[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[   20.912598] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.451909] random: sshd: uninitialized urandom read (32 bytes read)
[   22.721680] random: sshd: uninitialized urandom read (32 bytes read)
[   23.257303] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
[   28.883009] urandom_read: 1 callbacks suppressed
[   28.887989] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   28.980155] 
[   28.981806] ======================================================
[   28.988098] WARNING: possible circular locking dependency detected
[   28.994392] 4.18.0-rc8+ #185 Not tainted
[   28.998427] ------------------------------------------------------
[   29.004723] syz-executor261/4402 is trying to acquire lock:
[   29.010407] (____ptrval____) (sb_writers#3){.+.+}, at: vfs_fallocate+0x5be/0x8d0
[   29.017938] 
[   29.017938] but task is already holding lock:
[   29.023887] (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[   29.031757] 
[   29.031757] which lock already depends on the new lock.
[   29.031757] 
[   29.040054] 
[   29.040054] the existing dependency chain (in reverse order) is:
[   29.047655] 
[   29.047655] -> #3 (ashmem_mutex){+.+.}:
[   29.053099]        __mutex_lock+0x176/0x1820
[   29.057495]        mutex_lock_nested+0x16/0x20
[   29.062060]        ashmem_mmap+0x53/0x4a0
[   29.066189]        mmap_region+0xc5c/0x16b0
[   29.070489]        do_mmap+0xa06/0x1320
[   29.074446]        vm_mmap_pgoff+0x213/0x2c0
[   29.078832]        ksys_mmap_pgoff+0x4da/0x660
[   29.083393]        __x64_sys_mmap+0xe9/0x1b0
[   29.087781]        do_syscall_64+0x1b9/0x820
[   29.092170]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.097856] 
[   29.097856] -> #2 (&mm->mmap_sem){++++}:
[   29.103411]        __might_fault+0x155/0x1e0
[   29.107810]        _copy_to_user+0x30/0x110
[   29.112112]        filldir+0x1ea/0x3a0
[   29.115977]        dcache_readdir+0x13a/0x620
[   29.120452]        iterate_dir+0x4b0/0x5d0
[   29.124678]        __x64_sys_getdents+0x29f/0x510
[   29.129500]        do_syscall_64+0x1b9/0x820
[   29.133892]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.139575] 
[   29.139575] -> #1 (&sb->s_type->i_mutex_key#10){++++}:
[   29.146322]        down_write+0x8f/0x130
[   29.150363]        generic_file_write_iter+0xed/0x870
[   29.155533]        __vfs_write+0x6c6/0x9f0
[   29.159747]        vfs_write+0x1f8/0x560
[   29.163785]        kernel_write+0xab/0x120
[   29.168000]        fork_usermode_blob+0x11c/0x1b0
[   29.172832]        load_umh+0x2b/0xbd
[   29.176615]        do_one_initcall+0x127/0x913
[   29.181182]        kernel_init_freeable+0x49b/0x58e
[   29.186206]        kernel_init+0x11/0x1b3
[   29.190337]        ret_from_fork+0x3a/0x50
[   29.194559] 
[   29.194559] -> #0 (sb_writers#3){.+.+}:
[   29.200008]        lock_acquire+0x1e4/0x540
[   29.204333]        __sb_start_write+0x1e9/0x300
[   29.208984]        vfs_fallocate+0x5be/0x8d0
[   29.213376]        ashmem_shrink_scan+0x1f9/0x580
[   29.218199]        ashmem_ioctl+0x3dd/0x13c0
[   29.222587]        do_vfs_ioctl+0x1de/0x1720
[   29.226973]        ksys_ioctl+0xa9/0xd0
[   29.230928]        __x64_sys_ioctl+0x73/0xb0
[   29.235321]        do_syscall_64+0x1b9/0x820
[   29.239714]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.245400] 
[   29.245400] other info that might help us debug this:
[   29.245400] 
[   29.253522] Chain exists of:
[   29.253522]   sb_writers#3 --> &mm->mmap_sem --> ashmem_mutex
[   29.253522] 
[   29.263744]  Possible unsafe locking scenario:
[   29.263744] 
[   29.269779]        CPU0                    CPU1
[   29.274420]        ----                    ----
[   29.279062]   lock(ashmem_mutex);
[   29.282492]                                lock(&mm->mmap_sem);
[   29.288545]                                lock(ashmem_mutex);
[   29.294491]   lock(sb_writers#3);
[   29.297925] 
[   29.297925]  *** DEADLOCK ***
[   29.297925] 
[   29.303964] 1 lock held by syz-executor261/4402:
[   29.308692]  #0: (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[   29.317307] 
[   29.317307] stack backtrace:
[   29.321788] CPU: 1 PID: 4402 Comm: syz-executor261 Not tainted 4.18.0-rc8+ #185
[   29.329212] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.338542] Call Trace:
[   29.341114]  dump_stack+0x1c9/0x2b4
[   29.344727]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.349901]  ? vprintk_func+0x81/0xe7
[   29.353684]  print_circular_bug.isra.36.cold.57+0x1bd/0x27d
[   29.359395]  ? save_trace+0xe0/0x290
[   29.363092]  __lock_acquire+0x3449/0x5020
[   29.367227]  ? trace_hardirqs_on+0x10/0x10
[   29.371443]  ? lock_downgrade+0x8f0/0x8f0
[   29.375573]  ? mark_held_locks+0xc9/0x160
[   29.379720]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   29.384287]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   29.389375]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.394376]  ? trace_hardirqs_on+0xd/0x10
[   29.398507]  ? depot_save_stack+0x291/0x470
[   29.402812]  ? save_stack+0xa9/0xd0
[   29.406420]  ? save_stack+0x43/0xd0
[   29.410037]  ? graph_lock+0x170/0x170
[   29.413819]  ? range_alloc+0xa8/0x560
[   29.417597]  ? ashmem_ioctl+0x10ec/0x13c0
[   29.421727]  ? do_vfs_ioctl+0x1de/0x1720
[   29.425768]  ? ksys_ioctl+0xa9/0xd0
[   29.429376]  ? __x64_sys_ioctl+0x73/0xb0
[   29.433419]  ? graph_lock+0x170/0x170
[   29.437204]  ? find_held_lock+0x36/0x1c0
[   29.441245]  ? find_held_lock+0x36/0x1c0
[   29.445290]  lock_acquire+0x1e4/0x540
[   29.449072]  ? vfs_fallocate+0x5be/0x8d0
[   29.453131]  ? lock_release+0xa30/0xa30
[   29.457091]  ? check_same_owner+0x340/0x340
[   29.461395]  ? rcu_note_context_switch+0x730/0x730
[   29.466325]  __sb_start_write+0x1e9/0x300
[   29.470455]  ? vfs_fallocate+0x5be/0x8d0
[   29.474498]  ? shmem_setattr+0xda0/0xda0
[   29.478539]  vfs_fallocate+0x5be/0x8d0
[   29.482407]  ashmem_shrink_scan+0x1f9/0x580
[   29.486708]  ? cap_capable+0x1f9/0x260
[   29.490573]  ? range_alloc+0x560/0x560
[   29.494446]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.499963]  ? ns_capable_common+0x13f/0x170
[   29.504352]  ashmem_ioctl+0x3dd/0x13c0
[   29.508225]  ? ashmem_release+0x190/0x190
[   29.512354]  ? find_held_lock+0x36/0x1c0
[   29.516399]  ? ashmem_release+0x190/0x190
[   29.520528]  do_vfs_ioctl+0x1de/0x1720
[   29.524397]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   29.529915]  ? ioctl_preallocate+0x300/0x300
[   29.534305]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.539821]  ? __fget_light+0x2f7/0x440
[   29.543798]  ? __handle_mm_fault+0x4460/0x4460
[   29.548379]  ? fget_raw+0x20/0x20
[   29.551818]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.557338]  ? __do_page_fault+0x449/0xe50
[   29.561553]  ? mm_fault_error+0x380/0x380
[   29.565682]  ? security_file_ioctl+0x94/0xc0
[   29.570071]  ksys_ioctl+0xa9/0xd0
[   29.573504]  __x64_sys_ioctl+0x73/0xb0
[   29.577373]  do_syscall_64+0x1b9/0x820
[   29.581242]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.586157]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.591070]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   29.596416]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.601242]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.606409] RIP: 0033:0x440099
[   29.609577] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   29.628670] RSP: 002b:00007ffde1e19018 EFLAGS: 00