[....] Starting OpenBSD Secure Shell server: sshd
[   11.112412] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.490764] random: sshd: uninitialized urandom read (32 bytes read)
[   22.943831] audit: type=1400 audit(1544941157.384:6): avc:  denied  { map } for  pid=1763 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   22.978839] random: sshd: uninitialized urandom read (32 bytes read)
[   23.485615] random: sshd: uninitialized urandom read (32 bytes read)
[   23.643370] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.113' (ECDSA) to the list of known hosts.
[   29.173049] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   29.260194] audit: type=1400 audit(1544941163.694:7): avc:  denied  { map } for  pid=1775 comm="syz-executor195" path="/root/syz-executor195330336" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   29.289865] 
[   29.291488] ======================================================
[   29.297776] WARNING: possible circular locking dependency detected
[   29.304064] 4.14.88+ #23 Not tainted
[   29.307763] ------------------------------------------------------
[   29.314121] syz-executor195/1775 is trying to acquire lock:
[   29.319804]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[   29.327582] 
[   29.327582] but task is already holding lock:
[   29.333522]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[   29.342685] 
[   29.342685] which lock already depends on the new lock.
[   29.342685] 
[   29.350972] 
[   29.350972] the existing dependency chain (in reverse order) is:
[   29.358633] 
[   29.358633] -> #2 (&sig->cred_guard_mutex){+.+.}:
[   29.364984]        __mutex_lock+0xf5/0x1480
[   29.369289]        lock_trace+0x3f/0xc0
[   29.373236]        proc_pid_syscall+0xa2/0x240
[   29.377793]        proc_single_show+0xf1/0x160
[   29.382708]        seq_read+0x4e0/0x11d0
[   29.386745]        do_iter_read+0x3cc/0x580
[   29.391040]        vfs_readv+0xe6/0x150
[   29.394987]        do_preadv+0x187/0x230
[   29.399018]        do_syscall_64+0x19b/0x4b0
[   29.403410]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.409092] 
[   29.409092] -> #1 (&p->lock){+.+.}:
[   29.414179]        __mutex_lock+0xf5/0x1480
[   29.418483]        seq_read+0xd4/0x11d0
[   29.422433]        proc_reg_read+0xef/0x170
[   29.426728]        do_iter_read+0x3cc/0x580
[   29.431128]        vfs_readv+0xe6/0x150
[   29.435077]        default_file_splice_read+0x495/0x860
[   29.440424]        do_splice_to+0x102/0x150
[   29.444720]        SyS_splice+0xf4d/0x12a0
[   29.448927]        do_syscall_64+0x19b/0x4b0
[   29.453312]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.458994] 
[   29.458994] -> #0 (&pipe->mutex/1){+.+.}:
[   29.464598]        lock_acquire+0x10f/0x380
[   29.468893]        __mutex_lock+0xf5/0x1480
[   29.473188]        fifo_open+0x156/0x9d0
[   29.477222]        do_dentry_open+0x426/0xda0
[   29.481690]        vfs_open+0x11c/0x210
[   29.485635]        path_openat+0x5f9/0x2930
[   29.489925]        do_filp_open+0x197/0x270
[   29.494222]        do_open_execat+0x10d/0x5b0
[   29.498691]        do_execveat_common.isra.14+0x6cb/0x1d60
[   29.504290]        SyS_execve+0x34/0x40
[   29.508238]        do_syscall_64+0x19b/0x4b0
[   29.512622]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.518306] 
[   29.518306] other info that might help us debug this:
[   29.518306] 
[   29.526426] Chain exists of:
[   29.526426]   &pipe->mutex/1 --> &p->lock --> &sig->cred_guard_mutex
[   29.526426] 
[   29.537242]  Possible unsafe locking scenario:
[   29.537242] 
[   29.543311]        CPU0                    CPU1
[   29.547957]        ----                    ----
[   29.552595]   lock(&sig->cred_guard_mutex);
[   29.556892]                                lock(&p->lock);
[   29.562488]                                lock(&sig->cred_guard_mutex);
[   29.569297]   lock(&pipe->mutex/1);
[   29.572937] 
[   29.572937]  *** DEADLOCK ***
[   29.572937] 
[   29.578977] 1 lock held by syz-executor195/1775:
[   29.583744]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[   29.593356] 
[   29.593356] stack backtrace:
[   29.597831] CPU: 0 PID: 1775 Comm: syz-executor195 Not tainted 4.14.88+ #23
[   29.604904] Call Trace:
[   29.607469]  dump_stack+0xb9/0x11b
[   29.610988]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[   29.616676]  ? save_trace+0xd6/0x250
[   29.620365]  __lock_acquire+0x2ff9/0x4320
[   29.624488]  ? check_preemption_disabled+0x34/0x1e0
[   29.629483]  ? trace_hardirqs_on+0x10/0x10
[   29.633689]  ? trace_hardirqs_on_caller+0x381/0x520
[   29.638680]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[   29.643763]  ? __kmalloc+0x153/0x340
[   29.647450]  ? alloc_pipe_info+0x15b/0x370
[   29.651658]  ? fifo_open+0x1ef/0x9d0
[   29.655347]  ? do_dentry_open+0x426/0xda0
[   29.659469]  ? vfs_open+0x11c/0x210
[   29.663071]  ? path_openat+0x5f9/0x2930
[   29.667019]  ? do_filp_open+0x197/0x270
[   29.670968]  lock_acquire+0x10f/0x380
[   29.674741]  ? fifo_open+0x156/0x9d0
[   29.678432]  ? fifo_open+0x156/0x9d0
[   29.682124]  __mutex_lock+0xf5/0x1480
[   29.685899]  ? fifo_open+0x156/0x9d0
[   29.689582]  ? fifo_open+0x156/0x9d0
[   29.693277]  ? fsnotify+0x773/0x1200
[   29.696969]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[   29.702394]  ? fs_reclaim_acquire+0x10/0x10
[   29.706697]  ? fifo_open+0x284/0x9d0
[   29.710391]  ? lock_downgrade+0x560/0x560
[   29.714520]  ? lock_acquire+0x10f/0x380
[   29.718467]  ? fifo_open+0x243/0x9d0
[   29.722154]  ? debug_mutex_init+0x28/0x53
[   29.726275]  ? fifo_open+0x156/0x9d0
[   29.729959]  fifo_open+0x156/0x9d0
[   29.733478]  do_dentry_open+0x426/0xda0
[   29.737498]  ? pipe_release+0x240/0x240
[   29.741459]  vfs_open+0x11c/0x210
[   29.744886]  path_openat+0x5f9/0x2930
[   29.748662]  ? path_mountpoint+0x9a0/0x9a0
[   29.752874]  ? kasan_kmalloc.part.1+0xa9/0xd0
[   29.757341]  ? kasan_kmalloc.part.1+0x4f/0xd0
[   29.761812]  ? __kmalloc_track_caller+0x104/0x300
[   29.766630]  ? kmemdup+0x20/0x50
[   29.769969]  ? security_prepare_creds+0x7c/0xb0
[   29.774612]  ? prepare_creds+0x225/0x2a0
[   29.778643]  ? prepare_exec_creds+0xc/0xe0
[   29.782853]  ? prepare_bprm_creds+0x62/0x110
[   29.787241]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[   29.792491]  ? SyS_execve+0x34/0x40
[   29.796092]  ? do_syscall_64+0x19b/0x4b0
[   29.800129]  do_filp_open+0x197/0x270
[   29.803904]  ? may_open_dev+0xd0/0xd0
[   29.807684]  ? trace_hardirqs_on+0x10/0x10
[   29.811900]  ? fs_reclaim_acquire+0x10/0x10
[   29.816200]  ? rcu_read_lock_sched_held+0x102/0x120
[   29.821192]  do_open_execat+0x10d/0x5b0
[   29.825141]  ? setup_arg_pages+0x720/0x720
[   29.829345]  ? do_execveat_common.isra.14+0x68d/0x1d60
[   29.834595]  ? lock_downgrade+0x560/0x560
[   29.838720]  ? lock_acquire+0x10f/0x380
[   29.842681]  ? check_preemption_disabled+0x34/0x1e0
[   29.847723]  do_execveat_common.isra.14+0x6cb/0x1d60
[   29.852812]  ? prepare_bprm_creds+0x110/0x110
[   29.857280]  ? getname_flags+0x222/0x540
[   29.861318]  SyS_execve+0x34/0x40
[   29.864745]  ? setup_new_exec+0x770/0x770
[   29.868867]  do_syscall_64+0x19b/0x4b0
[   29.872733]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   29.877901] RIP: 0033:0x4401b9
[   29.881069] RSP: 002b:00007ffc66697818 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[   29.888800] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004401b9
[   29.896113] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000340
[   29.903366] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   29.910613] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401aa0
[   29.917860] R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000