[ 11.529418] random: sshd: uninitialized urandom read (32 bytes read)
[....] Starting file context maintaining daemon: restorecond[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.886482] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.212276] audit: type=1400 audit(1542144219.618:6): avc: denied { map } for pid=1761 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 26.251844] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.654218] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
[ 32.339436] urandom_read: 1 callbacks suppressed
[ 32.339440] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.440777] audit: type=1400 audit(1542144225.848:7): avc: denied { map } for pid=1779 comm="syz-executor316" path="/root/syz-executor316239602" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 32.467569] audit: type=1400 audit(1542144225.868:8): avc: denied { map } for pid=1779 comm="syz-executor316" path="/dev/ashmem" dev="devtmpfs" ino=1082 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[ 32.468860]
[ 32.468862] ======================================================
[ 32.468863] WARNING: possible circular locking dependency detected
[ 32.468866] 4.14.80+ #5 Not tainted
[ 32.468867] ------------------------------------------------------
[ 32.468869] syz-executor316/1779 is trying to acquire lock:
[ 32.468870]  (cpu_hotplug_lock.rw_sem){++++}, at: [] lru_add_drain_all+0xa/0x20
[ 32.468882]
[ 32.468882] but task is already holding lock:
[ 32.468882]  (&sb->s_type->i_mutex_key#10){+.+.}, at: [] shmem_add_seals+0x132/0x1230
[ 32.468890]
[ 32.468890] which lock already depends on the new lock.
[ 32.468890]
[ 32.468892]
[ 32.468892] the existing dependency chain (in reverse order) is:
[ 32.468892]
[ 32.468892] -> #5 (&sb->s_type->i_mutex_key#10){+.+.}:
[ 32.468901]        down_write+0x34/0x90
[ 32.468905]        shmem_fallocate+0x149/0xb20
[ 32.468909]        ashmem_shrink_scan+0x1b6/0x4e0
[ 32.468911]        ashmem_ioctl+0x2cc/0xe20
[ 32.468916]        do_vfs_ioctl+0x1a0/0x1030
[ 32.468919]        SyS_ioctl+0x7e/0xb0
[ 32.468923]        do_syscall_64+0x19b/0x4b0
[ 32.468927]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.468928]
[ 32.468928] -> #4 (ashmem_mutex){+.+.}:
[ 32.468933]        __mutex_lock+0xf5/0x1480
[ 32.468936]        ashmem_mmap+0x4c/0x430
[ 32.468941]        mmap_region+0x836/0xfb0
[ 32.468944]        do_mmap+0x551/0xb80
[ 32.468947]        vm_mmap_pgoff+0x180/0x1d0
[ 32.468950]        SyS_mmap_pgoff+0xf8/0x1a0
[ 32.468953]        do_syscall_64+0x19b/0x4b0
[ 32.468956]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.468957]
[ 32.468957] -> #3 (&mm->mmap_sem){++++}:
[ 32.468963]        __might_fault+0x137/0x1b0
[ 32.468967]        _copy_from_user+0x27/0x100
[ 32.468970]        memdup_user+0x50/0x90
[ 32.468973]        strndup_user+0x5b/0xf0
[ 32.468977]        perf_ioctl+0x961/0x1bb0
[ 32.468980]        do_vfs_ioctl+0x1a0/0x1030
[ 32.468984]        SyS_ioctl+0x7e/0xb0
[ 32.468986]        do_syscall_64+0x19b/0x4b0
[ 32.468990]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.468990]
[ 32.468990] -> #2 (&cpuctx_mutex){+.+.}:
[ 32.468996]        __mutex_lock+0xf5/0x1480
[ 32.468999]        perf_event_init_cpu+0xab/0x150
[ 32.469005]        perf_event_init+0x295/0x2d4
[ 32.469008]        start_kernel+0x441/0x739
[ 32.469013]        secondary_startup_64+0xa5/0xb0
[ 32.469014]
[ 32.469014] -> #1 (pmus_lock){+.+.}:
[ 32.469019]        __mutex_lock+0xf5/0x1480
[ 32.469022]        perf_event_init_cpu+0x2c/0x150
[ 32.469027]        cpuhp_invoke_callback+0x1b5/0x1960
[ 32.469030]        _cpu_up+0x22c/0x520
[ 32.469033]        do_cpu_up+0x13f/0x180
[ 32.469036]        smp_init+0x137/0x14b
[ 32.469038]        kernel_init_freeable+0x186/0x39f
[ 32.469043]        kernel_init+0xc/0x157
[ 32.469046]        ret_from_fork+0x3a/0x50
[ 32.469046]
[ 32.469046] -> #0 (cpu_hotplug_lock.rw_sem){++++}:
[ 32.469053]        lock_acquire+0x10f/0x380
[ 32.469056]        cpus_read_lock+0x39/0xb0
[ 32.469059]        lru_add_drain_all+0xa/0x20
[ 32.469062]        shmem_add_seals+0x4db/0x1230
[ 32.469065]        shmem_fcntl+0xea/0x120
[ 32.469068]        do_fcntl+0x966/0xea0
[ 32.469071]        SyS_fcntl+0xc7/0x100
[ 32.469074]        do_syscall_64+0x19b/0x4b0
[ 32.469089]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.469090]
[ 32.469090] other info that might help us debug this:
[ 32.469090]
[ 32.469091] Chain exists of:
[ 32.469091]   cpu_hotplug_lock.rw_sem --> ashmem_mutex --> &sb->s_type->i_mutex_key#10
[ 32.469091]
[ 32.469097]  Possible unsafe locking scenario:
[ 32.469097]
[ 32.469098]        CPU0                    CPU1
[ 32.469099]        ----                    ----
[ 32.469100]   lock(&sb->s_type->i_mutex_key#10);
[ 32.469103]                                lock(ashmem_mutex);
[ 32.469105]                                lock(&sb->s_type->i_mutex_key#10);
[ 32.469107]   lock(cpu_hotplug_lock.rw_sem);
[ 32.469110]
[ 32.469110]  *** DEADLOCK ***
[ 32.469110]
[ 32.469112] 1 lock held by syz-executor316/1779:
[ 32.469113]  #0:  (&sb->s_type->i_mutex_key#10){+.+.}, at: [] shmem_add_seals+0x132/0x1230
[ 32.469121]
[ 32.469121] stack backtrace:
[ 32.469124] CPU: 1 PID: 1779 Comm: syz-executor316 Not tainted 4.14.80+ #5
[ 32.469126] Call Trace:
[ 32.469132]  dump_stack+0xb9/0x11b
[ 32.469137]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 32.469141]  ? save_trace+0xd6/0x250
[ 32.469145]  __lock_acquire+0x2ff9/0x4320
[ 32.469148]  ? __lock_acquire+0x619/0x4320
[ 32.469154]  ? trace_hardirqs_on+0x10/0x10
[ 32.469158]  ? pagevec_lru_move_fn+0x140/0x210
[ 32.469163]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 32.469169]  lock_acquire+0x10f/0x380
[ 32.469172]  ? lru_add_drain_all+0xa/0x20
[ 32.469176]  cpus_read_lock+0x39/0xb0
[ 32.469180]  ? lru_add_drain_all+0xa/0x20
[ 32.469182]  lru_add_drain_all+0xa/0x20
[ 32.469186]  shmem_add_seals+0x4db/0x1230
[ 32.469191]  ? shmem_file_llseek+0x230/0x230
[ 32.469196]  ? do_sendfile+0x1d1/0xb50
[ 32.469200]  shmem_fcntl+0xea/0x120
[ 32.469204]  do_fcntl+0x966/0xea0
[ 32.469208]  ? f_getown+0xa0/0xa0
[ 32.469213]  ? __might_fault+0x177/0x1b0
[ 32.469218]  ? selinux_file_fcntl+0xfa/0x160
[ 32.469223]  SyS_fcntl+0xc7/0x100
[ 32.469226]  ? do_fcntl+0xea0/0xea0
[ 32.469230]  do_syscall_64+0x19b/0x4b0
[ 32.469235]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.469237] RIP: 0033:0x43ff79
[ 32.469239] RSP: 002b:00007ffd95b61058 EFLAGS: 00000207 ORIG_RAX: 0000000000000048
[ 32.469249] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff79
[ 32.469251] RDX: 0000000000000008 RSI: 0000000000000409 RDI: 0000000000000007
[ 32.469253] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 32.469256] R10
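The lockdep splat above lists the dependency chain in reverse (#5 first, #0 last), and the "Chain exists of" summary only names three of the six locks, so it is easy to misread which lock was taken under which. As an added example (not part of the report above and not syzkaller's own tooling), the Python script below parses such a report into the full lock-order cycle and decodes the user-space register dump into the syscall the task was issuing. The sample input is an excerpt of this report with timestamps stripped; the syscall-number table and the fcntl seal constants are hard-coded for x86_64 and the kernel's uapi headers, which is an assumption the reader should adjust for other architectures.

```python
import re

# Excerpt of the lockdep report above, timestamps stripped; this is the sample input.
REPORT = """\
syz-executor316/1779 is trying to acquire lock:
 (cpu_hotplug_lock.rw_sem){++++}, at: [] lru_add_drain_all+0xa/0x20

but task is already holding lock:
 (&sb->s_type->i_mutex_key#10){+.+.}, at: [] shmem_add_seals+0x132/0x1230

-> #5 (&sb->s_type->i_mutex_key#10){+.+.}:
       down_write+0x34/0x90
       shmem_fallocate+0x149/0xb20
       ashmem_shrink_scan+0x1b6/0x4e0

-> #4 (ashmem_mutex){+.+.}:
       __mutex_lock+0xf5/0x1480
       ashmem_mmap+0x4c/0x430

-> #3 (&mm->mmap_sem){++++}:
       __might_fault+0x137/0x1b0
       perf_ioctl+0x961/0x1bb0

-> #2 (&cpuctx_mutex){+.+.}:
       __mutex_lock+0xf5/0x1480
       perf_event_init_cpu+0xab/0x150

-> #1 (pmus_lock){+.+.}:
       __mutex_lock+0xf5/0x1480
       cpuhp_invoke_callback+0x1b5/0x1960

-> #0 (cpu_hotplug_lock.rw_sem){++++}:
       lock_acquire+0x10f/0x380
       lru_add_drain_all+0xa/0x20
       shmem_add_seals+0x4db/0x1230

RSP: 002b:00007ffd95b61058 EFLAGS: 00000207 ORIG_RAX: 0000000000000048
RDX: 0000000000000008 RSI: 0000000000000409 RDI: 0000000000000007
"""

ENTRY_RE = re.compile(r"^-> #(\d+) \((.+?)\)\{[^}]*\}:\s*$")
HELD_RE = re.compile(r"^[ \t]*\((.+?)\)\{[^}]*\}, at: \[[^\]]*\] (\S+)", re.M)
REG_RE = re.compile(r"\b(ORIG_RAX|RDI|RSI|RDX): ([0-9a-f]{16})")

SYSCALL_NAMES = {72: "fcntl"}          # x86_64 number seen in this dump (assumed table)
F_ADD_SEALS = 1024 + 9                 # F_LINUX_SPECIFIC_BASE + 9 == 0x409
SEAL_BITS = {"F_SEAL_SEAL": 0x1, "F_SEAL_SHRINK": 0x2,
             "F_SEAL_GROW": 0x4, "F_SEAL_WRITE": 0x8}


def parse_chain(report):
    """Return [(lock name, stack frames), ...] for entries #0..#N in index order.
    lockdep prints them in reverse (#N first), so the result is sorted by index."""
    entries, current = {}, None
    for line in report.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = int(m.group(1))
            entries[current] = (m.group(2), [])
        elif current is not None and not line.strip():
            current = None             # a blank line ends the entry's stack
        elif current is not None:
            entries[current][1].append(line.strip())
    return [entries[i] for i in sorted(entries)]


def dependency_cycle(entries):
    """Edges (held, acquired): entry #k's lock was taken while #(k-1)'s lock was
    held; the acquisition being reported (#0's lock) closes the cycle, taken
    while the last entry's lock is held."""
    names = [name for name, _ in entries]
    edges = [(names[k - 1], names[k]) for k in range(1, len(names))]
    edges.append((names[-1], names[0]))
    return edges


def check_report(report):
    """Cross-check the chain endpoints against the 'trying to acquire' and
    'already holding' lines, then return the cycle."""
    entries = parse_chain(report)
    locks = HELD_RE.findall(report)    # [(acquiring, site), (holding, site)]
    if len(locks) < 2 or not entries:
        raise ValueError("report is truncated or not a lockdep splat")
    if locks[0][0] != entries[0][0] or locks[1][0] != entries[-1][0]:
        raise ValueError("chain endpoints do not match held/acquired locks")
    return dependency_cycle(entries)


def decode_syscall(report):
    """Decode the user-space register dump into the syscall the task issued.
    x86_64 convention: ORIG_RAX=number, RDI/RSI/RDX=first three arguments."""
    regs = {k: int(v, 16) for k, v in REG_RE.findall(report)}
    name = SYSCALL_NAMES.get(regs["ORIG_RAX"], f"syscall_{regs['ORIG_RAX']}")
    fd, cmd, arg = regs["RDI"], regs["RSI"], regs["RDX"]
    if name == "fcntl" and cmd == F_ADD_SEALS:
        seals = "|".join(n for n, bit in SEAL_BITS.items() if arg & bit)
        return f"fcntl(fd={fd}, F_ADD_SEALS, {seals})"
    return f"{name}(fd={fd}, cmd={cmd:#x}, arg={arg:#x})"


if __name__ == "__main__":
    for held, acquired in check_report(REPORT):
        print(f"{held} --> {acquired}")
    print("triggering call:", decode_syscall(REPORT))
```

Run on the excerpt, the cycle reads cpu_hotplug_lock.rw_sem --> pmus_lock --> &cpuctx_mutex --> &mm->mmap_sem --> ashmem_mutex --> &sb->s_type->i_mutex_key#10 --> cpu_hotplug_lock.rw_sem, and the register dump decodes to fcntl(fd=7, F_ADD_SEALS, F_SEAL_WRITE): the task was sealing a shmem file, which is the path that calls lru_add_drain_all() with the inode lock held. The parser only reads the reported frames and registers, so it adds no information the splat does not already contain; it just makes the edge direction explicit.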