[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 28.927545] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.159235] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.695170] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.871400] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts.
syzkaller login: [ 35.349366] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 35.459573] kauditd_printk_skb: 10 callbacks suppressed
[ 35.459583] audit: type=1400 audit(1567372162.437:36): avc: denied { map } for pid=6864 comm="syz-executor644" path="/root/syz-executor644824604" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 35.462827]
[ 35.465347] audit: type=1400 audit(1567372162.437:37): avc: denied { map } for pid=6864 comm="syz-executor644" path="/dev/ashmem" dev="devtmpfs" ino=15653 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[ 35.491171] ======================================================
[ 35.491173] WARNING: possible circular locking dependency detected
[ 35.491178] 4.14.141 #37 Not tainted
[ 35.491179] ------------------------------------------------------
[ 35.491182] syz-executor644/6864 is trying to acquire lock:
[ 35.491184]  (sb_writers#6){.+.+}, at: [] vfs_fallocate+0x5d1/0x7a0
[ 35.491206]
[ 35.491206] but task is already holding lock:
[ 35.491207]  (ashmem_mutex){+.+.}, at: [] ashmem_shrink_scan+0x56/0x420
[ 35.491220]
[ 35.491220] which lock already depends on the new lock.
[ 35.491220]
[ 35.491222]
[ 35.491222] the existing dependency chain (in reverse order) is:
[ 35.491224]
[ 35.491224] -> #2 (ashmem_mutex){+.+.}:
[ 35.491240]        lock_acquire+0x16f/0x430
[ 35.593812]        __mutex_lock+0xe8/0x1470
[ 35.598104]        mutex_lock_nested+0x16/0x20
[ 35.602661]        ashmem_mmap+0x55/0x490
[ 35.606783]        mmap_region+0x852/0x1030
[ 35.611100]        do_mmap+0x5b8/0xcd0
[ 35.614970]        vm_mmap_pgoff+0x17a/0x1d0
[ 35.619347]        SyS_mmap_pgoff+0x3ca/0x520
[ 35.623815]        SyS_mmap+0x16/0x20
[ 35.627597]        do_syscall_64+0x1e8/0x640
[ 35.631982]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.637662]
[ 35.637662] -> #1 (&mm->mmap_sem){++++}:
[ 35.643208]        lock_acquire+0x16f/0x430
[ 35.647589]        __might_fault+0x143/0x1d0
[ 35.651970]        _copy_from_user+0x2c/0x110
[ 35.656463]        setxattr+0x153/0x350
[ 35.660410]        path_setxattr+0x11f/0x140
[ 35.664788]        SyS_lsetxattr+0x38/0x50
[ 35.669001]        do_syscall_64+0x1e8/0x640
[ 35.673407]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.679087]
[ 35.679087] -> #0 (sb_writers#6){.+.+}:
[ 35.684525]        __lock_acquire+0x2cb3/0x4620
[ 35.689167]        lock_acquire+0x16f/0x430
[ 35.693461]        __sb_start_write+0x1ae/0x2f0
[ 35.698102]        vfs_fallocate+0x5d1/0x7a0
[ 35.702485]        ashmem_shrink_scan+0x181/0x420
[ 35.707314]        ashmem_ioctl+0x28f/0xf10
[ 35.711612]        do_vfs_ioctl+0x7ae/0x1060
[ 35.716012]        SyS_ioctl+0x8f/0xc0
[ 35.719874]        do_syscall_64+0x1e8/0x640
[ 35.724257]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.729953]
[ 35.729953] other info that might help us debug this:
[ 35.729953]
[ 35.738066] Chain exists of:
[ 35.738066]   sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex
[ 35.738066]
[ 35.748269]  Possible unsafe locking scenario:
[ 35.748269]
[ 35.754311]        CPU0                    CPU1
[ 35.758963]        ----                    ----
[ 35.763600]   lock(ashmem_mutex);
[ 35.767042]                                lock(&mm->mmap_sem);
[ 35.773071]                                lock(ashmem_mutex);
[ 35.779027]   lock(sb_writers#6);
[ 35.782455]
[ 35.782455]  *** DEADLOCK ***
[ 35.782455]
[ 35.788496] 1 lock held by syz-executor644/6864:
[ 35.793223]  #0:  (ashmem_mutex){+.+.}, at: [] ashmem_shrink_scan+0x56/0x420
[ 35.801957]
[ 35.801957] stack backtrace:
[ 35.806429] CPU: 1 PID: 6864 Comm: syz-executor644 Not tainted 4.14.141 #37
[ 35.813497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.822835] Call Trace:
[ 35.825400]  dump_stack+0x138/0x197
[ 35.829010]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 35.834347]  __lock_acquire+0x2cb3/0x4620
[ 35.838483]  ? trace_hardirqs_on+0x10/0x10
[ 35.842694]  ? inode_has_perm.isra.0+0x15c/0x1e0
[ 35.847435]  lock_acquire+0x16f/0x430
[ 35.851227]  ? vfs_fallocate+0x5d1/0x7a0
[ 35.855261]  __sb_start_write+0x1ae/0x2f0
[ 35.859385]  ? vfs_fallocate+0x5d1/0x7a0
[ 35.863417]  ? shmem_setattr+0xb80/0xb80
[ 35.867454]  vfs_fallocate+0x5d1/0x7a0
[ 35.871317]  ashmem_shrink_scan+0x181/0x420
[ 35.875610]  ashmem_ioctl+0x28f/0xf10
[ 35.879381]  ? ashmem_shrink_scan+0x420/0x420
[ 35.883850]  ? __might_sleep+0x93/0xb0
[ 35.887708]  ? ashmem_shrink_scan+0x420/0x420
[ 35.892179]  do_vfs_ioctl+0x7ae/0x1060
[ 35.896041]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 35.900771]  ? ioctl_preallocate+0x1c0/0x1c0
[ 35.905153]  ? fput+0xd4/0x150
[ 35.908320]  ? security_file_ioctl+0x7d/0xb0
[ 35.912701]  ? security_file_ioctl+0x89/0xb0
[ 35.917084]  SyS_ioctl+0x8f/0xc0
[ 35.920427]  ? do_vfs_ioctl+0x1060/0x1060
[ 35.924550]  do_syscall_64+0x1e8/0x640
[ 35.928411]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.933236]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.938408] RIP: 0033:0x4401c9
[ 35.941589] RSP: 002b:00007ffe59831b98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 35.949282] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
[ 35.956527] RDX: 0000000000000000 RSI: 000000000000770a RD