[ 34.945322] audit: type=1800 audit(1561065131.414:33): pid=6951 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.967375] audit: type=1800 audit(1561065131.414:34): pid=6951 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 47.811471] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.262237] audit: type=1400 audit(1561065144.734:35): avc: denied { map } for pid=7122 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 48.345578] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.922044] random: sshd: uninitialized urandom read (32 bytes read)
[ 49.118548] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
[ 54.641479] random: sshd: uninitialized urandom read (32 bytes read)
[ 54.828955] audit: type=1400 audit(1561065151.294:36): avc: denied { map } for pid=7134 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/06/20 21:12:32 parsed 1 programs
[ 55.682591] audit: type=1400 audit(1561065152.154:37): avc: denied { map } for pid=7134 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=13803 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 56.281519] random: cc1: uninitialized urandom read (8 bytes read)
2019/06/20 21:12:33 executed programs: 0
[ 57.375578] audit: type=1400 audit(1561065153.844:38): avc: denied { map } for pid=7134 comm="syz-execprog" path="/root/syzkaller-shm401693915" dev="sda1" ino=16485 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 58.130255] IPVS: ftp: loaded support on port[0] = 21
[ 58.440383] chnl_net:caif_netlink_parms(): no params data found
[ 58.471408] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.478029] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.485181] device bridge_slave_0 entered promiscuous mode
[ 58.492446] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.498821] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.505978] device bridge_slave_1 entered promiscuous mode
[ 58.520299] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 58.528874] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 58.545308] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 58.552935] team0: Port device team_slave_0 added
[ 58.558296] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 58.565479] team0: Port device team_slave_1 added
[ 58.570694] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 58.577826] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 58.642305] device hsr_slave_0 entered promiscuous mode
[ 58.690375] device hsr_slave_1 entered promiscuous mode
[ 58.760578] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 58.767530] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 58.781205] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.787619] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.794579] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.800979] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.828610] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 58.835456] 8021q: adding VLAN 0 to HW filter on device bond0
[ 58.843773] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 58.853535] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 58.872307] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.879346] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.889096] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 58.895341] 8021q: adding VLAN 0 to HW filter on device team0
[ 58.903553] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 58.911672] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.918017] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.937752] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 58.947732] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 58.958803] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 58.965574] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 58.973677] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.980091] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.987527] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 58.995289] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 59.002831] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 59.010591] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 59.018029] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 59.024926] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 59.037002] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 59.047346] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 59.431236] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 60.237081]
[ 60.238639] audit: type=1804 audit(1561065156.704:39): pid=7163 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="open_writers" comm="syz-executor.0" name="/root/syzkaller-testdir296250821/syzkaller.0scJmJ/0/file0/file0" dev="sda1" ino=16497 res=1
[ 60.238790] ======================================================
[ 60.272621] WARNING: possible circular locking dependency detected
[ 60.278923] 4.14.128 #22 Not tainted
[ 60.282697] ------------------------------------------------------
[ 60.289007] syz-executor.0/7163 is trying to acquire lock:
[ 60.294627]  (sb_writers#4){.+.+}, at: [] mnt_want_write+0x3f/0xb0
[ 60.302526]
[ 60.302526] but task is already holding lock:
[ 60.308478]  (&iint->mutex){+.+.}, at: [] process_measurement+0x2ae/0xb80
[ 60.316965]
[ 60.316965] which lock already depends on the new lock.
[ 60.316965]
[ 60.325398]
[ 60.325398] the existing dependency chain (in reverse order) is:
[ 60.342381]
[ 60.342381] -> #1 (&iint->mutex){+.+.}:
[ 60.347848]        lock_acquire+0x16f/0x430
[ 60.352161]        __mutex_lock+0xe8/0x1470
[ 60.356474]        mutex_lock_nested+0x16/0x20
[ 60.361072]        process_measurement+0x2ae/0xb80
[ 60.365987]        ima_file_check+0x30/0x40
[ 60.370290]        path_openat+0x1626/0x3f70
[ 60.374710]        do_filp_open+0x18e/0x250
[ 60.379103]        do_sys_open+0x2c5/0x430
[ 60.383321]        SyS_open+0x2d/0x40
[ 60.387103]        do_syscall_64+0x1e8/0x640
[ 60.391498]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.397203]
[ 60.397203] -> #0 (sb_writers#4){.+.+}:
[ 60.402651]        __lock_acquire+0x2c89/0x45e0
[ 60.407305]        lock_acquire+0x16f/0x430
[ 60.411606]        __sb_start_write+0x1ae/0x2f0
[ 60.416260]        mnt_want_write+0x3f/0xb0
[ 60.420569]        ovl_want_write+0x76/0xa0
[ 60.424878]        ovl_open_maybe_copy_up+0xd5/0x130
[ 60.429962]        ovl_d_real+0xce/0x360
[ 60.434036]        vfs_open+0x19e/0x220
[ 60.438028]        dentry_open+0xac/0x220
[ 60.442200]        ima_calc_file_hash+0x563/0x820
[ 60.447030]        ima_collect_measurement+0x3c1/0x450
[ 60.452289]        process_measurement+0x7dd/0xb80
[ 60.457371]        ima_file_check+0x30/0x40
[ 60.461678]        path_openat+0x1626/0x3f70
[ 60.466069]        do_filp_open+0x18e/0x250
[ 60.470380]        do_sys_open+0x2c5/0x430
[ 60.474632]        SyS_open+0x2d/0x40
[ 60.478443]        do_syscall_64+0x1e8/0x640
[ 60.482841]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.488526]
[ 60.488526] other info that might help us debug this:
[ 60.488526]
[ 60.496649]  Possible unsafe locking scenario:
[ 60.496649]
[ 60.502689]        CPU0                    CPU1
[ 60.507333]        ----                    ----
[ 60.511976]   lock(&iint->mutex);
[ 60.515407]                                lock(sb_writers#4);
[ 60.521360]                                lock(&iint->mutex);
[ 60.527307]   lock(sb_writers#4);
[ 60.530740]
[ 60.530740]  *** DEADLOCK ***
[ 60.530740]
[ 60.536791] 1 lock held by syz-executor.0/7163:
[ 60.541454]  #0: (&iint->mutex){+.+.}, at: [] process_measurement+0x2ae/0xb80
[ 60.550383]
[ 60.550383] stack backtrace:
[ 60.554875] CPU: 0 PID: 7163 Comm: syz-executor.0 Not tainted 4.14.128 #22
[ 60.561868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.571220] Call Trace:
[ 60.573794]  dump_stack+0x138/0x19c
[ 60.577417]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 60.582768]  __lock_acquire+0x2c89/0x45e0
[ 60.586897]  ? save_stack+0x45/0xd0
[ 60.590593]  ? kasan_kmalloc+0xce/0xf0
[ 60.594458]  ? kasan_slab_alloc+0xf/0x20
[ 60.598498]  ? kmem_cache_alloc+0x12e/0x780
[ 60.602806]  ? selinux_file_alloc_security+0xb4/0x190
[ 60.608074]  ? trace_hardirqs_on+0x10/0x10
[ 60.612290]  ? do_sys_open+0x2c5/0x430
[ 60.616193]  ? save_trace+0x290/0x290
[ 60.619978]  ? save_trace+0x290/0x290
[ 60.623761]  lock_acquire+0x16f/0x430
[ 60.627566]  ? mnt_want_write+0x3f/0xb0
[ 60.631523]  __sb_start_write+0x1ae/0x2f0
[ 60.635739]  ? mnt_want_write+0x3f/0xb0
[ 60.639689]  mnt_want_write+0x3f/0xb0
[ 60.643497]  ovl_want_write+0x76/0xa0
[ 60.647283]  ovl_open_maybe_copy_up+0xd5/0x130
[ 60.651864]  ovl_d_real+0xce/0x360
[ 60.655390]  vfs_open+0x19e/0x220
[ 60.658824]  dentry_open+0xac/0x220
[ 60.662437]  ima_calc_file_hash+0x563/0x820
[ 60.666757]  ima_collect_measurement+0x3c1/0x450
[ 60.671495]  ? ima_get_action+0x80/0x80
[ 60.675467]  ? ima_get_cache_status+0x180/0x180
[ 60.680122]  process_measurement+0x7dd/0xb80
[ 60.684657]  ? ima_rdwr_violation_check+0x3f0/0x3f0
[ 60.689663]  ? dput.part.0+0x170/0x750
[ 60.693606]  ? dquot_file_open+0x60/0xa0
[ 60.697659]  ? ext4_file_open+0x2da/0x850
[ 60.701797]  ? ext4_release_file+0x2e0/0x2e0
[ 60.706186]  ? inode_has_perm.isra.0+0x1e0/0x1e0
[ 60.710926]  ? lock_downgrade+0x62c/0x6e0
[ 60.715075]  ? security_file_open+0x89/0x190
[ 60.719480]  ? file_ra_state_init+0xc9/0x1e0
[ 60.723981]  ? do_dentry_open+0x452/0xeb0
[ 60.728110]  ? ovl_dentry_upper+0xd/0x70
[ 60.732168]  ? ext4_release_file+0x2e0/0x2e0
[ 60.736562]  ima_file_check+0x30/0x40
[ 60.740353]  path_openat+0x1626/0x3f70
[ 60.744232]  ? trace_hardirqs_on+0x10/0x10
[ 60.748444]  ? path_lookupat.isra.0+0x7b0/0x7b0
[ 60.753120]  ? find_held_lock+0x35/0x130
[ 60.757196]  ? __alloc_fd+0x1d4/0x4a0
[ 60.760978]  do_filp_open+0x18e/0x250
[ 60.764759]  ? may_open_dev+0xe0/0xe0
[ 60.768566]  ? _raw_spin_unlock+0x2d/0x50
[ 60.772716]  ? __alloc_fd+0x1d4/0x4a0
[ 60.776504]  do_sys_open+0x2c5/0x430
[ 60.780216]  ? filp_open+0x70/0x70
[ 60.783749]  ? SyS_clock_gettime+0xf8/0x180
[ 60.788056]  SyS_open+0x2d/0x40
[ 60.791318]  ? do_sys_open+0x430/0x430
[ 60.795191]  do_syscall_64+0x1e8/0x640
[ 60.799081]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 60.803910]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 60.809079] RIP: 0033:0x4592c9
[ 60.812249] RSP: 002b:00007ffe7131f048 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[ 60.819963] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004592c9
[ 60.827305] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000020000200
[ 60.834556] RBP: 000000000075bf20 R08: 0000000000000000 R0