[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 21.205499] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.324890] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.657179] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.180950] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.299164] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts.
[ 31.804146] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 31.904285]
[ 31.905941] ======================================================
[ 31.912240] WARNING: possible circular locking dependency detected
[ 31.918556] 4.18.0-rc8+ #182 Not tainted
[ 31.922594] ------------------------------------------------------
[ 31.928889] syz-executor286/4431 is trying to acquire lock:
[ 31.934578] (____ptrval____) (sb_writers#3){.+.+}, at: vfs_fallocate+0x5be/0x8d0
[ 31.942121]
[ 31.942121] but task is already holding lock:
[ 31.948080] (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[ 31.955964]
[ 31.955964] which lock already depends on the new lock.
[ 31.955964]
[ 31.964258]
[ 31.964258] the existing dependency chain (in reverse order) is:
[ 31.971860]
[ 31.971860] -> #3 (ashmem_mutex){+.+.}:
[ 31.977314]        __mutex_lock+0x176/0x1820
[ 31.981727]        mutex_lock_nested+0x16/0x20
[ 31.986303]        ashmem_mmap+0x53/0x4a0
[ 31.990448]        mmap_region+0xc5c/0x16b0
[ 31.994780]        do_mmap+0xa06/0x1320
[ 31.998738]        vm_mmap_pgoff+0x213/0x2c0
[ 32.003134]        ksys_mmap_pgoff+0x4da/0x660
[ 32.007718]        __x64_sys_mmap+0xe9/0x1b0
[ 32.012107]        do_syscall_64+0x1b9/0x820
[ 32.016493]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.022209]
[ 32.022209] -> #2 (&mm->mmap_sem){++++}:
[ 32.027739]        __might_fault+0x155/0x1e0
[ 32.032129]        _copy_to_user+0x30/0x110
[ 32.036431]        filldir+0x1ea/0x3a0
[ 32.040304]        dcache_readdir+0x13a/0x620
[ 32.044776]        iterate_dir+0x4b0/0x5d0
[ 32.049011]        __x64_sys_getdents+0x29f/0x510
[ 32.053835]        do_syscall_64+0x1b9/0x820
[ 32.058243]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.063940]
[ 32.063940] -> #1 (&sb->s_type->i_mutex_key#10){++++}:
[ 32.070706]        down_write+0x8f/0x130
[ 32.074752]        generic_file_write_iter+0xed/0x870
[ 32.079926]        __vfs_write+0x6c6/0x9f0
[ 32.084155]        vfs_write+0x1f8/0x560
[ 32.088215]        kernel_write+0xab/0x120
[ 32.092437]        fork_usermode_blob+0x11c/0x1b0
[ 32.097261]        load_umh+0x2b/0xbd
[ 32.101043]        do_one_initcall+0x127/0x913
[ 32.105620]        kernel_init_freeable+0x49b/0x58e
[ 32.110630]        kernel_init+0x11/0x1b3
[ 32.114759]        ret_from_fork+0x3a/0x50
[ 32.118973]
[ 32.118973] -> #0 (sb_writers#3){.+.+}:
[ 32.124423]        lock_acquire+0x1e4/0x540
[ 32.128725]        __sb_start_write+0x1e9/0x300
[ 32.133377]        vfs_fallocate+0x5be/0x8d0
[ 32.137764]        ashmem_shrink_scan+0x1f9/0x580
[ 32.142584]        ashmem_ioctl+0x3dd/0x13c0
[ 32.146974]        do_vfs_ioctl+0x1de/0x1720
[ 32.151362]        ksys_ioctl+0xa9/0xd0
[ 32.155331]        __x64_sys_ioctl+0x73/0xb0
[ 32.159724]        do_syscall_64+0x1b9/0x820
[ 32.164112]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.169811]
[ 32.169811] other info that might help us debug this:
[ 32.169811]
[ 32.177960] Chain exists of:
[ 32.177960]   sb_writers#3 --> &mm->mmap_sem --> ashmem_mutex
[ 32.177960]
[ 32.188175]  Possible unsafe locking scenario:
[ 32.188175]
[ 32.194225]        CPU0                    CPU1
[ 32.198865]        ----                    ----
[ 32.203503]   lock(ashmem_mutex);
[ 32.206932]                                lock(&mm->mmap_sem);
[ 32.212970]                                lock(ashmem_mutex);
[ 32.218921]   lock(sb_writers#3);
[ 32.222354]
[ 32.222354]  *** DEADLOCK ***
[ 32.222354]
[ 32.228395] 1 lock held by syz-executor286/4431:
[ 32.233126]  #0: (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[ 32.241437]
[ 32.241437] stack backtrace:
[ 32.245915] CPU: 1 PID: 4431 Comm: syz-executor286 Not tainted 4.18.0-rc8+ #182
[ 32.253338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.262668] Call Trace:
[ 32.265242]  dump_stack+0x1c9/0x2b4
[ 32.268854]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.274035]  ? vprintk_func+0x81/0xe7
[ 32.277825]  print_circular_bug.isra.36.cold.57+0x1bd/0x27d
[ 32.283519]  ? save_trace+0xe0/0x290
[ 32.287217]  __lock_acquire+0x3449/0x5020
[ 32.291349]  ? trace_hardirqs_on+0x10/0x10
[ 32.295565]  ? lock_downgrade+0x8f0/0x8f0
[ 32.299699]  ? mark_held_locks+0xc9/0x160
[ 32.303843]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 32.308410]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 32.313494]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 32.318494]  ? trace_hardirqs_on+0xd/0x10
[ 32.322816]  ? depot_save_stack+0x291/0x470
[ 32.327123]  ? save_stack+0xa9/0xd0
[ 32.330743]  ? save_stack+0x43/0xd0
[ 32.334363]  ? graph_lock+0x170/0x170
[ 32.338178]  ? range_alloc+0xa8/0x560
[ 32.341977]  ? ashmem_ioctl+0x10ec/0x13c0
[ 32.346131]  ? do_vfs_ioctl+0x1de/0x1720
[ 32.350185]  ? ksys_ioctl+0xa9/0xd0
[ 32.353800]  ? __x64_sys_ioctl+0x73/0xb0
[ 32.357844]  ? graph_lock+0x170/0x170
[ 32.361638]  ? find_held_lock+0x36/0x1c0
[ 32.365711]  ? find_held_lock+0x36/0x1c0
[ 32.369762]  lock_acquire+0x1e4/0x540
[ 32.373550]  ? vfs_fallocate+0x5be/0x8d0
[ 32.377608]  ? lock_release+0xa30/0xa30
[ 32.381566]  ? check_same_owner+0x340/0x340
[ 32.385868]  ? rcu_note_context_switch+0x730/0x730
[ 32.390784]  __sb_start_write+0x1e9/0x300
[ 32.394939]  ? vfs_fallocate+0x5be/0x8d0
[ 32.398998]  ? shmem_setattr+0xda0/0xda0
[ 32.403052]  vfs_fallocate+0x5be/0x8d0
[ 32.406925]  ashmem_shrink_scan+0x1f9/0x580
[ 32.411228]  ? cap_capable+0x1f9/0x260
[ 32.415096]  ? range_alloc+0x560/0x560
[ 32.418977]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.424494]  ? ns_capable_common+0x13f/0x170
[ 32.428902]  ashmem_ioctl+0x3dd/0x13c0
[ 32.432785]  ? ashmem_release+0x190/0x190
[ 32.436917]  ? find_held_lock+0x36/0x1c0
[ 32.440987]  ? ashmem_release+0x190/0x190
[ 32.445135]  do_vfs_ioctl+0x1de/0x1720
[ 32.449009]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 32.454541]  ? ioctl_preallocate+0x300/0x300
[ 32.458944]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.464482]  ? __fget_light+0x2f7/0x440
[ 32.468440]  ? __handle_mm_fault+0x4460/0x4460
[ 32.473003]  ? fget_raw+0x20/0x20
[ 32.476464]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.481980]  ? __do_page_fault+0x449/0xe50
[ 32.486198]  ? mm_fault_error+0x380/0x380
[ 32.490329]  ? security_file_ioctl+0x94/0xc0
[ 32.494731]  ksys_ioctl+0xa9/0xd0
[ 32.498165]  __x64_sys_ioctl+0x73/0xb0
[ 32.502043]  do_syscall_64+0x1b9/0x820
[ 32.505918]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 32.510844]  ? syscall_return_slowpath+0x31d/0x5e0
[ 32.515759]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 32.521103]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.525942]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 32.531144] RIP: 0033:0x440099
[ 32.534309] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 32.553397] RSP: 002b:00007ffc92ae7228 EFL