[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.816752] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.051948] kauditd_printk_skb: 9 callbacks suppressed
[ 39.051957] audit: type=1400 audit(1555739884.943:35): avc: denied { map } for pid=7328 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 39.107848] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.685986] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.895604] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.
[ 45.435424] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 45.557119] audit: type=1400 audit(1555739891.443:36): avc: denied { map } for pid=7342 comm="syz-executor080" path="/root/syz-executor080901305" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 45.585327] audit: type=1400 audit(1555739891.473:37): avc: denied { map } for pid=7342 comm="syz-executor080" path="/dev/usbmon0" dev="devtmpfs" ino=15245 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
[ 45.588995] 
[ 45.612561] ======================================================
[ 45.618865] WARNING: possible circular locking dependency detected
[ 45.625159] 4.14.112 #2 Not tainted
[ 45.628771] ------------------------------------------------------
[ 45.635062] syz-executor080/7343 is trying to acquire lock:
[ 45.640744]  (&mm->mmap_sem){++++}, at: [] __might_fault+0xe0/0x1d0
[ 45.648757] 
[ 45.648757] but task is already holding lock:
[ 45.654702]  (&rp->fetch_lock){+.+.}, at: [] mon_bin_read+0x5d/0x5e0
[ 45.662759] 
[ 45.662759] which lock already depends on the new lock.
[ 45.662759] 
[ 45.671063] 
[ 45.671063] the existing dependency chain (in reverse order) is:
[ 45.678656] 
[ 45.678656] -> #1 (&rp->fetch_lock){+.+.}:
[ 45.684370]        lock_acquire+0x16f/0x430
[ 45.688705]        __mutex_lock+0xe8/0x1470
[ 45.693004]        mutex_lock_nested+0x16/0x20
[ 45.697567]        mon_bin_vma_fault+0x6f/0x280
[ 45.702211]        __do_fault+0x109/0x390
[ 45.706331]        __handle_mm_fault+0xde6/0x3470
[ 45.711148]        handle_mm_fault+0x293/0x7c0
[ 45.715702]        __get_user_pages+0x465/0x1250
[ 45.720451]        populate_vma_page_range+0x18e/0x230
[ 45.725714]        __mm_populate+0x198/0x2c0
[ 45.730113]        vm_mmap_pgoff+0x1be/0x1d0
[ 45.734498]        SyS_mmap_pgoff+0x3ca/0x520
[ 45.738972]        SyS_mmap+0x16/0x20
[ 45.742758]        do_syscall_64+0x1eb/0x630
[ 45.747150]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.752862] 
[ 45.752862] -> #0 (&mm->mmap_sem){++++}:
[ 45.758384]        __lock_acquire+0x2c89/0x45e0
[ 45.763034]        lock_acquire+0x16f/0x430
[ 45.767332]        __might_fault+0x143/0x1d0
[ 45.771735]        _copy_to_user+0x2c/0xd0
[ 45.775944]        mon_bin_read+0x2fb/0x5e0
[ 45.780248]        __vfs_read+0x107/0x6b0
[ 45.784371]        vfs_read+0x137/0x350
[ 45.788318]        SyS_read+0xb8/0x180
[ 45.792184]        do_syscall_64+0x1eb/0x630
[ 45.796583]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.802266] 
[ 45.802266] other info that might help us debug this:
[ 45.802266] 
[ 45.810398]  Possible unsafe locking scenario:
[ 45.810398] 
[ 45.816435]        CPU0                    CPU1
[ 45.821073]        ----                    ----
[ 45.825710]   lock(&rp->fetch_lock);
[ 45.829398]                                lock(&mm->mmap_sem);
[ 45.835444]                                lock(&rp->fetch_lock);
[ 45.841649]   lock(&mm->mmap_sem);
[ 45.845163] 
[ 45.845163]  *** DEADLOCK ***
[ 45.845163] 
[ 45.851200] 1 lock held by syz-executor080/7343:
[ 45.855926]  #0:  (&rp->fetch_lock){+.+.}, at: [] mon_bin_read+0x5d/0x5e0
[ 45.864397] 
[ 45.864397] stack backtrace:
[ 45.868880] CPU: 1 PID: 7343 Comm: syz-executor080 Not tainted 4.14.112 #2
[ 45.875887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.885238] Call Trace:
[ 45.887808]  dump_stack+0x138/0x19c
[ 45.891418]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 45.896772]  __lock_acquire+0x2c89/0x45e0
[ 45.900917]  ? remove_wait_queue+0x10f/0x190
[ 45.905306]  ? trace_hardirqs_on+0x10/0x10
[ 45.909533]  ? save_trace+0x290/0x290
[ 45.913312]  lock_acquire+0x16f/0x430
[ 45.917090]  ? __might_fault+0xe0/0x1d0
[ 45.921056]  __might_fault+0x143/0x1d0
[ 45.924920]  ? __might_fault+0xe0/0x1d0
[ 45.928885]  _copy_to_user+0x2c/0xd0
[ 45.932587]  mon_bin_read+0x2fb/0x5e0
[ 45.936363]  __vfs_read+0x107/0x6b0
[ 45.939976]  ? __fsnotify_update_child_dentry_flags.part.0+0x300/0x300
[ 45.946640]  ? mon_bin_fetch+0x2e0/0x2e0
[ 45.950681]  ? vfs_copy_file_range+0xa40/0xa40
[ 45.955264]  ? __inode_security_revalidate+0xd6/0x130
[ 45.960531]  ? avc_policy_seqno+0x9/0x20
[ 45.964580]  ? selinux_file_permission+0x85/0x480
[ 45.969397]  ? security_file_permission+0x8f/0x1f0
[ 45.974306]  ? rw_verify_area+0xea/0x2b0
[ 45.978349]  vfs_read+0x137/0x350
[ 45.981792]  SyS_read+0xb8/0x180
[ 45.985151]  ? kernel_write+0x120/0x120
[ 45.989101]  ? do_syscall_64+0x53/0x630
[ 45.993068]  ? kernel_write+0x120/0x120
[ 45.997040]  do_syscall_64+0x1eb/0x630
[ 46.000921]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 46.005755]  entry_SYSCALL_64_after_