[ 35.986921] audit: type=1800 audit(1555389494.360:33): pid=6854 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 36.009982] audit: type=1800 audit(1555389494.370:34): pid=6854 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 47.590964] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.025140] audit: type=1400 audit(1555389506.400:35): avc: denied { map } for pid=7026 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 48.074543] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.714137] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.912131] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
[ 54.524933] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 54.655178] audit: type=1400 audit(1555389513.030:36): avc: denied { map } for pid=7038 comm="syz-executor206" path="/root/syz-executor206977612" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 54.662397] FAULT_INJECTION: forcing a failure.
[ 54.662397] name failslab, interval 1, probability 0, space 0, times 1
[ 54.692587] CPU: 1 PID: 7038 Comm: syz-executor206 Not tainted 4.14.111 #1
[ 54.699575] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.708905] Call Trace:
[ 54.711471] dump_stack+0x138/0x19c
[ 54.715082] should_fail.cold+0x10f/0x159
[ 54.719203] should_failslab+0xdb/0x130
[ 54.723154] __kmalloc+0x71/0x7a0
[ 54.726588] ? __lock_is_held+0xb6/0x140
[ 54.730628] ? __tty_buffer_request_room+0x1a4/0x500
[ 54.735707] __tty_buffer_request_room+0x1a4/0x500
[ 54.740632] tty_insert_flip_string_fixed_flag+0x8a/0x1c0
[ 54.746155] pty_write+0x113/0x1d0
[ 54.749793] tty_put_char+0x113/0x140
[ 54.753566] ? dev_match_devt+0x90/0x90
[ 54.757531] ? pty_write_room+0xae/0xd0
[ 54.761476] ? pty_stop+0x1a0/0x1a0
[ 54.765093] __process_echoes+0x2ce/0x8a0
[ 54.769215] n_tty_receive_buf_common+0x998/0x2410
[ 54.774129] ? n_tty_receive_buf2+0x40/0x40
[ 54.778450] n_tty_receive_buf+0x31/0x3b
[ 54.782484] tty_ioctl+0xe0e/0x1340
[ 54.786089] ? get_pid_task+0xbf/0x140
[ 54.789949] ? tty_vhangup+0x30/0x30
[ 54.793658] ? __might_sleep+0x93/0xb0
[ 54.797521] ? tty_vhangup+0x30/0x30
[ 54.801211] do_vfs_ioctl+0x7b9/0x1070
[ 54.805072] ? selinux_file_mprotect+0x5d0/0x5d0
[ 54.809801] ? ioctl_preallocate+0x1c0/0x1c0
[ 54.814186] ? vfs_write+0x104/0x500
[ 54.817874] ? security_file_ioctl+0x83/0xc0
[ 54.822254] ? security_file_ioctl+0x8f/0xc0
[ 54.826638] SyS_ioctl+0x8f/0xc0
[ 54.830028] ? do_vfs_ioctl+0x1070/0x1070
[ 54.834158] do_syscall_64+0x1eb/0x630
[ 54.838018] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.842841] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.848008] RIP: 0033:0x440679
[ 54.851173] RSP: 002b:00007ffdc3243ad8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 54.858851] RAX: ffffffffffffffda RBX: 00007ffdc3243af0 RCX: 0000000000440679
[ 54.866093] RDX: 0000000020000040 RSI: 0000000000005412 RDI: 0000000000000004
[ 54.873333] RBP: 0000000000000005 R08: 0000000000000001 R09: 00000000000000c2
[ 54.880577] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f40
[ 54.887835] R13: 0000000000401fd0 R14: 0000000000000000 R15: 0000000000000000
[ 54.895093]
[ 54.895095] ======================================================
[ 54.895097] WARNING: possible circular locking dependency detected
[ 54.895098] 4.14.111 #1 Not tainted
[ 54.895100] ------------------------------------------------------
[ 54.895101] syz-executor206/7038 is trying to acquire lock:
[ 54.895102] (console_owner){-...}, at: [] vprintk_emit+0x2f1/0x600
[ 54.895107]
[ 54.895108] but task is already holding lock:
[ 54.895109] (&(&port->lock)->rlock){-.-.}, at: [] pty_write+0xe0/0x1d0
[ 54.895113]
[ 54.895114] which lock already depends on the new lock.
[ 54.895115]
[ 54.895116]
[ 54.895117] the existing dependency chain (in reverse order) is:
[ 54.895118]
[ 54.895119] -> #2 (&(&port->lock)->rlock){-.-.}:
[ 54.895123] lock_acquire+0x16f/0x430
[ 54.895125] _raw_spin_lock_irqsave+0x95/0xcd
[ 54.895126] tty_port_tty_get+0x22/0x80
[ 54.895127] tty_port_default_wakeup+0x16/0x40
[ 54.895128] tty_port_tty_wakeup+0x5d/0x70
[ 54.895130] uart_write_wakeup+0x46/0x70
[ 54.895131] serial8250_tx_chars+0x41c/0xa30
[ 54.895132] serial8250_handle_irq.part.0+0x198/0x220
[ 54.895134] serial8250_default_handle_irq+0xa6/0x120
[ 54.895135] serial8250_interrupt+0xef/0x1a0
[ 54.895136] __handle_irq_event_percpu+0x127/0x800
[ 54.895138] handle_irq_event_percpu+0x65/0x130
[ 54.895139] handle_irq_event+0xa7/0x134
[ 54.895140] handle_edge_irq+0x231/0x850
[ 54.895141] handle_irq+0x252/0x34c
[ 54.895142] do_IRQ+0x99/0x1e0
[ 54.895143] ret_from_intr+0x0/0x1e
[ 54.895145] native_safe_halt+0x2/0x10
[ 54.895146] arch_cpu_idle+0x10/0x20
[ 54.895147] default_idle_call+0x36/0x90
[ 54.895148] do_idle+0x262/0x3d0
[ 54.895149] cpu_startup_entry+0x1b/0x20
[ 54.895150] rest_init+0xf1/0xf6
[ 54.895152] start_kernel+0x6e2/0x700
[ 54.895153] x86_64_start_reservations+0x29/0x2b
[ 54.895154] x86_64_start_kernel+0x77/0x7b
[ 54.895156] secondary_startup_64+0xa5/0xb0
[ 54.895156]
[ 54.895157] -> #1 (&port_lock_key){-.-.}:
[ 54.895161] lock_acquire+0x16f/0x430
[ 54.895162] _raw_spin_lock_irqsave+0x95/0xcd
[ 54.895164] serial8250_console_write+0x72c/0x950
[ 54.895165] univ8250_console_write+0x5f/0x70
[ 54.895166] console_unlock+0x9c1/0xed0
[ 54.895168] vprintk_emit+0x1f9/0x600
[ 54.895169] vprintk_default+0x28/0x30
[ 54.895170] vprintk_func+0x5d/0x159
[ 54.895171] printk+0x9e/0xbc
[ 54.895172] register_console+0x61c/0x9f0
[ 54.895173] univ8250_console_init+0x33/0x3f
[ 54.895175] console_init+0x54/0x60
[ 54.895176] start_kernel+0x43f/0x700
[ 54.895177] x86_64_start_reservations+0x29/0x2b
[ 54.895178] x86_64_start_kernel+0x77/0x7b
[ 54.895180] secondary_startup_64+0xa5/0xb0
[ 54.895180]
[ 54.895181] -> #0 (console_owner){-...}:
[ 54.895185] __lock_acquire+0x2c89/0x45e0
[ 54.895186] lock_acquire+0x16f/0x430
[ 54.895188] vprintk_emit+0x32e/0x600
[ 54.895189] vprintk_default+0x28/0x30
[ 54.895190] vprintk_func+0x5d/0x159
[ 54.895207] printk+0x9e/0xbc
[ 54.895209] should_fail.cold+0xe4/0x159
[ 54.895210] should_failslab+0xdb/0x130
[ 54.895211] __kmalloc+0x71/0x7a0
[ 54.895213] __tty_buffer_request_room+0x1a4/0x500
[ 54.895214] tty_insert_flip_string_fixed_flag+0x8a/0x1c0
[ 54.895216] pty_write+0x113/0x1d0
[ 54.895217] tty_put_char+0x113/0x140
[ 54.895218] __process_echoes+0x2ce/0x8a0
[ 54.895220] n_tty_receive_buf_common+0x998/0x2410
[ 54.895221] n_tty_receive_buf+0x31/0x3b
[ 54.895222] tty_ioctl+0xe0e/0x1340
[ 54.895224] do_vfs_ioctl+0x7b9/0x1070
[ 54.895225] SyS_ioctl+0x8f/0xc0
[ 54.895226] do_syscall_64+0x1eb/0x630
[ 54.895227] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.895228]
[ 54.895230] other info that might help us debug this:
[ 54.895230]
[ 54.895231] Chain exists of:
[ 54.895232] console_owner --> &port_lock_key --> &(&port->lock)->rlock
[ 54.895238]
[ 54.895239] Possible unsafe locking scenario:
[ 54.895240]
[ 54.895241]        CPU0                    CPU1
[ 54.895242]        ----                    ----
[ 54.895243]   lock(&(&port->lock)->rlock);
[ 54.895246]                                lock(&port_lock_key);
[ 54.895249]                                lock(&(&port->lock)->rlock);
[ 54.895252]   lock(console_owner);
[ 54.895254]
[ 54.895255] *** DEADLOCK ***
[ 54.895256]
[ 54.895257] 4 locks held by syz-executor206/7038:
[ 54.895258] #0: (&tty->ldisc_sem){++++}, at: [] ldsem_down_read+0x33/0x40
[ 54.895262] #1: (&o_tty->termios_rwsem/1){++++}, at: [] n_tty_receive_buf_common+0x92/0x2410
[ 54.895268] #2: (&ldata->output_lock){+.+.}, at: [] n_tty_receive_buf_common+0x958/0x2410
[ 54.895273] #3: (&(&port->lock)->rlock){-.-.}, at: [] pty_write+0xe0/0x1d0
[ 54.895278]
[ 54.895279] stack backtrace:
[ 54.895281] CPU: 1 PID: 7038 Comm: syz-executor206 Not tainted 4.14.111 #1
[ 54.895283] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.895284] Call Trace:
[ 54.895285] dump_stack+0x138/0x19c
[ 54.895286] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 54.895288] __lock_acquire+0x2c89/0x45e0
[ 54.895289] ? trace_hardirqs_on+0x10/0x10
[ 54.895290] ? save_trace+0x290/0x290
[ 54.895291] ? vprintk_emit+0x309/0x600
[ 54.895292] lock_acquire+0x16f/0x430
[ 54.895294] ? vprintk_emit+0x2f1/0x600
[ 54.895295] vprintk_emit+0x32e/0x600
[ 54.895296] ? vprintk_emit+0x2f1/0x600
[ 54.895297] vprintk_default+0x28/0x30
[ 54.895298] vprintk_func+0x5d/0x159
[ 54.895299] printk+0x9e/0xbc
[ 54.895301] ? show_regs_print_info+0x63/0x63
[ 54.895302] ? ___ratelimit+0x55/0x537
[ 54.895303] should_fail.cold+0xe4/0x159
[ 54.895304] should_failslab+0xdb/0x130
[ 54.895306] __kmalloc+0x71/0x7a0
[ 54.895307] ? __lock_is_held+0xb6/0x140
[ 54.895308] ? __tty_buffer_request_room+0x1a4/0x500
[ 54.895310] __tty_buffer_request_room+0x1a4/0x500
[ 54.895311] tty_insert_flip_string_fixed_flag+0x8a/0x1c0
[ 54.895312] pty_write+0x113/0x1d0
[ 54.895313] tty_put_char+0x113/0x140
[ 54.895315] ? dev_match_devt+0x90/0x90
[ 54.895316] ? pty_write_room+0xae/0xd0
[ 54.895317] ? pty_stop+0x1a0/0x1a0
[ 54.895318] __process_echoes+0x2ce/0x8a0
[ 54.895320] n_tty_receive_buf_common+0x998/0x2410
[ 54.895321] ? n_tty_receive_buf2+0x40/0x40
[ 54.895322] n_tty_receive_buf+0x31/0x3b
[ 54.895323] tty_ioctl+0xe0e/0x1340
[ 54.895324] ? get_pid_task+0xbf/0x140
[ 54.895326] ? tty_vhangup+0x30/0x30
[ 54.895327] ? __might_sleep+0x93/0xb0
[ 54.895328] ? tty_vhangup+0x30/0x30
[ 54.895329] do_vfs_ioctl+0x7b9/0x1070
[ 54.895330] ? selinux_file_mprotect+0x5d0/0x5d0
[ 54.895332] ? ioctl_preallocate+0x1c0/0x1c0
[ 54.895333] ? vfs_write+0x104/0x500
[ 54.895334] ? security_file_ioctl+0x83/0xc0
[ 54.895335] ? security_file_ioctl+0x8f/0xc0
[ 54.895337] SyS_ioctl+0x8f/0xc0
[ 54.895338] ? do_vfs_ioctl+0x1070/0x1070
[ 54.895339] do_syscall_64+0x1eb/0x630
[ 54.895341] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.895342] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 54.895343] RIP: 0033:0x440679
[ 54.895345] RSP: 002b:00007ffdc3243ad8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 5