[ ok ] Starting enhanced syslogd: rsyslogd.
[ 17.529007] audit: type=1400 audit(1517604234.724:5): avc: denied { syslog } for pid=4025 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.304813] audit: type=1400 audit(1517604240.500:6): avc: denied { map } for pid=4165 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.
executing program
[ 32.831366] audit: type=1400 audit(1517604250.027:7): avc: denied { map } for pid=4180 comm="syzkaller398624" path="/root/syzkaller398624885" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 32.833997]
[ 32.857272] audit: type=1400 audit(1517604250.029:8): avc: denied { map } for pid=4180 comm="syzkaller398624" path="/dev/ashmem" dev="devtmpfs" ino=9042 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[ 32.858853] ======================================================
[ 32.858854] WARNING: possible circular locking dependency detected
[ 32.858858] 4.15.0+ #203 Not tainted
[ 32.858859] ------------------------------------------------------
[ 32.858861] syzkaller398624/4180 is trying to acquire lock:
[ 32.858866]  (&sb->s_type->i_mutex_key#11){++++}, at: [<000000007171dbbf>] shmem_file_llseek+0xef/0x240
[ 32.921278]
[ 32.921278] but task is already holding lock:
[ 32.927213]  (ashmem_mutex){+.+.}, at: [<000000005e3636d0>] ashmem_llseek+0x56/0x1f0
[ 32.935065]
[ 32.935065] which lock already depends on the new lock.
[ 32.935065]
[ 32.943355]
[ 32.943355] the existing dependency chain (in reverse order) is:
[ 32.951030]
[ 32.951030] -> #2 (ashmem_mutex){+.+.}:
[ 32.956463]        __mutex_lock+0x16f/0x1a80
[ 32.960838]        mutex_lock_nested+0x16/0x20
[ 32.965389]        ashmem_mmap+0x53/0x410
[ 32.969504]        mmap_region+0xa99/0x15a0
[ 32.973789]        do_mmap+0x6c0/0xe00
[ 32.977738]        vm_mmap_pgoff+0x1de/0x280
[ 32.982113]        SyS_mmap_pgoff+0x462/0x5f0
[ 32.986573]        do_fast_syscall_32+0x3ee/0xf9d
[ 32.991394]        entry_SYSENTER_compat+0x54/0x63
[ 32.996288]
[ 32.996288] -> #1 (&mm->mmap_sem){++++}:
[ 33.001799]        __might_fault+0x13a/0x1d0
[ 33.006175]        _copy_to_user+0x2c/0xc0
[ 33.010378]        filldir+0x1a7/0x320
[ 33.014232]        dcache_readdir+0x12d/0x5e0
[ 33.018700]        iterate_dir+0x1ca/0x530
[ 33.022903]        SyS_getdents+0x225/0x450
[ 33.027207]        entry_SYSCALL_64_fastpath+0x29/0xa0
[ 33.032448]
[ 33.032448] -> #0 (&sb->s_type->i_mutex_key#11){++++}:
[ 33.039182]        lock_acquire+0x1d5/0x580
[ 33.043468]        down_write+0x87/0x120
[ 33.047499]        shmem_file_llseek+0xef/0x240
[ 33.052133]        vfs_llseek+0xa2/0xd0
[ 33.056084]        ashmem_llseek+0xe7/0x1f0
[ 33.060371]        compat_SyS_lseek+0xeb/0x170
[ 33.064923]        do_fast_syscall_32+0x3ee/0xf9d
[ 33.069731]        entry_SYSENTER_compat+0x54/0x63
[ 33.074626]
[ 33.074626] other info that might help us debug this:
[ 33.074626]
[ 33.082734] Chain exists of:
[ 33.082734]   &sb->s_type->i_mutex_key#11 --> &mm->mmap_sem --> ashmem_mutex
[ 33.082734]
[ 33.094234]  Possible unsafe locking scenario:
[ 33.094234]
[ 33.100255]        CPU0                    CPU1
[ 33.104888]        ----                    ----
[ 33.109518]   lock(ashmem_mutex);
[ 33.112936]                                lock(&mm->mmap_sem);
[ 33.118961]                                lock(ashmem_mutex);
[ 33.124896]   lock(&sb->s_type->i_mutex_key#11);
[ 33.129619]
[ 33.129619]  *** DEADLOCK ***
[ 33.129619]
[ 33.135642] 1 lock held by syzkaller398624/4180:
[ 33.140363]  #0:  (ashmem_mutex){+.+.}, at: [<000000005e3636d0>] ashmem_llseek+0x56/0x1f0
[ 33.148649]
[ 33.148649] stack backtrace:
[ 33.153112] CPU: 0 PID: 4180 Comm: syzkaller398624 Not tainted 4.15.0+ #203
[ 33.163397] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.172720] Call Trace:
[ 33.175279]  dump_stack+0x194/0x257
[ 33.178882]  ? arch_local_irq_restore+0x53/0x53
[ 33.183520]  print_circular_bug.isra.38+0x2cd/0x2dc
[ 33.188501]  ? save_trace+0xe0/0x2b0
[ 33.192182]  __lock_acquire+0x30a8/0x3e00
[ 33.196299]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 33.201457]  ? ashmem_llseek+0x56/0x1f0
[ 33.205401]  ? lock_release+0xa40/0xa40
[ 33.209342]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 33.215193]  ? rcu_note_context_switch+0x710/0x710
[ 33.220087]  ? vma_set_page_prot+0x16b/0x230
[ 33.224470]  ? __might_sleep+0x95/0x190
[ 33.228419]  ? ashmem_llseek+0x56/0x1f0
[ 33.232362]  ? __mutex_lock+0x16f/0x1a80
[ 33.236391]  ? ashmem_llseek+0x56/0x1f0
[ 33.240331]  ? mmap_region+0x52e/0x15a0
[ 33.244280]  ? ashmem_llseek+0x56/0x1f0
[ 33.248222]  ? mutex_lock_io_nested+0x1900/0x1900
[ 33.253048]  ? find_held_lock+0x35/0x1d0
[ 33.257093]  ? lock_downgrade+0x980/0x980
[ 33.261210]  lock_acquire+0x1d5/0x580
[ 33.264975]  ? lock_acquire+0x1d5/0x580
[ 33.268914]  ? shmem_file_llseek+0xef/0x240
[ 33.273203]  ? lock_release+0xa40/0xa40
[ 33.277145]  ? trace_event_raw_event_sched_switch+0x800/0x800
[ 33.282996]  ? security_mmap_file+0x143/0x180
[ 33.287462]  ? rcu_note_context_switch+0x710/0x710
[ 33.292358]  ? __fget_light+0x297/0x380
[ 33.296299]  ? __might_sleep+0x95/0x190
[ 33.300239]  down_write+0x87/0x120
[ 33.303748]  ? shmem_file_llseek+0xef/0x240
[ 33.308037]  ? down_read+0x150/0x150
[ 33.311717]  ? kmem_cache_free+0x267/0x2a0
[ 33.315922]  shmem_file_llseek+0xef/0x240
[ 33.320036]  ? shmem_free_swap+0x80/0x80
[ 33.324078]  vfs_llseek+0xa2/0xd0
[ 33.327497]  ashmem_llseek+0xe7/0x1f0
[ 33.331265]  ? ashmem_read_iter+0x230/0x230
[ 33.335562]  compat_SyS_lseek+0xeb/0x170
[ 33.339591]  ? SyS_lseek+0x170/0x170
[ 33.343274]  do_fast_syscall_32+0x3ee/0xf9d
[ 33.347572]  ? do_int80_syscall_32+0x9d0/0x9d0
[ 33.352122]  ? kasan_check_read+0x11/0x20
[ 33.356236]  ? syscall_return_slowpath+0x550/0x550
[ 33.361132]  ? SyS_rt_sigaction+0x94/0x1b0
[ 33.365333]  ? SyS_sigprocmask+0x4b0/0x4b0
[ 33.369554]  ? SyS_read+0x184/0x220
[ 33.373150]  ? sysret32_from_system_call+0x5/0x3b
[ 33.377962]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.382793]  entry_SYSENTER_compat+0x54/0x63
[ 33.387171] RIP: 0023:0xf7fc3c79
[ 33.390502] RSP: 002b:00000000ffe612bc EFLAGS: 00000286 ORIG_RAX: 0000000000000013
[ 33.398183] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
[ 33.405420] RDX: 0000000000000003 RSI: 00000000080ea00c RDI: 000000000000003f
[ 33.412666] RBP: 0000000000001000 R08: 0000000000000000 R09: 0000000000000000
[ 33.419903] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 33.427142] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000