[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   20.912598] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.451909] random: sshd: uninitialized urandom read (32 bytes read)
[   22.721680] random: sshd: uninitialized urandom read (32 bytes read)
[   23.257303] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
[   28.883009] urandom_read: 1 callbacks suppressed
[   28.887989] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   28.980155] 
[   28.981806] ======================================================
[   28.988098] WARNING: possible circular locking dependency detected
[   28.994392] 4.18.0-rc8+ #185 Not tainted
[   28.998427] ------------------------------------------------------
[   29.004723] syz-executor261/4402 is trying to acquire lock:
[   29.010407] (____ptrval____) (sb_writers#3){.+.+}, at: vfs_fallocate+0x5be/0x8d0
[   29.017938] 
[   29.017938] but task is already holding lock:
[   29.023887] (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[   29.031757] 
[   29.031757] which lock already depends on the new lock.
[   29.031757] 
[   29.040054] 
[   29.040054] the existing dependency chain (in reverse order) is:
[   29.047655] 
[   29.047655] -> #3 (ashmem_mutex){+.+.}:
[   29.053099]        __mutex_lock+0x176/0x1820
[   29.057495]        mutex_lock_nested+0x16/0x20
[   29.062060]        ashmem_mmap+0x53/0x4a0
[   29.066189]        mmap_region+0xc5c/0x16b0
[   29.070489]        do_mmap+0xa06/0x1320
[   29.074446]        vm_mmap_pgoff+0x213/0x2c0
[   29.078832]        ksys_mmap_pgoff+0x4da/0x660
[   29.083393]        __x64_sys_mmap+0xe9/0x1b0
[   29.087781]        do_syscall_64+0x1b9/0x820
[   29.092170]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.097856] 
[   29.097856] -> #2 (&mm->mmap_sem){++++}:
[   29.103411]        __might_fault+0x155/0x1e0
[   29.107810]        _copy_to_user+0x30/0x110
[   29.112112]        filldir+0x1ea/0x3a0
[   29.115977]        dcache_readdir+0x13a/0x620
[   29.120452]        iterate_dir+0x4b0/0x5d0
[   29.124678]        __x64_sys_getdents+0x29f/0x510
[   29.129500]        do_syscall_64+0x1b9/0x820
[   29.133892]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.139575] 
[   29.139575] -> #1 (&sb->s_type->i_mutex_key#10){++++}:
[   29.146322]        down_write+0x8f/0x130
[   29.150363]        generic_file_write_iter+0xed/0x870
[   29.155533]        __vfs_write+0x6c6/0x9f0
[   29.159747]        vfs_write+0x1f8/0x560
[   29.163785]        kernel_write+0xab/0x120
[   29.168000]        fork_usermode_blob+0x11c/0x1b0
[   29.172832]        load_umh+0x2b/0xbd
[   29.176615]        do_one_initcall+0x127/0x913
[   29.181182]        kernel_init_freeable+0x49b/0x58e
[   29.186206]        kernel_init+0x11/0x1b3
[   29.190337]        ret_from_fork+0x3a/0x50
[   29.194559] 
[   29.194559] -> #0 (sb_writers#3){.+.+}:
[   29.200008]        lock_acquire+0x1e4/0x540
[   29.204333]        __sb_start_write+0x1e9/0x300
[   29.208984]        vfs_fallocate+0x5be/0x8d0
[   29.213376]        ashmem_shrink_scan+0x1f9/0x580
[   29.218199]        ashmem_ioctl+0x3dd/0x13c0
[   29.222587]        do_vfs_ioctl+0x1de/0x1720
[   29.226973]        ksys_ioctl+0xa9/0xd0
[   29.230928]        __x64_sys_ioctl+0x73/0xb0
[   29.235321]        do_syscall_64+0x1b9/0x820
[   29.239714]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.245400] 
[   29.245400] other info that might help us debug this:
[   29.245400] 
[   29.253522] Chain exists of:
[   29.253522]   sb_writers#3 --> &mm->mmap_sem --> ashmem_mutex
[   29.253522] 
[   29.263744]  Possible unsafe locking scenario:
[   29.263744] 
[   29.269779]        CPU0                    CPU1
[   29.274420]        ----                    ----
[   29.279062]   lock(ashmem_mutex);
[   29.282492]                                lock(&mm->mmap_sem);
[   29.288545]                                lock(ashmem_mutex);
[   29.294491]   lock(sb_writers#3);
[   29.297925] 
[   29.297925]  *** DEADLOCK ***
[   29.297925] 
[   29.303964] 1 lock held by syz-executor261/4402:
[   29.308692]  #0: (____ptrval____) (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x580
[   29.317307] 
[   29.317307] stack backtrace:
[   29.321788] CPU: 1 PID: 4402 Comm: syz-executor261 Not tainted 4.18.0-rc8+ #185
[   29.329212] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.338542] Call Trace:
[   29.341114]  dump_stack+0x1c9/0x2b4
[   29.344727]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.349901]  ? vprintk_func+0x81/0xe7
[   29.353684]  print_circular_bug.isra.36.cold.57+0x1bd/0x27d
[   29.359395]  ? save_trace+0xe0/0x290
[   29.363092]  __lock_acquire+0x3449/0x5020
[   29.367227]  ? trace_hardirqs_on+0x10/0x10
[   29.371443]  ? lock_downgrade+0x8f0/0x8f0
[   29.375573]  ? mark_held_locks+0xc9/0x160
[   29.379720]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   29.384287]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[   29.389375]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.394376]  ? trace_hardirqs_on+0xd/0x10
[   29.398507]  ? depot_save_stack+0x291/0x470
[   29.402812]  ? save_stack+0xa9/0xd0
[   29.406420]  ? save_stack+0x43/0xd0
[   29.410037]  ? graph_lock+0x170/0x170
[   29.413819]  ? range_alloc+0xa8/0x560
[   29.417597]  ? ashmem_ioctl+0x10ec/0x13c0
[   29.421727]  ? do_vfs_ioctl+0x1de/0x1720
[   29.425768]  ? ksys_ioctl+0xa9/0xd0
[   29.429376]  ? __x64_sys_ioctl+0x73/0xb0
[   29.433419]  ? graph_lock+0x170/0x170
[   29.437204]  ? find_held_lock+0x36/0x1c0
[   29.441245]  ? find_held_lock+0x36/0x1c0
[   29.445290]  lock_acquire+0x1e4/0x540
[   29.449072]  ? vfs_fallocate+0x5be/0x8d0
[   29.453131]  ? lock_release+0xa30/0xa30
[   29.457091]  ? check_same_owner+0x340/0x340
[   29.461395]  ? rcu_note_context_switch+0x730/0x730
[   29.466325]  __sb_start_write+0x1e9/0x300
[   29.470455]  ? vfs_fallocate+0x5be/0x8d0
[   29.474498]  ? shmem_setattr+0xda0/0xda0
[   29.478539]  vfs_fallocate+0x5be/0x8d0
[   29.482407]  ashmem_shrink_scan+0x1f9/0x580
[   29.486708]  ? cap_capable+0x1f9/0x260
[   29.490573]  ? range_alloc+0x560/0x560
[   29.494446]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.499963]  ? ns_capable_common+0x13f/0x170
[   29.504352]  ashmem_ioctl+0x3dd/0x13c0
[   29.508225]  ? ashmem_release+0x190/0x190
[   29.512354]  ? find_held_lock+0x36/0x1c0
[   29.516399]  ? ashmem_release+0x190/0x190
[   29.520528]  do_vfs_ioctl+0x1de/0x1720
[   29.524397]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   29.529915]  ? ioctl_preallocate+0x300/0x300
[   29.534305]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.539821]  ? __fget_light+0x2f7/0x440
[   29.543798]  ? __handle_mm_fault+0x4460/0x4460
[   29.548379]  ? fget_raw+0x20/0x20
[   29.551818]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   29.557338]  ? __do_page_fault+0x449/0xe50
[   29.561553]  ? mm_fault_error+0x380/0x380
[   29.565682]  ? security_file_ioctl+0x94/0xc0
[   29.570071]  ksys_ioctl+0xa9/0xd0
[   29.573504]  __x64_sys_ioctl+0x73/0xb0
[   29.577373]  do_syscall_64+0x1b9/0x820
[   29.581242]  ? syscall_return_slowpath+0x5e0/0x5e0
[   29.586157]  ? syscall_return_slowpath+0x31d/0x5e0
[   29.591070]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   29.596416]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   29.601242]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   29.606409] RIP: 0033:0x440099
[   29.609577] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 
[   29.628670] RSP: 002b:00007ffde1e19018 EFLAGS: 00