[ 33.169712] audit: type=1800 audit(1560688208.401:33): pid=6932 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.196008] audit: type=1800 audit(1560688208.411:34): pid=6932 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 44.652397] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.979752] audit: type=1400 audit(1560688220.211:35): avc: denied { map } for pid=7105 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 45.047302] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.637988] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.842612] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
[ 51.341899] random: sshd: uninitialized urandom read (32 bytes read)
[ 51.465012] audit: type=1400 audit(1560688226.701:36): avc: denied { map } for pid=7117 comm="syz-executor030" path="/root/syz-executor030477461" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 52.250214] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 52.561274] audit: type=1400 audit(1560688227.801:37): avc: denied { map } for pid=7118 comm="syz-executor030" path="/dev/usbmon0" dev="devtmpfs" ino=14095 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file permissive=1
[ 52.563466]
[ 52.591214] ======================================================
[ 52.599307] WARNING: possible circular locking dependency detected
[ 52.606509] 4.14.126 #20 Not tainted
[ 52.610222] ------------------------------------------------------
[ 52.616852] syz-executor030/7119 is trying to acquire lock:
[ 52.622861]  (&mm->mmap_sem){++++}, at: [] __might_fault+0xe0/0x1d0
[ 52.630843]
[ 52.630843] but task is already holding lock:
[ 52.636816]  (&rp->fetch_lock){+.+.}, at: [] mon_bin_read+0x5d/0x5e0
[ 52.645176]
[ 52.645176] which lock already depends on the new lock.
[ 52.645176]
[ 52.653484]
[ 52.653484] the existing dependency chain (in reverse order) is:
[ 52.661277]
[ 52.661277] -> #1 (&rp->fetch_lock){+.+.}:
[ 52.667528]        lock_acquire+0x16f/0x430
[ 52.671847]        __mutex_lock+0xe8/0x1470
[ 52.676159]        mutex_lock_nested+0x16/0x20
[ 52.680844]        mon_bin_vma_fault+0x6f/0x280
[ 52.685507]        __do_fault+0x104/0x390
[ 52.689641]        __handle_mm_fault+0xde1/0x3470
[ 52.694591]        handle_mm_fault+0x293/0x7c0
[ 52.699269]        __get_user_pages+0x465/0x1230
[ 52.704013]        populate_vma_page_range+0x18e/0x230
[ 52.709366]        __mm_populate+0x198/0x2c0
[ 52.713781]        vm_mmap_pgoff+0x1be/0x1d0
[ 52.718182]        SyS_mmap_pgoff+0x3ca/0x520
[ 52.722663]        SyS_mmap+0x16/0x20
[ 52.726478]        do_syscall_64+0x1e8/0x640
[ 52.730878]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.736852]
[ 52.736852] -> #0 (&mm->mmap_sem){++++}:
[ 52.742573]        __lock_acquire+0x2c89/0x45e0
[ 52.747328]        lock_acquire+0x16f/0x430
[ 52.751653]        __might_fault+0x143/0x1d0
[ 52.756048]        _copy_to_user+0x2c/0xd0
[ 52.760337]        mon_bin_read+0x2fb/0x5e0
[ 52.764667]        __vfs_read+0x105/0x6a0
[ 52.768811]        vfs_read+0x137/0x350
[ 52.773057]        SyS_read+0xfd/0x230
[ 52.777930]        do_syscall_64+0x1e8/0x640
[ 52.782695]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 52.788920]
[ 52.788920] other info that might help us debug this:
[ 52.788920]
[ 52.797079]  Possible unsafe locking scenario:
[ 52.797079]
[ 52.803135]        CPU0                    CPU1
[ 52.807796]        ----                    ----
[ 52.812587]   lock(&rp->fetch_lock);
[ 52.816316]                                lock(&mm->mmap_sem);
[ 52.824197]                                lock(&rp->fetch_lock);
[ 52.830603]   lock(&mm->mmap_sem);
[ 52.834568]
[ 52.834568]  *** DEADLOCK ***
[ 52.834568]
[ 52.840795] 1 lock held by syz-executor030/7119:
[ 52.845822]  #0:  (&rp->fetch_lock){+.+.}, at: [] mon_bin_read+0x5d/0x5e0
[ 52.854425]
[ 52.854425] stack backtrace:
[ 52.858927] CPU: 1 PID: 7119 Comm: syz-executor030 Not tainted 4.14.126 #20
[ 52.866199] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.875567] Call Trace:
[ 52.878263]  dump_stack+0x138/0x19c
[ 52.881891]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 52.887254]  __lock_acquire+0x2c89/0x45e0
[ 52.891576]  ? remove_wait_queue+0x10f/0x190
[ 52.896074]  ? trace_hardirqs_on+0x10/0x10
[ 52.900331]  ? save_trace+0x290/0x290
[ 52.904139]  lock_acquire+0x16f/0x430
[ 52.908214]  ? __might_fault+0xe0/0x1d0
[ 52.912401]  __might_fault+0x143/0x1d0
[ 52.916728]  ? __might_fault+0xe0/0x1d0
[ 52.920880]  _copy_to_user+0x2c/0xd0
[ 52.924911]  mon_bin_read+0x2fb/0x5e0
[ 52.930947]  __vfs_read+0x105/0x6a0
[ 52.934855]  ? __fsnotify_update_child_dentry_flags.part.0+0x300/0x300
[ 52.942918]  ? mon_bin_fetch+0x2e0/0x2e0
[ 52.946988]  ? vfs_copy_file_range+0xa40/0xa40
[ 52.951761]  ? __inode_security_revalidate+0xd6/0x130
[ 52.957110]  ? avc_policy_seqno+0x9/0x20
[ 52.961791]  ? selinux_file_permission+0x85/0x480
[ 52.966670]  ? security_file_permission+0x89/0x1f0
[ 52.971609]  ? rw_verify_area+0xea/0x2b0
[ 52.975692]  vfs_read+0x137/0x350
[ 52.979154]  SyS_read+0xfd/0x230
[ 52.982523]  ? kernel_write+0x120/0x120
[ 52.986501]  ? do_syscall_64+0x53/0x640
[ 52.990470]  ? kernel_write+0x120/0x120
[ 52.994443]  do_syscall_64+0x1e8/0x640
[ 52.998325]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.003165]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 53.008351] RIP: 0033:0x449f19
[ 53.011528] RSP: 002b:00007f01480e9ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 53.019232] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000449f19
[ 53.026589] RDX: 000000000000ffab RSI: 0000000000000000 RDI: 0000000000000003
[ 53.033950] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 53.041360] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 53.048649] R13: 00007ffce09da1cf R14: 00007f01480ea9c0 R15: 000000000000002d