[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   13.076887] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.883411] random: sshd: uninitialized urandom read (32 bytes read)
[   20.340424] random: sshd: uninitialized urandom read (32 bytes read)
[   20.813288] random: sshd: uninitialized urandom read (32 bytes read)
[   20.961496] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.35' (ECDSA) to the list of known hosts.
[   26.506821] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   26.594890] 
[   26.596548] ======================================================
[   26.602904] WARNING: possible circular locking dependency detected
[   26.609196] 4.14.67+ #1 Not tainted
[   26.612807] ------------------------------------------------------
[   26.619100] syz-executor947/1975 is trying to acquire lock:
[   26.624779]  (&sb->s_type->i_mutex_key#11){++++}, at: [<ffffffffb688a759>] shmem_fallocate+0x149/0xb20
[   26.634209] 
[   26.634209] but task is already holding lock:
[   26.640152]  (ashmem_mutex){+.+.}, at: [<ffffffffb75ec9b2>] ashmem_shrink_scan+0x52/0x4e0
[   26.648449] 
[   26.648449] which lock already depends on the new lock.
[   26.648449] 
[   26.656740] 
[   26.656740] the existing dependency chain (in reverse order) is:
[   26.664331] 
[   26.664331] -> #2 (ashmem_mutex){+.+.}:
[   26.669767]        __mutex_lock+0xf5/0x1480
[   26.674067]        ashmem_mmap+0x4c/0x3b0
[   26.678191]        mmap_region+0x836/0xfb0
[   26.682401]        do_mmap+0x551/0xb80
[   26.686333]        vm_mmap_pgoff+0x180/0x1d0
[   26.690720]        SyS_mmap_pgoff+0xf8/0x1a0
[   26.695103]        do_syscall_64+0x19b/0x4b0
[   26.699485]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.705162] 
[   26.705162] -> #1 (&mm->mmap_sem){++++}:
[   26.710679]        __might_fault+0x137/0x1b0
[   26.715109]        _copy_to_user+0x27/0xc0
[   26.719329]        filldir+0x192/0x340
[   26.723195]        dcache_readdir+0x12f/0x5d0
[   26.727776]        iterate_dir+0x19f/0x5e0
[   26.731988]        SyS_getdents+0x146/0x270
[   26.736282]        do_syscall_64+0x19b/0x4b0
[   26.740775]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.746455] 
[   26.746455] -> #0 (&sb->s_type->i_mutex_key#11){++++}:
[   26.753192]        lock_acquire+0x10f/0x380
[   26.757486]        down_write+0x34/0x90
[   26.761435]        shmem_fallocate+0x149/0xb20
[   26.765988]        ashmem_shrink_scan+0x1b6/0x4e0
[   26.770801]        ashmem_ioctl+0x2cc/0xe20
[   26.775181]        do_vfs_ioctl+0x1a0/0x1030
[   26.779641]        SyS_ioctl+0x7e/0xb0
[   26.783517]        do_syscall_64+0x19b/0x4b0
[   26.787898]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   26.793576] 
[   26.793576] other info that might help us debug this:
[   26.793576] 
[   26.801754] Chain exists of:
[   26.801754]   &sb->s_type->i_mutex_key#11 --> &mm->mmap_sem --> ashmem_mutex
[   26.801754] 
[   26.813271]  Possible unsafe locking scenario:
[   26.813271] 
[   26.819303]        CPU0                    CPU1
[   26.823944]        ----                    ----
[   26.828586]   lock(ashmem_mutex);
[   26.832014]                                lock(&mm->mmap_sem);
[   26.838044]                                lock(ashmem_mutex);
[   26.843988]   lock(&sb->s_type->i_mutex_key#11);
[   26.848715] 
[   26.848715]  *** DEADLOCK ***
[   26.848715] 
[   26.854747] 1 lock held by syz-executor947/1975:
[   26.859470]  #0:  (ashmem_mutex){+.+.}, at: [<ffffffffb75ec9b2>] ashmem_shrink_scan+0x52/0x4e0
[   26.868199] 
[   26.868199] stack backtrace:
[   26.872885] CPU: 0 PID: 1975 Comm: syz-executor947 Not tainted 4.14.67+ #1
[   26.879867] Call Trace:
[   26.882436]  dump_stack+0xb9/0x11b
[   26.885962]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[   26.891660]  ? save_trace+0xd6/0x250
[   26.895350]  __lock_acquire+0x2ff9/0x4320
[   26.899471]  ? trace_hardirqs_on+0x10/0x10
[   26.903682]  ? __lock_acquire+0x619/0x4320
[   26.907889]  ? lock_downgrade+0x560/0x560
[   26.912008]  ? lock_acquire+0x10f/0x380
[   26.915958]  ? trace_hardirqs_on+0x10/0x10
[   26.920266]  ? depot_save_stack+0x20a/0x428
[   26.924674]  lock_acquire+0x10f/0x380
[   26.928453]  ? shmem_fallocate+0x149/0xb20
[   26.932670]  down_write+0x34/0x90
[   26.936228]  ? shmem_fallocate+0x149/0xb20
[   26.940547]  shmem_fallocate+0x149/0xb20
[   26.944586]  ? avc_has_perm_noaudit+0x17c/0x300
[   26.949231]  ? shmem_setattr+0x790/0x790
[   26.953269]  ? avc_has_perm_noaudit+0x1a3/0x300
[   26.957927]  ? avc_has_extended_perms+0xd50/0xd50
[   26.962750]  ? new_slab+0x25f/0x470
[   26.966352]  ? lock_acquire+0x10f/0x380
[   26.970304]  ? ashmem_shrink_scan+0x52/0x4e0
[   26.974689]  ? mutex_trylock+0x15c/0x1a0
[   26.978737]  ashmem_shrink_scan+0x1b6/0x4e0
[   26.983032]  ashmem_ioctl+0x2cc/0xe20
[   26.986808]  ? ashmem_shrink_scan+0x4e0/0x4e0
[   26.991393]  ? __lru_cache_add+0x174/0x250
[   26.995603]  ? __handle_mm_fault+0x657/0x23a0
[   27.000073]  ? ashmem_shrink_scan+0x4e0/0x4e0
[   27.004665]  do_vfs_ioctl+0x1a0/0x1030
[   27.008533]  ? ioctl_preallocate+0x1d0/0x1d0
[   27.012917]  ? selinux_parse_skb.constprop.42+0x1a90/0x1a90
[   27.018636]  ? __do_page_fault+0x485/0xb60
[   27.022867]  ? lock_downgrade+0x4fb/0x560
[   27.026989]  ? security_file_ioctl+0x7c/0xb0
[   27.031376]  SyS_ioctl+0x7e/0xb0
[   27.034717]  ? do_vfs_ioctl+0x1030/0x1030
[   27.038910]  do_syscall_64+0x19b/0x4b0
[   27.042783]  entry_SYSCALL_64_after_hwframe+0