[ 24.602293] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 26.093789] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.360554] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.811316] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.232197] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.180' (ECDSA) to the list of known hosts.
[ 39.739083] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.896158] kauditd_printk_skb: 5 callbacks suppressed
[ 39.896164] audit: type=1400 audit(1566332104.963:36): avc: denied { map } for pid=6509 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/08/20 20:15:05 parsed 1 programs
[ 40.577730] audit: type=1400 audit(1566332105.643:37): avc: denied { map } for pid=6509 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=19 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 41.103867] random: cc1: uninitialized urandom read (8 bytes read)
2019/08/20 20:15:07 executed programs: 0
[ 41.991620] audit: type=1400 audit(1566332107.063:38): avc: denied { map } for pid=6509 comm="syz-execprog" path="/root/syzkaller-shm271771027" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 42.250854] IPVS: ftp: loaded support on port[0] = 21
[ 43.066737] chnl_net:caif_netlink_parms(): no params data found
[ 43.091542] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.098023] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.104798] device bridge_slave_0 entered promiscuous mode
[ 43.111377] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.117727] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.124588] device bridge_slave_1 entered promiscuous mode
[ 43.136808] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 43.145015] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 43.158091] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 43.165100] team0: Port device team_slave_0 added
[ 43.170313] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 43.177717] team0: Port device team_slave_1 added
[ 43.183097] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 43.190724] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 43.241424] device hsr_slave_0 entered promiscuous mode
[ 43.290237] device hsr_slave_1 entered promiscuous mode
[ 43.330421] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 43.337562] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 43.349808] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.356593] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.363507] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.369829] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.392804] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 43.398990] 8021q: adding VLAN 0 to HW filter on device bond0
[ 43.406859] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 43.414840] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 43.433040] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.440121] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.449065] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 43.455247] 8021q: adding VLAN 0 to HW filter on device team0
[ 43.462582] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 43.470340] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.476655] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 43.490625] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 43.498520] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.504859] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 43.511893] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 43.519361] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 43.526818] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 43.534484] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 43.542440] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 43.551356] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 43.557591] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 43.567829] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 43.577334] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 44.070806] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 44.991090]
[ 44.992722] ======================================================
[ 44.999004] WARNING: possible circular locking dependency detected
[ 45.005466] 4.14.139 #35 Not tainted
[ 45.009144] ------------------------------------------------------
[ 45.015557] syz-executor.0/6539 is trying to acquire lock:
[ 45.021146]  (event_mutex){+.+.}, at: [] perf_trace_init+0x58/0xaa0
[ 45.029090]
[ 45.029090] but task is already holding lock:
[ 45.035024]  (&cpuctx_mutex/1){+.+.}, at: [] perf_event_ctx_lock_nested+0x150/0x2c0
[ 45.044352]
[ 45.044352] which lock already depends on the new lock.
[ 45.044352]
[ 45.052748]
[ 45.052748] the existing dependency chain (in reverse order) is:
[ 45.060335]
[ 45.060335] -> #5 (&cpuctx_mutex/1){+.+.}:
[ 45.066022]        lock_acquire+0x16f/0x430
[ 45.070312]        __mutex_lock+0xe8/0x1470
[ 45.074597]        mutex_lock_nested+0x16/0x20
[ 45.079148]        SYSC_perf_event_open+0x134c/0x2610
[ 45.084308]        SyS_perf_event_open+0x34/0x40
[ 45.089276]        do_syscall_64+0x1e8/0x640
[ 45.093656]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.099331]
[ 45.099331] -> #4 (&cpuctx_mutex){+.+.}:
[ 45.104840]        lock_acquire+0x16f/0x430
[ 45.109247]        __mutex_lock+0xe8/0x1470
[ 45.113535]        mutex_lock_nested+0x16/0x20
[ 45.118084]        perf_event_init_cpu+0xc2/0x170
[ 45.122895]        perf_event_init+0x2d8/0x31a
[ 45.127452]        start_kernel+0x3b6/0x6fd
[ 45.131742]        x86_64_start_reservations+0x29/0x2b
[ 45.136989]        x86_64_start_kernel+0x77/0x7b
[ 45.141855]        secondary_startup_64+0xa5/0xb0
[ 45.146664]
[ 45.146664] -> #3 (pmus_lock){+.+.}:
[ 45.151825]        lock_acquire+0x16f/0x430
[ 45.156226]        __mutex_lock+0xe8/0x1470
[ 45.160521]        mutex_lock_nested+0x16/0x20
[ 45.165069]        perf_event_init_cpu+0x2f/0x170
[ 45.170014]        cpuhp_invoke_callback+0x1ea/0x1ab0
[ 45.175173]        _cpu_up+0x228/0x530
[ 45.179024]        do_cpu_up+0x121/0x150
[ 45.183050]        cpu_up+0x1b/0x20
[ 45.186647]        smp_init+0x157/0x170
[ 45.190589]        kernel_init_freeable+0x30b/0x532
[ 45.195569]        kernel_init+0x12/0x162
[ 45.199681]        ret_from_fork+0x24/0x30
[ 45.203881]
[ 45.203881] -> #2 (cpu_hotplug_lock.rw_sem){++++}:
[ 45.210257]        lock_acquire+0x16f/0x430
[ 45.214543]        cpus_read_lock+0x3d/0xc0
[ 45.218832]        static_key_slow_inc+0x13/0x30
[ 45.223552]        tracepoint_probe_register_prio+0x4d6/0x6d0
[ 45.229401]        tracepoint_probe_register+0x2b/0x40
[ 45.234829]        trace_event_reg+0x277/0x330
[ 45.239378]        perf_trace_init+0x449/0xaa0
[ 45.243926]        perf_tp_event_init+0x7d/0xf0
[ 45.248561]        perf_try_init_event+0x164/0x200
[ 45.253454]        perf_event_alloc.part.0+0xd90/0x25b0
[ 45.258780]        SYSC_perf_event_open+0xad1/0x2610
[ 45.263957]        SyS_perf_event_open+0x34/0x40
[ 45.268679]        do_syscall_64+0x1e8/0x640
[ 45.273054]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.278730]
[ 45.278730] -> #1 (tracepoints_mutex){+.+.}:
[ 45.284585]        lock_acquire+0x16f/0x430
[ 45.288870]        __mutex_lock+0xe8/0x1470
[ 45.293158]        mutex_lock_nested+0x16/0x20
[ 45.297706]        tracepoint_probe_register_prio+0x36/0x6d0
[ 45.303470]        tracepoint_probe_register+0x2b/0x40
[ 45.308713]        trace_event_reg+0x277/0x330
[ 45.313270]        perf_trace_init+0x449/0xaa0
[ 45.317826]        perf_tp_event_init+0x7d/0xf0
[ 45.322463]        perf_try_init_event+0x164/0x200
[ 45.327358]        perf_event_alloc.part.0+0xd90/0x25b0
[ 45.332813]        SYSC_perf_event_open+0xad1/0x2610
[ 45.337882]        SyS_perf_event_open+0x34/0x40
[ 45.342605]        do_syscall_64+0x1e8/0x640
[ 45.346979]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.352651]
[ 45.352651] -> #0 (event_mutex){+.+.}:
[ 45.358110]        __lock_acquire+0x2cb3/0x4620
[ 45.362747]        lock_acquire+0x16f/0x430
[ 45.367034]        __mutex_lock+0xe8/0x1470
[ 45.371322]        mutex_lock_nested+0x16/0x20
[ 45.376111]        perf_trace_init+0x58/0xaa0
[ 45.380575]        perf_tp_event_init+0x7d/0xf0
[ 45.385208]        perf_try_init_event+0xe6/0x200
[ 45.390014]        perf_event_alloc.part.0+0xd90/0x25b0
[ 45.395342]        SYSC_perf_event_open+0xad1/0x2610
[ 45.400410]        SyS_perf_event_open+0x34/0x40
[ 45.405137]        do_syscall_64+0x1e8/0x640
[ 45.409513]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.415205]
[ 45.415205] other info that might help us debug this:
[ 45.415205]
[ 45.423464] Chain exists of:
[ 45.423464]   event_mutex --> &cpuctx_mutex --> &cpuctx_mutex/1
[ 45.423464]
[ 45.433837]  Possible unsafe locking scenario:
[ 45.433837]
[ 45.439975]        CPU0                    CPU1
[ 45.444608]        ----                    ----
[ 45.449239]   lock(&cpuctx_mutex/1);
[ 45.452919]                                lock(&cpuctx_mutex);
[ 45.458941]                                lock(&cpuctx_mutex/1);
[ 45.465307]   lock(event_mutex);
[ 45.468650]
[ 45.468650]  *** DEADLOCK ***
[ 45.468650]
[ 45.474677] 2 locks held by syz-executor.0/6539:
[ 45.479399]  #0: (&pmus_srcu){....}, at: [] perf_event_alloc.part.0+0xbaa/0x25b0
[ 45.488559]  #1: (&cpuctx_mutex/1){+.+.}, at: [] perf_event_ctx_lock_nested+0x150/0x2c0
[ 45.498323]
[ 45.498323] stack backtrace:
[ 45.502792] CPU: 1 PID: 6539 Comm: syz-executor.0 Not tainted 4.14.139 #35
[ 45.509772] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.519093] Call Trace:
[ 45.521648]  dump_stack+0x138/0x19c
[ 45.525242]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 45.530572]  __lock_acquire+0x2cb3/0x4620
[ 45.534688]  ? trace_hardirqs_on+0x10/0x10
[ 45.538891]  ? trace_hardirqs_on+0x10/0x10
[ 45.543096]  lock_acquire+0x16f/0x430
[ 45.546862]  ? perf_trace_init+0x58/0xaa0
[ 45.550977]  ? perf_trace_init+0x58/0xaa0
[ 45.555089]  __mutex_lock+0xe8/0x1470
[ 45.558857]  ? perf_trace_init+0x58/0xaa0
[ 45.562972]  ? perf_event_ctx_lock_nested+0x150/0x2c0
[ 45.568127]  ? perf_trace_init+0x58/0xaa0
[ 45.572242]  ? __mutex_lock+0x36a/0x1470
[ 45.576269]  ? trace_hardirqs_on+0x10/0x10
[ 45.580601]  ? perf_try_init_event+0xf2/0x200
[ 45.585330]  ? mutex_trylock+0x1c0/0x1c0
[ 45.589522]  ? perf_event_ctx_lock_nested+0x150/0x2c0
[ 45.594696]  ? perf_try_init_event+0xf2/0x200
[ 45.599158]  ? mutex_trylock+0x1c0/0x1c0
[ 45.603184]  ? find_held_lock+0x35/0x130
[ 45.607211]  ? perf_event_ctx_lock_nested+0x119/0x2c0
[ 45.612368]  mutex_lock_nested+0x16/0x20
[ 45.616395]  ? lock_downgrade+0x6e0/0x6e0
[ 45.620509]  ? mutex_lock_nested+0x16/0x20
[ 45.624711]  perf_trace_init+0x58/0xaa0
[ 45.628774]  ? mutex_lock_nested+0x16/0x20
[ 45.632978]  perf_tp_event_init+0x7d/0xf0
[ 45.637094]  perf_try_init_event+0xe6/0x200
[ 45.641381]  perf_event_alloc.part.0+0xd90/0x25b0
[ 45.646190]  SYSC_perf_event_open+0xad1/0x2610
[ 45.650743]  ? perf_event_set_output+0x460/0x460
[ 45.655467]  ? SyS_clock_gettime+0xf8/0x180
[ 45.659759]  SyS_perf_event_open+0x34/0x40
[ 45.663960]  ? perf_bp_event+0x170/0x170
[ 45.667988]  do_syscall_64+0x1e8/0x640
[ 45.671841]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.676651]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.681810] RIP: 0033:0x459829
[ 45.684967] RSP: 002b:00007f2c7d17ec78 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
[ 45.692642] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459829
[ 45.699882] RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000020000200
[ 45.707121] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 45.714356] R10: 0000000000000003 R11: 0000000000000246 R12: 00007f2c7d17f6d4
[ 45.721716] R13: 00000000004c6684 R14: 00000000004db6b8 R15: 00000000ffffffff