[....] Starting enhanced syslogd: rsyslogd[ 13.613596] audit: type=1400 audit(1546275473.691:4): avc: denied { syslog } for pid=1921 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.98' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 41.037087] [ 41.038849] ====================================================== [ 41.045138] [ INFO: possible circular locking dependency detected ] [ 41.051515] 4.4.169+ #1 Not tainted [ 41.055112] ------------------------------------------------------- [ 41.061486] syz-executor240/2081 is trying to acquire lock: [ 41.067164] (&pipe->mutex/1){+.+.+.}, at: [] fifo_open+0x15d/0xa00 [ 41.075714] [ 41.075714] but task is already holding lock: [ 41.081656] (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 41.091479] [ 41.091479] which lock already depends on the new lock. [ 41.091479] [ 41.099801] [ 41.099801] the existing dependency chain (in reverse order) is: [ 41.107401] -> #1 (&sig->cred_guard_mutex){+.+.+.}: [ 41.113039] [] lock_acquire+0x15e/0x450 [ 41.119278] [] mutex_lock_interruptible_nested+0xd2/0xce0 [ 41.127080] [] proc_pid_attr_write+0x1a8/0x2a0 [ 41.133929] [] __vfs_write+0x116/0x3d0 [ 41.140086] [] __kernel_write+0x112/0x370 [ 41.146519] [] write_pipe_buf+0x15d/0x1f0 [ 41.152985] [] __splice_from_pipe+0x37e/0x7a0 [ 41.159764] [] splice_from_pipe+0x108/0x170 [ 41.166384] [] default_file_splice_write+0x3c/0x80 [ 41.173590] [] SyS_splice+0xd71/0x13a0 [ 41.179745] [] do_fast_syscall_32+0x32d/0xa90 [ 41.186510] [] sysenter_flags_fixed+0xd/0x1a [ 41.193234] -> #0 (&pipe->mutex/1){+.+.+.}: [ 41.198318] [] __lock_acquire+0x37d6/0x4f50 [ 41.204919] [] lock_acquire+0x15e/0x450 [ 41.211161] [] mutex_lock_nested+0xc1/0xb80 [ 41.217743] [] fifo_open+0x15d/0xa00 [ 41.223730] [] do_dentry_open+0x38f/0xbd0 [ 41.230159] [] vfs_open+0x10b/0x210 [ 41.236187] [] path_openat+0x136f/0x4470 [ 41.242525] [] do_filp_open+0x1a1/0x270 [ 41.248768] [] do_open_execat+0x10c/0x6e0 [ 41.255197] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 41.262651] [] compat_SyS_execve+0x48/0x60 [ 41.269161] [] do_fast_syscall_32+0x32d/0xa90 [ 41.275945] [] sysenter_flags_fixed+0xd/0x1a [ 41.282616] [ 41.282616] other info that might help us debug this: [ 41.282616] [ 41.290727] Possible unsafe locking scenario: [ 41.290727] [ 41.296768] CPU0 CPU1 [ 41.301426] ---- ---- [ 41.306061] lock(&sig->cred_guard_mutex); [ 41.310598] lock(&pipe->mutex/1); [ 41.317083] lock(&sig->cred_guard_mutex); [ 41.324140] lock(&pipe->mutex/1); [ 41.328114] [ 41.328114] *** DEADLOCK *** [ 41.328114] [ 41.334147] 1 lock held by syz-executor240/2081: [ 41.338874] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 41.349291] [ 41.349291] stack backtrace: [ 41.353805] CPU: 1 PID: 2081 Comm: syz-executor240 Not tainted 4.4.169+ #1 [ 41.360786] 0000000000000000 deecd4e5285aeb86 ffff8801cf76f4c0 ffffffff81aab9c1 [ 41.368819] ffffffff84055ac0 ffff8800b76aaf80 ffffffff83abb610 ffffffff83ab4860 [ 41.376824] ffffffff83abb610 ffff8801cf76f510 ffffffff813abaf4 ffff8801cf76f5f0 [ 41.384827] Call Trace: [ 41.387404] [] dump_stack+0xc1/0x120 [ 41.392742] [] print_circular_bug.cold+0x2f7/0x44e [ 41.399309] [] __lock_acquire+0x37d6/0x4f50 [ 41.405255] [] ? trace_hardirqs_on+0x10/0x10 [ 41.411285] [] ? do_filp_open+0x1a1/0x270 [ 41.417058] [] ? do_execveat_common.isra.0+0x6f6/0x1e90 [ 41.424045] [] ? compat_SyS_execve+0x48/0x60 [ 41.430076] [] ? do_fast_syscall_32+0x32d/0xa90 [ 41.436367] [] ? sysenter_flags_fixed+0xd/0x1a [ 41.442589] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.449314] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.456053] [] lock_acquire+0x15e/0x450 [ 41.461675] [] ? fifo_open+0x15d/0xa00 [ 41.467209] [] ? fifo_open+0x15d/0xa00 [ 41.472719] [] mutex_lock_nested+0xc1/0xb80 [ 41.478695] [] ? fifo_open+0x15d/0xa00 [ 41.484205] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.490943] [] ? mutex_trylock+0x500/0x500 [ 41.496800] [] ? fifo_open+0x24d/0xa00 [ 41.502309] [] ? fifo_open+0x28c/0xa00 [ 41.507817] [] fifo_open+0x15d/0xa00 [ 41.513153] [] do_dentry_open+0x38f/0xbd0 [ 41.518943] [] ? __inode_permission2+0x9e/0x250 [ 41.525235] [] ? pipe_release+0x250/0x250 [ 41.531008] [] vfs_open+0x10b/0x210 [ 41.536258] [] ? may_open.isra.0+0xe7/0x210 [ 41.542203] [] path_openat+0x136f/0x4470 [ 41.547893] [] ? depot_save_stack+0x1c3/0x5f0 [ 41.554014] [] ? may_open.isra.0+0x210/0x210 [ 41.560058] [] ? kmemdup+0x27/0x60 [ 41.565222] [] ? selinux_cred_prepare+0x43/0xa0 [ 41.571529] [] ? security_prepare_creds+0x83/0xc0 [ 41.577994] [] ? prepare_creds+0x228/0x2b0 [ 41.583852] [] ? prepare_exec_creds+0x12/0xf0 [ 41.589985] [] ? do_execveat_common.isra.0+0x2d6/0x1e90 [ 41.596972] [] ? do_fast_syscall_32+0x32d/0xa90 [ 41.603264] [] ? kasan_kmalloc+0xb7/0xd0 [ 41.608947] [] ? kasan_slab_alloc+0xf/0x20 [ 41.614802] [] ? kmem_cache_alloc+0xdc/0x2c0 [ 41.620833] [] ? prepare_creds+0x28/0x2b0 [ 41.626603] [] ? prepare_exec_creds+0x12/0xf0 [ 41.632718] [] do_filp_open+0x1a1/0x270 [ 41.638326] [] ? save_stack_trace+0x26/0x50 [ 41.644268] [] ? user_path_mountpoint_at+0x50/0x50 [ 41.650817] [] ? compat_SyS_execve+0x48/0x60 [ 41.656859] [] ? do_fast_syscall_32+0x32d/0xa90 [ 41.663151] [] ? sysenter_flags_fixed+0xd/0x1a [ 41.669380] [] ? __lock_acquire+0xa4f/0x4f50 [ 41.675429] [] ? trace_hardirqs_on+0x10/0x10 [ 41.681457] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 41.688269] [] do_open_execat+0x10c/0x6e0 [ 41.694039] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.700785] [] ? setup_arg_pages+0x7b0/0x7b0 [ 41.706819] [] ? do_execveat_common.isra.0+0x6b8/0x1e90 [ 41.713806] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 41.720649] [] ? do_execveat_common.isra.0+0x422/0x1e90 [ 41.727637] [] ? __check_object_size+0x222/0x332 [ 41.734016] [] ? strncpy_from_user+0xe1/0x230