Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 31.901140] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.203059] kauditd_printk_skb: 9 callbacks suppressed
[ 32.203068] audit: type=1400 audit(1566895760.371:35): avc: denied { map } for pid=6931 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 32.260744] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.812395] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.998968] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
[ 38.496307] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.612534] audit: type=1400 audit(1566895766.781:36): avc: denied { map } for pid=6944 comm="syz-executor614" path="/root/syz-executor614932211" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 38.617209] executing program
[ 38.639106] audit: type=1400 audit(1566895766.781:37): avc: denied { map } for pid=6944 comm="syz-executor614" path="/dev/ashmem" dev="devtmpfs" ino=14678 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[ 38.640574] ======================================================
[ 38.640576] WARNING: possible circular locking dependency detected
[ 38.640581] 4.14.140 #36 Not tainted
[ 38.640582] ------------------------------------------------------
[ 38.640585] syz-executor614/6944 is trying to acquire lock:
[ 38.640587]  (sb_writers#6){.+.+}, at: [] vfs_fallocate+0x5d1/0x7a0
[ 38.640613]
[ 38.640613] but task is already holding lock:
[ 38.708062]  (ashmem_mutex){+.+.}, at: [] ashmem_shrink_scan+0x56/0x420
[ 38.716389]
[ 38.716389] which lock already depends on the new lock.
[ 38.716389]
[ 38.724692]
[ 38.724692] the existing dependency chain (in reverse order) is:
[ 38.732289]
[ 38.732289] -> #2 (ashmem_mutex){+.+.}:
[ 38.737832]        lock_acquire+0x16f/0x430
[ 38.742140]        __mutex_lock+0xe8/0x1470
[ 38.746454]        mutex_lock_nested+0x16/0x20
[ 38.751014]        ashmem_mmap+0x55/0x490
[ 38.755137]        mmap_region+0x852/0x1030
[ 38.759430]        do_mmap+0x5b8/0xcd0
[ 38.763380]        vm_mmap_pgoff+0x17a/0x1d0
[ 38.767790]        SyS_mmap_pgoff+0x3ca/0x520
[ 38.772274]        SyS_mmap+0x16/0x20
[ 38.776048]        do_syscall_64+0x1e8/0x640
[ 38.780434]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.786123]
[ 38.786123] -> #1 (&mm->mmap_sem){++++}:
[ 38.791646]        lock_acquire+0x16f/0x430
[ 38.795945]        __might_fault+0x143/0x1d0
[ 38.800356]        _copy_from_user+0x2c/0x110
[ 38.804827]        setxattr+0x153/0x350
[ 38.808772]        path_setxattr+0x11f/0x140
[ 38.813438]        SyS_lsetxattr+0x38/0x50
[ 38.817673]        do_syscall_64+0x1e8/0x640
[ 38.822095]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.827785]
[ 38.827785] -> #0 (sb_writers#6){.+.+}:
[ 38.833222]        __lock_acquire+0x2cb3/0x4620
[ 38.837870]        lock_acquire+0x16f/0x430
[ 38.842168]        __sb_start_write+0x1ae/0x2f0
[ 38.846813]        vfs_fallocate+0x5d1/0x7a0
[ 38.851199]        ashmem_shrink_scan+0x181/0x420
[ 38.856012]        ashmem_ioctl+0x28f/0xf10
[ 38.860312]        do_vfs_ioctl+0x7ae/0x1060
[ 38.864692]        SyS_ioctl+0x8f/0xc0
[ 38.868557]        do_syscall_64+0x1e8/0x640
[ 38.872942]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.878636]
[ 38.878636] other info that might help us debug this:
[ 38.878636]
[ 38.886769] Chain exists of:
[ 38.886769]   sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex
[ 38.886769]
[ 38.896996]  Possible unsafe locking scenario:
[ 38.896996]
[ 38.903029]        CPU0                    CPU1
[ 38.907669]        ----                    ----
[ 38.912307]   lock(ashmem_mutex);
[ 38.915733]                                lock(&mm->mmap_sem);
[ 38.921781]                                lock(ashmem_mutex);
[ 38.927757]   lock(sb_writers#6);
[ 38.931190]
[ 38.931190]  *** DEADLOCK ***
[ 38.931190]
[ 38.937224] 1 lock held by syz-executor614/6944:
[ 38.942023]  #0:  (ashmem_mutex){+.+.}, at: []
ashmem_shrink_scan+0x56/0x420
[ 38.950766]
[ 38.950766] stack backtrace:
[ 38.955253] CPU: 0 PID: 6944 Comm: syz-executor614 Not tainted 4.14.140 #36
[ 38.962326] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.971680] Call Trace:
[ 38.974349]  dump_stack+0x138/0x197
[ 38.978133]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 38.983480]  __lock_acquire+0x2cb3/0x4620
[ 38.987604]  ? trace_hardirqs_on+0x10/0x10
[ 38.991827]  ? inode_has_perm.isra.0+0x15c/0x1e0
[ 38.996558]  lock_acquire+0x16f/0x430
[ 39.000338]  ? vfs_fallocate+0x5d1/0x7a0
[ 39.004374]  __sb_start_write+0x1ae/0x2f0
[ 39.008496]  ? vfs_fallocate+0x5d1/0x7a0
[ 39.012531]  ? shmem_setattr+0xb80/0xb80
[ 39.016565]  vfs_fallocate+0x5d1/0x7a0
[ 39.020430]  ashmem_shrink_scan+0x181/0x420
[ 39.024731]  ashmem_ioctl+0x28f/0xf10
[ 39.028517]  ? ashmem_shrink_scan+0x420/0x420
[ 39.033006]  ? __might_sleep+0x93/0xb0
[ 39.036892]  ? ashmem_shrink_scan+0x420/0x420
[ 39.041402]  do_vfs_ioctl+0x7ae/0x1060
[ 39.052397]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 39.057149]  ? ioctl_preallocate+0x1c0/0x1c0
[ 39.061541]  ? fput+0xd4/0x150
[ 39.064712]  ? security_file_ioctl+0x7d/0xb0
[ 39.069111]  ? security_file_ioctl+0x89/0xb0
[ 39.073506]  SyS_ioctl+0x8f/0xc0
[ 39.076855]  ? do_vfs_ioctl+0x1060/0x1060
[ 39.080987]  do_syscall_64+0x1e8/0x640
[ 39.084854]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.089692]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 39.094982] RIP: 0033:0x4401c9
[ 39.098159] RSP: 002b:00007ffd5a4bfc28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 39.105844] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
[ 39.113100] RDX: 0