[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 10.559610] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 28.019705] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.300833] audit: type=1400 audit(1539755734.762:6): avc: denied { map } for pid=1764 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 28.347265] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.800144] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.44' (ECDSA) to the list of known hosts.
[ 34.644148] urandom_read: 1 callbacks suppressed
[ 34.644152] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.737877] audit: type=1400 audit(1539755741.192:7): avc: denied { map } for pid=1782 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/10/17 05:55:41 parsed 1 programs
[ 35.257862] audit: type=1400 audit(1539755741.712:8): avc: denied { map } for pid=1782 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 35.720081] random: cc1: uninitialized urandom read (8 bytes read)
2018/10/17 05:55:42 executed programs: 0
[ 36.529774] audit: type=1400 audit(1539755742.982:9): avc: denied { map } for pid=1782 comm="syz-execprog" path="/root/syzkaller-shm269258202" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 43.317909] audit: type=1400 audit(1539755749.772:10): avc: denied { create } for pid=4438 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 43.341861] audit: type=1400 audit(1539755749.772:11): avc: denied { write } for pid=4438 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 43.366087] audit: type=1400 audit(1539755749.782:12): avc: denied { read } for pid=4438 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 43.474428] audit: type=1400 audit(1539755749.932:13): avc: denied { map } for pid=4438 comm="syz-executor0" path="/dev/loop-control" dev="devtmpfs" ino=1058 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
[ 43.500574]
[ 43.502199] ======================================================
[ 43.508495] WARNING: possible circular locking dependency detected
[ 43.514828] 4.14.76+ #20 Not tainted
[ 43.518517] ------------------------------------------------------
[ 43.524812] kworker/1:1/68 is trying to acquire lock:
[ 43.530012]  (&sb->s_type->i_mutex_key#9){+.+.}, at: [] __generic_file_fsync+0x9e/0x1a0
[ 43.539723]
[ 43.539723] but task is already holding lock:
[ 43.545667]  ((&dio->complete_work)){+.+.}, at: [] process_one_work+0x7bf/0x15c0
[ 43.554746]
[ 43.554746] which lock already depends on the new lock.
[ 43.554746]
[ 43.563035]
[ 43.563035] the existing dependency chain (in reverse order) is:
[ 43.570629]
[ 43.570629] -> #2 ((&dio->complete_work)){+.+.}:
[ 43.576843]        process_one_work+0x813/0x15c0
[ 43.581571]        worker_thread+0xdc/0x1000
[ 43.585951]        kthread+0x348/0x420
[ 43.589814]        ret_from_fork+0x3a/0x50
[ 43.594019]
[ 43.594019] -> #1 ("dio/%s"sb->s_id){+.+.}:
[ 43.599794]        flush_workqueue+0xfc/0x1390
[ 43.604350]        drain_workqueue+0x17b/0x3f0
[ 43.608915]        destroy_workqueue+0x23/0x600
[ 43.613559]        sb_init_dio_done_wq+0x5e/0x70
[ 43.618288]        __blockdev_direct_IO+0x29e2/0xc4e0
[ 43.623454]        ext4_direct_IO+0x905/0x27f0
[ 43.628010]        generic_file_direct_write+0x225/0x430
[ 43.633433]        __generic_file_write_iter+0x213/0x540
[ 43.638874]        ext4_file_write_iter+0x4f6/0xe20
[ 43.643871]        aio_write+0x2f2/0x510
[ 43.647907]        do_io_submit+0xef4/0x12a0
[ 43.652300]        do_syscall_64+0x19b/0x4b0
[ 43.656700]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.662384]
[ 43.662384] -> #0 (&sb->s_type->i_mutex_key#9){+.+.}:
[ 43.669032]        lock_acquire+0x10f/0x380
[ 43.673326]        down_write+0x34/0x90
[ 43.677275]        __generic_file_fsync+0x9e/0x1a0
[ 43.682198]        ext4_sync_file+0x39e/0x1050
[ 43.686761]        vfs_fsync_range+0x105/0x260
[ 43.691318]        dio_complete+0x621/0x800
[ 43.695612]        process_one_work+0x86e/0x15c0
[ 43.700340]        worker_thread+0xdc/0x1000
[ 43.704728]        kthread+0x348/0x420
[ 43.708588]        ret_from_fork+0x3a/0x50
[ 43.712797]
[ 43.712797] other info that might help us debug this:
[ 43.712797]
[ 43.720915] Chain exists of:
[ 43.720915]   &sb->s_type->i_mutex_key#9 --> "dio/%s"sb->s_id --> (&dio->complete_work)
[ 43.720915]
[ 43.733378]  Possible unsafe locking scenario:
[ 43.733378]
[ 43.739409]        CPU0                    CPU1
[ 43.744049]        ----                    ----
[ 43.748688]   lock((&dio->complete_work));
[ 43.752892]                                lock("dio/%s"sb->s_id);
[ 43.759181]                                lock((&dio->complete_work));
[ 43.766246]   lock(&sb->s_type->i_mutex_key#9);
[ 43.770894]
[ 43.770894]  *** DEADLOCK ***
[ 43.770894]
[ 43.777039] 2 locks held by kworker/1:1/68:
[ 43.781329]  #0: ("dio/%s"sb->s_id){+.+.}, at: [] process_one_work+0x787/0x15c0
[ 43.790415]  #1: ((&dio->complete_work)){+.+.}, at: [] process_one_work+0x7bf/0x15c0
[ 43.799924]
[ 43.799924] stack backtrace:
[ 43.804402] CPU: 1 PID: 68 Comm: kworker/1:1 Not tainted 4.14.76+ #20
[ 43.810965] Workqueue: dio/sda1 dio_aio_complete_work
[ 43.816142] Call Trace:
[ 43.818711]  dump_stack+0xb9/0x11b
[ 43.822230]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 43.827926]  ? save_trace+0xd6/0x250
[ 43.831618]  __lock_acquire+0x2ff9/0x4320
[ 43.835741]  ? trace_hardirqs_on_caller+0x381/0x520
[ 43.840747]  ? trace_hardirqs_on+0x10/0x10
[ 43.844956]  ? dio_complete+0x1c5/0x800
[ 43.848903]  ? worker_thread+0xdc/0x1000
[ 43.852937]  ? kthread+0x348/0x420
[ 43.856466]  ? ret_from_fork+0x3a/0x50
[ 43.860350]  ? mark_held_locks+0xc2/0x130
[ 43.864655]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 43.869732]  ? trace_hardirqs_on_caller+0x381/0x520
[ 43.874737]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 43.879831]  lock_acquire+0x10f/0x380
[ 43.883612]  ? __generic_file_fsync+0x9e/0x1a0
[ 43.888170]  down_write+0x34/0x90
[ 43.891601]  ? __generic_file_fsync+0x9e/0x1a0
[ 43.896166]  __generic_file_fsync+0x9e/0x1a0
[ 43.900567]  ext4_sync_file+0x39e/0x1050
[ 43.904608]  ? ext4_getfsmap+0x890/0x890
[ 43.908659]  vfs_fsync_range+0x105/0x260
[ 43.912711]  dio_complete+0x621/0x800
[ 43.916492]  ? ext4_update_bh_state+0xe0/0xe0
[ 43.920962]  process_one_work+0x86e/0x15c0
[ 43.925171]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 43.929826]  worker_thread+0xdc/0x1000
[ 43.933695]  ? process_one_work+0x15c0/0x15c0
[ 43.938166]  ? process_one_work+0x15c0/0x15c0
[ 43.942636]  kthread+0x348/0x420
[ 43.945977]  ? kthread_create_on_node+0xe0/0xe0
[ 43.950620]  ret_from_fork+0x3a/0x50
2018/10/17 05:55:50 executed programs: 6
[ 44.450022] hrtimer: interrupt took 15813 ns
2018/10/17 05:55:55 executed programs: 56