[....] Starting OpenBSD Secure Shell server: sshd[ 11.892671] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] .

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 28.025766] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.448140] audit: type=1400 audit(1537774716.902:6): avc: denied { map } for pid=1771 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 28.492532] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.993133] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.154458] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
[ 34.904797] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 35.006480] audit: type=1400 audit(1537774723.462:7): avc: denied { map } for pid=1789 comm="syz-executor681" path="/root/syz-executor681287859" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 35.102685]
[ 35.104441] ======================================================
[ 35.110842] WARNING: possible circular locking dependency detected
[ 35.117137] 4.14.71+ #8 Not tainted
[ 35.120738] ------------------------------------------------------
[ 35.127129] syz-executor681/1793 is trying to acquire lock:
[ 35.132812]  (&p->lock){+.+.}, at: [] seq_read+0xd4/0x11d0
[ 35.140024]
[ 35.140024] but task is already holding lock:
[ 35.145973]  (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70
[ 35.153576]
[ 35.153576] which lock already depends on the new lock.
[ 35.153576]
[ 35.161865]
[ 35.161865] the existing dependency chain (in reverse order) is:
[ 35.169788]
[ 35.169788] -> #2 (&pipe->mutex/1){+.+.}:
[ 35.175407]        __mutex_lock+0xf5/0x1480
[ 35.179716]        fifo_open+0x156/0x9d0
[ 35.183895]        do_dentry_open+0x426/0xda0
[ 35.188503]        vfs_open+0x11c/0x210
[ 35.192457]        path_openat+0x4eb/0x23a0
[ 35.196867]        do_filp_open+0x197/0x270
[ 35.201172]        do_open_execat+0x10d/0x5b0
[ 35.205645]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 35.211403]        SyS_execve+0x34/0x40
[ 35.215464]        do_syscall_64+0x19b/0x4b0
[ 35.219847]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.225528]
[ 35.225528] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 35.231828]        __mutex_lock+0xf5/0x1480
[ 35.236134]        do_io_accounting+0x1d7/0x770
[ 35.240779]        proc_single_show+0xf1/0x160
[ 35.245458]        seq_read+0x4e0/0x11d0
[ 35.249493]        __vfs_read+0xf4/0x5b0
[ 35.253525]        vfs_read+0x11e/0x330
[ 35.257474]        SyS_pread64+0x136/0x160
[ 35.261682]        do_syscall_64+0x19b/0x4b0
[ 35.266165]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.271845]
[ 35.271845] -> #0 (&p->lock){+.+.}:
[ 35.276972]        lock_acquire+0x10f/0x380
[ 35.281281]        __mutex_lock+0xf5/0x1480
[ 35.285675]        seq_read+0xd4/0x11d0
[ 35.289630]        proc_reg_read+0xef/0x170
[ 35.294023]        do_iter_read+0x3cc/0x580
[ 35.298316]        vfs_readv+0xe6/0x150
[ 35.302281]        default_file_splice_read+0x495/0x860
[ 35.307617]        do_splice_to+0x102/0x150
[ 35.311910]        SyS_splice+0xf4d/0x12a0
[ 35.316120]        do_syscall_64+0x19b/0x4b0
[ 35.320507]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.326203]
[ 35.326203] other info that might help us debug this:
[ 35.326203]
[ 35.334316] Chain exists of:
[ 35.334316]   &p->lock --> &sig->cred_guard_mutex --> &pipe->mutex/1
[ 35.334316]
[ 35.345154]  Possible unsafe locking scenario:
[ 35.345154]
[ 35.351186]        CPU0                    CPU1
[ 35.355826]        ----                    ----
[ 35.360464]   lock(&pipe->mutex/1);
[ 35.364079]                                lock(&sig->cred_guard_mutex);
[ 35.370888]                                lock(&pipe->mutex/1);
[ 35.377002]   lock(&p->lock);
[ 35.380174]
[ 35.380174]  *** DEADLOCK ***
[ 35.380174]
[ 35.386332] 1 lock held by syz-executor681/1793:
[ 35.391062]  #0:  (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70
[ 35.399213]
[ 35.399213] stack backtrace:
[ 35.403683] CPU: 0 PID: 1793 Comm: syz-executor681 Not tainted 4.14.71+ #8
[ 35.411549] Call Trace:
[ 35.414216]  dump_stack+0xb9/0x11b
[ 35.417847]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 35.423537]  ? save_trace+0xd6/0x250
[ 35.427274]  __lock_acquire+0x2ff9/0x4320
[ 35.431402]  ? unwind_next_frame+0xea9/0x1930
[ 35.435874]  ? trace_hardirqs_on+0x10/0x10
[ 35.440124]  ? __read_once_size_nocheck.constprop.4+0x10/0x10
[ 35.445991]  ? __lock_acquire+0x619/0x4320
[ 35.450205]  ? __bfs+0x1ab/0x540
[ 35.453547]  ? __lock_acquire+0x619/0x4320
[ 35.457819]  lock_acquire+0x10f/0x380
[ 35.461722]  ? seq_read+0xd4/0x11d0
[ 35.465323]  ? seq_read+0xd4/0x11d0
[ 35.468930]  __mutex_lock+0xf5/0x1480
[ 35.472807]  ? seq_read+0xd4/0x11d0
[ 35.476412]  ? seq_read+0xd4/0x11d0
[ 35.480015]  ? trace_hardirqs_on+0x10/0x10
[ 35.484233]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 35.489657]  ? __is_insn_slot_addr+0x112/0x1f0
[ 35.494209]  ? lock_downgrade+0x560/0x560
[ 35.498333]  ? mark_held_locks+0xc2/0x130
[ 35.502459]  ? get_page_from_freelist+0x756/0x1ea0
[ 35.507363]  ? kasan_unpoison_shadow+0x30/0x40
[ 35.511927]  ? get_page_from_freelist+0x113c/0x1ea0
[ 35.517021]  ? seq_read+0xd4/0x11d0
[ 35.520620]  seq_read+0xd4/0x11d0
[ 35.524052]  ? __fsnotify_parent+0xb1/0x300
[ 35.528358]  ? seq_lseek+0x3d0/0x3d0
[ 35.532061]  ? __inode_security_revalidate+0xd5/0x120
[ 35.537227]  ? avc_policy_seqno+0x5/0x10
[ 35.541265]  ? seq_lseek+0x3d0/0x3d0
[ 35.545097]  proc_reg_read+0xef/0x170
[ 35.548884]  ? rw_verify_area+0xdd/0x280
[ 35.552920]  do_iter_read+0x3cc/0x580
[ 35.556696]  vfs_readv+0xe6/0x150
[ 35.560120]  ? compat_rw_copy_check_uvector+0x320/0x320
[ 35.565457]  ? kasan_unpoison_shadow+0x30/0x40
[ 35.570093]  ? kasan_kmalloc+0x76/0xc0
[ 35.573965]  ? iov_iter_get_pages+0xc80/0xc80
[ 35.578441]  ? wake_up_q+0xed/0x150
[ 35.582051]  default_file_splice_read+0x495/0x860
[ 35.586869]  ? trace_hardirqs_on+0x10/0x10
[ 35.591080]  ? do_splice_direct+0x220/0x220
[ 35.595386]  ? __lock_acquire+0x619/0x4320
[ 35.599599]  ? fsnotify+0x639/0x12d0
[ 35.603339]  ? lock_acquire+0x10f/0x380
[ 35.607296]  ? __fsnotify_parent+0xb1/0x300
[ 35.611597]  ? __fsnotify_update_child_dentry_flags.part.0+0x2e0/0x2e0
[ 35.618263]  ? __inode_security_revalidate+0xd5/0x120
[ 35.623448]  ? avc_policy_seqno+0x5/0x10
[ 35.627487]  ? security_file_permission+0x88/0x1e0
[ 35.632395]  ? do_splice_direct+0x220/0x220
[ 35.636684]  do_splice_to+0x102/0x150
[ 35.640523]  SyS_splice+0xf4d/0x12a0
[ 35.644220]  ? do_pipe_flags+0x150/0x150
[ 35.648408]  ? compat_SyS_vmsplice+0x150/0x150
[ 35.653035]  ? _raw_spin_unlock_irq+0x24/0x50
[ 35.657511]  ? do_syscall_64+0x43/0x4b0
[ 35.661463]  ? compat_SyS_vmsplice+0x150/0x150
[ 35.666027]  do_syscall_64+0x19b/0x4b0
[ 35.669897]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 35.675062] RIP: 0033:0x4457a9
[ 35.678225] RSP: 002b:00007f53ea62fd08 EFLAGS: 00000216 ORIG_RAX: 0000000000000113
[ 35.685902] RAX: ffffffffffffffda RBX: 00000000006dac68 RCX: 00000000004457a9
[ 35.693344] RDX: 0000000000000005 RSI: 0000000020000240 RDI: 0000000000000006
[ 35.700588] RBP: 00000000006dac60 R08: 00000000000001ff R09: 0000000000000000
[ 35.707835] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000006dac6c
[ 35.715200] R13: 00007f53ea62fd20 R14: 65732f636f72702f R15: 00000000006dad4c