[ 11.190491] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 14.446672] random: sshd: uninitialized urandom read (32 bytes read)
[ 14.607916] audit: type=1400 audit(1567999573.964:6): avc: denied { map } for pid=1758 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 14.652258] random: sshd: uninitialized urandom read (32 bytes read)
[ 15.145843] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts.
[ 20.856801] urandom_read: 1 callbacks suppressed
[ 20.856806] random: sshd: uninitialized urandom read (32 bytes read)
[ 20.953273] audit: type=1400 audit(1567999580.314:7): avc: denied { map } for pid=1770 comm="syz-executor135" path="/root/syz-executor135046911" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 20.976403] hrtimer: interrupt took 34380 ns
[ 20.985049] audit: type=1400 audit(1567999580.324:8): avc: denied { map } for pid=1777 comm="syz-executor135" path="/dev/ashmem" dev="devtmpfs" ino=5461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[ 24.468545]
[ 24.470357] ======================================================
[ 24.476676] WARNING: possible circular locking dependency detected
[ 24.483128] 4.14.142+ #0 Not tainted
[ 24.486967] ------------------------------------------------------
[ 24.493284] syz-executor135/3291 is trying to acquire lock:
[ 24.498990]  (cpu_hotplug_lock.rw_sem){++++}, at: [< (ptrval)>] lru_add_drain_all+0xa/0x20
[ 24.508022]
[ 24.508022] but task is already holding lock:
[ 24.514203]  (&sb->s_type->i_mutex_key#10){+.+.}, at: [< (ptrval)>] shmem_add_seals+0x12b/0x11b0
[ 24.523755]
[ 24.523755] which lock already depends on the new lock.
[ 24.523755]
[ 24.532188]
[ 24.532188] the existing dependency chain (in reverse order) is:
[ 24.539943]
[ 24.539943] -> #5 (&sb->s_type->i_mutex_key#10){+.+.}:
[ 24.546720]        down_write+0x34/0x90
[ 24.550818]        shmem_fallocate+0x150/0xae0
[ 24.555409]        ashmem_shrink_scan+0x1ca/0x4f0
[ 24.560424]        ashmem_ioctl+0x2b4/0xd20
[ 24.564841]        do_vfs_ioctl+0xabe/0x1040
[ 24.569260]        SyS_ioctl+0x7f/0xb0
[ 24.573159]        do_syscall_64+0x19b/0x520
[ 24.577639]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.583351]
[ 24.583351] -> #4 (ashmem_mutex){+.+.}:
[ 24.588927]        __mutex_lock+0xf7/0x13e0
[ 24.593262]        ashmem_mmap+0x4c/0x450
[ 24.597421]        mmap_region+0x7d9/0xfb0
[ 24.601664]        do_mmap+0x548/0xb80
[ 24.605562]        vm_mmap_pgoff+0x177/0x1c0
[ 24.610105]        SyS_mmap_pgoff+0xf4/0x1b0
[ 24.614614]        do_syscall_64+0x19b/0x520
[ 24.619267]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.624979]
[ 24.624979] -> #3 (&mm->mmap_sem){++++}:
[ 24.632019]        __might_fault+0x137/0x1b0
[ 24.636841]        _copy_from_user+0x27/0x100
[ 24.641343]        perf_ioctl+0x431/0x1bb0
[ 24.645589]        do_vfs_ioctl+0xabe/0x1040
[ 24.650006]        SyS_ioctl+0x7f/0xb0
[ 24.653897]        do_syscall_64+0x19b/0x520
[ 24.658699]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.664418]
[ 24.664418] -> #2 (&cpuctx_mutex){+.+.}:
[ 24.670116]        __mutex_lock+0xf7/0x13e0
[ 24.674453]        perf_event_init_cpu+0xa8/0x150
[ 24.679309]        perf_event_init+0x289/0x2c5
[ 24.684100]        start_kernel+0x583/0x890
[ 24.689675]        secondary_startup_64+0xa5/0xb0
[ 24.694686]
[ 24.694686] -> #1 (pmus_lock){+.+.}:
[ 24.699904]        __mutex_lock+0xf7/0x13e0
[ 24.704236]        perf_event_init_cpu+0x2c/0x150
[ 24.709363]        cpuhp_invoke_callback+0x207/0x1a30
[ 24.714559]        _cpu_up+0x20b/0x500
[ 24.718552]        do_cpu_up+0x64/0x120
[ 24.722536]        smp_init+0x142/0x154
[ 24.726522]        kernel_init_freeable+0x196/0x3b0
[ 24.731544]        kernel_init+0xd/0x164
[ 24.735612]        ret_from_fork+0x3a/0x50
[ 24.739853]
[ 24.739853] -> #0 (cpu_hotplug_lock.rw_sem){++++}:
[ 24.746298]        lock_acquire+0x12b/0x360
[ 24.750744]        cpus_read_lock+0x39/0xc0
[ 24.755079]        lru_add_drain_all+0xa/0x20
[ 24.759601]        shmem_add_seals+0x633/0x11b0
[ 24.764413]        shmem_fcntl+0xea/0x120
[ 24.768571]        do_fcntl+0x5c8/0xd20
[ 24.772680]        SyS_fcntl+0xc6/0x100
[ 24.776861]        do_syscall_64+0x19b/0x520
[ 24.781289]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.787016]
[ 24.787016] other info that might help us debug this:
[ 24.787016]
[ 24.795291] Chain exists of:
[ 24.795291]   cpu_hotplug_lock.rw_sem --> ashmem_mutex --> &sb->s_type->i_mutex_key#10
[ 24.795291]
[ 24.807727]  Possible unsafe locking scenario:
[ 24.807727]
[ 24.813979]        CPU0                    CPU1
[ 24.818741]        ----                    ----
[ 24.823497]   lock(&sb->s_type->i_mutex_key#10);
[ 24.828400]                                lock(ashmem_mutex);
[ 24.834382]                                lock(&sb->s_type->i_mutex_key#10);
[ 24.841763]   lock(cpu_hotplug_lock.rw_sem);
[ 24.846179]
[ 24.846179]  *** DEADLOCK ***
[ 24.846179]
[ 24.852245] 1 lock held by syz-executor135/3291:
[ 24.857060]  #0:  (&sb->s_type->i_mutex_key#10){+.+.}, at: [< (ptrval)>] shmem_add_seals+0x12b/0x11b0
[ 24.867149]
[ 24.867149] stack backtrace:
[ 24.871818] CPU: 1 PID: 3291 Comm: syz-executor135 Not tainted 4.14.142+ #0
[ 24.878924] Call Trace:
[ 24.881529]  dump_stack+0xca/0x134
[ 24.885169]  print_circular_bug.isra.0.cold+0x2dc/0x425
[ 24.890806]  __lock_acquire+0x2f5f/0x4320
[ 24.895117]  ? __lock_acquire+0x5d7/0x4320
[ 24.899380]  ? trace_hardirqs_on+0x10/0x10
[ 24.903660]  ? put_pages_list+0x2a0/0x2a0
[ 24.908232]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 24.913443]  lock_acquire+0x12b/0x360
[ 24.917280]  ? lru_add_drain_all+0xa/0x20
[ 24.921746]  cpus_read_lock+0x39/0xc0
[ 24.925667]  ? lru_add_drain_all+0xa/0x20
[ 24.929831]  lru_add_drain_all+0xa/0x20
[ 24.933819]  shmem_add_seals+0x633/0x11b0
[ 24.937987]  ? shmem_file_llseek+0x220/0x220
[ 24.942499]  ? vfs_write+0x35d/0x4d0
[ 24.946225]  ? check_preemption_disabled+0x35/0x1f0
[ 24.951390]  shmem_fcntl+0xea/0x120
[ 24.955324]  do_fcntl+0x5c8/0xd20
[ 24.958886]  ? f_getown+0xa0/0xa0
[ 24.962369]  ? vfs_write+0x319/0x4d0
[ 24.966534]  ? selinux_file_fcntl+0x86/0x140
[ 24.970960]  SyS_fcntl+0xc6/0x100
[ 24.974423]  ? do_fcntl+0xd20/0xd20
[ 24.978065]  do_syscall_64+0x19b/0x520
[ 24.982060]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 24.987464] RIP: 0033:0x4414a9
[ 24.990757] RSP: 002b:00007ffdbf069e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000048
[ 24.998474] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004414a9
[ 25.005753] RDX: 0000000000000008 RSI: 0000000000000409 RDI: 0000000000000005
[ 25.013367] RBP: 0000000000005f60 R08: 00000000004002c8 R09: 00000000004002c8
[ 25.020650] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402220
[ 25.027968] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000
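The report above is lockdep's lock-order graph printed as text: each "-> #N" stanza is one edge, "lock #N was taken while lock #(N-1) was held", and "#0" is the edge the fcntl(F_ADD_SEALS) path is about to add, which closes the cycle. The following is an added example, not part of the syzbot log or of the kernel's lockdep code: a user-space model of that check, fed the six lock classes and six edges named in the report. The helper names (`lockdep_model_*`, `replay_report`) and the adjacency-matrix representation are this example's own; real lockdep keeps per-class dependency lists and stack traces, which is omitted here.

```c
/* Added example: a minimal model of lockdep's circular-dependency check,
 * replaying the dependency chain from the syzbot report above.
 * Not the kernel's code; helper names here are invented for illustration. */
#include <stdio.h>
#include <string.h>

/* Lock classes named in the report, numbered as lockdep numbered them. */
enum {
    CPU_HOTPLUG_LOCK = 0, /* cpu_hotplug_lock.rw_sem          (#0) */
    PMUS_LOCK,            /* pmus_lock                        (#1) */
    CPUCTX_MUTEX,         /* &cpuctx_mutex                    (#2) */
    MMAP_SEM,             /* &mm->mmap_sem                    (#3) */
    ASHMEM_MUTEX,         /* ashmem_mutex                     (#4) */
    I_MUTEX,              /* &sb->s_type->i_mutex_key#10      (#5) */
    NUM_LOCKS
};

static const char *lock_name[NUM_LOCKS] = {
    "cpu_hotplug_lock.rw_sem", "pmus_lock", "&cpuctx_mutex",
    "&mm->mmap_sem", "ashmem_mutex", "&sb->s_type->i_mutex_key#10",
};

/* after[a][b] != 0 records "b has been acquired while a was held". */
static unsigned char after[NUM_LOCKS][NUM_LOCKS];

static void lockdep_model_reset(void)
{
    memset(after, 0, sizeof after);
}

/* Depth-first search over recorded orderings: is 'to' reachable from 'from'? */
static int reaches(int from, int to, unsigned char *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < NUM_LOCKS; n++)
        if (after[from][n] && !seen[n] && reaches(n, to, seen))
            return 1;
    return 0;
}

/* Record "acquired 'newl' while holding 'held'".
 * Returns 1 if the new edge would close a cycle (lockdep's
 * "possible circular locking dependency"), 0 if it was recorded. */
static int lockdep_model_acquire(int held, int newl)
{
    unsigned char seen[NUM_LOCKS] = {0};

    if (reaches(newl, held, seen)) {
        printf("possible circular locking dependency: %s already depends on %s\n",
               lock_name[newl], lock_name[held]);
        return 1;
    }
    after[held][newl] = 1;
    return 0;
}

/* Replay the report: edges #1..#5 are the pre-existing chain, #0 is the
 * acquisition in shmem_add_seals -> lru_add_drain_all that trips the check.
 * Returns 1 when the final edge is rejected, -1 if the chain itself was cyclic. */
static int replay_report(void)
{
    int bad = 0;

    lockdep_model_reset();
    bad |= lockdep_model_acquire(CPU_HOTPLUG_LOCK, PMUS_LOCK);  /* #1: cpuhp_invoke_callback -> perf_event_init_cpu */
    bad |= lockdep_model_acquire(PMUS_LOCK, CPUCTX_MUTEX);      /* #2: perf_event_init_cpu */
    bad |= lockdep_model_acquire(CPUCTX_MUTEX, MMAP_SEM);       /* #3: perf_ioctl -> _copy_from_user -> __might_fault */
    bad |= lockdep_model_acquire(MMAP_SEM, ASHMEM_MUTEX);       /* #4: mmap_region -> ashmem_mmap */
    bad |= lockdep_model_acquire(ASHMEM_MUTEX, I_MUTEX);        /* #5: ashmem_shrink_scan -> shmem_fallocate */
    if (bad)
        return -1;
    return lockdep_model_acquire(I_MUTEX, CPU_HOTPLUG_LOCK);    /* #0: shmem_add_seals -> lru_add_drain_all */
}

int main(void)
{
    int r = replay_report();
    printf("replay_report() = %d (1 means the #0 edge closes the cycle)\n", r);
    return r == 1 ? 0 : 1;
}
```

Every edge in the chain is individually legal; it is the combination of six call paths across perf, mmap, ashmem and tmpfs sealing that forms the cycle, which is why lockdep can report it from a single task that holds only the inode lock. In the model, dropping any one edge makes `replay_report()` return 0, matching the shape of a fix (breaking one ordering) without naming which one the upstream kernel chose.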