[ 33.477210] audit: type=1800 audit(1555861063.944:33): pid=6983 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.498553] audit: type=1800 audit(1555861063.944:34): pid=6983 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
[ 34.082985] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.450616] audit: type=1400 audit(1555861064.924:35): avc: denied { map } for pid=7156 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.496634] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 35.052893] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.256498] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.190' (ECDSA) to the list of known hosts.
[ 40.889379] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.015144] audit: type=1400 audit(1555861071.484:36): avc: denied { map } for pid=7169 comm="syz-executor974" path="/root/syz-executor974282694" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 41.018628] executing program
[ 41.041923] audit: type=1400 audit(1555861071.484:37): avc: denied { map } for pid=7169 comm="syz-executor974" path="/dev/ashmem" dev="devtmpfs" ino=15231 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[ 41.043053] ======================================================
[ 41.074262] WARNING: possible circular locking dependency detected
[ 41.080700] 4.14.113 #3 Not tainted
[ 41.084333] ------------------------------------------------------
[ 41.096827] syz-executor974/7169 is trying to acquire lock:
[ 41.102666]  (sb_writers#6){.+.+}, at: [] vfs_fallocate+0x5d3/0x7a0
[ 41.110876]
[ 41.110876] but task is already holding lock:
[ 41.117130]  (ashmem_mutex){+.+.}, at: [] ashmem_shrink_scan+0x56/0x420
[ 41.126623]
[ 41.126623] which lock already depends on the new lock.
[ 41.126623]
[ 41.135738]
[ 41.135738] the existing dependency chain (in reverse order) is:
[ 41.145239]
[ 41.145239] -> #2 (ashmem_mutex){+.+.}:
[ 41.151811]        lock_acquire+0x16f/0x430
[ 41.156177]        __mutex_lock+0xe8/0x1470
[ 41.161307]        mutex_lock_nested+0x16/0x20
[ 41.165897]        ashmem_mmap+0x55/0x490
[ 41.170034]        mmap_region+0x858/0x1030
[ 41.174336]        do_mmap+0x5b8/0xcd0
[ 41.178206]        vm_mmap_pgoff+0x17a/0x1d0
[ 41.182596]        SyS_mmap_pgoff+0x3ca/0x520
[ 41.187080]        SyS_mmap+0x16/0x20
[ 41.190865]        do_syscall_64+0x1eb/0x630
[ 41.195256]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.200942]
[ 41.200942] -> #1 (&mm->mmap_sem){++++}:
[ 41.206468]        lock_acquire+0x16f/0x430
[ 41.210771]        __might_fault+0x143/0x1d0
[ 41.215152]        _copy_from_user+0x2c/0x110
[ 41.219618]        setxattr+0x153/0x350
[ 41.223570]        path_setxattr+0x11f/0x140
[ 41.227950]        SyS_lsetxattr+0x38/0x50
[ 41.232163]        do_syscall_64+0x1eb/0x630
[ 41.236550]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.242237]
[ 41.242237] -> #0 (sb_writers#6){.+.+}:
[ 41.247676]        __lock_acquire+0x2c89/0x45e0
[ 41.252336]        lock_acquire+0x16f/0x430
[ 41.256646]        __sb_start_write+0x1ae/0x2f0
[ 41.261294]        vfs_fallocate+0x5d3/0x7a0
[ 41.265678]        ashmem_shrink_scan+0x181/0x420
[ 41.270495]        ashmem_ioctl+0x28f/0xf10
[ 41.274793]        do_vfs_ioctl+0x7b9/0x1070
[ 41.279181]        SyS_ioctl+0x8f/0xc0
[ 41.283048]        do_syscall_64+0x1eb/0x630
[ 41.287441]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.293128]
[ 41.293128] other info that might help us debug this:
[ 41.293128]
[ 41.301250] Chain exists of:
[ 41.301250]   sb_writers#6 --> &mm->mmap_sem --> ashmem_mutex
[ 41.301250]
[ 41.311481]  Possible unsafe locking scenario:
[ 41.311481]
[ 41.317540]        CPU0                    CPU1
[ 41.322198]        ----                    ----
[ 41.326838]   lock(ashmem_mutex);
[ 41.330266]                                lock(&mm->mmap_sem);
[ 41.336309]                                lock(ashmem_mutex);
[ 41.342268]   lock(sb_writers#6);
[ 41.345714]
[ 41.345714]  *** DEADLOCK ***
[ 41.345714]
[ 41.351762] 1 lock held by syz-executor974/7169:
[ 41.356515]  #0: (ashmem_mutex){+.+.}, at: [] ashmem_shrink_scan+0x56/0x420
[ 41.365256]
[ 41.365256] stack backtrace:
[ 41.369752] CPU: 0 PID: 7169 Comm: syz-executor974 Not tainted 4.14.113 #3
[ 41.376743] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.386077] Call Trace:
[ 41.388650]  dump_stack+0x138/0x19c
[ 41.392261]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 41.397618]  __lock_acquire+0x2c89/0x45e0
[ 41.401924]  ? trace_hardirqs_on+0x10/0x10
[ 41.406135]  ? inode_has_perm.isra.0+0x15c/0x1e0
[ 41.410871]  lock_acquire+0x16f/0x430
[ 41.414659]  ? vfs_fallocate+0x5d3/0x7a0
[ 41.418702]  __sb_start_write+0x1ae/0x2f0
[ 41.422828]  ? vfs_fallocate+0x5d3/0x7a0
[ 41.426870]  ? shmem_setattr+0xb80/0xb80
[ 41.430913]  vfs_fallocate+0x5d3/0x7a0
[ 41.434794]  ashmem_shrink_scan+0x181/0x420
[ 41.439104]  ashmem_ioctl+0x28f/0xf10
[ 41.442889]  ? ashmem_shrink_scan+0x420/0x420
[ 41.447364]  ? __might_sleep+0x93/0xb0
[ 41.451239]  ? ashmem_shrink_scan+0x420/0x420
[ 41.455712]  do_vfs_ioctl+0x7b9/0x1070
[ 41.459582]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 41.464317]  ? ioctl_preallocate+0x1c0/0x1c0
[ 41.468714]  ? fput+0xd4/0x150
[ 41.471893]  ? security_file_ioctl+0x83/0xc0
[ 41.476292]  ? security_file_ioctl+0x8f/0xc0
[ 41.480684]  SyS_ioctl+0x8f/0xc0
[ 41.484032]  ? do_vfs_ioctl+0x1070/0x1070
[ 41.488158]  do_syscall_64+0x1eb/0x630
[ 41.492024]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 41.496879]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 41.502049] RIP: 0033:0x4401c9
[ 41.505226] RSP: 002b:00007fff190b9688 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 41.512930] RAX: ffffffffffffffda RBX: 000000000