[....] Starting OpenBSD Secure Shell server: sshd
[ 11.068536] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 34.757144] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.937561] audit: type=1400 audit(1540593754.375:6): avc: denied { map } for pid=1771 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 34.980819] random: sshd: uninitialized urandom read (32 bytes read)
[ 35.447809] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.054671] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.115' (ECDSA) to the list of known hosts.
[ 48.007280] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 48.101118] audit: type=1400 audit(1540593767.545:7): avc: denied { map } for pid=1789 comm="syz-executor421" path="/root/syz-executor421494026" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 48.151703]
[ 48.153394] ======================================================
[ 48.159690] WARNING: possible circular locking dependency detected
[ 48.165985] 4.14.78+ #26 Not tainted
[ 48.169669] ------------------------------------------------------
[ 48.176071] syz-executor421/1790 is trying to acquire lock:
[ 48.181880]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[ 48.189790]
[ 48.189790] but task is already holding lock:
[ 48.195837]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 48.205014]
[ 48.205014] which lock already depends on the new lock.
[ 48.205014]
[ 48.213329]
[ 48.213329] the existing dependency chain (in reverse order) is:
[ 48.221069]
[ 48.221069] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 48.228613]        __mutex_lock+0xf5/0x1480
[ 48.232920]        proc_pid_attr_write+0x16b/0x280
[ 48.237827]        __vfs_write+0xf4/0x5c0
[ 48.241951]        __kernel_write+0xf3/0x330
[ 48.246346]        write_pipe_buf+0x192/0x250
[ 48.250819]        __splice_from_pipe+0x324/0x740
[ 48.255776]        splice_from_pipe+0xcf/0x130
[ 48.260342]        default_file_splice_write+0x37/0x80
[ 48.265677]        SyS_splice+0xd06/0x12a0
[ 48.269956]        do_syscall_64+0x19b/0x4b0
[ 48.274352]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.280045]
[ 48.280045] -> #0 (&pipe->mutex/1){+.+.}:
[ 48.285811]        lock_acquire+0x10f/0x380
[ 48.290120]        __mutex_lock+0xf5/0x1480
[ 48.294427]        fifo_open+0x156/0x9d0
[ 48.298467]        do_dentry_open+0x426/0xda0
[ 48.302957]        vfs_open+0x11c/0x210
[ 48.307066]        path_openat+0x4eb/0x23a0
[ 48.311432]        do_filp_open+0x197/0x270
[ 48.315736]        do_open_execat+0x10d/0x5b0
[ 48.320216]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 48.325813]        SyS_execve+0x34/0x40
[ 48.329760]        do_syscall_64+0x19b/0x4b0
[ 48.334146]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.339826]
[ 48.339826] other info that might help us debug this:
[ 48.339826]
[ 48.347945]  Possible unsafe locking scenario:
[ 48.347945]
[ 48.353977]        CPU0                    CPU1
[ 48.358720]        ----                    ----
[ 48.363359]   lock(&sig->cred_guard_mutex);
[ 48.367658]                                lock(&pipe->mutex/1);
[ 48.375050]                                lock(&sig->cred_guard_mutex);
[ 48.381862]   lock(&pipe->mutex/1);
[ 48.385464]
[ 48.385464]  *** DEADLOCK ***
[ 48.385464]
[ 48.391502] 1 lock held by syz-executor421/1790:
[ 48.396235]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 48.405924]
[ 48.405924] stack backtrace:
[ 48.410412] CPU: 0 PID: 1790 Comm: syz-executor421 Not tainted 4.14.78+ #26
[ 48.417493] Call Trace:
[ 48.420072]  dump_stack+0xb9/0x11b
[ 48.423604]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 48.429412]  ? save_trace+0xd6/0x250
[ 48.433109]  __lock_acquire+0x2ff9/0x4320
[ 48.437239]  ? check_preemption_disabled+0x34/0x160
[ 48.442235]  ? trace_hardirqs_on+0x10/0x10
[ 48.446446]  ? trace_hardirqs_on_caller+0x381/0x520
[ 48.451438]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 48.456516]  ? __lock_acquire+0x619/0x4320
[ 48.460725]  ? alloc_pipe_info+0x15b/0x370
[ 48.464948]  ? fifo_open+0x1ef/0x9d0
[ 48.468636]  ? do_dentry_open+0x426/0xda0
[ 48.472762]  ? vfs_open+0x11c/0x210
[ 48.476366]  ? path_openat+0x4eb/0x23a0
[ 48.480318]  lock_acquire+0x10f/0x380
[ 48.484097]  ? fifo_open+0x156/0x9d0
[ 48.487782]  ? fifo_open+0x156/0x9d0
[ 48.491473]  __mutex_lock+0xf5/0x1480
[ 48.495249]  ? fifo_open+0x156/0x9d0
[ 48.498936]  ? fifo_open+0x156/0x9d0
[ 48.502626]  ? dput.part.6+0x3b3/0x710
[ 48.506490]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 48.512029]  ? fs_reclaim_acquire+0x10/0x10
[ 48.516330]  ? fifo_open+0x284/0x9d0
[ 48.520025]  ? lock_downgrade+0x560/0x560
[ 48.524158]  ? lock_acquire+0x10f/0x380
[ 48.528109]  ? fifo_open+0x243/0x9d0
[ 48.531799]  ? debug_mutex_init+0x28/0x53
[ 48.535921]  ? fifo_open+0x156/0x9d0
[ 48.539611]  fifo_open+0x156/0x9d0
[ 48.543600]  do_dentry_open+0x426/0xda0
[ 48.547546]  ? pipe_release+0x240/0x240
[ 48.551571]  vfs_open+0x11c/0x210
[ 48.555009]  path_openat+0x4eb/0x23a0
[ 48.558794]  ? path_mountpoint+0x9a0/0x9a0
[ 48.563006]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 48.567474]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 48.571946]  ? __kmalloc_track_caller+0x104/0x300
[ 48.576766]  ? kmemdup+0x20/0x50
[ 48.580112]  ? security_prepare_creds+0x7c/0xb0
[ 48.584860]  ? prepare_creds+0x225/0x2a0
[ 48.588897]  ? prepare_exec_creds+0xc/0xe0
[ 48.593112]  ? prepare_bprm_creds+0x62/0x110
[ 48.597512]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[ 48.602767]  ? SyS_execve+0x34/0x40
[ 48.606372]  ? do_syscall_64+0x19b/0x4b0
[ 48.610416]  do_filp_open+0x197/0x270
[ 48.614193]  ? may_open_dev+0xd0/0xd0
[ 48.617980]  ? trace_hardirqs_on+0x10/0x10
[ 48.622281]  ? fs_reclaim_acquire+0x10/0x10
[ 48.627027]  ? rcu_read_lock_sched_held+0x102/0x120
[ 48.632025]  do_open_execat+0x10d/0x5b0
[ 48.635981]  ? setup_arg_pages+0x720/0x720
[ 48.640318]  ? do_execveat_common.isra.14+0x68d/0x1d60
[ 48.645701]  ? lock_downgrade+0x560/0x560
[ 48.649827]  ? lock_acquire+0x10f/0x380
[ 48.653781]  ? check_preemption_disabled+0x34/0x160
[ 48.659556]  do_execveat_common.isra.14+0x6cb/0x1d60
[ 48.664640]  ? prepare_bprm_creds+0x110/0x110
[ 48.670340]  ? getname_flags+0x222/0x540
[ 48.674380]  SyS_execve+0x34/0x40
[ 48.677811]  ? setup_new_exec+0x770/0x770
[ 48.682160]  do_syscall_64+0x19b/0x4b0
[ 48.686028]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.691191] RIP: 0033:0x445719
[ 48.694368] RSP: 002b:00007fd87f352da8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
[ 48.702049] RAX: ffffffffffffff