[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   23.192364] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.174614] random: sshd: uninitialized urandom read (32 bytes read)
[   26.868723] random: sshd: uninitialized urandom read (32 bytes read)
[   27.418923] random: sshd: uninitialized urandom read (32 bytes read)
[   27.591686] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
[   33.098963] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.194637] 
[   33.196320] ======================================================
[   33.202620] WARNING: possible circular locking dependency detected
[   33.209016] 4.18.0-rc8+ #182 Not tainted
[   33.213055] ------------------------------------------------------
[   33.219356] syz-executor529/4475 is trying to acquire lock:
[   33.225049] (____ptrval____) (sb_writers#3){.+.+}, at: vfs_fallocate+0x5be/0x8d0
[   33.232583] 
[   33.232583] but task is already holding lock:
[   33.238533] (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[   33.246405] 
[   33.246405] which lock already depends on the new lock.
[   33.246405] 
[   33.254704] 
[   33.254704] the existing dependency chain (in reverse order) is:
[   33.262301] 
[   33.262301] -> #3 (ashmem_mutex){+.+.}:
[   33.267792]        __mutex_lock+0x176/0x1820
[   33.272188]        mutex_lock_nested+0x16/0x20
[   33.276752]        ashmem_mmap+0x53/0x4a0
[   33.280884]        mmap_region+0xc5c/0x16b0
[   33.285232]        do_mmap+0xa06/0x1320
[   33.289196]        vm_mmap_pgoff+0x213/0x2c0
[   33.293597]        ksys_mmap_pgoff+0x4da/0x660
[   33.298167]        __x64_sys_mmap+0xe9/0x1b0
[   33.302562]        do_syscall_64+0x1b9/0x820
[   33.306957]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.312644] 
[   33.312644] -> #2 (&mm->mmap_sem){++++}:
[   33.318179]        __might_fault+0x155/0x1e0
[   33.322617]        _copy_to_user+0x30/0x110
[   33.326931]        filldir+0x1ea/0x3a0
[   33.330860]        dcache_readdir+0x13a/0x620
[   33.335341]        iterate_dir+0x4b0/0x5d0
[   33.339562]        __x64_sys_getdents+0x29f/0x510
[   33.344398]        do_syscall_64+0x1b9/0x820
[   33.348804]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.354532] 
[   33.354532] -> #1 (&sb->s_type->i_mutex_key#10){++++}:
[   33.361296]        down_write+0x8f/0x130
[   33.365340]        generic_file_write_iter+0xed/0x870
[   33.370514]        __vfs_write+0x6c6/0x9f0
[   33.374731]        vfs_write+0x1f8/0x560
[   33.378773]        kernel_write+0xab/0x120
[   33.383004]        fork_usermode_blob+0x11c/0x1b0
[   33.387842]        load_umh+0x2b/0xbd
[   33.391664]        do_one_initcall+0x127/0x913
[   33.396236]        kernel_init_freeable+0x49b/0x58e
[   33.401237]        kernel_init+0x11/0x1b3
[   33.405369]        ret_from_fork+0x3a/0x50
[   33.409578] 
[   33.409578] -> #0 (sb_writers#3){.+.+}:
[   33.415166]        lock_acquire+0x1e4/0x540
[   33.419475]        __sb_start_write+0x1e9/0x300
[   33.424131]        vfs_fallocate+0x5be/0x8d0
[   33.428521]        ashmem_shrink_scan+0x1f9/0x580
[   33.433349]        ashmem_ioctl+0x3dd/0x13c0
[   33.437741]        do_vfs_ioctl+0x1de/0x1720
[   33.442133]        ksys_ioctl+0xa9/0xd0
[   33.446090]        __x64_sys_ioctl+0x73/0xb0
[   33.450482]        do_syscall_64+0x1b9/0x820
[   33.454874]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.460601] 
[   33.460601] other info that might help us debug this:
[   33.460601] 
[   33.468784] Chain exists of:
[   33.468784]   sb_writers#3 --> &mm->mmap_sem --> ashmem_mutex
[   33.468784] 
[   33.479011]  Possible unsafe locking scenario:
[   33.479011] 
[   33.485104]        CPU0                    CPU1
[   33.489754]        ----                    ----
[   33.494399]   lock(ashmem_mutex);
[   33.497873]                                lock(&mm->mmap_sem);
[   33.503923]                                lock(ashmem_mutex);
[   33.509929]   lock(sb_writers#3);
[   33.513368] 
[   33.513368]  *** DEADLOCK ***
[   33.513368] 
[   33.519415] 1 lock held by syz-executor529/4475:
[   33.524144]  #0: (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[   33.532457] 
[   33.532457] stack backtrace:
[   33.536953] CPU: 1 PID: 4475 Comm: syz-executor529 Not tainted 4.18.0-rc8+ #182
[   33.544378] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.553710] Call Trace:
[   33.556354]  dump_stack+0x1c9/0x2b4
[   33.559977]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.565155]  ? vprintk_func+0x81/0xe7
[   33.568940]  print_circular_bug.isra.36.cold.57+0x1bd/0x27d
[   33.574641]  ? save_trace+0xe0/0x290
[   33.578356]  __lock_acquire+0x3449/0x5020
[   33.582496]  ? trace_hardirqs_on+0x10/0x10
[   33.586821]  ? lock_downgrade+0x8f0/0x8f0
[   33.591009]  ? mark_held_locks+0xc9/0x160
[   33.595146]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   33.599775]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   33.604868]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   33.609869]  ? trace_hardirqs_on+0xd/0x10
[   33.614017]  ? depot_save_stack+0x291/0x470
[   33.618323]  ? save_stack+0xa9/0xd0
[   33.621929]  ? save_stack+0x43/0xd0
[   33.625538]  ? graph_lock+0x170/0x170
[   33.629318]  ? range_alloc+0xa8/0x560
[   33.633104]  ? ashmem_ioctl+0x10ec/0x13c0
[   33.637233]  ? do_vfs_ioctl+0x1de/0x1720
[   33.641279]  ? ksys_ioctl+0xa9/0xd0
[   33.644887]  ? __x64_sys_ioctl+0x73/0xb0
[   33.648931]  ? graph_lock+0x170/0x170
[   33.652713]  ? find_held_lock+0x36/0x1c0
[   33.656758]  ? find_held_lock+0x36/0x1c0
[   33.660817]  lock_acquire+0x1e4/0x540
[   33.664661]  ? vfs_fallocate+0x5be/0x8d0
[   33.668718]  ? lock_release+0xa30/0xa30
[   33.672676]  ? check_same_owner+0x340/0x340
[   33.676980]  ? rcu_note_context_switch+0x730/0x730
[   33.681896]  __sb_start_write+0x1e9/0x300
[   33.686027]  ? vfs_fallocate+0x5be/0x8d0
[   33.690079]  ? shmem_setattr+0xda0/0xda0
[   33.694133]  vfs_fallocate+0x5be/0x8d0
[   33.698015]  ashmem_shrink_scan+0x1f9/0x580
[   33.702329]  ? cap_capable+0x1f9/0x260
[   33.706198]  ? range_alloc+0x560/0x560
[   33.710068]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.715652]  ? ns_capable_common+0x13f/0x170
[   33.720051]  ashmem_ioctl+0x3dd/0x13c0
[   33.723922]  ? ashmem_release+0x190/0x190
[   33.728054]  ? find_held_lock+0x36/0x1c0
[   33.732105]  ? ashmem_release+0x190/0x190
[   33.736319]  do_vfs_ioctl+0x1de/0x1720
[   33.740190]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   33.745772]  ? ioctl_preallocate+0x300/0x300
[   33.750231]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.755755]  ? __fget_light+0x2f7/0x440
[   33.760041]  ? __handle_mm_fault+0x4460/0x4460
[   33.764610]  ? fget_raw+0x20/0x20
[   33.768050]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   33.773567]  ? __do_page_fault+0x449/0xe50
[   33.777789]  ? mm_fault_error+0x380/0x380
[   33.781930]  ? security_file_ioctl+0x94/0xc0
[   33.786316]  ksys_ioctl+0xa9/0xd0
[   33.789752]  __x64_sys_ioctl+0x73/0xb0
[   33.793619]  do_syscall_64+0x1b9/0x820
[   33.797487]  ? syscall_return_slowpath+0x5e0/0x5e0
[   33.802405]  ? syscall_return_slowpath+0x31d/0x5e0
[   33.807339]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   33.812687]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   33.817564]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.822743] RIP: 0033:0x4400a9
[   33.825914] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   33.845019] RSP: 002b:000