[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 23.351003] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 27.949277] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.159445] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.704696] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts.
[ 34.434490] urandom_read: 1 callbacks suppressed
[ 34.434495] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 34.595072]
[ 34.596726] ======================================================
[ 34.603030] WARNING: possible circular locking dependency detected
[ 34.609321] 4.18.0+ #198 Not tainted
[ 34.613008] ------------------------------------------------------
[ 34.619303] syz-executor125/4459 is trying to acquire lock:
[ 34.624984] 00000000d8370180 (&sb->s_type->i_mutex_key#10){++++}, at: shmem_fallocate+0x18b/0x12e0
[ 34.634072]
[ 34.634072] but task is already holding lock:
[ 34.640016] 000000006476edd0 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630
[ 34.647885]
[ 34.647885] which lock already depends on the new lock.
[ 34.647885]
[ 34.656180]
[ 34.656180] the existing dependency chain (in reverse order) is:
[ 34.663775]
[ 34.663775] -> #2 (ashmem_mutex){+.+.}:
[ 34.669220]        __mutex_lock+0x171/0x1700
[ 34.673608]        mutex_lock_nested+0x16/0x20
[ 34.678166]        ashmem_mmap+0x55/0x520
[ 34.682294]        mmap_region+0xf27/0x1c50
[ 34.686605]        do_mmap+0xa06/0x1320
[ 34.690590]        vm_mmap_pgoff+0x213/0x2c0
[ 34.694980]        ksys_mmap_pgoff+0x4da/0x660
[ 34.699561]        __x64_sys_mmap+0xe9/0x1b0
[ 34.703972]        do_syscall_64+0x1b9/0x820
[ 34.708365]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.714048]
[ 34.714048] -> #1 (&mm->mmap_sem){++++}:
[ 34.719586]        __might_fault+0x155/0x1e0
[ 34.723977]        _copy_to_user+0x30/0x110
[ 34.728296]        filldir+0x1ea/0x3a0
[ 34.732175]        dcache_readdir+0x13a/0x620
[ 34.736649]        iterate_dir+0x4b0/0x5d0
[ 34.740869]        __x64_sys_getdents+0x29f/0x510
[ 34.745705]        do_syscall_64+0x1b9/0x820
[ 34.750095]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.755778]
[ 34.755778] -> #0 (&sb->s_type->i_mutex_key#10){++++}:
[ 34.762521]        lock_acquire+0x1e4/0x540
[ 34.766819]        down_write+0x8f/0x130
[ 34.770878]        shmem_fallocate+0x18b/0x12e0
[ 34.775540]        ashmem_shrink_scan+0x236/0x630
[ 34.780362]        ashmem_ioctl+0x3b6/0x13b0
[ 34.784747]        do_vfs_ioctl+0x1de/0x1720
[ 34.789152]        ksys_ioctl+0xa9/0xd0
[ 34.793112]        __x64_sys_ioctl+0x73/0xb0
[ 34.797511]        do_syscall_64+0x1b9/0x820
[ 34.801902]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.807591]
[ 34.807591] other info that might help us debug this:
[ 34.807591]
[ 34.815708] Chain exists of:
[ 34.815708]   &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex
[ 34.815708]
[ 34.827238]  Possible unsafe locking scenario:
[ 34.827238]
[ 34.833270]        CPU0                    CPU1
[ 34.837912]        ----                    ----
[ 34.842564]   lock(ashmem_mutex);
[ 34.846004]                                lock(&mm->mmap_sem);
[ 34.852058]                                lock(ashmem_mutex);
[ 34.858017]   lock(&sb->s_type->i_mutex_key#10);
[ 34.862754]
[ 34.862754]  *** DEADLOCK ***
[ 34.862754]
[ 34.868792] 1 lock held by syz-executor125/4459:
[ 34.873518]  #0: 000000006476edd0 (ashmem_mutex){+.+.}, at: ashmem_shrink_scan+0xb4/0x630
[ 34.881827]
[ 34.881827] stack backtrace:
[ 34.886341] CPU: 0 PID: 4459 Comm: syz-executor125 Not tainted 4.18.0+ #198
[ 34.893428] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.902755] Call Trace:
[ 34.905323]  dump_stack+0x1c9/0x2b4
[ 34.908933]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.914116]  ? vprintk_func+0x81/0x117
[ 34.917991]  print_circular_bug.isra.37.cold.58+0x1bd/0x27d
[ 34.923682]  ? save_trace+0xe0/0x290
[ 34.927381]  __lock_acquire+0x3449/0x5020
[ 34.931514]  ? __switch_to_asm+0x40/0x70
[ 34.935555]  ? __switch_to_asm+0x34/0x70
[ 34.939614]  ? __switch_to_asm+0x40/0x70
[ 34.943665]  ? __switch_to_asm+0x34/0x70
[ 34.947729]  ? trace_hardirqs_on+0x10/0x10
[ 34.951947]  ? print_usage_bug+0xc0/0xc0
[ 34.956000]  ? graph_lock+0x170/0x170
[ 34.959782]  ? check_same_owner+0x340/0x340
[ 34.964094]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 34.968492]  ? rcu_note_context_switch+0x730/0x730
[ 34.973429]  lock_acquire+0x1e4/0x540
[ 34.977214]  ? shmem_fallocate+0x18b/0x12e0
[ 34.981544]  ? lock_release+0xa30/0xa30
[ 34.985495]  ? check_same_owner+0x340/0x340
[ 34.989806]  ? trace_hardirqs_on+0x10/0x10
[ 34.994019]  ? rcu_note_context_switch+0x730/0x730
[ 34.998929]  down_write+0x8f/0x130
[ 35.002447]  ? shmem_fallocate+0x18b/0x12e0
[ 35.006747]  ? down_read+0x1d0/0x1d0
[ 35.010452]  ? __lock_acquire+0x7fc/0x5020
[ 35.014665]  shmem_fallocate+0x18b/0x12e0
[ 35.018794]  ? futex_wait+0x5d2/0xa20
[ 35.022582]  ? trace_hardirqs_on+0x10/0x10
[ 35.026807]  ? shmem_setattr+0xda0/0xda0
[ 35.030860]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.036396]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[ 35.041483]  ? futex_wake+0x304/0x760
[ 35.045266]  ? lock_acquire+0x1e4/0x540
[ 35.049224]  ? ashmem_shrink_scan+0xb4/0x630
[ 35.053612]  ? lock_release+0xa30/0xa30
[ 35.057567]  ? graph_lock+0x170/0x170
[ 35.061357]  ? do_futex+0x249/0x27d0
[ 35.065051]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 35.069700]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 35.074372]  ? mutex_trylock+0x24c/0x2b0
[ 35.078435]  ? ashmem_shrink_scan+0xb4/0x630
[ 35.082824]  ? __mutex_add_waiter+0x2a0/0x2a0
[ 35.087311]  ashmem_shrink_scan+0x236/0x630
[ 35.091614]  ? cap_capable+0x1f9/0x260
[ 35.095484]  ? ashmem_release+0x190/0x190
[ 35.099615]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.105137]  ? ns_capable_common+0x13f/0x170
[ 35.109547]  ashmem_ioctl+0x3b6/0x13b0
[ 35.113424]  ? __fget+0x4d5/0x740
[ 35.116861]  ? ashmem_shrink_scan+0x630/0x630
[ 35.121338]  ? ksys_dup3+0x690/0x690
[ 35.125038]  ? kasan_check_write+0x14/0x20
[ 35.129253]  ? do_raw_spin_lock+0xc1/0x200
[ 35.133495]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 35.138586]  ? ashmem_shrink_scan+0x630/0x630
[ 35.143069]  do_vfs_ioctl+0x1de/0x1720
[ 35.146949]  ? rcu_is_watching+0x8c/0x150
[ 35.151080]  ? rcu_pm_notify+0xc0/0xc0
[ 35.154964]  ? ioctl_preallocate+0x300/0x300
[ 35.159359]  ? __fget_light+0x2f7/0x440
[ 35.163313]  ? fget_raw+0x20/0x20
[ 35.166747]  ? kmem_cache_free+0x25c/0x2d0
[ 35.170967]  ? __x64_sys_futex+0x47f/0x6a0
[ 35.175182]  ? do_futex+0x27d0/0x27d0
[ 35.178965]  ? security_file_ioctl+0x94/0xc0
[ 35.183356]  ksys_ioctl+0xa9/0xd0
[ 35.186792]  __x64_sys_ioctl+0x73/0xb0
[ 35.190662]  do_syscall_64+0x1b9/0x820
[ 35.194534]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 35.199443]  ? syscall_return_slowpath+0x31d/0x5e0
[ 35.204357]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 35.209704]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.214529]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.219696] RIP: 0033:0x446079
[ 35.222870] Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 35.241757] RSP: 002b:00007f968c195da8 EFLAGS: 00000297 ORIG_RAX: 00