[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   24.241188] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.427216] random: sshd: uninitialized urandom read (32 bytes read)
[   26.756627] random: sshd: uninitialized urandom read (32 bytes read)
[   27.352922] random: sshd: uninitialized urandom read (32 bytes read)
[   27.537053] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
[   33.338000] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.443142] 
[   33.444790] ======================================================
[   33.451088] WARNING: possible circular locking dependency detected
[   33.457442] 4.19.0-rc1-next-20180831+ #53 Not tainted
[   33.462614] ------------------------------------------------------
[   33.468913] syz-executor970/4643 is trying to acquire lock:
[   33.474610] 0000000086366e4d (&rp->fetch_lock){+.+.}, at: mon_bin_vma_fault+0xdc/0x4a0
[   33.482696] 
[   33.482696] but task is already holding lock:
[   33.488648] 00000000c9e869c0 (&mm->mmap_sem){++++}, at: __mm_populate+0x31a/0x4d0
[   33.496274] 
[   33.496274] which lock already depends on the new lock.
[   33.496274] 
[   33.504571] 
[   33.504571] the existing dependency chain (in reverse order) is:
[   33.512194] 
[   33.512194] -> #1 (&mm->mmap_sem){++++}:
[   33.517737]        __might_fault+0x155/0x1e0
[   33.522133]        _copy_to_user+0x30/0x110
[   33.526441]        mon_bin_read+0x334/0x650
[   33.530753]        __vfs_read+0x117/0x9b0
[   33.534889]        vfs_read+0x17f/0x3c0
[   33.538860]        ksys_pread64+0x181/0x1b0
[   33.543169]        __x64_sys_pread64+0x97/0xf0
[   33.547745]        do_syscall_64+0x1b9/0x820
[   33.552160]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.557854] 
[   33.557854] -> #0 (&rp->fetch_lock){+.+.}:
[   33.563563]        lock_acquire+0x1e4/0x4f0
[   33.567871]        __mutex_lock+0x171/0x1700
[   33.572264]        mutex_lock_nested+0x16/0x20
[   33.576833]        mon_bin_vma_fault+0xdc/0x4a0
[   33.581496]        __do_fault+0xee/0x450
[   33.585859]        __handle_mm_fault+0x2b4a/0x4350
[   33.590773]        handle_mm_fault+0x53e/0xc80
[   33.595361]        __get_user_pages+0x823/0x1b50
[   33.600103]        populate_vma_page_range+0x2db/0x3d0
[   33.605365]        __mm_populate+0x286/0x4d0
[   33.609776]        vm_mmap_pgoff+0x27f/0x2c0
[   33.614169]        ksys_mmap_pgoff+0x4da/0x660
[   33.618772]        __x64_sys_mmap+0xe9/0x1b0
[   33.623168]        do_syscall_64+0x1b9/0x820
[   33.627571]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.633256] 
[   33.633256] other info that might help us debug this:
[   33.633256] 
[   33.641383]  Possible unsafe locking scenario:
[   33.641383] 
[   33.647420]        CPU0                    CPU1
[   33.652082]        ----                    ----
[   33.656752]   lock(&mm->mmap_sem);
[   33.660291]                                lock(&rp->fetch_lock);
[   33.666511]                                lock(&mm->mmap_sem);
[   33.672557]   lock(&rp->fetch_lock);
[   33.676255] 
[   33.676255]  *** DEADLOCK ***
[   33.676255] 
[   33.682301] 1 lock held by syz-executor970/4643:
[   33.687034]  #0: 00000000c9e869c0 (&mm->mmap_sem){++++}, at: __mm_populate+0x31a/0x4d0
[   33.695091] 
[   33.695091] stack backtrace:
[   33.699572] CPU: 1 PID: 4643 Comm: syz-executor970 Not tainted 4.19.0-rc1-next-20180831+ #53
[   33.708128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.717468] Call Trace:
[   33.720060]  dump_stack+0x1c9/0x2b4
[   33.723690]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.728870]  ? vprintk_func+0x81/0x117
[   33.732752]  print_circular_bug.isra.34.cold.55+0x1bd/0x27d
[   33.738453]  ? save_trace+0xe0/0x290
[   33.742159]  __lock_acquire+0x3449/0x5020
[   33.746300]  ? __isolate_free_page+0x690/0x690
[   33.750870]  ? mark_held_locks+0x160/0x160
[   33.755094]  ? print_usage_bug+0xc0/0xc0
[   33.759175]  ? free_unref_page_list+0xbca/0x11a0
[   33.763926]  ? __lock_acquire+0x7fc/0x5020
[   33.768147]  ? print_usage_bug+0xc0/0xc0
[   33.772250]  ? mark_held_locks+0x160/0x160
[   33.776474]  ? __lock_acquire+0x7fc/0x5020
[   33.780721]  ? mark_held_locks+0x160/0x160
[   33.784952]  ? mark_held_locks+0x160/0x160
[   33.789193]  ? graph_lock+0x170/0x170
[   33.792988]  ? mark_held_locks+0x160/0x160
[   33.797203]  ? print_usage_bug+0xc0/0xc0
[   33.801252]  lock_acquire+0x1e4/0x4f0
[   33.805055]  ? mon_bin_vma_fault+0xdc/0x4a0
[   33.809360]  ? lock_release+0x9f0/0x9f0
[   33.813319]  ? check_same_owner+0x340/0x340
[   33.817625]  ? rcu_note_context_switch+0x680/0x680
[   33.822557]  __mutex_lock+0x171/0x1700
[   33.826430]  ? mon_bin_vma_fault+0xdc/0x4a0
[   33.830738]  ? mon_bin_vma_fault+0xdc/0x4a0
[   33.835051]  ? mutex_trylock+0x2b0/0x2b0
[   33.839103]  ? mark_held_locks+0x160/0x160
[   33.843328]  ? lock_downgrade+0x8f0/0x8f0
[   33.847462]  ? trace_hardirqs_off+0xb8/0x2b0
[   33.851864]  ? kasan_check_read+0x11/0x20
[   33.856010]  ? print_usage_bug+0xc0/0xc0
[   33.860071]  ? trace_hardirqs_on+0x2c0/0x2c0
[   33.864464]  ? kasan_check_write+0x14/0x20
[   33.868694]  ? do_raw_spin_lock+0xc1/0x200
[   33.872919]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   33.878022]  ? print_usage_bug+0xc0/0xc0
[   33.882068]  ? graph_lock+0x170/0x170
[   33.885849]  ? print_usage_bug+0xc0/0xc0
[   33.889893]  ? __lock_acquire+0x7fc/0x5020
[   33.894108]  ? graph_lock+0x170/0x170
[   33.897891]  ? kasan_slab_free+0xe/0x10
[   33.901866]  ? print_usage_bug+0xc0/0xc0
[   33.905911]  ? __lock_acquire+0x7fc/0x5020
[   33.910132]  mutex_lock_nested+0x16/0x20
[   33.914175]  ? mutex_lock_nested+0x16/0x20
[   33.918402]  mon_bin_vma_fault+0xdc/0x4a0
[   33.922554]  ? kasan_check_read+0x11/0x20
[   33.926688]  ? mon_alloc_buff+0x200/0x200
[   33.930820]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   33.935482]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   33.940504]  ? vma_compute_subtree_gap+0x160/0x240
[   33.945425]  ? vma_gap_callbacks_rotate+0x62/0x80
[   33.950253]  __do_fault+0xee/0x450
[   33.953778]  ? vma_compute_subtree_gap+0x240/0x240
[   33.958694]  ? pmd_devmap_trans_unstable+0x1d0/0x1d0
[   33.963785]  ? __save_stack_trace+0x8d/0xf0
[   33.968087]  ? pud_val+0x88/0x100
[   33.971524]  ? pmd_val+0x100/0x100
[   33.975048]  __handle_mm_fault+0x2b4a/0x4350
[   33.979455]  ? vmf_insert_mixed_mkwrite+0xa0/0xa0
[   33.984281]  ? graph_lock+0x170/0x170
[   33.988070]  ? lock_downgrade+0x8f0/0x8f0
[   33.992209]  ? handle_mm_fault+0x8c4/0xc80
[   33.996442]  ? handle_mm_fault+0x8c4/0xc80
[   34.000666]  ? kasan_check_read+0x11/0x20
[   34.004802]  ? rcu_is_watching+0x8c/0x150
[   34.008938]  ? __get_user_pages+0x823/0x1b50
[   34.013348]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   34.018005]  handle_mm_fault+0x53e/0xc80
[   34.022226]  ? __handle_mm_fault+0x4350/0x4350
[   34.026795]  ? check_same_owner+0x340/0x340
[   34.031105]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   34.036109]  __get_user_pages+0x823/0x1b50
[   34.040332]  ? follow_page_mask+0x1e30/0x1e30
[   34.044815]  ? lock_acquire+0x1e4/0x4f0
[   34.048773]  ? __mm_populate+0x31a/0x4d0
[   34.052819]  ? lock_release+0x9f0/0x9f0
[   34.056777]  ? check_same_owner+0x340/0x340
[   34.061083]  ? rcu_note_context_switch+0x680/0x680
[   34.066002]  populate_vma_page_range+0x2db/0x3d0
[   34.070751]  ? get_user_pages_unlocked+0x5d0/0x5d0
[   34.075665]  ? find_vma+0x34/0x190
[   34.079196]  __mm_populate+0x286/0x4d0
[   34.083068]  ? populate_vma_page_range+0x3d0/0x3d0
[   34.087982]  ? down_read_killable+0x200/0x200
[   34.092477]  ? security_mmap_file+0x176/0x1c0
[   34.096969]  vm_mmap_pgoff+0x27f/0x2c0
[   34.100844]  ? vma_is_stack_for_current+0xd0/0xd0
[   34.105670]  ? putname+0xf2/0x130
[   34.109111]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.114116]  ksys_mmap_pgoff+0x4da/0x660
[   34.118164]  ? do_syscall_64+0x9a/0x820
[   34.122131]  ? find_mergeable_anon_vma+0xd0/0xd0
[   34.126868]  ? trace_hardirqs_on+0xbd/0x2c0
[   34.131174]  ? filp_open+0x80/0x80
[   34.134706]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.140056]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   34.145149]  __x64_sys_mmap+0xe9/0x1b0
[   34.149025]  do_syscall_64+0x1b9/0x820
[   34.152904]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   34.158257]  ? syscall_return_slowpath+0x5e0/0x5e0
[   34.163171]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.168006]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[   34.173009]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   34.178012]  ? prepare_exit_to_usermode+0x291/0x3b0
[   34.183034]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.187868]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.193040] RIP: 0033:0x443df9
[   34.196219] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   34.215138] RSP: 002b:00007ffd46b12508 EFLAGS: 00000216 ORIG_RAX: 0000000000000009
[   34.222835] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443df9
[   34.230088] RDX: 0000000001fffffd RSI: 0000000000001000 RDI: 0000000020aba000
[   34.237343] RBP: 00000000006ce018 R08: 0000000000000005 R09: 0000000000000000
[   34.244593] R10: 00000