[....] Starting OpenBSD Secure Shell server: sshd[   11.892671] random: sshd: uninitialized urandom read (32 bytes read)
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.025766] random: sshd: uninitialized urandom read (32 bytes read)
[   28.448140] audit: type=1400 audit(1537774716.902:6): avc:  denied  { map } for  pid=1771 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   28.492532] random: sshd: uninitialized urandom read (32 bytes read)
[   28.993133] random: sshd: uninitialized urandom read (32 bytes read)
[   29.154458] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
[   34.904797] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   35.006480] audit: type=1400 audit(1537774723.462:7): avc:  denied  { map } for  pid=1789 comm="syz-executor681" path="/root/syz-executor681287859" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   35.102685] 
[   35.104441] ======================================================
[   35.110842] WARNING: possible circular locking dependency detected
[   35.117137] 4.14.71+ #8 Not tainted
[   35.120738] ------------------------------------------------------
[   35.127129] syz-executor681/1793 is trying to acquire lock:
[   35.132812]  (&p->lock){+.+.}, at: [<ffffffff9a5d06c4>] seq_read+0xd4/0x11d0
[   35.140024] 
[   35.140024] but task is already holding lock:
[   35.145973]  (&pipe->mutex/1){+.+.}, at: [<ffffffff9a5726d8>] pipe_lock+0x58/0x70
[   35.153576] 
[   35.153576] which lock already depends on the new lock.
[   35.153576] 
[   35.161865] 
[   35.161865] the existing dependency chain (in reverse order) is:
[   35.169788] 
[   35.169788] -> #2 (&pipe->mutex/1){+.+.}:
[   35.175407]        __mutex_lock+0xf5/0x1480
[   35.179716]        fifo_open+0x156/0x9d0
[   35.183895]        do_dentry_open+0x426/0xda0
[   35.188503]        vfs_open+0x11c/0x210
[   35.192457]        path_openat+0x4eb/0x23a0
[   35.196867]        do_filp_open+0x197/0x270
[   35.201172]        do_open_execat+0x10d/0x5b0
[   35.205645]        do_execveat_common.isra.14+0x6cb/0x1d60
[   35.211403]        SyS_execve+0x34/0x40
[   35.215464]        do_syscall_64+0x19b/0x4b0
[   35.219847]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   35.225528] 
[   35.225528] -> #1 (&sig->cred_guard_mutex){+.+.}:
[   35.231828]        __mutex_lock+0xf5/0x1480
[   35.236134]        do_io_accounting+0x1d7/0x770
[   35.240779]        proc_single_show+0xf1/0x160
[   35.245458]        seq_read+0x4e0/0x11d0
[   35.249493]        __vfs_read+0xf4/0x5b0
[   35.253525]        vfs_read+0x11e/0x330
[   35.257474]        SyS_pread64+0x136/0x160
[   35.261682]        do_syscall_64+0x19b/0x4b0
[   35.266165]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   35.271845] 
[   35.271845] -> #0 (&p->lock){+.+.}:
[   35.276972]        lock_acquire+0x10f/0x380
[   35.281281]        __mutex_lock+0xf5/0x1480
[   35.285675]        seq_read+0xd4/0x11d0
[   35.289630]        proc_reg_read+0xef/0x170
[   35.294023]        do_iter_read+0x3cc/0x580
[   35.298316]        vfs_readv+0xe6/0x150
[   35.302281]        default_file_splice_read+0x495/0x860
[   35.307617]        do_splice_to+0x102/0x150
[   35.311910]        SyS_splice+0xf4d/0x12a0
[   35.316120]        do_syscall_64+0x19b/0x4b0
[   35.320507]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   35.326203] 
[   35.326203] other info that might help us debug this:
[   35.326203] 
[   35.334316] Chain exists of:
[   35.334316]   &p->lock --> &sig->cred_guard_mutex --> &pipe->mutex/1
[   35.334316] 
[   35.345154]  Possible unsafe locking scenario:
[   35.345154] 
[   35.351186]        CPU0                    CPU1
[   35.355826]        ----                    ----
[   35.360464]   lock(&pipe->mutex/1);
[   35.364079]                                lock(&sig->cred_guard_mutex);
[   35.370888]                                lock(&pipe->mutex/1);
[   35.377002]   lock(&p->lock);
[   35.380174] 
[   35.380174]  *** DEADLOCK ***
[   35.380174] 
[   35.386332] 1 lock held by syz-executor681/1793:
[   35.391062]  #0:  (&pipe->mutex/1){+.+.}, at: [<ffffffff9a5726d8>] pipe_lock+0x58/0x70
[   35.399213] 
[   35.399213] stack backtrace:
[   35.403683] CPU: 0 PID: 1793 Comm: syz-executor681 Not tainted 4.14.71+ #8
[   35.411549] Call Trace:
[   35.414216]  dump_stack+0xb9/0x11b
[   35.417847]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[   35.423537]  ? save_trace+0xd6/0x250
[   35.427274]  __lock_acquire+0x2ff9/0x4320
[   35.431402]  ? unwind_next_frame+0xea9/0x1930
[   35.435874]  ? trace_hardirqs_on+0x10/0x10
[   35.440124]  ? __read_once_size_nocheck.constprop.4+0x10/0x10
[   35.445991]  ? __lock_acquire+0x619/0x4320
[   35.450205]  ? __bfs+0x1ab/0x540
[   35.453547]  ? __lock_acquire+0x619/0x4320
[   35.457819]  lock_acquire+0x10f/0x380
[   35.461722]  ? seq_read+0xd4/0x11d0
[   35.465323]  ? seq_read+0xd4/0x11d0
[   35.468930]  __mutex_lock+0xf5/0x1480
[   35.472807]  ? seq_read+0xd4/0x11d0
[   35.476412]  ? seq_read+0xd4/0x11d0
[   35.480015]  ? trace_hardirqs_on+0x10/0x10
[   35.484233]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[   35.489657]  ? __is_insn_slot_addr+0x112/0x1f0
[   35.494209]  ? lock_downgrade+0x560/0x560
[   35.498333]  ? mark_held_locks+0xc2/0x130
[   35.502459]  ? get_page_from_freelist+0x756/0x1ea0
[   35.507363]  ? kasan_unpoison_shadow+0x30/0x40
[   35.511927]  ? get_page_from_freelist+0x113c/0x1ea0
[   35.517021]  ? seq_read+0xd4/0x11d0
[   35.520620]  seq_read+0xd4/0x11d0
[   35.524052]  ? __fsnotify_parent+0xb1/0x300
[   35.528358]  ? seq_lseek+0x3d0/0x3d0
[   35.532061]  ? __inode_security_revalidate+0xd5/0x120
[   35.537227]  ? avc_policy_seqno+0x5/0x10
[   35.541265]  ? seq_lseek+0x3d0/0x3d0
[   35.545097]  proc_reg_read+0xef/0x170
[   35.548884]  ? rw_verify_area+0xdd/0x280
[   35.552920]  do_iter_read+0x3cc/0x580
[   35.556696]  vfs_readv+0xe6/0x150
[   35.560120]  ? compat_rw_copy_check_uvector+0x320/0x320
[   35.565457]  ? kasan_unpoison_shadow+0x30/0x40
[   35.570093]  ? kasan_kmalloc+0x76/0xc0
[   35.573965]  ? iov_iter_get_pages+0xc80/0xc80
[   35.578441]  ? wake_up_q+0xed/0x150
[   35.582051]  default_file_splice_read+0x495/0x860
[   35.586869]  ? trace_hardirqs_on+0x10/0x10
[   35.591080]  ? do_splice_direct+0x220/0x220
[   35.595386]  ? __lock_acquire+0x619/0x4320
[   35.599599]  ? fsnotify+0x639/0x12d0
[   35.603339]  ? lock_acquire+0x10f/0x380
[   35.607296]  ? __fsnotify_parent+0xb1/0x300
[   35.611597]  ? __fsnotify_update_child_dentry_flags.part.0+0x2e0/0x2e0
[   35.618263]  ? __inode_security_revalidate+0xd5/0x120
[   35.623448]  ? avc_policy_seqno+0x5/0x10
[   35.627487]  ? security_file_permission+0x88/0x1e0
[   35.632395]  ? do_splice_direct+0x220/0x220
[   35.636684]  do_splice_to+0x102/0x150
[   35.640523]  SyS_splice+0xf4d/0x12a0
[   35.644220]  ? do_pipe_flags+0x150/0x150
[   35.648408]  ? compat_SyS_vmsplice+0x150/0x150
[   35.653035]  ? _raw_spin_unlock_irq+0x24/0x50
[   35.657511]  ? do_syscall_64+0x43/0x4b0
[   35.661463]  ? compat_SyS_vmsplice+0x150/0x150
[   35.666027]  do_syscall_64+0x19b/0x4b0
[   35.669897]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   35.675062] RIP: 0033:0x4457a9
[   35.678225] RSP: 002b:00007f53ea62fd08 EFLAGS: 00000216 ORIG_RAX: 0000000000000113
[   35.685902] RAX: ffffffffffffffda RBX: 00000000006dac68 RCX: 00000000004457a9
[   35.693344] RDX: 0000000000000005 RSI: 0000000020000240 RDI: 0000000000000006
[   35.700588] RBP: 00000000006dac60 R08: 00000000000001ff R09: 0000000000000000
[   35.707835] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000006dac6c
[   35.715200] R13: 00007f53ea62fd20 R14: 65732f636f72702f R15: 00000000006dad4c