[ 42.943324] audit: type=1800 audit(1556068042.212:29): pid=7658 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[ 42.973322] audit: type=1800 audit(1556068042.212:30): pid=7658 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.197' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 52.177141] kauditd_printk_skb: 5 callbacks suppressed
[ 52.177156] audit: type=1400 audit(1556068051.442:36): avc: denied { map } for pid=7842 comm="syz-executor383" path="/root/syz-executor383642336" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 52.195124]
[ 52.209553] audit: type=1400 audit(1556068051.462:37): avc: denied { map } for pid=7842 comm="syz-executor383" path="/dev/usbmon0" dev="devtmpfs" ino=16565 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
[ 52.210673] ======================================================
[ 52.242569] WARNING: possible circular locking dependency detected
[ 52.248885] 4.19.36 #4 Not tainted
[ 52.252402] ------------------------------------------------------
[ 52.258739] syz-executor383/7843 is trying to acquire lock:
[ 52.264462] 00000000213b1139 (&mm->mmap_sem){++++}, at: __might_fault+0xfb/0x1e0
[ 52.280682]
[ 52.280682] but task is already holding lock:
[ 52.286644] 000000000ce618cf (&rp->fetch_lock){+.+.}, at: mon_bin_get_event+0x3c/0x450
[ 52.294711]
[ 52.294711] which lock already depends on the new lock.
[ 52.294711]
[ 52.303020]
[ 52.303020] the existing dependency chain (in reverse order) is:
[ 52.314708]
[ 52.314708] -> #1 (&rp->fetch_lock){+.+.}:
[ 52.320640]        __mutex_lock+0xf7/0x1300
[ 52.324946]        mutex_lock_nested+0x16/0x20
[ 52.329530]        mon_bin_vma_fault+0x73/0x2d0
[ 52.334185]        __do_fault+0x116/0x480
[ 52.338343]        __handle_mm_fault+0xf72/0x3f80
[ 52.343173]        handle_mm_fault+0x43f/0xb30
[ 52.347751]        __get_user_pages+0x609/0x1770
[ 52.352510]        populate_vma_page_range+0x20d/0x2a0
[ 52.357791]        __mm_populate+0x204/0x380
[ 52.362288]        vm_mmap_pgoff+0x213/0x230
[ 52.366694]        ksys_mmap_pgoff+0x4aa/0x630
[ 52.371266]        __x64_sys_mmap+0xe9/0x1b0
[ 52.375658]        do_syscall_64+0x103/0x610
[ 52.380086]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.385777]
[ 52.385777] -> #0 (&mm->mmap_sem){++++}:
[ 52.391315]        lock_acquire+0x16f/0x3f0
[ 52.395618]        __might_fault+0x15e/0x1e0
[ 52.400014]        _copy_to_user+0x30/0x120
[ 52.404319]        mon_bin_get_event+0x117/0x450
[ 52.409058]        mon_bin_ioctl+0xacf/0xc80
[ 52.413454]        do_vfs_ioctl+0xd6e/0x1390
[ 52.417848]        ksys_ioctl+0xab/0xd0
[ 52.421810]        __x64_sys_ioctl+0x73/0xb0
[ 52.426208]        do_syscall_64+0x103/0x610
[ 52.430688]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.436379]
[ 52.436379] other info that might help us debug this:
[ 52.436379]
[ 52.444522]  Possible unsafe locking scenario:
[ 52.444522]
[ 52.450561]        CPU0                    CPU1
[ 52.455221]        ----                    ----
[ 52.459870]   lock(&rp->fetch_lock);
[ 52.463564]                                lock(&mm->mmap_sem);
[ 52.469770]                                lock(&rp->fetch_lock);
[ 52.475983]   lock(&mm->mmap_sem);
[ 52.479512]
[ 52.479512]  *** DEADLOCK ***
[ 52.479512]
[ 52.485558] 1 lock held by syz-executor383/7843:
[ 52.490464]  #0: 000000000ce618cf (&rp->fetch_lock){+.+.}, at: mon_bin_get_event+0x3c/0x450
[ 52.498966]
[ 52.498966] stack backtrace:
[ 52.503452] CPU: 1 PID: 7843 Comm: syz-executor383 Not tainted 4.19.36 #4
[ 52.510985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.521094] Call Trace:
[ 52.523702]  dump_stack+0x172/0x1f0
[ 52.527320]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 52.532693]  __lock_acquire+0x2e6d/0x48f0
[ 52.536831]  ? mark_held_locks+0x100/0x100
[ 52.541054]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 52.546170]  ? __lock_is_held+0xb6/0x140
[ 52.550249]  lock_acquire+0x16f/0x3f0
[ 52.554057]  ? __might_fault+0xfb/0x1e0
[ 52.558018]  __might_fault+0x15e/0x1e0
[ 52.561909]  ? __might_fault+0xfb/0x1e0
[ 52.565871]  _copy_to_user+0x30/0x120
[ 52.569682]  mon_bin_get_event+0x117/0x450
[ 52.573930]  mon_bin_ioctl+0xacf/0xc80
[ 52.577804]  ? debug_check_no_obj_freed+0x200/0x464
[ 52.582807]  ? mon_bin_get_event+0x450/0x450
[ 52.587218]  ? __fget+0x340/0x540
[ 52.590676]  ? __might_sleep+0x95/0x190
[ 52.594820]  ? mon_bin_get_event+0x450/0x450
[ 52.599319]  do_vfs_ioctl+0xd6e/0x1390
[ 52.603347]  ? selinux_file_ioctl+0x46f/0x5e0
[ 52.607842]  ? selinux_file_ioctl+0x125/0x5e0
[ 52.612343]  ? ioctl_preallocate+0x210/0x210
[ 52.616741]  ? selinux_file_mprotect+0x620/0x620
[ 52.621636]  ? iterate_fd+0x360/0x360
[ 52.625535]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.631067]  ? security_file_ioctl+0x93/0xc0
[ 52.635508]  ksys_ioctl+0xab/0xd0
[ 52.638973]  __x64_sys_ioctl+0x73/0xb0
[ 52.642866]  do_syscall_64+0x103/0x610
[ 52.646749]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.651937] RIP: 0033:0x449749
[ 52.655120] Code: e8 ec b9 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 52.674185] RSP: 002b:00007f6fe9090ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000