[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 23.192364] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.174614] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.868723] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.418923] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.591686] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
[ 33.098963] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 33.194637]
[ 33.196320] ======================================================
[ 33.202620] WARNING: possible circular locking dependency detected
[ 33.209016] 4.18.0-rc8+ #182 Not tainted
[ 33.213055] ------------------------------------------------------
[ 33.219356] syz-executor529/4475 is trying to acquire lock:
[ 33.225049] (____ptrval____) (sb_writers#3){.+.+}, at: vfs_fallocate+0x5be/0x8d0
[ 33.232583]
[ 33.232583] but task is already holding lock:
[ 33.238533] (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[ 33.246405]
[ 33.246405] which lock already depends on the new lock.
[ 33.246405]
[ 33.254704]
[ 33.254704] the existing dependency chain (in reverse order) is:
[ 33.262301]
[ 33.262301] -> #3 (ashmem_mutex){+.+.}:
[ 33.267792]        __mutex_lock+0x176/0x1820
[ 33.272188]        mutex_lock_nested+0x16/0x20
[ 33.276752]        ashmem_mmap+0x53/0x4a0
[ 33.280884]        mmap_region+0xc5c/0x16b0
[ 33.285232]        do_mmap+0xa06/0x1320
[ 33.289196]        vm_mmap_pgoff+0x213/0x2c0
[ 33.293597]        ksys_mmap_pgoff+0x4da/0x660
[ 33.298167]        __x64_sys_mmap+0xe9/0x1b0
[ 33.302562]        do_syscall_64+0x1b9/0x820
[ 33.306957]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.312644]
[ 33.312644] -> #2 (&mm->mmap_sem){++++}:
[ 33.318179]        __might_fault+0x155/0x1e0
[ 33.322617]        _copy_to_user+0x30/0x110
[ 33.326931]        filldir+0x1ea/0x3a0
[ 33.330860]        dcache_readdir+0x13a/0x620
[ 33.335341]        iterate_dir+0x4b0/0x5d0
[ 33.339562]        __x64_sys_getdents+0x29f/0x510
[ 33.344398]        do_syscall_64+0x1b9/0x820
[ 33.348804]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.354532]
[ 33.354532] -> #1 (&sb->s_type->i_mutex_key#10){++++}:
[ 33.361296]        down_write+0x8f/0x130
[ 33.365340]        generic_file_write_iter+0xed/0x870
[ 33.370514]        __vfs_write+0x6c6/0x9f0
[ 33.374731]        vfs_write+0x1f8/0x560
[ 33.378773]        kernel_write+0xab/0x120
[ 33.383004]        fork_usermode_blob+0x11c/0x1b0
[ 33.387842]        load_umh+0x2b/0xbd
[ 33.391664]        do_one_initcall+0x127/0x913
[ 33.396236]        kernel_init_freeable+0x49b/0x58e
[ 33.401237]        kernel_init+0x11/0x1b3
[ 33.405369]        ret_from_fork+0x3a/0x50
[ 33.409578]
[ 33.409578] -> #0 (sb_writers#3){.+.+}:
[ 33.415166]        lock_acquire+0x1e4/0x540
[ 33.419475]        __sb_start_write+0x1e9/0x300
[ 33.424131]        vfs_fallocate+0x5be/0x8d0
[ 33.428521]        ashmem_shrink_scan+0x1f9/0x580
[ 33.433349]        ashmem_ioctl+0x3dd/0x13c0
[ 33.437741]        do_vfs_ioctl+0x1de/0x1720
[ 33.442133]        ksys_ioctl+0xa9/0xd0
[ 33.446090]        __x64_sys_ioctl+0x73/0xb0
[ 33.450482]        do_syscall_64+0x1b9/0x820
[ 33.454874]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.460601]
[ 33.460601] other info that might help us debug this:
[ 33.460601]
[ 33.468784] Chain exists of:
[ 33.468784]   sb_writers#3 --> &mm->mmap_sem --> ashmem_mutex
[ 33.468784]
[ 33.479011]  Possible unsafe locking scenario:
[ 33.479011]
[ 33.485104]        CPU0                    CPU1
[ 33.489754]        ----                    ----
[ 33.494399]   lock(ashmem_mutex);
[ 33.497873]                                lock(&mm->mmap_sem);
[ 33.503923]                                lock(ashmem_mutex);
[ 33.509929]   lock(sb_writers#3);
[ 33.513368]
[ 33.513368]  *** DEADLOCK ***
[ 33.513368]
[ 33.519415] 1 lock held by syz-executor529/4475:
[ 33.524144]  #0: (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[ 33.532457]
[ 33.532457] stack backtrace:
[ 33.536953] CPU: 1 PID: 4475 Comm: syz-executor529 Not tainted 4.18.0-rc8+ #182
[ 33.544378] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.553710] Call Trace:
[ 33.556354]  dump_stack+0x1c9/0x2b4
[ 33.559977]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.565155]  ? vprintk_func+0x81/0xe7
[ 33.568940]  print_circular_bug.isra.36.cold.57+0x1bd/0x27d
[ 33.574641]  ? save_trace+0xe0/0x290
[ 33.578356]  __lock_acquire+0x3449/0x5020
[ 33.582496]  ? trace_hardirqs_on+0x10/0x10
[ 33.586821]  ? lock_downgrade+0x8f0/0x8f0
[ 33.591009]  ? mark_held_locks+0xc9/0x160
[ 33.595146]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 33.599775]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 33.604868]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 33.609869]  ? trace_hardirqs_on+0xd/0x10
[ 33.614017]  ? depot_save_stack+0x291/0x470
[ 33.618323]  ? save_stack+0xa9/0xd0
[ 33.621929]  ? save_stack+0x43/0xd0
[ 33.625538]  ? graph_lock+0x170/0x170
[ 33.629318]  ? range_alloc+0xa8/0x560
[ 33.633104]  ? ashmem_ioctl+0x10ec/0x13c0
[ 33.637233]  ? do_vfs_ioctl+0x1de/0x1720
[ 33.641279]  ? ksys_ioctl+0xa9/0xd0
[ 33.644887]  ? __x64_sys_ioctl+0x73/0xb0
[ 33.648931]  ? graph_lock+0x170/0x170
[ 33.652713]  ? find_held_lock+0x36/0x1c0
[ 33.656758]  ? find_held_lock+0x36/0x1c0
[ 33.660817]  lock_acquire+0x1e4/0x540
[ 33.664661]  ? vfs_fallocate+0x5be/0x8d0
[ 33.668718]  ? lock_release+0xa30/0xa30
[ 33.672676]  ? check_same_owner+0x340/0x340
[ 33.676980]  ? rcu_note_context_switch+0x730/0x730
[ 33.681896]  __sb_start_write+0x1e9/0x300
[ 33.686027]  ? vfs_fallocate+0x5be/0x8d0
[ 33.690079]  ? shmem_setattr+0xda0/0xda0
[ 33.694133]  vfs_fallocate+0x5be/0x8d0
[ 33.698015]  ashmem_shrink_scan+0x1f9/0x580
[ 33.702329]  ? cap_capable+0x1f9/0x260
[ 33.706198]  ? range_alloc+0x560/0x560
[ 33.710068]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.715652]  ? ns_capable_common+0x13f/0x170
[ 33.720051]  ashmem_ioctl+0x3dd/0x13c0
[ 33.723922]  ? ashmem_release+0x190/0x190
[ 33.728054]  ? find_held_lock+0x36/0x1c0
[ 33.732105]  ? ashmem_release+0x190/0x190
[ 33.736319]  do_vfs_ioctl+0x1de/0x1720
[ 33.740190]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.745772]  ? ioctl_preallocate+0x300/0x300
[ 33.750231]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.755755]  ? __fget_light+0x2f7/0x440
[ 33.760041]  ? __handle_mm_fault+0x4460/0x4460
[ 33.764610]  ? fget_raw+0x20/0x20
[ 33.768050]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.773567]  ? __do_page_fault+0x449/0xe50
[ 33.777789]  ? mm_fault_error+0x380/0x380
[ 33.781930]  ? security_file_ioctl+0x94/0xc0
[ 33.786316]  ksys_ioctl+0xa9/0xd0
[ 33.789752]  __x64_sys_ioctl+0x73/0xb0
[ 33.793619]  do_syscall_64+0x1b9/0x820
[ 33.797487]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 33.802405]  ? syscall_return_slowpath+0x31d/0x5e0
[ 33.807339]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 33.812687]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.817564]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.822743] RIP: 0033:0x4400a9
[ 33.825914] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 33.845019] RSP: 002b:000