[ 33.579077] audit: type=1800 audit(1555444064.741:33): pid=6947 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.606071] audit: type=1800 audit(1555444064.751:34): pid=6947 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 41.679699] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.127989] audit: type=1400 audit(1555444073.291:35): avc: denied { map } for pid=7121 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 42.172752] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.740164] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.936149] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
[ 48.549824] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 48.677364] audit: type=1400 audit(1555444079.841:36): avc: denied { map } for pid=7133 comm="syz-executor336" path="/root/syz-executor336535684" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 48.705430] audit: type=1400 audit(1555444079.871:37): avc: denied { map } for pid=7133 comm="syz-executor336" path="/dev/usbmon0" dev="devtmpfs" ino=14007 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
[ 48.708932]
[ 48.732877] ======================================================
[ 48.739194] WARNING: possible circular locking dependency detected
[ 48.745613] 4.14.111 #1 Not tainted
[ 48.749268] ------------------------------------------------------
[ 48.755661] syz-executor336/7134 is trying to acquire lock:
[ 48.761348]  (&mm->mmap_sem){++++}, at: [] __might_fault+0xe0/0x1d0
[ 48.769347]
[ 48.769347] but task is already holding lock:
[ 48.775307]  (&rp->fetch_lock){+.+.}, at: [] mon_bin_get_event+0x3c/0x430
[ 48.784008]
[ 48.784008] which lock already depends on the new lock.
[ 48.784008]
[ 48.792394]
[ 48.792394] the existing dependency chain (in reverse order) is:
[ 48.800121]
[ 48.800121] -> #1 (&rp->fetch_lock){+.+.}:
[ 48.805862]        lock_acquire+0x16f/0x430
[ 48.810177]        __mutex_lock+0xe8/0x1470
[ 48.814524]        mutex_lock_nested+0x16/0x20
[ 48.819149]        mon_bin_vma_fault+0x6f/0x280
[ 48.823836]        __do_fault+0x109/0x390
[ 48.828123]        __handle_mm_fault+0xde6/0x3470
[ 48.833034]        handle_mm_fault+0x293/0x7c0
[ 48.837594]        __get_user_pages+0x465/0x1250
[ 48.842410]        populate_vma_page_range+0x18e/0x230
[ 48.847680]        __mm_populate+0x198/0x2c0
[ 48.852200]        vm_mmap_pgoff+0x1be/0x1d0
[ 48.856593]        SyS_mmap_pgoff+0x3ca/0x520
[ 48.861068]        SyS_mmap+0x16/0x20
[ 48.864870]        do_syscall_64+0x1eb/0x630
[ 48.869267]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.874953]
[ 48.874953] -> #0 (&mm->mmap_sem){++++}:
[ 48.880487]        __lock_acquire+0x2c89/0x45e0
[ 48.885154]        lock_acquire+0x16f/0x430
[ 48.889546]        __might_fault+0x143/0x1d0
[ 48.893937]        _copy_to_user+0x2c/0xd0
[ 48.898162]        mon_bin_get_event+0x10a/0x430
[ 48.902902]        mon_bin_ioctl+0x9b4/0xb50
[ 48.907290]        do_vfs_ioctl+0x7b9/0x1070
[ 48.911685]        SyS_ioctl+0x8f/0xc0
[ 48.915557]        do_syscall_64+0x1eb/0x630
[ 48.920041]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.925730]
[ 48.925730] other info that might help us debug this:
[ 48.925730]
[ 48.933853]  Possible unsafe locking scenario:
[ 48.933853]
[ 48.939926]        CPU0                    CPU1
[ 48.944932]        ----                    ----
[ 48.949578]   lock(&rp->fetch_lock);
[ 48.953315]                                lock(&mm->mmap_sem);
[ 48.959839]                                lock(&rp->fetch_lock);
[ 48.966052]   lock(&mm->mmap_sem);
[ 48.969610]
[ 48.969610]  *** DEADLOCK ***
[ 48.969610]
[ 48.975656] 1 lock held by syz-executor336/7134:
[ 48.980659]  #0:  (&rp->fetch_lock){+.+.}, at: [] mon_bin_get_event+0x3c/0x430
[ 48.989612]
[ 48.989612] stack backtrace:
[ 48.994156] CPU: 0 PID: 7134 Comm: syz-executor336 Not tainted 4.14.111 #1
[ 49.001161] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.010500] Call Trace:
[ 49.013346]  dump_stack+0x138/0x19c
[ 49.016967]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 49.022326]  __lock_acquire+0x2c89/0x45e0
[ 49.026463]  ? remove_wait_queue+0x10f/0x190
[ 49.030950]  ? trace_hardirqs_on+0x10/0x10
[ 49.035223]  lock_acquire+0x16f/0x430
[ 49.039012]  ? __might_fault+0xe0/0x1d0
[ 49.042976]  __might_fault+0x143/0x1d0
[ 49.046893]  ? __might_fault+0xe0/0x1d0
[ 49.050915]  _copy_to_user+0x2c/0xd0
[ 49.054679]  mon_bin_get_event+0x10a/0x430
[ 49.059060]  mon_bin_ioctl+0x9b4/0xb50
[ 49.063044]  ? mon_bin_read+0x5e0/0x5e0
[ 49.066998]  ? __might_sleep+0x93/0xb0
[ 49.070949]  ? __fget+0x210/0x370
[ 49.074393]  ? mon_bin_read+0x5e0/0x5e0
[ 49.078351]  do_vfs_ioctl+0x7b9/0x1070
[ 49.082220]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 49.086966]  ? lock_downgrade+0x6e0/0x6e0
[ 49.091097]  ? ioctl_preallocate+0x1c0/0x1c0
[ 49.095497]  ? __fget+0x237/0x370
[ 49.098941]  ? security_file_ioctl+0x83/0xc0
[ 49.103338]  ? security_file_ioctl+0x8f/0xc0
[ 49.107814]  SyS_ioctl+0x8f/0xc0
[ 49.111169]  ? do_vfs_ioctl+0x1070/0x1070
[ 49.115306]  do_syscall_64+0x1eb/0x630
[ 49.119184]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.124013]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[