Warning: Permanently added '10.128.1.40' (ECDSA) to the list of known hosts.
[ 39.902359] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.992140] audit: type=1400 audit(1570422625.373:7): avc: denied { map } for pid=1786 comm="syz-executor080" path="/root/syz-executor080881991" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 40.041888] audit: type=1400 audit(1570422625.423:8): avc: denied { map } for pid=1787 comm="syz-executor080" path="/dev/ashmem" dev="devtmpfs" ino=5461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[ 40.042265]
[ 40.068277] ======================================================
[ 40.081846] WARNING: possible circular locking dependency detected
[ 40.088148] 4.14.147+ #0 Not tainted
[ 40.091938] ------------------------------------------------------
[ 40.098240] syz-executor080/1790 is trying to acquire lock:
[ 40.104899]  (&sb->s_type->i_mutex_key#10){+.+.}, at: [< (ptrval)>] shmem_fallocate+0x150/0xae0
[ 40.114331]
[ 40.114331] but task is already holding lock:
[ 40.120276]  (ashmem_mutex){+.+.}, at: [< (ptrval)>] ashmem_shrink_scan+0x53/0x4f0
[ 40.128573]
[ 40.128573] which lock already depends on the new lock.
[ 40.128573]
[ 40.136862]
[ 40.136862] the existing dependency chain (in reverse order) is:
[ 40.144505]
[ 40.144505] -> #2 (ashmem_mutex){+.+.}:
[ 40.149938]        __mutex_lock+0xf7/0x13e0
[ 40.154244]        ashmem_mmap+0x4c/0x450
[ 40.158368]        mmap_region+0x7d9/0xfb0
[ 40.162575]        do_mmap+0x548/0xb80
[ 40.166433]        vm_mmap_pgoff+0x177/0x1c0
[ 40.170817]        SyS_mmap_pgoff+0xf4/0x1b0
[ 40.175200]        do_syscall_64+0x19b/0x520
[ 40.180080]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.185830]
[ 40.185830] -> #1 (&mm->mmap_sem){++++}:
[ 40.191366]        down_read+0x37/0xa0
[ 40.195230]        __do_page_fault+0x8a4/0xbb0
[ 40.199809]        page_fault+0x22/0x50
[ 40.204196]        iov_iter_fault_in_readable+0x162/0x350
[ 40.209710]        generic_perform_write+0x158/0x460
[ 40.214816]        __generic_file_write_iter+0x32e/0x550
[ 40.220241]        generic_file_write_iter+0x36f/0x650
[ 40.225594]        __vfs_write+0x401/0x5a0
[ 40.229847]        vfs_write+0x17f/0x4d0
[ 40.233888]        SyS_pwrite64+0x136/0x160
[ 40.238223]        do_syscall_64+0x19b/0x520
[ 40.242622]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.248316]
[ 40.248316] -> #0 (&sb->s_type->i_mutex_key#10){+.+.}:
[ 40.255147]        lock_acquire+0x12b/0x360
[ 40.259500]        down_write+0x34/0x90
[ 40.263503]        shmem_fallocate+0x150/0xae0
[ 40.268076]        ashmem_shrink_scan+0x1ca/0x4f0
[ 40.272899]        ashmem_ioctl+0x2b4/0xd20
[ 40.277247]        do_vfs_ioctl+0xabe/0x1040
[ 40.281633]        SyS_ioctl+0x7f/0xb0
[ 40.285506]        do_syscall_64+0x19b/0x520
[ 40.289889]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.295569]
[ 40.295569] other info that might help us debug this:
[ 40.295569]
[ 40.303688] Chain exists of:
[ 40.303688]   &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex
[ 40.303688]
[ 40.315196]  Possible unsafe locking scenario:
[ 40.315196]
[ 40.321226]        CPU0                    CPU1
[ 40.325864]        ----                    ----
[ 40.330504]   lock(ashmem_mutex);
[ 40.334544]                                lock(&mm->mmap_sem);
[ 40.340576]                                lock(ashmem_mutex);
[ 40.346530]   lock(&sb->s_type->i_mutex_key#10);
[ 40.351262]
[ 40.351262]  *** DEADLOCK ***
[ 40.351262]
[ 40.357292] 1 lock held by syz-executor080/1790:
[ 40.362017]  #0: (ashmem_mutex){+.+.}, at: [< (ptrval)>] ashmem_shrink_scan+0x53/0x4f0
[ 40.370749]
[ 40.370749] stack backtrace:
[ 40.375221] CPU: 0 PID: 1790 Comm: syz-executor080 Not tainted 4.14.147+ #0
[ 40.382304] Call Trace:
[ 40.384873]  dump_stack+0xca/0x134
[ 40.388388]  print_circular_bug.isra.0.cold+0x2dc/0x425
[ 40.393753]  __lock_acquire+0x2f5f/0x4320
[ 40.397877]  ? trace_hardirqs_on+0x10/0x10
[ 40.402089]  ? finish_task_switch+0x204/0x660
[ 40.406558]  ? finish_task_switch+0x1d9/0x660
[ 40.411030]  ? trace_hardirqs_on+0x10/0x10
[ 40.415240]  ? __sched_text_start+0x8/0x8
[ 40.419360]  ? resched_curr+0xce/0x340
[ 40.423234]  lock_acquire+0x12b/0x360
[ 40.427019]  ? shmem_fallocate+0x150/0xae0
[ 40.431229]  down_write+0x34/0x90
[ 40.434665]  ? shmem_fallocate+0x150/0xae0
[ 40.438884]  shmem_fallocate+0x150/0xae0
[ 40.442931]  ? lock_acquire+0x12b/0x360
[ 40.446880]  ? avc_has_perm_noaudit+0x8b/0x2d0
[ 40.451438]  ? shmem_setattr+0x7a0/0x7a0
[ 40.455470]  ? avc_has_extended_perms+0xc20/0xc20
[ 40.460288]  ? migrate_swap_stop+0x810/0x810
[ 40.464683]  ? avc_has_extended_perms+0x5e0/0xc20
[ 40.469499]  ? lock_acquire+0x12b/0x360
[ 40.473449]  ? ashmem_shrink_scan+0x53/0x4f0
[ 40.477842]  ashmem_shrink_scan+0x1ca/0x4f0
[ 40.482141]  ashmem_ioctl+0x2b4/0xd20
[ 40.485917]  ? ashmem_shrink_scan+0x4f0/0x4f0
[ 40.490388]  ? ashmem_shrink_scan+0x4f0/0x4f0
[ 40.494867]  do_vfs_ioctl+0xabe/0x1040
[ 40.498731]  ? selinux_file_ioctl+0x426/0x590
[ 40.503199]  ? selinux_file_ioctl+0x116/0x590
[ 40.507667]  ? ioctl_preallocate+0x1e0/0x1e0
[ 40.512050]  ? selinux_socket_sock_rcv_skb+0x610/0x610
[ 40.517300]  ? __fget+0x210/0x370
[ 40.520731]  ? lock_downgrade+0x630/0x630
[ 40.524852]  ? lock_acquire+0x12b/0x360
[ 40.528801]  ? check_preemption_disabled+0x35/0x1f0
[ 40.533962]  ? check_preemption_disabled+0x35/0x1f0
[ 40.538951]  ? security_file_ioctl+0x7c/0xb0
[ 40.543333]  SyS_ioctl+0x7f/0xb0
[ 40.546758]  ? do_vfs_ioctl+0x1040/0x1040
[ 40.550880]  do_syscall_64+0x19b/0x520
[ 40.554761]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 40.559933] RIP: 0033:0x44a869
[ 40.563107] RSP: 002b:00007f09881bfd98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 40.570793] RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 000000000044a869
[ 40.578040] RDX: 0000000000000000 RSI: 000000000000770a RDI: 0000000000000004
[ 40.585284] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[ 40.592572] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[ 40.599862] R13: 0000000000020001 R14: ed01040200746178 R15: 2e73666b6d903ceb