[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 22.185825] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.532385] audit: type=1400 audit(1546208637.904:6): avc: denied { map } for pid=1764 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 22.566501] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.087272] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.242675] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.92' (ECDSA) to the list of known hosts.
[ 28.759063] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 28.850314] audit: type=1400 audit(1546208644.224:7): avc: denied { map } for pid=1776 comm="syz-executor225" path="/root/syz-executor225115656" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 28.899940]
[ 28.901607] ======================================================
[ 28.907901] WARNING: possible circular locking dependency detected
[ 28.914297] 4.14.91+ #30 Not tainted
[ 28.917985] ------------------------------------------------------
[ 28.924291] syz-executor225/1778 is trying to acquire lock:
[ 28.929998]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[ 28.937780]
[ 28.937780] but task is already holding lock:
[ 28.943729]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 28.952905]
[ 28.952905] which lock already depends on the new lock.
[ 28.952905]
[ 28.961204]
[ 28.961204] the existing dependency chain (in reverse order) is:
[ 28.968802]
[ 28.968802] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 28.975116]        __mutex_lock+0xf5/0x1480
[ 28.979417]        proc_pid_attr_write+0x16b/0x280
[ 28.984425]        __vfs_write+0xf4/0x5c0
[ 28.988549]        __kernel_write+0xf3/0x330
[ 28.992933]        write_pipe_buf+0x192/0x250
[ 28.997534]        __splice_from_pipe+0x324/0x740
[ 29.002359]        splice_from_pipe+0xcf/0x130
[ 29.006925]        default_file_splice_write+0x37/0x80
[ 29.012178]        SyS_splice+0xd06/0x12a0
[ 29.016530]        do_syscall_64+0x19b/0x4b0
[ 29.020920]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.026708]
[ 29.026708] -> #0 (&pipe->mutex/1){+.+.}:
[ 29.032330]        lock_acquire+0x10f/0x380
[ 29.036630]        __mutex_lock+0xf5/0x1480
[ 29.040988]        fifo_open+0x156/0x9d0
[ 29.045036]        do_dentry_open+0x426/0xda0
[ 29.049580]        vfs_open+0x11c/0x210
[ 29.053543]        path_openat+0x5f9/0x2930
[ 29.057851]        do_filp_open+0x197/0x270
[ 29.062153]        do_open_execat+0x10d/0x5b0
[ 29.066757]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 29.072363]        SyS_execve+0x34/0x40
[ 29.076314]        do_syscall_64+0x19b/0x4b0
[ 29.080707]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.086518]
[ 29.086518] other info that might help us debug this:
[ 29.086518]
[ 29.094647]  Possible unsafe locking scenario:
[ 29.094647]
[ 29.100794]        CPU0                    CPU1
[ 29.105435]        ----                    ----
[ 29.110078]   lock(&sig->cred_guard_mutex);
[ 29.114373]                                lock(&pipe->mutex/1);
[ 29.120493]                                lock(&sig->cred_guard_mutex);
[ 29.127416]   lock(&pipe->mutex/1);
[ 29.131021]
[ 29.131021]  *** DEADLOCK ***
[ 29.131021]
[ 29.137195] 1 lock held by syz-executor225/1778:
[ 29.141932]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 29.151739]
[ 29.151739] stack backtrace:
[ 29.156215] CPU: 1 PID: 1778 Comm: syz-executor225 Not tainted 4.14.91+ #30
[ 29.163289] Call Trace:
[ 29.165888]  dump_stack+0xb9/0x11b
[ 29.169423]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 29.175110]  ? save_trace+0xd6/0x250
[ 29.178804]  __lock_acquire+0x2ff9/0x4320
[ 29.182932]  ? check_preemption_disabled+0x34/0x1e0
[ 29.187936]  ? trace_hardirqs_on+0x10/0x10
[ 29.192147]  ? trace_hardirqs_on_caller+0x381/0x520
[ 29.197141]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 29.202230]  ? __kmalloc+0x153/0x340
[ 29.205938]  ? alloc_pipe_info+0x15b/0x370
[ 29.210148]  ? fifo_open+0x1ef/0x9d0
[ 29.213922]  ? do_dentry_open+0x426/0xda0
[ 29.218058]  ? vfs_open+0x11c/0x210
[ 29.221711]  ? path_openat+0x5f9/0x2930
[ 29.225676]  ? do_filp_open+0x197/0x270
[ 29.229630]  lock_acquire+0x10f/0x380
[ 29.233410]  ? fifo_open+0x156/0x9d0
[ 29.237207]  ? fifo_open+0x156/0x9d0
[ 29.240898]  __mutex_lock+0xf5/0x1480
[ 29.244676]  ? fifo_open+0x156/0x9d0
[ 29.248369]  ? fifo_open+0x156/0x9d0
[ 29.252060]  ? fsnotify+0x773/0x1200
[ 29.255755]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 29.261183]  ? fs_reclaim_acquire+0x10/0x10
[ 29.265488]  ? fifo_open+0x284/0x9d0
[ 29.269176]  ? lock_downgrade+0x560/0x560
[ 29.273323]  ? lock_acquire+0x10f/0x380
[ 29.277279]  ? fifo_open+0x243/0x9d0
[ 29.280969]  ? debug_mutex_init+0x28/0x53
[ 29.285091]  ? fifo_open+0x156/0x9d0
[ 29.288780]  fifo_open+0x156/0x9d0
[ 29.292329]  do_dentry_open+0x426/0xda0
[ 29.296385]  ? pipe_release+0x240/0x240
[ 29.300454]  vfs_open+0x11c/0x210
[ 29.303890]  path_openat+0x5f9/0x2930
[ 29.307672]  ? path_mountpoint+0x9a0/0x9a0
[ 29.311884]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 29.316363]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 29.320837]  ? __kmalloc_track_caller+0x104/0x300
[ 29.325664]  ? kmemdup+0x20/0x50
[ 29.329011]  ? security_prepare_creds+0x7c/0xb0
[ 29.333808]  ? prepare_creds+0x225/0x2a0
[ 29.337966]  ? prepare_exec_creds+0xc/0xe0
[ 29.342178]  ? prepare_bprm_creds+0x62/0x110
[ 29.346560]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[ 29.351978]  ? SyS_execve+0x34/0x40
[ 29.355588]  ? do_syscall_64+0x19b/0x4b0
[ 29.359836]  do_filp_open+0x197/0x270
[ 29.363619]  ? may_open_dev+0xd0/0xd0
[ 29.367403]  ? trace_hardirqs_on+0x10/0x10
[ 29.371762]  ? fs_reclaim_acquire+0x10/0x10
[ 29.376076]  ? rcu_read_lock_sched_held+0x102/0x120
[ 29.381075]  do_open_execat+0x10d/0x5b0
[ 29.385032]  ? setup_arg_pages+0x720/0x720
[ 29.389244]  ? do_execveat_common.isra.14+0x68d/0x1d60
[ 29.394498]  ? lock_downgrade+0x560/0x560
[ 29.398623]  ? lock_acquire+0x10f/0x380
[ 29.402572]  ? check_preemption_disabled+0x34/0x1e0
[ 29.407565]  do_execveat_common.isra.14+0x6cb/0x1d60
[ 29.412664]  ? prepare_bprm_creds+0x110/0x110
[ 29.417262]  ? getname_flags+0x222/0x540
[ 29.421314]  SyS_execve+0x34/0x40
[ 29.424740]  ? setup_new_exec+0x770/0x770
[ 29.428887]  do_syscall_64+0x19b/0x4b0
[ 29.432758]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.437922] RIP: 0033:0x445709
[ 29.441087] RSP: 002b:00007fcfa1e00da8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
[ 29.449002] RAX: ffffffffffffffda RBX: 000000000