[ 31.261564] audit: type=1800 audit(1565462455.851:33): pid=6820 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 31.289099] audit: type=1800 audit(1565462455.851:34): pid=6820 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.478959] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.831905] audit: type=1400 audit(1565462463.421:35): avc: denied { map } for pid=6993 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.883529] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.444537] random: sshd: uninitialized urandom read (32 bytes read)
[ 63.222684] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.250' (ECDSA) to the list of known hosts.
[ 68.804302] random: sshd: uninitialized urandom read (32 bytes read)
[ 68.991047] audit: type=1400 audit(1565462493.581:36): avc: denied { map } for pid=7005 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/08/10 18:41:34 parsed 1 programs
[ 69.877086] audit: type=1400 audit(1565462494.461:37): avc: denied { map } for pid=7005 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=22 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 70.699595] random: cc1: uninitialized urandom read (8 bytes read)
2019/08/10 18:41:36 executed programs: 0
[ 71.591012] audit: type=1400 audit(1565462496.181:38): avc: denied { map } for pid=7005 comm="syz-execprog" path="/root/syzkaller-shm282689441" dev="sda1" ino=2233 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 71.900952] IPVS: ftp: loaded support on port[0] = 21
[ 72.697777] chnl_net:caif_netlink_parms(): no params data found
[ 72.729812] bridge0: port 1(bridge_slave_0) entered blocking state
[ 72.736743] bridge0: port 1(bridge_slave_0) entered disabled state
[ 72.743880] device bridge_slave_0 entered promiscuous mode
[ 72.751247] bridge0: port 2(bridge_slave_1) entered blocking state
[ 72.757649] bridge0: port 2(bridge_slave_1) entered disabled state
[ 72.765207] device bridge_slave_1 entered promiscuous mode
[ 72.779445] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 72.788820] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 72.805162] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 72.812749] team0: Port device team_slave_0 added
[ 72.818166] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 72.825452] team0: Port device team_slave_1 added
[ 72.830667] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 72.837989] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 72.892186] device hsr_slave_0 entered promiscuous mode
[ 72.930349] device hsr_slave_1 entered promiscuous mode
[ 72.970527] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 72.977523] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 72.990635] bridge0: port 2(bridge_slave_1) entered blocking state
[ 72.997033] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 73.003942] bridge0: port 1(bridge_slave_0) entered blocking state
[ 73.010354] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 73.037547] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 73.044749] 8021q: adding VLAN 0 to HW filter on device bond0
[ 73.053039] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 73.061851] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 73.080589] bridge0: port 1(bridge_slave_0) entered disabled state
[ 73.087535] bridge0: port 2(bridge_slave_1) entered disabled state
[ 73.098676] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 73.104992] 8021q: adding VLAN 0 to HW filter on device team0
[ 73.113146] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 73.121197] bridge0: port 1(bridge_slave_0) entered blocking state
[ 73.127547] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 73.136607] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 73.144678] bridge0: port 2(bridge_slave_1) entered blocking state
[ 73.151059] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 73.166965] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 73.175166] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 73.188026] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 73.198017] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 73.209041] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 73.215948] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 73.223684] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 73.231434] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 73.238875] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 73.249673] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 73.259800] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 73.690814] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 74.408689] audit: type=1804 audit(1565462498.991:39): pid=7035 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="open_writers" comm="syz-executor.0" name="/root/syzkaller-testdir585308795/syzkaller.6XKpgs/0/file0/file0" dev="sda1" ino=16499 res=1
[ 74.408690]
[ 74.408697] ======================================================
[ 74.444085] WARNING: possible circular locking dependency detected
[ 74.450383] 4.14.138 #34 Not tainted
[ 74.454075] ------------------------------------------------------
[ 74.460373] syz-executor.0/7035 is trying to acquire lock:
[ 74.466215]  (sb_writers#4){.+.+}, at: [] mnt_want_write+0x3f/0xb0
[ 74.474104]
[ 74.474104] but task is already holding lock:
[ 74.480062]  (&iint->mutex){+.+.}, at: [] process_measurement+0x2ae/0xb80
[ 74.488565]
[ 74.488565] which lock already depends on the new lock.
[ 74.488565]
[ 74.496869]
[ 74.496869] the existing dependency chain (in reverse order) is:
[ 74.505771]
[ 74.505771] -> #1 (&iint->mutex){+.+.}:
[ 74.511389]        lock_acquire+0x16f/0x430
[ 74.515701]        __mutex_lock+0xe8/0x1470
[ 74.520099]        mutex_lock_nested+0x16/0x20
[ 74.524664]        process_measurement+0x2ae/0xb80
[ 74.529680]        ima_file_check+0x30/0x40
[ 74.534009]        path_openat+0x1626/0x3f70
[ 74.538405]        do_filp_open+0x18e/0x250
[ 74.542731]        do_sys_open+0x2c5/0x430
[ 74.546956]        SyS_open+0x2d/0x40
[ 74.550833]        do_syscall_64+0x1e8/0x640
[ 74.555272]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 74.560967]
[ 74.560967] -> #0 (sb_writers#4){.+.+}:
[ 74.566409]        __lock_acquire+0x2cb3/0x4620
[ 74.571061]        lock_acquire+0x16f/0x430
[ 74.575364]        __sb_start_write+0x1ae/0x2f0
[ 74.580019]        mnt_want_write+0x3f/0xb0
[ 74.584334]        ovl_want_write+0x76/0xa0
[ 74.588697]        ovl_open_maybe_copy_up+0xd5/0x130
[ 74.593837]        ovl_d_real+0xce/0x360
[ 74.598209]        vfs_open+0x19e/0x220
[ 74.602262]        dentry_open+0xac/0x220
[ 74.606395]        ima_calc_file_hash+0x563/0x820
[ 74.611292]        ima_collect_measurement+0x3c1/0x450
[ 74.616558]        process_measurement+0x7dd/0xb80
[ 74.621479]        ima_file_check+0x30/0x40
[ 74.625835]        path_openat+0x1626/0x3f70
[ 74.630228]        do_filp_open+0x18e/0x250
[ 74.634539]        do_sys_open+0x2c5/0x430
[ 74.638754]        SyS_open+0x2d/0x40
[ 74.642676]        do_syscall_64+0x1e8/0x640
[ 74.647092]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 74.652836]
[ 74.652836] other info that might help us debug this:
[ 74.652836]
[ 74.661094]  Possible unsafe locking scenario:
[ 74.661094]
[ 74.667136]        CPU0                    CPU1
[ 74.671784]        ----                    ----
[ 74.676472]   lock(&iint->mutex);
[ 74.679910]                                lock(sb_writers#4);
[ 74.685866]                                lock(&iint->mutex);
[ 74.691816]   lock(sb_writers#4);
[ 74.695421]
[ 74.695421]  *** DEADLOCK ***
[ 74.695421]
[ 74.701459] 1 lock held by syz-executor.0/7035:
[ 74.706103]  #0: (&iint->mutex){+.+.}, at: [] process_measurement+0x2ae/0xb80
[ 74.715185]
[ 74.715185] stack backtrace:
[ 74.719670] CPU: 1 PID: 7035 Comm: syz-executor.0 Not tainted 4.14.138 #34
[ 74.726660] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.735995] Call Trace:
[ 74.738567] dump_stack+0x138/0x19c
[ 74.742181] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 74.747529] __lock_acquire+0x2cb3/0x4620
[ 74.751656] ? save_stack+0x45/0xd0
[ 74.755267] ? kasan_kmalloc+0xce/0xf0
[ 74.759139] ? kasan_slab_alloc+0xf/0x20
[ 74.763183] ? kmem_cache_alloc+0x12e/0x780
[ 74.767524] ? selinux_file_alloc_security+0xb4/0x190
[ 74.772760] ? trace_hardirqs_on+0x10/0x10
[ 74.777028] ? do_sys_open+0x2c5/0x430
[ 74.781047] ? save_trace+0x290/0x290
[ 74.784836] ? save_trace+0x290/0x290
[ 74.788619] lock_acquire+0x16f/0x430
[ 74.792404] ? mnt_want_write+0x3f/0xb0
[ 74.796364] __sb_start_write+0x1ae/0x2f0
[ 74.801014] ? mnt_want_write+0x3f/0xb0
[ 74.804968] mnt_want_write+0x3f/0xb0
[ 74.808747] ovl_want_write+0x76/0xa0
[ 74.812565] ovl_open_maybe_copy_up+0xd5/0x130
[ 74.817136] ovl_d_real+0xce/0x360
[ 74.820656] vfs_open+0x19e/0x220
[ 74.824189] dentry_open+0xac/0x220
[ 74.827803] ima_calc_file_hash+0x563/0x820
[ 74.832106] ima_collect_measurement+0x3c1/0x450
[ 74.836910] ? ima_get_action+0x80/0x80
[ 74.840871] ? ima_get_cache_status+0x180/0x180
[ 74.845561] process_measurement+0x7dd/0xb80
[ 74.850001] ? ima_rdwr_violation_check+0x3f0/0x3f0
[ 74.855012] ? dput.part.0+0x170/0x750
[ 74.858883] ? dquot_file_open+0x60/0xa0
[ 74.862933] ? ext4_file_open+0x2da/0x850
[ 74.867071] ? ext4_release_file+0x2e0/0x2e0
[ 74.871464] ? inode_has_perm.isra.0+0x1e0/0x1e0
[ 74.876321] ? lock_downgrade+0x5fc/0x6e0
[ 74.880469] ? security_file_open+0x89/0x190
[ 74.884868] ? file_ra_state_init+0xc9/0x1e0
[ 74.889260] ? do_dentry_open+0x452/0xeb0
[ 74.893396] ? ovl_dentry_upper+0xd/0x70
[ 74.897445] ? ext4_release_file+0x2e0/0x2e0
[ 74.901842] ima_file_check+0x30/0x40
[ 74.905632] path_openat+0x1626/0x3f70
[ 74.909513] ? trace_hardirqs_on+0x10/0x10
[ 74.913769] ? path_lookupat.isra.0+0x7b0/0x7b0
[ 74.918427] ? find_held_lock+0x35/0x130
[ 74.922468] ? __alloc_fd+0x1d4/0x4a0
[ 74.926247] do_filp_open+0x18e/0x250
[ 74.930042] ? may_open_dev+0xe0/0xe0
[ 74.933842] ? _raw_spin_unlock+0x2d/0x50
[ 74.937973] ? __alloc_fd+0x1d4/0x4a0
[ 74.941757] do_sys_open+0x2c5/0x430
[ 74.945451] ? filp_open+0x70/0x70
[ 74.948976] ? SyS_clock_gettime+0xf8/0x180
[ 74.953279] SyS_open+0x2d/0x40
[ 74.956537] ? do_sys_open+0x430/0x430
[ 74.960413] do_syscall_64+0x1e8/0x640
[ 74.964344] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 74.969220] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 74.974402] RIP: 0033:0x459829
[ 74.977581] RSP: 002b:00007ffdeb95bf58 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 74.985325] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459829
[ 74.992590] RDX: 0000000000000008 RSI: 0000000000000003 RDI: 0000000020000800
[ 74.999848] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 75.007251] R10: 0000000000000000 R11: 00000