[ 44.597552] __lock_acquire+0x2c89/0x45e0
[ 44.602203] lock_acquire+0x16f/0x430
[ 44.606506] __mutex_lock+0xe8/0x1470
[ 44.610810] mutex_lock_nested+0x16/0x20
[ 44.615392] blkdev_reread_part+0x1f/0x40
[ 44.620048] nbd_ioctl+0x801/0xae0
[ 44.624115] blkdev_ioctl+0x96b/0x1860
[ 44.628517] block_ioctl+0xde/0x120
[ 44.632652] do_vfs_ioctl+0x7ae/0x1060
[ 44.637040] SyS_ioctl+0x8f/0xc0
[ 44.640908] do_syscall_64+0x1e8/0x640
[ 44.645304] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.650990]
[ 44.650990] other info that might help us debug this:
[ 44.650990]
[ 44.659124] Chain exists of:
[ 44.659124] &bdev->bd_mutex --> nbd_index_mutex --> &nbd->config_lock
[ 44.659124]
[ 44.670207] Possible unsafe locking scenario:
[ 44.670207]
[ 44.676244]        CPU0                    CPU1
[ 44.680917]        ----                    ----
[ 44.685580]   lock(&nbd->config_lock);
[ 44.689450]                                lock(nbd_index_mutex);
[ 44.695663]                                lock(&nbd->config_lock);
[ 44.702057]   lock(&bdev->bd_mutex);
[ 44.705749]
[ 44.705749] *** DEADLOCK ***
[ 44.705749]
[ 44.711819] 1 lock held by syz-executor029/7101:
[ 44.716551] #0: (&nbd->config_lock){+.+.}, at: [] nbd_ioctl+0x134/0xae0
[ 44.725056]
[ 44.725056] stack backtrace:
[ 44.729538] CPU: 1 PID: 7101 Comm: syz-executor029 Not tainted 4.14.132 #26
[ 44.736623] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.745961] Call Trace:
[ 44.748539] dump_stack+0x138/0x19c
[ 44.752156] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 44.757504] __lock_acquire+0x2c89/0x45e0
[ 44.761753] ? is_bpf_text_address+0xa6/0x120
[ 44.766235] ? kernel_text_address+0x73/0xf0
[ 44.770631] ? trace_hardirqs_on+0x10/0x10
[ 44.774851] lock_acquire+0x16f/0x430
[ 44.778633] ? blkdev_reread_part+0x1f/0x40
[ 44.782935] ? blkdev_reread_part+0x1f/0x40
[ 44.787257] __mutex_lock+0xe8/0x1470
[ 44.791043] ? blkdev_reread_part+0x1f/0x40
[ 44.795344] ? save_trace+0x290/0x290
[ 44.799139] ? blkdev_reread_part+0x1f/0x40
[ 44.803442] ? mutex_trylock+0x1c0/0x1c0
[ 44.807494] ? bd_set_size+0x89/0xb0
[ 44.811186] ? lock_downgrade+0x6e0/0x6e0
[ 44.815316] mutex_lock_nested+0x16/0x20
[ 44.819374] ? mutex_lock_nested+0x16/0x20
[ 44.823590] blkdev_reread_part+0x1f/0x40
[ 44.827740] nbd_ioctl+0x801/0xae0
[ 44.831266] ? kasan_slab_free+0x75/0xc0
[ 44.835334] ? nbd_add_socket+0x5e0/0x5e0
[ 44.839471] ? debug_check_no_obj_freed+0x2aa/0x7b7
[ 44.844497] ? nbd_add_socket+0x5e0/0x5e0
[ 44.848635] blkdev_ioctl+0x96b/0x1860
[ 44.852533] ? blkpg_ioctl+0x980/0x980
[ 44.856416] ? __might_sleep+0x93/0xb0
[ 44.860286] block_ioctl+0xde/0x120
[ 44.863895] ? blkdev_fallocate+0x3b0/0x3b0
[ 44.868197] do_vfs_ioctl+0x7ae/0x1060
[ 44.872086] ? selinux_file_mprotect+0x5d0/0x5d0
[ 44.876845] ? ioctl_preallocate+0x1c0/0x1c0
[ 44.881232] ? putname+0xe0/0x120
[ 44.884667] ? do_sys_open+0x221/0x430
[ 44.888530] ? security_file_ioctl+0x7d/0xb0
[ 44.892917] ? security_file_ioctl+0x89/0xb0
[ 44.897320] SyS_ioctl+0x8f/0xc0
[ 44.900682] ? do_vfs_ioctl+0x1060/0x1060
[ 44.904816] do_syscall_64+0x1e8/0x640
[ 44.908680] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.913509] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.918680] RIP: 0033:0x443df9
[ 44.921849] RSP: 002b:00007ffdd663b558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 44.929559] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443df9
[ 44.937083] RDX: 0000000000000000 RSI: 000000000000ab04 RDI: 0000000000000003
[ 44.944338] RBP: 00000000006ce018 R08: 0000000000000000 R09: 00000000004002e0
[ 44.951592] R10: 000000000000000f R11: 0000000000000246 R12: 000000