[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.512110] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.080960] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.248627] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 16.767972] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.904746] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.24' (ECDSA) to the list of known hosts.
[ 22.820443] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 22.903122]
[ 22.904780] ======================================================
[ 22.911068] [ INFO: possible circular locking dependency detected ]
[ 22.917444] 4.9.122-g54068d6 #26 Not tainted
[ 22.921831] -------------------------------------------------------
[ 22.928205] syz-executor876/3779 is trying to acquire lock:
[ 22.933884]  (&sb->s_type->i_mutex_key#10){++++++}, at: [] shmem_fallocate+0x13c/0xb40
[ 22.943958] but task is already holding lock:
[ 22.948596]  (ashmem_mutex){+.+.+.}, at: [] ashmem_shrink_scan+0x55/0x3a0
[ 22.957422] which lock already depends on the new lock.
[ 22.957422]
[ 22.964406]
[ 22.964406] the existing dependency chain (in reverse order) is:
[ 22.971996] -> #2 (ashmem_mutex){+.+.+.}:
[ 22.976791]        lock_acquire+0x130/0x3e0
[ 22.981086]        mutex_lock_nested+0xc0/0x870
[ 22.985726]        ashmem_mmap+0x53/0x3f0
[ 22.989844]        mmap_region+0x893/0x1040
[ 22.994156]        do_mmap+0x59c/0xcc0
[ 22.998016]        vm_mmap_pgoff+0x168/0x1b0
[ 23.002397]        SyS_mmap_pgoff+0x342/0x550
[ 23.006864]        SyS_mmap+0x16/0x20
[ 23.010727]        do_syscall_64+0x1a6/0x490
[ 23.015119]        entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 23.020711] -> #1 (&mm->mmap_sem){++++++}:
[ 23.025615]        lock_acquire+0x130/0x3e0
[ 23.029908]        __might_fault+0x14a/0x1d0
[ 23.034301]        filldir+0x1a4/0x370
[ 23.038158]        dcache_readdir+0x130/0x5d0
[ 23.042635]        iterate_dir+0x1ac/0x600
[ 23.046840]        SyS_getdents+0x13c/0x2a0
[ 23.051133]        do_syscall_64+0x1a6/0x490
[ 23.055515]        entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 23.061106] -> #0 (&sb->s_type->i_mutex_key#10){++++++}:
[ 23.067320]        __lock_acquire+0x3019/0x4070
[ 23.071963]        lock_acquire+0x130/0x3e0
[ 23.076271]        down_write+0x41/0xa0
[ 23.080229]        shmem_fallocate+0x13c/0xb40
[ 23.084783]        ashmem_shrink_scan+0x1bd/0x3a0
[ 23.089618]        ashmem_ioctl+0x2c1/0xf20
[ 23.093913]        do_vfs_ioctl+0x1ac/0x11a0
[ 23.098293]        SyS_ioctl+0x8f/0xc0
[ 23.102154]        do_syscall_64+0x1a6/0x490
[ 23.106535]        entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 23.112129]
[ 23.112129] other info that might help us debug this:
[ 23.112129]
[ 23.120240] Chain exists of: &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex
[ 23.129972]  Possible unsafe locking scenario:
[ 23.129972]
[ 23.135999]        CPU0                    CPU1
[ 23.140635]        ----                    ----
[ 23.145285]   lock(ashmem_mutex);
[ 23.148975]                                lock(&mm->mmap_sem);
[ 23.155257]                                lock(ashmem_mutex);
[ 23.161455]   lock(&sb->s_type->i_mutex_key#10);
[ 23.166584]
[ 23.166584]  *** DEADLOCK ***
[ 23.166584]
[ 23.172616] 1 lock held by syz-executor876/3779:
[ 23.177356]  #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_shrink_scan+0x55/0x3a0
[ 23.186772]
[ 23.186772] stack backtrace:
[ 23.191240] CPU: 0 PID: 3779 Comm: syz-executor876 Not tainted 4.9.122-g54068d6 #26
[ 23.199348] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 23.208682]  ffff8801b6387638 ffffffff81eb8829 ffffffff855d3a70 ffffffff855f0a80
[ 23.216683]  ffffffff855da4c0 ffff8801ba55b8e8 ffff8801ba55b000 ffff8801b6387680
[ 23.224673]  ffffffff814288e5 0000000000000001 00000000ba55b000 0000000000000001
[ 23.232658] Call Trace:
[ 23.235223]  [] dump_stack+0xc1/0x128
[ 23.240561]  [] print_circular_bug.cold.51+0x1bd/0x27d
[ 23.247462]  [] __lock_acquire+0x3019/0x4070
[ 23.253410]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 23.260397]  [] ? __lock_is_held+0xa2/0xf0
[ 23.266272]  [] lock_acquire+0x130/0x3e0
[ 23.271874]  [] ? shmem_fallocate+0x13c/0xb40
[ 23.277910]  [] down_write+0x41/0xa0
[ 23.283162]  [] ? shmem_fallocate+0x13c/0xb40
[ 23.289192]  [] shmem_fallocate+0x13c/0xb40
[ 23.295073]  [] ? avc_has_perm_noaudit+0x2ad/0x450
[ 23.301556]  [] ? avc_has_perm_noaudit+0xa3/0x450
[ 23.307939]  [] ? shmem_setattr+0x9a0/0x9a0
[ 23.313797]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 23.320786]  [] ? new_slab+0x303/0x3d0
[ 23.326213]  [] ? range_alloc+0x36/0x240
[ 23.331814]  [] ? cred_has_capability+0x14e/0x2e0
[ 23.338193]  [] ? selinux_ipv4_output+0x40/0x40
[ 23.344399]  [] ? mark_held_locks+0xc7/0x130
[ 23.350343]  [] ? mutex_trylock+0x25a/0x3e0
[ 23.356201]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 23.363013]  [] ? trace_hardirqs_on+0xd/0x10
[ 23.368956]  [] ? ashmem_shrink_scan+0x55/0x3a0
[ 23.375161]  [] ashmem_shrink_scan+0x1bd/0x3a0
[ 23.381309]  [] ashmem_ioctl+0x2c1/0xf20
[ 23.386909]  [] ? get_name+0x230/0x230
[ 23.392333]  [] ? __might_sleep+0x95/0x1a0
[ 23.398105]  [] ? get_name+0x230/0x230
[ 23.403529]  [] do_vfs_ioctl+0x1ac/0x11a0
[ 23.409230]  [] ? ioctl_preallocate+0x220/0x220
[ 23.415439]  [] ? selinux_capable+0x40/0x40
[ 23.421304]  [] ? ctor_show+0xa/0x30
[ 23.426605]  [] ? __do_page_fault+0x5dd/0xd50
[ 23.432636]  [] ? security_file_ioctl+0x8f/0xc0
[ 23.438842]  [] SyS_ioctl+0x8f/0xc0
[ 23.444005]  [] ? do_vfs_ioctl+0x11a0/0x11a0
[ 23.449951]  [] do_syscall_64+0x1a6/0x490
[