[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 24.375225] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
[ 25.367248] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.657227] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.170927] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.360439] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.0' (ECDSA) to the list of known hosts.
[ 32.070948] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 32.174120]
[ 32.175764] ======================================================
[ 32.182076] WARNING: possible circular locking dependency detected
[ 32.188393] 4.19.0-rc1+ #217 Not tainted
[ 32.192434] ------------------------------------------------------
[ 32.198761] syz-executor275/4672 is trying to acquire lock:
[ 32.204455] 0000000073b4270e (&rp->fetch_lock){+.+.}, at: mon_bin_vma_fault+0xdc/0x4a0
[ 32.212540]
[ 32.212540] but task is already holding lock:
[ 32.218493] 00000000985d1e8a (&mm->mmap_sem){++++}, at: __mm_populate+0x31a/0x4d0
[ 32.226109]
[ 32.226109] which lock already depends on the new lock.
[ 32.226109]
[ 32.234404]
[ 32.234404] the existing dependency chain (in reverse order) is:
[ 32.242002]
[ 32.242002] -> #1 (&mm->mmap_sem){++++}:
[ 32.247539]        __might_fault+0x155/0x1e0
[ 32.251933]        _copy_to_user+0x30/0x110
[ 32.256238]        mon_bin_read+0x334/0x650
[ 32.260544]        __vfs_read+0x117/0x9b0
[ 32.264676]        vfs_read+0x17f/0x3c0
[ 32.268632]        ksys_pread64+0x181/0x1b0
[ 32.272939]        __x64_sys_pread64+0x97/0xf0
[ 32.277507]        do_syscall_64+0x1b9/0x820
[ 32.281898]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.287583]
[ 32.287583] -> #0 (&rp->fetch_lock){+.+.}:
[ 32.293290]        lock_acquire+0x1e4/0x4f0
[ 32.297598]        __mutex_lock+0x171/0x1700
[ 32.301987]        mutex_lock_nested+0x16/0x20
[ 32.306555]        mon_bin_vma_fault+0xdc/0x4a0
[ 32.311203]        __do_fault+0xee/0x450
[ 32.315262]        __handle_mm_fault+0x2b4a/0x4350
[ 32.320173]        handle_mm_fault+0x53e/0xc80
[ 32.324738]        __get_user_pages+0x823/0x1b50
[ 32.329494]        populate_vma_page_range+0x2db/0x3d0
[ 32.334755]        __mm_populate+0x286/0x4d0
[ 32.339148]        vm_mmap_pgoff+0x27f/0x2c0
[ 32.343538]        ksys_mmap_pgoff+0x4da/0x660
[ 32.348104]        __x64_sys_mmap+0xe9/0x1b0
[ 32.352504]        do_syscall_64+0x1b9/0x820
[ 32.356910]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.362594]
[ 32.362594] other info that might help us debug this:
[ 32.362594]
[ 32.370714]  Possible unsafe locking scenario:
[ 32.370714]
[ 32.376759]        CPU0                    CPU1
[ 32.381410]        ----                    ----
[ 32.386053]   lock(&mm->mmap_sem);
[ 32.389576]                                lock(&rp->fetch_lock);
[ 32.395808]                                lock(&mm->mmap_sem);
[ 32.401843]   lock(&rp->fetch_lock);
[ 32.405535]
[ 32.405535]  *** DEADLOCK ***
[ 32.405535]
[ 32.411577] 1 lock held by syz-executor275/4672:
[ 32.416568]  #0: 00000000985d1e8a (&mm->mmap_sem){++++}, at: __mm_populate+0x31a/0x4d0
[ 32.424619]
[ 32.424619] stack backtrace:
[ 32.429102] CPU: 1 PID: 4672 Comm: syz-executor275 Not tainted 4.19.0-rc1+ #217
[ 32.436533] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.445866] Call Trace:
[ 32.448444]  dump_stack+0x1c9/0x2b4
[ 32.452072]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.457259]  ? vprintk_func+0x81/0x117
[ 32.461131]  print_circular_bug.isra.34.cold.55+0x1bd/0x27d
[ 32.466824]  ? save_trace+0xe0/0x290
[ 32.470520]  __lock_acquire+0x3449/0x5020
[ 32.474651]  ? __isolate_free_page+0x690/0x690
[ 32.479217]  ? mark_held_locks+0x160/0x160
[ 32.483451]  ? print_usage_bug+0xc0/0xc0
[ 32.487493]  ? __lock_acquire+0x7fc/0x5020
[ 32.491711]  ? print_usage_bug+0xc0/0xc0
[ 32.495773]  ? __lock_acquire+0x7fc/0x5020
[ 32.499999]  ? mark_held_locks+0x160/0x160
[ 32.504221]  ? mark_held_locks+0x160/0x160
[ 32.508451]  ? graph_lock+0x170/0x170
[ 32.512249]  ? mark_held_locks+0x160/0x160
[ 32.516475]  ? print_usage_bug+0xc0/0xc0
[ 32.520540]  lock_acquire+0x1e4/0x4f0
[ 32.524326]  ? mon_bin_vma_fault+0xdc/0x4a0
[ 32.528654]  ? lock_release+0x9f0/0x9f0
[ 32.532616]  ? check_same_owner+0x340/0x340
[ 32.536922]  ? rcu_note_context_switch+0x680/0x680
[ 32.541836]  __mutex_lock+0x171/0x1700
[ 32.545706]  ? mon_bin_vma_fault+0xdc/0x4a0
[ 32.550011]  ? mon_bin_vma_fault+0xdc/0x4a0
[ 32.554345]  ? mutex_trylock+0x2b0/0x2b0
[ 32.558390]  ? mark_held_locks+0x160/0x160
[ 32.562606]  ? lock_downgrade+0x8f0/0x8f0
[ 32.566738]  ? trace_hardirqs_off+0xb8/0x2b0
[ 32.571129]  ? kasan_check_read+0x11/0x20
[ 32.575259]  ? print_usage_bug+0xc0/0xc0
[ 32.579302]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 32.583693]  ? kasan_check_write+0x14/0x20
[ 32.587910]  ? do_raw_spin_lock+0xc1/0x200
[ 32.592128]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 32.597215]  ? print_usage_bug+0xc0/0xc0
[ 32.601257]  ? graph_lock+0x170/0x170
[ 32.605045]  ? print_usage_bug+0xc0/0xc0
[ 32.609087]  ? __lock_acquire+0x7fc/0x5020
[ 32.613303]  ? graph_lock+0x170/0x170
[ 32.617085]  ? kasan_slab_free+0xe/0x10
[ 32.621047]  ? print_usage_bug+0xc0/0xc0
[ 32.625110]  ? __lock_acquire+0x7fc/0x5020
[ 32.629334]  mutex_lock_nested+0x16/0x20
[ 32.633378]  ? mutex_lock_nested+0x16/0x20
[ 32.637598]  mon_bin_vma_fault+0xdc/0x4a0
[ 32.641730]  ? kasan_check_read+0x11/0x20
[ 32.645861]  ? mon_alloc_buff+0x200/0x200
[ 32.649994]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 32.654648]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 32.659653]  ? vma_compute_subtree_gap+0x160/0x240
[ 32.664565]  ? vma_gap_callbacks_rotate+0x62/0x80
[ 32.669388]  __do_fault+0xee/0x450
[ 32.672914]  ? vma_compute_subtree_gap+0x240/0x240
[ 32.677826]  ? pmd_devmap_trans_unstable+0x1d0/0x1d0
[ 32.682914]  ? __save_stack_trace+0x8d/0xf0
[ 32.687221]  ? pud_val+0x88/0x100
[ 32.690656]  ? pmd_val+0x100/0x100
[ 32.694181]  __handle_mm_fault+0x2b4a/0x4350
[ 32.698572]  ? vmf_insert_mixed_mkwrite+0xa0/0xa0
[ 32.703397]  ? graph_lock+0x170/0x170
[ 32.707186]  ? lock_downgrade+0x8f0/0x8f0
[ 32.711313]  ? handle_mm_fault+0x8c4/0xc80
[ 32.715529]  ? handle_mm_fault+0x8c4/0xc80
[ 32.719746]  ? kasan_check_read+0x11/0x20
[ 32.723877]  ? rcu_is_watching+0x8c/0x150
[ 32.728007]  ? __get_user_pages+0x823/0x1b50
[ 32.732403]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 32.737058]  handle_mm_fault+0x53e/0xc80
[ 32.741102]  ? __handle_mm_fault+0x4350/0x4350
[ 32.745669]  ? check_same_owner+0x340/0x340
[ 32.749973]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 32.754973]  __get_user_pages+0x823/0x1b50
[ 32.759192]  ? follow_page_mask+0x1e30/0x1e30
[ 32.763671]  ? lock_acquire+0x1e4/0x4f0
[ 32.767629]  ? __mm_populate+0x31a/0x4d0
[ 32.771677]  ? lock_release+0x9f0/0x9f0
[ 32.775642]  ? check_same_owner+0x340/0x340
[ 32.779958]  ? rcu_note_context_switch+0x680/0x680
[ 32.784874]  populate_vma_page_range+0x2db/0x3d0
[ 32.789615]  ? get_user_pages_unlocked+0x5d0/0x5d0
[ 32.794528]  ? find_vma+0x34/0x190
[ 32.798055]  __mm_populate+0x286/0x4d0
[ 32.801926]  ? populate_vma_page_range+0x3d0/0x3d0
[ 32.806839]  ? down_read_killable+0x200/0x200
[ 32.811318]  ? security_mmap_file+0x176/0x1c0
[ 32.815804]  vm_mmap_pgoff+0x27f/0x2c0
[ 32.819690]  ? vma_is_stack_for_current+0xd0/0xd0
[ 32.824529]  ? sockfd_lookup_light+0xc5/0x160
[ 32.829012]  ksys_mmap_pgoff+0x4da/0x660
[ 32.833065]  ? do_syscall_64+0x9a/0x820
[ 32.837022]  ? find_mergeable_anon_vma+0xd0/0xd0
[ 32.841768]  ? trace_hardirqs_on+0xbd/0x2c0
[ 32.846076]  ? filp_open+0x80/0x80
[ 32.849600]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.854944]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 32.860041]  __x64_sys_mmap+0xe9/0x1b0
[ 32.863916]  do_syscall_64+0x1b9/0x820
[ 32.867784]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 32.873135]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 32.878054]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.882877]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 32.887876]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 32.892878]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.897705]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.902872] RIP: 0033:0x443e29
[ 32.906053] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 32.924933] RSP: 002b:0000