[....] Starting enhanced syslogd: rsyslogd[ 14.330721] audit: type=1400 audit(1547202020.295:4): avc: denied { syslog } for pid=1926 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.219' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 33.560575] [ 33.562271] ====================================================== [ 33.568560] [ INFO: possible circular locking dependency detected ] [ 33.574938] 4.4.169+ #3 Not tainted [ 33.578536] ------------------------------------------------------- [ 33.584914] syz-executor496/2078 is trying to acquire lock: [ 33.590600] (&pipe->mutex/1){+.+.+.}, at: [] fifo_open+0x15d/0xa00 [ 33.599182] [ 33.599182] but task is already holding lock: [ 33.605123] (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 33.614932] [ 33.614932] which lock already depends on the new lock. [ 33.614932] [ 33.623222] [ 33.623222] the existing dependency chain (in reverse order) is: [ 33.630816] -> #1 (&sig->cred_guard_mutex){+.+.+.}: [ 33.636514] [] lock_acquire+0x15e/0x450 [ 33.642760] [] mutex_lock_interruptible_nested+0xd2/0xce0 [ 33.650567] [] proc_pid_attr_write+0x1a8/0x2a0 [ 33.657428] [] __vfs_write+0x116/0x3d0 [ 33.663631] [] __kernel_write+0x112/0x370 [ 33.670042] [] write_pipe_buf+0x15d/0x1f0 [ 33.676471] [] __splice_from_pipe+0x37e/0x7a0 [ 33.683228] [] splice_from_pipe+0x108/0x170 [ 33.689831] [] default_file_splice_write+0x3c/0x80 [ 33.697027] [] SyS_splice+0xd71/0x13a0 [ 33.703178] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 33.710374] -> #0 (&pipe->mutex/1){+.+.+.}: [ 33.715463] [] __lock_acquire+0x37d6/0x4f50 [ 33.722064] [] lock_acquire+0x15e/0x450 [ 33.728301] [] mutex_lock_nested+0xc1/0xb80 [ 33.734888] [] fifo_open+0x15d/0xa00 [ 33.740868] [] do_dentry_open+0x38f/0xbd0 [ 33.747282] [] vfs_open+0x10b/0x210 [ 33.753203] [] path_openat+0x136f/0x4470 [ 33.759528] [] do_filp_open+0x1a1/0x270 [ 33.765889] [] do_open_execat+0x10c/0x6e0 [ 33.772306] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 33.779766] [] SyS_execve+0x42/0x50 [ 33.785657] [] return_from_execve+0x0/0x23 [ 33.792185] [ 33.792185] other info that might help us debug this: [ 33.792185] [ 33.800301] Possible unsafe locking scenario: [ 33.800301] [ 33.806349] CPU0 CPU1 [ 33.810992] ---- ---- [ 33.815638] lock(&sig->cred_guard_mutex); [ 33.820171] lock(&pipe->mutex/1); [ 33.826642] lock(&sig->cred_guard_mutex); [ 33.833693] lock(&pipe->mutex/1); [ 33.837649] [ 33.837649] *** DEADLOCK *** [ 33.837649] [ 33.843682] 1 lock held by syz-executor496/2078: [ 33.848410] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 33.858841] [ 33.858841] stack backtrace: [ 33.863322] CPU: 1 PID: 2078 Comm: syz-executor496 Not tainted 4.4.169+ #3 [ 33.870305] 0000000000000000 81623c8dfa25180d ffff8800b6a9f530 ffffffff81aad191 [ 33.878287] ffffffff84055a80 ffff8800b7720000 ffffffff83abb610 ffffffff83ab4860 [ 33.886271] ffffffff83abb610 ffff8800b6a9f580 ffffffff813abaf4 ffff8800b6a9f660 [ 33.894255] Call Trace: [ 33.896818] [] dump_stack+0xc1/0x120 [ 33.902159] [] print_circular_bug.cold+0x2f7/0x44e [ 33.908718] [] __lock_acquire+0x37d6/0x4f50 [ 33.914678] [] ? trace_hardirqs_on+0x10/0x10 [ 33.920716] [] ? do_filp_open+0x1a1/0x270 [ 33.926491] [] ? do_execveat_common.isra.0+0x6f6/0x1e90 [ 33.933490] [] ? SyS_execve+0x42/0x50 [ 33.938917] [] ? stub_execve+0x5/0x5 [ 33.944255] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.951002] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.957735] [] lock_acquire+0x15e/0x450 [ 33.963332] [] ? fifo_open+0x15d/0xa00 [ 33.968846] [] ? fifo_open+0x15d/0xa00 [ 33.974364] [] mutex_lock_nested+0xc1/0xb80 [ 33.980306] [] ? fifo_open+0x15d/0xa00 [ 33.985819] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.992548] [] ? mutex_trylock+0x500/0x500 [ 33.998403] [] ? fifo_open+0x24d/0xa00 [ 34.003915] [] ? fifo_open+0x28c/0xa00 [ 34.009423] [] fifo_open+0x15d/0xa00 [ 34.014761] [] do_dentry_open+0x38f/0xbd0 [ 34.020529] [] ? __inode_permission2+0x9e/0x250 [ 34.026837] [] ? pipe_release+0x250/0x250 [ 34.032614] [] vfs_open+0x10b/0x210 [ 34.037866] [] ? may_open.isra.0+0xe7/0x210 [ 34.043812] [] path_openat+0x136f/0x4470 [ 34.049500] [] ? depot_save_stack+0x1c3/0x5f0 [ 34.055621] [] ? may_open.isra.0+0x210/0x210 [ 34.061667] [] ? kmemdup+0x27/0x60 [ 34.066859] [] ? selinux_cred_prepare+0x43/0xa0 [ 34.073151] [] ? security_prepare_creds+0x83/0xc0 [ 34.079619] [] ? prepare_creds+0x228/0x2b0 [ 34.085475] [] ? prepare_exec_creds+0x12/0xf0 [ 34.091600] [] ? do_execveat_common.isra.0+0x2d6/0x1e90 [ 34.098592] [] ? stub_execve+0x5/0x5 [ 34.103934] [] ? kasan_kmalloc+0xb7/0xd0 [ 34.109626] [] ? kasan_slab_alloc+0xf/0x20 [ 34.115482] [] ? kmem_cache_alloc+0xdc/0x2c0 [ 34.121530] [] ? prepare_creds+0x28/0x2b0 [ 34.127299] [] ? prepare_exec_creds+0x12/0xf0 [ 34.133418] [] do_filp_open+0x1a1/0x270 [ 34.139017] [] ? save_stack_trace+0x26/0x50 [ 34.144965] [] ? user_path_mountpoint_at+0x50/0x50 [ 34.151519] [] ? SyS_execve+0x42/0x50 [ 34.156945] [] ? stub_execve+0x5/0x5 [ 34.162284] [] ? __lock_acquire+0xa4f/0x4f50 [ 34.168349] [] ? trace_hardirqs_on+0x10/0x10 [ 34.174382] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 34.181198] [] do_open_execat+0x10c/0x6e0 [ 34.186970] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 34.193705] [] ? setup_arg_pages+0x7b0/0x7b0 [ 34.199735] [] ? do_execveat_common.isra.0+0x6b8/0x1e90 [ 34.206719] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 34.213560] [] ? do_execveat_common.isra.0+0x422/0x1e90 [ 34.220550] [] ? __check_object_size+0x222/0x332 [ 34.226930] [] ? strncpy_from_user+0x110/0x230 [ 34.233152] [] ? prepare_bprm_creds+0x120/0x120 [ 34.239458] [] ? getname_flags+0x232/0x550 [ 34.245315] [] SyS_execve+0x42/0x50 [ 34.250566] [] stub_execve+0x5/0x5 [ 34.255734] [] ? tracesys+0x88/0x8d