[ 33.384970] audit: type=1800 audit(1555883718.465:33): pid=6877 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.412719] audit: type=1800 audit(1555883718.465:34): pid=6877 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 35.465407] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.693743] audit: type=1400 audit(1555883720.775:35): avc: denied { map } for pid=7051 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 35.746655] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.339737] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.313695] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.125' (ECDSA) to the list of known hosts.
[ 43.978492] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.106148] audit: type=1400 audit(1555883729.185:36): avc: denied { map } for pid=7063 comm="syz-executor418" path="/root/syz-executor418206897" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.134062] audit: type=1400 audit(1555883729.225:37): avc: denied { map } for pid=7063 comm="syz-executor418" path="/dev/usbmon0" dev="devtmpfs" ino=15374 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
[ 44.137924]
[ 44.161397] ======================================================
[ 44.167747] WARNING: possible circular locking dependency detected
[ 44.174065] 4.14.113 #3 Not tainted
[ 44.177776] ------------------------------------------------------
[ 44.184109] syz-executor418/7064 is trying to acquire lock:
[ 44.189855]  (&mm->mmap_sem){++++}, at: [] __might_fault+0xe0/0x1d0
[ 44.197848]
[ 44.197848] but task is already holding lock:
[ 44.203790]  (&rp->fetch_lock){+.+.}, at: [] mon_bin_read+0x5d/0x5e0
[ 44.211844]
[ 44.211844] which lock already depends on the new lock.
[ 44.211844]
[ 44.220237]
[ 44.220237] the existing dependency chain (in reverse order) is:
[ 44.227831]
[ 44.227831] -> #1 (&rp->fetch_lock){+.+.}:
[ 44.233553]        lock_acquire+0x16f/0x430
[ 44.237869]        __mutex_lock+0xe8/0x1470
[ 44.242165]        mutex_lock_nested+0x16/0x20
[ 44.246720]        mon_bin_vma_fault+0x6f/0x280
[ 44.251367]        __do_fault+0x109/0x390
[ 44.255486]        __handle_mm_fault+0xde6/0x3470
[ 44.260303]        handle_mm_fault+0x293/0x7c0
[ 44.264958]        __get_user_pages+0x465/0x1250
[ 44.269768]        populate_vma_page_range+0x18e/0x230
[ 44.275025]        __mm_populate+0x198/0x2c0
[ 44.279468]        vm_mmap_pgoff+0x1be/0x1d0
[ 44.283863]        SyS_mmap_pgoff+0x3ca/0x520
[ 44.288352]        SyS_mmap+0x16/0x20
[ 44.292142]        do_syscall_64+0x1eb/0x630
[ 44.296534]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.302225]
[ 44.302225] -> #0 (&mm->mmap_sem){++++}:
[ 44.307748]        __lock_acquire+0x2c89/0x45e0
[ 44.312397]        lock_acquire+0x16f/0x430
[ 44.316695]        __might_fault+0x143/0x1d0
[ 44.321105]        _copy_to_user+0x2c/0xd0
[ 44.325318]        mon_bin_read+0x2fb/0x5e0
[ 44.329781]        do_iter_read+0x3e7/0x5b0
[ 44.334085]        vfs_readv+0xd3/0x130
[ 44.338040]        do_preadv+0x15d/0x200
[ 44.342087]        SyS_preadv+0x31/0x40
[ 44.346039]        do_syscall_64+0x1eb/0x630
[ 44.350427]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.356112]
[ 44.356112] other info that might help us debug this:
[ 44.356112]
[ 44.364245]  Possible unsafe locking scenario:
[ 44.364245]
[ 44.370278]        CPU0                    CPU1
[ 44.374957]        ----                    ----
[ 44.379602]   lock(&rp->fetch_lock);
[ 44.383289]                                lock(&mm->mmap_sem);
[ 44.389318]                                lock(&rp->fetch_lock);
[ 44.395523]   lock(&mm->mmap_sem);
[ 44.399036]
[ 44.399036]  *** DEADLOCK ***
[ 44.399036]
[ 44.405081] 1 lock held by syz-executor418/7064:
[ 44.409807]  #0: (&rp->fetch_lock){+.+.}, at: [] mon_bin_read+0x5d/0x5e0
[ 44.418291]
[ 44.418291] stack backtrace:
[ 44.422769] CPU: 0 PID: 7064 Comm: syz-executor418 Not tainted 4.14.113 #3
[ 44.429758] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.439103] Call Trace:
[ 44.441679]  dump_stack+0x138/0x19c
[ 44.445296]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 44.450634]  __lock_acquire+0x2c89/0x45e0
[ 44.454755]  ? remove_wait_queue+0x10f/0x190
[ 44.459249]  ? trace_hardirqs_on+0x10/0x10
[ 44.463469]  lock_acquire+0x16f/0x430
[ 44.467318]  ? __might_fault+0xe0/0x1d0
[ 44.471279]  __might_fault+0x143/0x1d0
[ 44.475152]  ? __might_fault+0xe0/0x1d0
[ 44.484445]  _copy_to_user+0x2c/0xd0
[ 44.488139]  mon_bin_read+0x2fb/0x5e0
[ 44.491915]  do_iter_read+0x3e7/0x5b0
[ 44.495691]  vfs_readv+0xd3/0x130
[ 44.499119]  ? compat_rw_copy_check_uvector+0x310/0x310
[ 44.504464]  ? __fget+0x237/0x370
[ 44.507903]  ? __fget_light+0x172/0x1f0
[ 44.511857]  do_preadv+0x15d/0x200
[ 44.515381]  ? do_readv+0x220/0x220
[ 44.518986]  ? SyS_writev+0x30/0x30
[ 44.522587]  SyS_preadv+0x31/0x40
[ 44.526018]  do_syscall_64+0x1eb/0x630
[ 44.529889]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.534713]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.540230] RIP: 0033:0x4497c9
[ 44.543394] RSP: 002b:00007f420b98cce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
[ 44.551080] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 00000000004497c9