[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 15.872237] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.984691] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 17.502129] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.030177] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.172140] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.54' (ECDSA) to the list of known hosts.
[ 23.658024] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 23.742108]
[ 23.743743] ======================================================
[ 23.750032] [ INFO: possible circular locking dependency detected ]
[ 23.756426] 4.9.119-g92e8704 #22 Not tainted
[ 23.760802] -------------------------------------------------------
[ 23.767180] syz-executor638/3798 is trying to acquire lock:
[ 23.772856]  (&sb->s_type->i_mutex_key#10){++++++}, at: [] shmem_fallocate+0x13c/0xb40
[ 23.782947] but task is already holding lock:
[ 23.787601]  (ashmem_mutex){+.+.+.}, at: [] ashmem_shrink_scan+0x55/0x3a0
[ 23.796448] which lock already depends on the new lock.
[ 23.796448]
[ 23.803432]
[ 23.803432] the existing dependency chain (in reverse order) is:
[ 23.811026] -> #2 (ashmem_mutex){+.+.+.}:
[ 23.815829]        lock_acquire+0x130/0x3e0
[ 23.820179]        mutex_lock_nested+0xc0/0x870
[ 23.824839]        ashmem_mmap+0x53/0x3f0
[ 23.828963]        mmap_region+0x893/0x1040
[ 23.833254]        do_mmap+0x59c/0xcc0
[ 23.837130]        vm_mmap_pgoff+0x168/0x1b0
[ 23.841514]        SyS_mmap_pgoff+0x342/0x550
[ 23.845985]        SyS_mmap+0x16/0x20
[ 23.849758]        do_syscall_64+0x1a6/0x490
[ 23.854137]        entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 23.859734] -> #1 (&mm->mmap_sem){++++++}:
[ 23.864634]        lock_acquire+0x130/0x3e0
[ 23.868930]        __might_fault+0x14a/0x1d0
[ 23.873313]        filldir+0x1a4/0x370
[ 23.877172]        dcache_readdir+0x130/0x5d0
[ 23.881640]        iterate_dir+0x1ac/0x600
[ 23.885852]        SyS_getdents+0x13c/0x2a0
[ 23.890154]        do_syscall_64+0x1a6/0x490
[ 23.894540]        entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 23.900136] -> #0 (&sb->s_type->i_mutex_key#10){++++++}:
[ 23.906338]        __lock_acquire+0x3019/0x4070
[ 23.910977]        lock_acquire+0x130/0x3e0
[ 23.915273]        down_write+0x41/0xa0
[ 23.919222]        shmem_fallocate+0x13c/0xb40
[ 23.923779]        ashmem_shrink_scan+0x1bd/0x3a0
[ 23.928594]        ashmem_ioctl+0x2c1/0xf20
[ 23.932888]        do_vfs_ioctl+0x1ac/0x11a0
[ 23.937270]        SyS_ioctl+0x8f/0xc0
[ 23.941129]        do_syscall_64+0x1a6/0x490
[ 23.945511]        entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 23.951106]
[ 23.951106] other info that might help us debug this:
[ 23.951106]
[ 23.959239] Chain exists of: &sb->s_type->i_mutex_key#10 --> &mm->mmap_sem --> ashmem_mutex
[ 23.968986] Possible unsafe locking scenario:
[ 23.968986]
[ 23.975014]        CPU0                    CPU1
[ 23.979668]        ----                    ----
[ 23.984317]   lock(ashmem_mutex);
[ 23.987999]                                lock(&mm->mmap_sem);
[ 23.994275]                                lock(ashmem_mutex);
[ 24.000811]   lock(&sb->s_type->i_mutex_key#10);
[ 24.005903]
[ 24.005903]  *** DEADLOCK ***
[ 24.005903]
[ 24.011962] 1 lock held by syz-executor638/3798:
[ 24.016687]  #0: (ashmem_mutex){+.+.+.}, at: [] ashmem_shrink_scan+0x55/0x3a0
[ 24.026067]
[ 24.026067] stack backtrace:
[ 24.030540] CPU: 0 PID: 3798 Comm: syz-executor638 Not tainted 4.9.119-g92e8704 #22
[ 24.038307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 24.047651]  ffff8801b6357638 ffffffff81eb4be9 ffffffff855d09d0 ffffffff855eec70
[ 24.055643]  ffffffff855d81a0 ffff8801b79b50e8 ffff8801b79b4800 ffff8801b6357680
[ 24.063646]  ffffffff81426644 0000000000000001 00000000b79b4800 0000000000000001
[ 24.071621] Call Trace:
[ 24.074183]  [] dump_stack+0xc1/0x128
[ 24.079521]  [] print_circular_bug.cold.51+0x1bd/0x27d
[ 24.086356]  [] __lock_acquire+0x3019/0x4070
[ 24.092302]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.099289]  [] ? __lock_is_held+0xa2/0xf0
[ 24.105057]  [] lock_acquire+0x130/0x3e0
[ 24.110654]  [] ? shmem_fallocate+0x13c/0xb40
[ 24.116687]  [] down_write+0x41/0xa0
[ 24.121938]  [] ? shmem_fallocate+0x13c/0xb40
[ 24.127970]  [] shmem_fallocate+0x13c/0xb40
[ 24.133832]  [] ? avc_has_perm_noaudit+0x2ad/0x450
[ 24.140297]  [] ? avc_has_perm_noaudit+0xa3/0x450
[ 24.146679]  [] ? shmem_setattr+0x9a0/0x9a0
[ 24.152560]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 24.159554]  [] ? new_slab+0x303/0x3d0
[ 24.164981]  [] ? range_alloc+0x36/0x240
[ 24.170580]  [] ? cred_has_capability+0x14e/0x2e0
[ 24.176973]  [] ? selinux_ipv4_output+0x40/0x40
[ 24.183178]  [] ? mark_held_locks+0xc7/0x130
[ 24.189131]  [] ? mutex_trylock+0x25a/0x3e0
[ 24.194996]  [] ? trace_hardirqs_on_caller+0x38b/0x590
[ 24.201825]  [] ? trace_hardirqs_on+0xd/0x10
[ 24.207773]  [] ? ashmem_shrink_scan+0x55/0x3a0
[ 24.213978]  [] ashmem_shrink_scan+0x1bd/0x3a0
[ 24.220099]  [] ashmem_ioctl+0x2c1/0xf20
[ 24.225698]  [] ? get_name+0x230/0x230
[ 24.231121]  [] ? __might_sleep+0x95/0x1a0
[ 24.236891]  [] ? get_name+0x230/0x230
[ 24.242312]  [] do_vfs_ioctl+0x1ac/0x11a0
[ 24.247997]  [] ? ioctl_preallocate+0x220/0x220
[ 24.254200]  [] ? selinux_capable+0x40/0x40
[ 24.260061]  [] ? __kmalloc+0x7a/0x300
[ 24.265486]  [] ? __do_page_fault+0x5dd/0xd50
[ 24.271518]  [] ? security_file_ioctl+0x8f/0xc0
[ 24.277730]  [] SyS_ioctl+0x8f/0xc0
[ 24.282906]  [] ? do_vfs_ioctl+0x11a0/0x11a0
[ 24.288854]  [] do_syscall_64+0x1a6/0x490
[