[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 10.093571] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 25.093936] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.445722] audit: type=1400 audit(1539585818.876:6): avc: denied { map } for pid=1764 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 25.489095] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.932870] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.508979] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.
[ 34.197500] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 34.296396] audit: type=1400 audit(1539585827.726:7): avc: denied { map } for pid=1782 comm="syz-executor111" path="/root/syz-executor111458121" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 34.300495]
[ 34.300498] ======================================================
[ 34.300499] WARNING: possible circular locking dependency detected
[ 34.300503] 4.14.76+ #19 Not tainted
[ 34.300505] ------------------------------------------------------
[ 34.300508] syz-executor111/1782 is trying to acquire lock:
[ 34.300510]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[ 34.300529]
[ 34.300529] but task is already holding lock:
[ 34.300530]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 34.300543]
[ 34.300543] which lock already depends on the new lock.
[ 34.300543]
[ 34.300544]
[ 34.300544] the existing dependency chain (in reverse order) is:
[ 34.300546]
[ 34.300546] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 34.300561]        __mutex_lock+0xf5/0x1480
[ 34.300571]        proc_pid_attr_write+0x16b/0x280
[ 34.300576]        __vfs_write+0xf4/0x5c0
[ 34.300581]        __kernel_write+0xf3/0x330
[ 34.300588]        write_pipe_buf+0x192/0x250
[ 34.300592]        __splice_from_pipe+0x324/0x740
[ 34.300597]        splice_from_pipe+0xcf/0x130
[ 34.300601]        default_file_splice_write+0x37/0x80
[ 34.300606]        SyS_splice+0xd06/0x12a0
[ 34.300612]        do_syscall_64+0x19b/0x4b0
[ 34.300618]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.300619]
[ 34.300619] -> #0 (&pipe->mutex/1){+.+.}:
[ 34.300632]        lock_acquire+0x10f/0x380
[ 34.300637]        __mutex_lock+0xf5/0x1480
[ 34.300641]        fifo_open+0x156/0x9d0
[ 34.300646]        do_dentry_open+0x426/0xda0
[ 34.300651]        vfs_open+0x11c/0x210
[ 34.300655]        path_openat+0x4eb/0x23a0
[ 34.300660]        do_filp_open+0x197/0x270
[ 34.300665]        do_open_execat+0x10d/0x5b0
[ 34.300670]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 34.300674]        SyS_execve+0x34/0x40
[ 34.300678]        do_syscall_64+0x19b/0x4b0
[ 34.300683]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.300685]
[ 34.300685] other info that might help us debug this:
[ 34.300685]
[ 34.300686]  Possible unsafe locking scenario:
[ 34.300686]
[ 34.300687]        CPU0                    CPU1
[ 34.300689]        ----                    ----
[ 34.300689]   lock(&sig->cred_guard_mutex);
[ 34.300693]                                lock(&pipe->mutex/1);
[ 34.300697]                                lock(&sig->cred_guard_mutex);
[ 34.300700]   lock(&pipe->mutex/1);
[ 34.300704]
[ 34.300704]  *** DEADLOCK ***
[ 34.300704]
[ 34.300708] 1 lock held by syz-executor111/1782:
[ 34.300709]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 34.300719]
[ 34.300719] stack backtrace:
[ 34.300725] CPU: 0 PID: 1782 Comm: syz-executor111 Not tainted 4.14.76+ #19
[ 34.300728] Call Trace:
[ 34.300736]  dump_stack+0xb9/0x11b
[ 34.300744]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 34.300749]  ? save_trace+0xd6/0x250
[ 34.300755]  __lock_acquire+0x2ff9/0x4320
[ 34.300764]  ? check_preemption_disabled+0x34/0x160
[ 34.300774]  ? trace_hardirqs_on+0x10/0x10
[ 34.300780]  ? trace_hardirqs_on_caller+0x381/0x520
[ 34.300785]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 34.300794]  ? __lock_acquire+0x619/0x4320
[ 34.300799]  ? alloc_pipe_info+0x15b/0x370
[ 34.300803]  ? fifo_open+0x1ef/0x9d0
[ 34.300808]  ? do_dentry_open+0x426/0xda0
[ 34.300813]  ? vfs_open+0x11c/0x210
[ 34.300817]  ? path_openat+0x4eb/0x23a0
[ 34.300824]  lock_acquire+0x10f/0x380
[ 34.300828]  ? fifo_open+0x156/0x9d0
[ 34.300835]  ? fifo_open+0x156/0x9d0
[ 34.300840]  __mutex_lock+0xf5/0x1480
[ 34.300844]  ? fifo_open+0x156/0x9d0
[ 34.300849]  ? fifo_open+0x156/0x9d0
[ 34.300854]  ? dput.part.6+0x3b3/0x710
[ 34.300862]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 34.300871]  ? fs_reclaim_acquire+0x10/0x10
[ 34.300878]  ? fifo_open+0x284/0x9d0
[ 34.300884]  ? lock_downgrade+0x560/0x560
[ 34.300888]  ? lock_acquire+0x10f/0x380
[ 34.300893]  ? fifo_open+0x243/0x9d0
[ 34.300898]  ? debug_mutex_init+0x28/0x53
[ 34.300905]  ? fifo_open+0x156/0x9d0
[ 34.300909]  fifo_open+0x156/0x9d0
[ 34.300916]  do_dentry_open+0x426/0xda0
[ 34.300921]  ? pipe_release+0x240/0x240
[ 34.300929]  vfs_open+0x11c/0x210
[ 34.300936]  path_openat+0x4eb/0x23a0
[ 34.300943]  ? path_mountpoint+0x9a0/0x9a0
[ 34.300953]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 34.300959]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 34.300964]  ? __kmalloc_track_caller+0x104/0x300
[ 34.300971]  ? kmemdup+0x20/0x50
[ 34.300979]  ? security_prepare_creds+0x7c/0xb0
[ 34.300988]  ? prepare_creds+0x225/0x2a0
[ 34.300993]  ? prepare_exec_creds+0xc/0xe0
[ 34.300998]  ? prepare_bprm_creds+0x62/0x110
[ 34.301004]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[ 34.301008]  ? SyS_execve+0x34/0x40
[ 34.301013]  ? do_syscall_64+0x19b/0x4b0
[ 34.301021]  do_filp_open+0x197/0x270
[ 34.301027]  ? may_open_dev+0xd0/0xd0
[ 34.301034]  ? trace_hardirqs_on+0x10/0x10
[ 34.301040]  ? fs_reclaim_acquire+0x10/0x10
[ 34.301052]  ? rcu_read_lock_sched_held+0x102/0x120
[ 34.301059]  do_open_execat+0x10d/0x5b0
[ 34.301066]  ? setup_arg_pages+0x720/0x720
[ 34.301072]  ? do_execveat_common.isra.14+0x68d/0x1d60
[ 34.301077]  ? lock_downgrade+0x560/0x560
[ 34.301082]  ? lock_acquire+0x10f/0x380
[ 34.301089]  ? check_preemption_disabled+0x34/0x160
[ 34.301096]  do_execveat_common.isra.14+0x6cb/0x1d60
[ 34.301105]  ? prepare_bprm_creds+0x110/0x110
[ 34.301111]  ? getname_flags+0x222/0x540
[ 34.301117]  SyS_execve+0x34/0x40
[ 34.301122]  ? setup_new_exec+0x770/0x770
[ 34.301127]  do_syscall_64+0x19b/0x4b0
[ 34.301134]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 34.301138] RIP: 0033:0x440159
[ 34.301141] RSP: 002b:00007fffaf9fd6e8 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[ 34.301148] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440159
[ 34.301151] RDX: 00000000206fcff0 RSI: 0000000020000000 RDI: 0000000020000040
[ 34.301154] RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
[ 34.301157] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019e0
[ 34.301161] R13: 0000000000401a70 R14: 0000000000000000 R15: 0000000000000000