[   24.602293] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   26.093789] random: sshd: uninitialized urandom read (32 bytes read)
[   26.360554] random: sshd: uninitialized urandom read (32 bytes read)
[   26.811316] random: sshd: uninitialized urandom read (32 bytes read)
[   34.232197] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.180' (ECDSA) to the list of known hosts.
[   39.739083] random: sshd: uninitialized urandom read (32 bytes read)
[   39.896158] kauditd_printk_skb: 5 callbacks suppressed
[   39.896164] audit: type=1400 audit(1566332104.963:36): avc:  denied  { map } for  pid=6509 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2019/08/20 20:15:05 parsed 1 programs
[   40.577730] audit: type=1400 audit(1566332105.643:37): avc:  denied  { map } for  pid=6509 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=19 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[   41.103867] random: cc1: uninitialized urandom read (8 bytes read)
2019/08/20 20:15:07 executed programs: 0
[   41.991620] audit: type=1400 audit(1566332107.063:38): avc:  denied  { map } for  pid=6509 comm="syz-execprog" path="/root/syzkaller-shm271771027" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[   42.250854] IPVS: ftp: loaded support on port[0] = 21
[   43.066737] chnl_net:caif_netlink_parms(): no params data found
[   43.091542] bridge0: port 1(bridge_slave_0) entered blocking state
[   43.098023] bridge0: port 1(bridge_slave_0) entered disabled state
[   43.104798] device bridge_slave_0 entered promiscuous mode
[   43.111377] bridge0: port 2(bridge_slave_1) entered blocking state
[   43.117727] bridge0: port 2(bridge_slave_1) entered disabled state
[   43.124588] device bridge_slave_1 entered promiscuous mode
[   43.136808] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   43.145015] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   43.158091] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   43.165100] team0: Port device team_slave_0 added
[   43.170313] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   43.177717] team0: Port device team_slave_1 added
[   43.183097] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   43.190724] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   43.241424] device hsr_slave_0 entered promiscuous mode
[   43.290237] device hsr_slave_1 entered promiscuous mode
[   43.330421] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   43.337562] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   43.349808] bridge0: port 2(bridge_slave_1) entered blocking state
[   43.356593] bridge0: port 2(bridge_slave_1) entered forwarding state
[   43.363507] bridge0: port 1(bridge_slave_0) entered blocking state
[   43.369829] bridge0: port 1(bridge_slave_0) entered forwarding state
[   43.392804] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   43.398990] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.406859] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.414840] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.433040] bridge0: port 1(bridge_slave_0) entered disabled state
[   43.440121] bridge0: port 2(bridge_slave_1) entered disabled state
[   43.449065] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   43.455247] 8021q: adding VLAN 0 to HW filter on device team0
[   43.462582] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   43.470340] bridge0: port 1(bridge_slave_0) entered blocking state
[   43.476655] bridge0: port 1(bridge_slave_0) entered forwarding state
[   43.490625] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   43.498520] bridge0: port 2(bridge_slave_1) entered blocking state
[   43.504859] bridge0: port 2(bridge_slave_1) entered forwarding state
[   43.511893] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   43.519361] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   43.526818] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   43.534484] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   43.542440] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   43.551356] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   43.557591] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   43.567829] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[   43.577334] 8021q: adding VLAN 0 to HW filter on device batadv0
[   44.070806] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   44.991090] 
[   44.992722] ======================================================
[   44.999004] WARNING: possible circular locking dependency detected
[   45.005466] 4.14.139 #35 Not tainted
[   45.009144] ------------------------------------------------------
[   45.015557] syz-executor.0/6539 is trying to acquire lock:
[   45.021146]  (event_mutex){+.+.}, at: [<ffffffff8162b4c8>] perf_trace_init+0x58/0xaa0
[   45.029090] 
[   45.029090] but task is already holding lock:
[   45.035024]  (&cpuctx_mutex/1){+.+.}, at: [<ffffffff816bb420>] perf_event_ctx_lock_nested+0x150/0x2c0
[   45.044352] 
[   45.044352] which lock already depends on the new lock.
[   45.044352] 
[   45.052748] 
[   45.052748] the existing dependency chain (in reverse order) is:
[   45.060335] 
[   45.060335] -> #5 (&cpuctx_mutex/1){+.+.}:
[   45.066022]        lock_acquire+0x16f/0x430
[   45.070312]        __mutex_lock+0xe8/0x1470
[   45.074597]        mutex_lock_nested+0x16/0x20
[   45.079148]        SYSC_perf_event_open+0x134c/0x2610
[   45.084308]        SyS_perf_event_open+0x34/0x40
[   45.089276]        do_syscall_64+0x1e8/0x640
[   45.093656]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.099331] 
[   45.099331] -> #4 (&cpuctx_mutex){+.+.}:
[   45.104840]        lock_acquire+0x16f/0x430
[   45.109247]        __mutex_lock+0xe8/0x1470
[   45.113535]        mutex_lock_nested+0x16/0x20
[   45.118084]        perf_event_init_cpu+0xc2/0x170
[   45.122895]        perf_event_init+0x2d8/0x31a
[   45.127452]        start_kernel+0x3b6/0x6fd
[   45.131742]        x86_64_start_reservations+0x29/0x2b
[   45.136989]        x86_64_start_kernel+0x77/0x7b
[   45.141855]        secondary_startup_64+0xa5/0xb0
[   45.146664] 
[   45.146664] -> #3 (pmus_lock){+.+.}:
[   45.151825]        lock_acquire+0x16f/0x430
[   45.156226]        __mutex_lock+0xe8/0x1470
[   45.160521]        mutex_lock_nested+0x16/0x20
[   45.165069]        perf_event_init_cpu+0x2f/0x170
[   45.170014]        cpuhp_invoke_callback+0x1ea/0x1ab0
[   45.175173]        _cpu_up+0x228/0x530
[   45.179024]        do_cpu_up+0x121/0x150
[   45.183050]        cpu_up+0x1b/0x20
[   45.186647]        smp_init+0x157/0x170
[   45.190589]        kernel_init_freeable+0x30b/0x532
[   45.195569]        kernel_init+0x12/0x162
[   45.199681]        ret_from_fork+0x24/0x30
[   45.203881] 
[   45.203881] -> #2 (cpu_hotplug_lock.rw_sem){++++}:
[   45.210257]        lock_acquire+0x16f/0x430
[   45.214543]        cpus_read_lock+0x3d/0xc0
[   45.218832]        static_key_slow_inc+0x13/0x30
[   45.223552]        tracepoint_probe_register_prio+0x4d6/0x6d0
[   45.229401]        tracepoint_probe_register+0x2b/0x40
[   45.234829]        trace_event_reg+0x277/0x330
[   45.239378]        perf_trace_init+0x449/0xaa0
[   45.243926]        perf_tp_event_init+0x7d/0xf0
[   45.248561]        perf_try_init_event+0x164/0x200
[   45.253454]        perf_event_alloc.part.0+0xd90/0x25b0
[   45.258780]        SYSC_perf_event_open+0xad1/0x2610
[   45.263957]        SyS_perf_event_open+0x34/0x40
[   45.268679]        do_syscall_64+0x1e8/0x640
[   45.273054]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.278730] 
[   45.278730] -> #1 (tracepoints_mutex){+.+.}:
[   45.284585]        lock_acquire+0x16f/0x430
[   45.288870]        __mutex_lock+0xe8/0x1470
[   45.293158]        mutex_lock_nested+0x16/0x20
[   45.297706]        tracepoint_probe_register_prio+0x36/0x6d0
[   45.303470]        tracepoint_probe_register+0x2b/0x40
[   45.308713]        trace_event_reg+0x277/0x330
[   45.313270]        perf_trace_init+0x449/0xaa0
[   45.317826]        perf_tp_event_init+0x7d/0xf0
[   45.322463]        perf_try_init_event+0x164/0x200
[   45.327358]        perf_event_alloc.part.0+0xd90/0x25b0
[   45.332813]        SYSC_perf_event_open+0xad1/0x2610
[   45.337882]        SyS_perf_event_open+0x34/0x40
[   45.342605]        do_syscall_64+0x1e8/0x640
[   45.346979]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.352651] 
[   45.352651] -> #0 (event_mutex){+.+.}:
[   45.358110]        __lock_acquire+0x2cb3/0x4620
[   45.362747]        lock_acquire+0x16f/0x430
[   45.367034]        __mutex_lock+0xe8/0x1470
[   45.371322]        mutex_lock_nested+0x16/0x20
[   45.376111]        perf_trace_init+0x58/0xaa0
[   45.380575]        perf_tp_event_init+0x7d/0xf0
[   45.385208]        perf_try_init_event+0xe6/0x200
[   45.390014]        perf_event_alloc.part.0+0xd90/0x25b0
[   45.395342]        SYSC_perf_event_open+0xad1/0x2610
[   45.400410]        SyS_perf_event_open+0x34/0x40
[   45.405137]        do_syscall_64+0x1e8/0x640
[   45.409513]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.415205] 
[   45.415205] other info that might help us debug this:
[   45.415205] 
[   45.423464] Chain exists of:
[   45.423464]   event_mutex --> &cpuctx_mutex --> &cpuctx_mutex/1
[   45.423464] 
[   45.433837]  Possible unsafe locking scenario:
[   45.433837] 
[   45.439975]        CPU0                    CPU1
[   45.444608]        ----                    ----
[   45.449239]   lock(&cpuctx_mutex/1);
[   45.452919]                                lock(&cpuctx_mutex);
[   45.458941]                                lock(&cpuctx_mutex/1);
[   45.465307]   lock(event_mutex);
[   45.468650] 
[   45.468650]  *** DEADLOCK ***
[   45.468650] 
[   45.474677] 2 locks held by syz-executor.0/6539:
[   45.479399]  #0:  (&pmus_srcu){....}, at: [<ffffffff816bf9ea>] perf_event_alloc.part.0+0xbaa/0x25b0
[   45.488559]  #1:  (&cpuctx_mutex/1){+.+.}, at: [<ffffffff816bb420>] perf_event_ctx_lock_nested+0x150/0x2c0
[   45.498323] 
[   45.498323] stack backtrace:
[   45.502792] CPU: 1 PID: 6539 Comm: syz-executor.0 Not tainted 4.14.139 #35
[   45.509772] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   45.519093] Call Trace:
[   45.521648]  dump_stack+0x138/0x19c
[   45.525242]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[   45.530572]  __lock_acquire+0x2cb3/0x4620
[   45.534688]  ? trace_hardirqs_on+0x10/0x10
[   45.538891]  ? trace_hardirqs_on+0x10/0x10
[   45.543096]  lock_acquire+0x16f/0x430
[   45.546862]  ? perf_trace_init+0x58/0xaa0
[   45.550977]  ? perf_trace_init+0x58/0xaa0
[   45.555089]  __mutex_lock+0xe8/0x1470
[   45.558857]  ? perf_trace_init+0x58/0xaa0
[   45.562972]  ? perf_event_ctx_lock_nested+0x150/0x2c0
[   45.568127]  ? perf_trace_init+0x58/0xaa0
[   45.572242]  ? __mutex_lock+0x36a/0x1470
[   45.576269]  ? trace_hardirqs_on+0x10/0x10
[   45.580601]  ? perf_try_init_event+0xf2/0x200
[   45.585330]  ? mutex_trylock+0x1c0/0x1c0
[   45.589522]  ? perf_event_ctx_lock_nested+0x150/0x2c0
[   45.594696]  ? perf_try_init_event+0xf2/0x200
[   45.599158]  ? mutex_trylock+0x1c0/0x1c0
[   45.603184]  ? find_held_lock+0x35/0x130
[   45.607211]  ? perf_event_ctx_lock_nested+0x119/0x2c0
[   45.612368]  mutex_lock_nested+0x16/0x20
[   45.616395]  ? lock_downgrade+0x6e0/0x6e0
[   45.620509]  ? mutex_lock_nested+0x16/0x20
[   45.624711]  perf_trace_init+0x58/0xaa0
[   45.628774]  ? mutex_lock_nested+0x16/0x20
[   45.632978]  perf_tp_event_init+0x7d/0xf0
[   45.637094]  perf_try_init_event+0xe6/0x200
[   45.641381]  perf_event_alloc.part.0+0xd90/0x25b0
[   45.646190]  SYSC_perf_event_open+0xad1/0x2610
[   45.650743]  ? perf_event_set_output+0x460/0x460
[   45.655467]  ? SyS_clock_gettime+0xf8/0x180
[   45.659759]  SyS_perf_event_open+0x34/0x40
[   45.663960]  ? perf_bp_event+0x170/0x170
[   45.667988]  do_syscall_64+0x1e8/0x640
[   45.671841]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   45.676651]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.681810] RIP: 0033:0x459829
[   45.684967] RSP: 002b:00007f2c7d17ec78 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
[   45.692642] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459829
[   45.699882] RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000020000200
[   45.707121] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[   45.714356] R10: 0000000000000003 R11: 0000000000000246 R12: 00007f2c7d17f6d4
[   45.721716] R13: 00000000004c6684 R14: 00000000004db6b8 R15: 00000000ffffffff