[ ok ] Starting enhanced syslogd: rsyslogd.
[ 41.866865] audit: type=1800 audit(1546907825.042:25): pid=7997 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 41.886813] audit: type=1800 audit(1546907825.042:26): pid=7997 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 41.907068] audit: type=1800 audit(1546907825.042:27): pid=7997 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.67' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 52.980842]
[ 52.982486] ======================================================
[ 52.988776] WARNING: possible circular locking dependency detected
[ 52.995074] 5.0.0-rc1+ #14 Not tainted
[ 52.998933] ------------------------------------------------------
[ 53.005227] syz-executor214/8149 is trying to acquire lock:
[ 53.010928] 0000000003c49985 (&pipe->mutex/1){+.+.}, at: fifo_open+0x159/0xb00
[ 53.018293]
[ 53.018293] but task is already holding lock:
[ 53.024237] 00000000a827f4f3 (&sig->cred_guard_mutex){+.+.}, at: __do_execve_file.isra.0+0x45d/0x2700
[ 53.033579]
[ 53.033579] which lock already depends on the new lock.
[ 53.033579]
[ 53.041871]
[ 53.041871] the existing dependency chain (in reverse order) is:
[ 53.049474]
[ 53.049474] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 53.055779]        __mutex_lock+0x12f/0x1670
[ 53.060172]        mutex_lock_interruptible_nested+0x16/0x20
[ 53.065954]        proc_pid_attr_write+0x1fa/0x530
[ 53.070867]        __vfs_write+0x116/0xb40
[ 53.075099]        __kernel_write+0x110/0x3b0
[ 53.079581]        write_pipe_buf+0x180/0x240
[ 53.084062]        __splice_from_pipe+0x39a/0x7e0
[ 53.088888]        splice_from_pipe+0x1ea/0x310
[ 53.093541]        default_file_splice_write+0x3c/0x90
[ 53.098797]        do_splice+0x64b/0x1410
[ 53.102926]        __x64_sys_splice+0x2c6/0x330
[ 53.107576]        do_syscall_64+0x1a3/0x800
[ 53.111965]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.117650]
[ 53.117650] -> #0 (&pipe->mutex/1){+.+.}:
[ 53.123262]        lock_acquire+0x1db/0x570
[ 53.127564]        __mutex_lock+0x12f/0x1670
[ 53.131953]        mutex_lock_nested+0x16/0x20
[ 53.136533]        fifo_open+0x159/0xb00
[ 53.140588]        do_dentry_open+0x48a/0x1210
[ 53.145153]        vfs_open+0xa0/0xd0
[ 53.148932]        path_openat+0x144f/0x5650
[ 53.153316]        do_filp_open+0x26f/0x370
[ 53.157619]        do_open_execat+0x20e/0x930
[ 53.162093]        __do_execve_file.isra.0+0x1966/0x2700
[ 53.167521]        __x64_sys_execve+0x8f/0xc0
[ 53.171995]        do_syscall_64+0x1a3/0x800
[ 53.176382]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.182064]
[ 53.182064] other info that might help us debug this:
[ 53.182064]
[ 53.190177]  Possible unsafe locking scenario:
[ 53.190177]
[ 53.196206]        CPU0                    CPU1
[ 53.200847]        ----                    ----
[ 53.205488]   lock(&sig->cred_guard_mutex);
[ 53.209881]                                lock(&pipe->mutex/1);
[ 53.216002]                                lock(&sig->cred_guard_mutex);
[ 53.222814]   lock(&pipe->mutex/1);
[ 53.226415]
[ 53.226415]  *** DEADLOCK ***
[ 53.226415]
[ 53.232449] 1 lock held by syz-executor214/8149:
[ 53.237178]  #0: 00000000a827f4f3 (&sig->cred_guard_mutex){+.+.}, at: __do_execve_file.isra.0+0x45d/0x2700
[ 53.246954]
[ 53.246954] stack backtrace:
[ 53.251427] CPU: 0 PID: 8149 Comm: syz-executor214 Not tainted 5.0.0-rc1+ #14
[ 53.258673] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.268002] Call Trace:
[ 53.270569]  dump_stack+0x1db/0x2d0
[ 53.274219]  ? dump_stack_print_info.cold+0x20/0x20
[ 53.279221]  ? print_stack_trace+0x77/0xb0
[ 53.283436]  ? vprintk_func+0x86/0x189
[ 53.287305]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 53.292650]  __lock_acquire+0x3014/0x4a30
[ 53.296775]  ? add_lock_to_list.isra.0+0x450/0x450
[ 53.301683]  ? mark_held_locks+0x100/0x100
[ 53.305909]  ? mark_held_locks+0xb1/0x100
[ 53.310039]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 53.315138]  ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 53.320219]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 53.324785]  ? trace_hardirqs_off_caller+0x300/0x300
[ 53.329870]  ? do_raw_spin_trylock+0x270/0x270
[ 53.334435]  ? add_lock_to_list.isra.0+0x450/0x450
[ 53.339354]  ? print_usage_bug+0xd0/0xd0
[ 53.343395]  ? _raw_spin_unlock_irqrestore+0xa4/0xe0
[ 53.348477]  ? __lock_is_held+0xb6/0x140
[ 53.352516]  lock_acquire+0x1db/0x570
[ 53.356301]  ? fifo_open+0x159/0xb00
[ 53.360017]  ? ___might_sleep+0x1e7/0x310
[ 53.364146]  ? lock_release+0xc40/0xc40
[ 53.368100]  ? fifo_open+0x159/0xb00
[ 53.371797]  ? fifo_open+0x159/0xb00
[ 53.375490]  __mutex_lock+0x12f/0x1670
[ 53.379361]  ? fifo_open+0x159/0xb00
[ 53.383054]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.388569]  ? fifo_open+0x159/0xb00
[ 53.392293]  ? check_preemption_disabled+0x48/0x290
[ 53.397291]  ? lockdep_init_map+0x10c/0x5b0
[ 53.401592]  ? mutex_trylock+0x2d0/0x2d0
[ 53.405651]  ? add_lock_to_list.isra.0+0x450/0x450
[ 53.410562]  ? __mutex_init+0x1f6/0x2a0
[ 53.414519]  ? psi_task_change.cold+0x1ec/0x1ec
[ 53.419169]  ? fifo_open+0x2b5/0xb00
[ 53.422859]  ? find_held_lock+0x35/0x120
[ 53.426899]  ? fifo_open+0x2b5/0xb00
[ 53.430592]  ? lock_acquire+0x1db/0x570
[ 53.434549]  ? kasan_check_read+0x11/0x20
[ 53.438690]  ? do_raw_spin_unlock+0xa0/0x330
[ 53.443093]  ? do_raw_spin_trylock+0x270/0x270
[ 53.447665]  mutex_lock_nested+0x16/0x20
[ 53.451702]  ? _raw_spin_unlock+0x2d/0x50
[ 53.455826]  ? mutex_lock_nested+0x16/0x20
[ 53.460047]  fifo_open+0x159/0xb00
[ 53.463565]  do_dentry_open+0x48a/0x1210
[ 53.467611]  ? pipe_release+0x280/0x280
[ 53.471562]  ? chown_common+0x740/0x740
[ 53.475535]  ? security_inode_permission+0xd5/0x110
[ 53.480533]  ? inode_permission+0xb4/0x570
[ 53.484747]  vfs_open+0xa0/0xd0
[ 53.488008]  path_openat+0x144f/0x5650
[ 53.491878]  ? is_bpf_text_address+0xd3/0x170
[ 53.496363]  ? path_lookupat.isra.0+0xba0/0xba0
[ 53.501029]  ? __lock_acquire+0x572/0x4a30
[ 53.505245]  ? kmem_cache_alloc+0x12d/0x710
[ 53.509550]  ? __do_execve_file.isra.0+0x47a/0x2700
[ 53.514543]  ? __x64_sys_execve+0x8f/0xc0
[ 53.518670]  ? do_syscall_64+0x1a3/0x800
[ 53.522715]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.528063]  ? add_lock_to_list.isra.0+0x450/0x450
[ 53.532986]  do_filp_open+0x26f/0x370
[ 53.536769]  ? may_open_dev+0x100/0x100
[ 53.540724]  ? refcount_add_not_zero_checked+0x330/0x330
[ 53.546154]  ? prepare_creds+0xa4/0x4e0
[ 53.550111]  ? add_lock_to_list.isra.0+0x450/0x450
[ 53.555019]  ? add_lock_to_list.isra.0+0x450/0x450
[ 53.559929]  ? __do_execve_file.isra.0+0x901/0x2700
[ 53.564926]  do_open_execat+0x20e/0x930
[ 53.568880]  ? unregister_binfmt+0x2b0/0x2b0
[ 53.573270]  ? kasan_check_read+0x11/0x20
[ 53.577403]  ? do_raw_spin_trylock+0x270/0x270
[ 53.581968]  ? __phys_addr_symbol+0x30/0x70
[ 53.586271]  __do_execve_file.isra.0+0x1966/0x2700
[ 53.591185]  ? copy_strings_kernel+0x110/0x110
[ 53.595747]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 53.601263]  ? strncpy_from_user+0x3aa/0x4e0
[ 53.605650]  ? digsig_verify.cold+0x32/0x32
[ 53.609952]  ? kmem_cache_alloc+0x341/0x710
[ 53.614253]  ? do_syscall_64+0x8c/0x800
[ 53.618210]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 53.623726]  ? getname_flags+0x277/0x5b0
[ 53.627769]  ? trace_hardirqs_off_caller+0x300/0x300
[ 53.632853]  __x64_sys_execve+0x8f/0xc0
[ 53.636819]  do_syscall_64+0x1a3/0x800
[ 53.640684]  ? syscall_return_slowpath+0x5f0/0x5f0
[ 53.645591]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 53.650591]  ? __switch_to_asm+0x34/0x70
[ 53.654634]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 53.659457]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.664623] RIP: 0033:0x445709
[ 53.667796] Code: e8 ec b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 12 fc ff