[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[   23.351003] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   27.949277] random: sshd: uninitialized urandom read (32 bytes read)
[   28.159445] random: sshd: uninitialized urandom read (32 bytes read)
[   28.704696] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts.
[   34.434490] urandom_read: 1 callbacks suppressed
[   34.434495] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   34.595072] 
[   34.596726] ======================================================
[   34.603030] WARNING: possible circular locking dependency detected
[   34.609321] 4.18.0+ #198 Not tainted
[   34.613008] ------------------------------------------------------
[   34.619303] syz-executor125/4459 is trying to acquire lock:
[   34.624984] 00000000d8370180 (&sb->s_type->i_mutex_key#10){++++}, at: shmem_fallocate+0x18b/0x12e0
[   34.634072] 
[   34.634072] but task is already holding lock:
[   34.640016] 000000006476edd0 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630
[   34.647885] 
[   34.647885] which lock already depends on the new lock.
[   34.647885] 
[   34.656180] 
[   34.656180] the existing dependency chain (in reverse order) is:
[   34.663775] 
[   34.663775] -> #2 (ashmem_mutex){+.+.}:
[   34.669220]        __mutex_lock+0x171/0x1700
[   34.673608]        mutex_lock_nested+0x16/0x20
[   34.678166]        ashmem_mmap+0x55/0x520
[   34.682294]        mmap_region+0xf27/0x1c50
[   34.686605]        do_mmap+0xa06/0x1320
[   34.690590]        vm_mmap_pgoff+0x213/0x2c0
[   34.694980]        ksys_mmap_pgoff+0x4da/0x660
[   34.699561]        __x64_sys_mmap+0xe9/0x1b0
[   34.703972]        do_syscall_64+0x1b9/0x820
[   34.708365]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.714048] 
[   34.714048] -> #1 (&mm->mmap_sem){++++}:
[   34.719586]        __might_fault+0x155/0x1e0
[   34.723977]        _copy_to_user+0x30/0x110
[   34.728296]        filldir+0x1ea/0x3a0
[   34.732175]        dcache_readdir+0x13a/0x620
[   34.736649]        iterate_dir+0x4b0/0x5d0
[   34.740869]        __x64_sys_getdents+0x29f/0x510
[   34.745705]        do_syscall_64+0x1b9/0x820
[   34.750095]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.755778] 
[   34.755778] -> #0 (&sb->s_type->i_mutex_key#10){++++}:
[   34.762521]        lock_acquire+0x1e4/0x540
[   34.766819]        down_write+0x8f/0x130
[   34.770878]        shmem_fallocate+0x18b/0x12e0
[   34.775540]        ashmem_shrink_scan+0x236/0x630
[   34.780362]        ashmem_ioctl+0x3b6/0x13b0
[   34.784747]        do_vfs_ioctl+0x1de/0x1720
[   34.789152]        ksys_ioctl+0xa9/0xd0
[   34.793112]        __x64_sys_ioctl+0x73/0xb0
[   34.797511]        do_syscall_64+0x1b9/0x820
[   34.801902]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.807591] 
[   34.807591] other info that might help us debug this:
[   34.807591] 
[   34.815708] Chain exists of:
[   34.815708]   &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex
[   34.815708] 
[   34.827238]  Possible unsafe locking scenario:
[   34.827238] 
[   34.833270]        CPU0                    CPU1
[   34.837912]        ----                    ----
[   34.842564]   lock(ashmem_mutex);
[   34.846004]                                lock(&mm->mmap_sem);
[   34.852058]                                lock(ashmem_mutex);
[   34.858017]   lock(&sb->s_type->i_mutex_key#10);
[   34.862754] 
[   34.862754]  *** DEADLOCK ***
[   34.862754] 
[   34.868792] 1 lock held by syz-executor125/4459:
[   34.873518]  #0: 000000006476edd0 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630
[   34.881827] 
[   34.881827] stack backtrace:
[   34.886341] CPU: 0 PID: 4459 Comm: syz-executor125 Not tainted 4.18.0+ #198
[   34.893428] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.902755] Call Trace:
[   34.905323]  dump_stack+0x1c9/0x2b4
[   34.908933]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.914116]  ? vprintk_func+0x81/0x117
[   34.917991]  print_circular_bug.isra.37.cold.58+0x1bd/0x27d
[   34.923682]  ? save_trace+0xe0/0x290
[   34.927381]  __lock_acquire+0x3449/0x5020
[   34.931514]  ? __switch_to_asm+0x40/0x70
[   34.935555]  ? __switch_to_asm+0x34/0x70
[   34.939614]  ? __switch_to_asm+0x40/0x70
[   34.943665]  ? __switch_to_asm+0x34/0x70
[   34.947729]  ? trace_hardirqs_on+0x10/0x10
[   34.951947]  ? print_usage_bug+0xc0/0xc0
[   34.956000]  ? graph_lock+0x170/0x170
[   34.959782]  ? check_same_owner+0x340/0x340
[   34.964094]  ? do_raw_spin_unlock+0xa7/0x2f0
[   34.968492]  ? rcu_note_context_switch+0x730/0x730
[   34.973429]  lock_acquire+0x1e4/0x540
[   34.977214]  ? shmem_fallocate+0x18b/0x12e0
[   34.981544]  ? lock_release+0xa30/0xa30
[   34.985495]  ? check_same_owner+0x340/0x340
[   34.989806]  ? trace_hardirqs_on+0x10/0x10
[   34.994019]  ? rcu_note_context_switch+0x730/0x730
[   34.998929]  down_write+0x8f/0x130
[   35.002447]  ? shmem_fallocate+0x18b/0x12e0
[   35.006747]  ? down_read+0x1d0/0x1d0
[   35.010452]  ? __lock_acquire+0x7fc/0x5020
[   35.014665]  shmem_fallocate+0x18b/0x12e0
[   35.018794]  ? futex_wait+0x5d2/0xa20
[   35.022582]  ? trace_hardirqs_on+0x10/0x10
[   35.026807]  ? shmem_setattr+0xda0/0xda0
[   35.030860]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.036396]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[   35.041483]  ? futex_wake+0x304/0x760
[   35.045266]  ? lock_acquire+0x1e4/0x540
[   35.049224]  ? ashmem_shrink_scan+0xb4/0x630
[   35.053612]  ? lock_release+0xa30/0xa30
[   35.057567]  ? graph_lock+0x170/0x170
[   35.061357]  ? do_futex+0x249/0x27d0
[   35.065051]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   35.069700]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   35.074372]  ? mutex_trylock+0x24c/0x2b0
[   35.078435]  ? ashmem_shrink_scan+0xb4/0x630
[   35.082824]  ? __mutex_add_waiter+0x2a0/0x2a0
[   35.087311]  ashmem_shrink_scan+0x236/0x630
[   35.091614]  ? cap_capable+0x1f9/0x260
[   35.095484]  ? ashmem_release+0x190/0x190
[   35.099615]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.105137]  ? ns_capable_common+0x13f/0x170
[   35.109547]  ashmem_ioctl+0x3b6/0x13b0
[   35.113424]  ? __fget+0x4d5/0x740
[   35.116861]  ? ashmem_shrink_scan+0x630/0x630
[   35.121338]  ? ksys_dup3+0x690/0x690
[   35.125038]  ? kasan_check_write+0x14/0x20
[   35.129253]  ? do_raw_spin_lock+0xc1/0x200
[   35.133495]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[   35.138586]  ? ashmem_shrink_scan+0x630/0x630
[   35.143069]  do_vfs_ioctl+0x1de/0x1720
[   35.146949]  ? rcu_is_watching+0x8c/0x150
[   35.151080]  ? rcu_pm_notify+0xc0/0xc0
[   35.154964]  ? ioctl_preallocate+0x300/0x300
[   35.159359]  ? __fget_light+0x2f7/0x440
[   35.163313]  ? fget_raw+0x20/0x20
[   35.166747]  ? kmem_cache_free+0x25c/0x2d0
[   35.170967]  ? __x64_sys_futex+0x47f/0x6a0
[   35.175182]  ? do_futex+0x27d0/0x27d0
[   35.178965]  ? security_file_ioctl+0x94/0xc0
[   35.183356]  ksys_ioctl+0xa9/0xd0
[   35.186792]  __x64_sys_ioctl+0x73/0xb0
[   35.190662]  do_syscall_64+0x1b9/0x820
[   35.194534]  ? syscall_return_slowpath+0x5e0/0x5e0
[   35.199443]  ? syscall_return_slowpath+0x31d/0x5e0
[   35.204357]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   35.209704]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.214529]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.219696] RIP: 0033:0x446079
[   35.222870] Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   35.241757] RSP: 002b:00007f968c195da8 EFLAGS: 00000297 ORIG_RAX: 00