[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   21.205499] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   24.324890] random: sshd: uninitialized urandom read (32 bytes read)
[   24.657179] random: sshd: uninitialized urandom read (32 bytes read)
[   25.180950] random: sshd: uninitialized urandom read (32 bytes read)
[   26.299164] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts.
[   31.804146] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   31.904285] 
[   31.905941] ======================================================
[   31.912240] WARNING: possible circular locking dependency detected
[   31.918556] 4.18.0-rc8+ #182 Not tainted
[   31.922594] ------------------------------------------------------
[   31.928889] syz-executor286/4431 is trying to acquire lock:
[   31.934578] (____ptrval____) (sb_writers#3){.+.+}, at: vfs_fallocate+0x5be/0x8d0
[   31.942121] 
[   31.942121] but task is already holding lock:
[   31.948080] (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[   31.955964] 
[   31.955964] which lock already depends on the new lock.
[   31.955964] 
[   31.964258] 
[   31.964258] the existing dependency chain (in reverse order) is:
[   31.971860] 
[   31.971860] -> #3 (ashmem_mutex){+.+.}:
[   31.977314]        __mutex_lock+0x176/0x1820
[   31.981727]        mutex_lock_nested+0x16/0x20
[   31.986303]        ashmem_mmap+0x53/0x4a0
[   31.990448]        mmap_region+0xc5c/0x16b0
[   31.994780]        do_mmap+0xa06/0x1320
[   31.998738]        vm_mmap_pgoff+0x213/0x2c0
[   32.003134]        ksys_mmap_pgoff+0x4da/0x660
[   32.007718]        __x64_sys_mmap+0xe9/0x1b0
[   32.012107]        do_syscall_64+0x1b9/0x820
[   32.016493]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.022209] 
[   32.022209] -> #2 (&mm->mmap_sem){++++}:
[   32.027739]        __might_fault+0x155/0x1e0
[   32.032129]        _copy_to_user+0x30/0x110
[   32.036431]        filldir+0x1ea/0x3a0
[   32.040304]        dcache_readdir+0x13a/0x620
[   32.044776]        iterate_dir+0x4b0/0x5d0
[   32.049011]        __x64_sys_getdents+0x29f/0x510
[   32.053835]        do_syscall_64+0x1b9/0x820
[   32.058243]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.063940] 
[   32.063940] -> #1 (&sb->s_type->i_mutex_key#10){++++}:
[   32.070706]        down_write+0x8f/0x130
[   32.074752]        generic_file_write_iter+0xed/0x870
[   32.079926]        __vfs_write+0x6c6/0x9f0
[   32.084155]        vfs_write+0x1f8/0x560
[   32.088215]        kernel_write+0xab/0x120
[   32.092437]        fork_usermode_blob+0x11c/0x1b0
[   32.097261]        load_umh+0x2b/0xbd
[   32.101043]        do_one_initcall+0x127/0x913
[   32.105620]        kernel_init_freeable+0x49b/0x58e
[   32.110630]        kernel_init+0x11/0x1b3
[   32.114759]        ret_from_fork+0x3a/0x50
[   32.118973] 
[   32.118973] -> #0 (sb_writers#3){.+.+}:
[   32.124423]        lock_acquire+0x1e4/0x540
[   32.128725]        __sb_start_write+0x1e9/0x300
[   32.133377]        vfs_fallocate+0x5be/0x8d0
[   32.137764]        ashmem_shrink_scan+0x1f9/0x580
[   32.142584]        ashmem_ioctl+0x3dd/0x13c0
[   32.146974]        do_vfs_ioctl+0x1de/0x1720
[   32.151362]        ksys_ioctl+0xa9/0xd0
[   32.155331]        __x64_sys_ioctl+0x73/0xb0
[   32.159724]        do_syscall_64+0x1b9/0x820
[   32.164112]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.169811] 
[   32.169811] other info that might help us debug this:
[   32.169811] 
[   32.177960] Chain exists of:
[   32.177960]   sb_writers#3 --> &mm->mmap_sem --> ashmem_mutex
[   32.177960] 
[   32.188175]  Possible unsafe locking scenario:
[   32.188175] 
[   32.194225]        CPU0                    CPU1
[   32.198865]        ----                    ----
[   32.203503]   lock(ashmem_mutex);
[   32.206932]                                lock(&mm->mmap_sem);
[   32.212970]                                lock(ashmem_mutex);
[   32.218921]   lock(sb_writers#3);
[   32.222354] 
[   32.222354]  *** DEADLOCK ***
[   32.222354] 
[   32.228395] 1 lock held by syz-executor286/4431:
[   32.233126]  #0: (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[   32.241437] 
[   32.241437] stack backtrace:
[   32.245915] CPU: 1 PID: 4431 Comm: syz-executor286 Not tainted 4.18.0-rc8+ #182
[   32.253338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.262668] Call Trace:
[   32.265242]  dump_stack+0x1c9/0x2b4
[   32.268854]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.274035]  ? vprintk_func+0x81/0xe7
[   32.277825]  print_circular_bug.isra.36.cold.57+0x1bd/0x27d
[   32.283519]  ? save_trace+0xe0/0x290
[   32.287217]  __lock_acquire+0x3449/0x5020
[   32.291349]  ? trace_hardirqs_on+0x10/0x10
[   32.295565]  ? lock_downgrade+0x8f0/0x8f0
[   32.299699]  ? mark_held_locks+0xc9/0x160
[   32.303843]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   32.308410]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   32.313494]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   32.318494]  ? trace_hardirqs_on+0xd/0x10
[   32.322816]  ? depot_save_stack+0x291/0x470
[   32.327123]  ? save_stack+0xa9/0xd0
[   32.330743]  ? save_stack+0x43/0xd0
[   32.334363]  ? graph_lock+0x170/0x170
[   32.338178]  ? range_alloc+0xa8/0x560
[   32.341977]  ? ashmem_ioctl+0x10ec/0x13c0
[   32.346131]  ? do_vfs_ioctl+0x1de/0x1720
[   32.350185]  ? ksys_ioctl+0xa9/0xd0
[   32.353800]  ? __x64_sys_ioctl+0x73/0xb0
[   32.357844]  ? graph_lock+0x170/0x170
[   32.361638]  ? find_held_lock+0x36/0x1c0
[   32.365711]  ? find_held_lock+0x36/0x1c0
[   32.369762]  lock_acquire+0x1e4/0x540
[   32.373550]  ? vfs_fallocate+0x5be/0x8d0
[   32.377608]  ? lock_release+0xa30/0xa30
[   32.381566]  ? check_same_owner+0x340/0x340
[   32.385868]  ? rcu_note_context_switch+0x730/0x730
[   32.390784]  __sb_start_write+0x1e9/0x300
[   32.394939]  ? vfs_fallocate+0x5be/0x8d0
[   32.398998]  ? shmem_setattr+0xda0/0xda0
[   32.403052]  vfs_fallocate+0x5be/0x8d0
[   32.406925]  ashmem_shrink_scan+0x1f9/0x580
[   32.411228]  ? cap_capable+0x1f9/0x260
[   32.415096]  ? range_alloc+0x560/0x560
[   32.418977]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.424494]  ? ns_capable_common+0x13f/0x170
[   32.428902]  ashmem_ioctl+0x3dd/0x13c0
[   32.432785]  ? ashmem_release+0x190/0x190
[   32.436917]  ? find_held_lock+0x36/0x1c0
[   32.440987]  ? ashmem_release+0x190/0x190
[   32.445135]  do_vfs_ioctl+0x1de/0x1720
[   32.449009]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   32.454541]  ? ioctl_preallocate+0x300/0x300
[   32.458944]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.464482]  ? __fget_light+0x2f7/0x440
[   32.468440]  ? __handle_mm_fault+0x4460/0x4460
[   32.473003]  ? fget_raw+0x20/0x20
[   32.476464]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.481980]  ? __do_page_fault+0x449/0xe50
[   32.486198]  ? mm_fault_error+0x380/0x380
[   32.490329]  ? security_file_ioctl+0x94/0xc0
[   32.494731]  ksys_ioctl+0xa9/0xd0
[   32.498165]  __x64_sys_ioctl+0x73/0xb0
[   32.502043]  do_syscall_64+0x1b9/0x820
[   32.505918]  ? syscall_return_slowpath+0x5e0/0x5e0
[   32.510844]  ? syscall_return_slowpath+0x31d/0x5e0
[   32.515759]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   32.521103]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.525942]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.531144] RIP: 0033:0x440099
[   32.534309] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   32.553397] RSP: 002b:00007ffc92ae7228 EFL