[ 31.839685] audit: type=1800 audit(1571664409.795:33): pid=6867 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 31.867282] audit: type=1800 audit(1571664409.805:34): pid=6867 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 33.742786] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.035934] audit: type=1400 audit(1571664411.995:35): avc: denied { map } for pid=7039 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.087169] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.646174] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.835711] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.157' (ECDSA) to the list of known hosts.
[ 40.397048] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.530830] audit: type=1400 audit(1571664418.495:36): avc: denied { map } for pid=7052 comm="syz-executor788" path="/root/syz-executor788157408" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 40.801178] IPVS: ftp: loaded support on port[0] = 21
[ 41.733336] chnl_net:caif_netlink_parms(): no params data found
[ 41.766648] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.774317] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.782033] device bridge_slave_0 entered promiscuous mode
[ 41.789242] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.796860] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.804336] device bridge_slave_1 entered promiscuous mode
[ 41.819719] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 41.829103] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 41.845913] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 41.855554] team0: Port device team_slave_0 added
[ 41.862814] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 41.870404] team0: Port device team_slave_1 added
[ 41.876204] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 41.885121] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 41.963910] device hsr_slave_0 entered promiscuous mode
[ 42.010594] device hsr_slave_1 entered promiscuous mode
[ 42.060993] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 42.069228] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 42.084429] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.091499] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.099265] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.106150] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.136589] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 42.145255] 8021q: adding VLAN 0 to HW filter on device bond0
[ 42.154394] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 42.168948] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.188946] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.199192] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.211380] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 42.217756] 8021q: adding VLAN 0 to HW filter on device team0
[ 42.227437] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.236292] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.242707] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.261875] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.271012] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.278468] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.287805] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 42.297017] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 42.305770] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.315423] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 42.324898] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 42.336366] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 42.343481] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 42.358160] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 42.369044] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 42.402139] audit: type=1400 audit(1571664420.365:37): avc: denied { map } for pid=7053 comm="syz-executor788" path="/dev/usbmon0" dev="devtmpfs" ino=14731 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
[ 42.483781]
[ 42.485805] ======================================================
[ 42.492851] WARNING: possible circular locking dependency detected
[ 42.499436] 4.14.150 #0 Not tainted
[ 42.503221] ------------------------------------------------------
[ 42.509913] syz-executor788/7064 is trying to acquire lock:
[ 42.516063] (&mm->mmap_sem){++++}, at: [] __might_fault+0xe0/0x1d0
[ 42.525510]
[ 42.525510] but task is already holding lock:
[ 42.533430] (&rp->fetch_lock){+.+.}, at: [] mon_bin_fetch+0x37/0x2e0
[ 42.542963]
[ 42.542963] which lock already depends on the new lock.
[ 42.542963]
[ 42.552012]
[ 42.552012] the existing dependency chain (in reverse order) is:
[ 42.559801]
[ 42.559801] -> #1 (&rp->fetch_lock){+.+.}:
[ 42.565795] lock_acquire+0x16f/0x430
[ 42.570175] __mutex_lock+0xe8/0x1470
[ 42.574583] mutex_lock_nested+0x16/0x20
[ 42.579439] mon_bin_vma_fault+0x6f/0x280
[ 42.584377] __do_fault+0x104/0x390
[ 42.589137] __handle_mm_fault+0xde1/0x3470
[ 42.594292] handle_mm_fault+0x293/0x7c0
[ 42.599366] __do_page_fault+0x4c1/0xb80
[ 42.604068] do_page_fault+0x71/0x511
[ 42.608478] page_fault+0x45/0x50
[ 42.613453]
[ 42.613453] -> #0 (&mm->mmap_sem){++++}:
[ 42.619154] __lock_acquire+0x2cb3/0x4620
[ 42.623950] lock_acquire+0x16f/0x430
[ 42.628523] __might_fault+0x143/0x1d0
[ 42.633019] mon_bin_fetch+0x212/0x2e0
[ 42.637508] mon_bin_ioctl+0x1c5/0xb50
[ 42.642258] do_vfs_ioctl+0x7ae/0x1060
[ 42.646919] SyS_ioctl+0x8f/0xc0
[ 42.651151] do_syscall_64+0x1e8/0x640
[ 42.656340] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.662383]
[ 42.662383] other info that might help us debug this:
[ 42.662383]
[ 42.671134] Possible unsafe locking scenario:
[ 42.671134]
[ 42.677529]        CPU0                    CPU1
[ 42.682617]        ----                    ----
[ 42.687754]   lock(&rp->fetch_lock);
[ 42.691462]                                lock(&mm->mmap_sem);
[ 42.697743]                                lock(&rp->fetch_lock);
[ 42.704842]   lock(&mm->mmap_sem);
[ 42.708579]
[ 42.708579] *** DEADLOCK ***
[ 42.708579]
[ 42.716508] 1 lock held by syz-executor788/7064:
[ 42.721663] #0: (&rp->fetch_lock){+.+.}, at: [] mon_bin_fetch+0x37/0x2e0
[ 42.730523]
[ 42.730523] stack backtrace:
[ 42.735235] CPU: 1 PID: 7064 Comm: syz-executor788 Not tainted 4.14.150 #0
[ 42.742527] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.752278] Call Trace:
[ 42.754884] dump_stack+0x138/0x197
[ 42.758640] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 42.764518] __lock_acquire+0x2cb3/0x4620
[ 42.769718] ? mark_held_locks+0xb1/0x100
[ 42.774245] ? trace_hardirqs_on+0x10/0x10
[ 42.779302] ? save_trace+0x290/0x290
[ 42.783601] ? mon_bin_wait_event.isra.0+0x2d7/0x4c0
[ 42.789153] lock_acquire+0x16f/0x430
[ 42.793263] ? __might_fault+0xe0/0x1d0
[ 42.797982] __might_fault+0x143/0x1d0
[ 42.801995] ? __might_fault+0xe0/0x1d0
[ 42.806058] mon_bin_fetch+0x212/0x2e0
[ 42.809945] mon_bin_ioctl+0x1c5/0xb50
[ 42.815075] ? mon_bin_read+0x5e0/0x5e0
[ 42.819097] ? mon_bin_read+0x5e0/0x5e0
[ 42.823658] do_vfs_ioctl+0x7ae/0x1060
[ 42.828114] ? selinux_file_mprotect+0x5d0/0x5d0
[ 42.833105] ? lock_downgrade+0x740/0x740
[ 42.837887] ? ioctl_preallocate+0x1c0/0x1c0
[ 42.842410] ? __fget+0x237/0x370
[ 42.846022] ? security_file_ioctl+0x7d/0xb0
[ 42.851164] ? security_file_ioctl+0x89/0xb0
[ 42.856237] SyS_ioctl+0x8f/0xc0
[ 42.859697] ? do_vfs_ioctl+0x1060/0x1060
[ 42.864112] do_syscall_64+0x1e8/0x640
[ 42.868404] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.875413] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.880692] RIP: 0033:0x44b0a9
[ 42.884252] RSP: 002b:00007f09f146fce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 42.892475] RAX: ffffffffffffffda RBX: 00000000006ddc38 RCX: 000000000044b0a9
[ 42.899857] RDX: 0000000020000140 RSI: 00000000c0109207 RDI: 0000000000000003
[ 42.907365] RBP: 00000000006ddc30 R08: 00007f09f1470700 R09: 0000000000000000
[ 42.915002] R10: 00007f09f1470700 R11: 0000000000000246 R12: 00000000006ddc3c
[ 42.926006] R13: 00007ffe757f2fef R14: 00007f09f14709c0 R15: 000000000000002d
[ 42.936311] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 42.938532] syz-executor788 (7053) used greatest stack depth: 24624 bytes left