[ 32.502849] audit: type=1800 audit(1579699349.611:33): pid=7106 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 32.531476] audit: type=1800 audit(1579699349.611:34): pid=7106 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 36.048538] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.437539] audit: type=1400 audit(1579699353.541:35): avc: denied { map } for pid=7277 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.487882] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.246721] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.431024] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
[ 42.994845] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 43.143266] audit: type=1400 audit(1579699360.251:36): avc: denied { map } for pid=7289 comm="syz-executor501" path="/root/syz-executor501326867" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.157873]
[ 43.170953] audit: type=1400 audit(1579699360.261:37): avc: denied { associate } for pid=7289 comm="syz-executor501" name="f.le." scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 43.171418] ======================================================
[ 43.200431] WARNING: possible circular locking dependency detected
[ 43.206973] 4.14.166-syzkaller #0 Not tainted
[ 43.211722] ------------------------------------------------------
[ 43.218024] syz-executor501/7289 is trying to acquire lock:
[ 43.223857] (&sig->cred_guard_mutex){+.+.}, at: [] lock_trace+0x44/0xc0
[ 43.236302]
[ 43.236302] but task is already holding lock:
[ 43.242270] (&p->lock){+.+.}, at: [] seq_read+0xc1/0x1280
[ 43.249543]
[ 43.249543] which lock already depends on the new lock.
[ 43.249543]
[ 43.257860]
[ 43.257860] the existing dependency chain (in reverse order) is:
[ 43.265474]
[ 43.265474] -> #3 (&p->lock){+.+.}:
[ 43.270581] lock_acquire+0x16f/0x430
[ 43.274981] __mutex_lock+0xe8/0x1470
[ 43.279394] mutex_lock_nested+0x16/0x20
[ 43.283972] seq_read+0xc1/0x1280
[ 43.287938] do_iter_read+0x3e2/0x5b0
[ 43.292249] vfs_readv+0xd3/0x130
[ 43.296259] default_file_splice_read+0x421/0x870
[ 43.301614] do_splice_to+0x105/0x170
[ 43.305930] splice_direct_to_actor+0x222/0x7b0
[ 43.311105] do_splice_direct+0x18d/0x230
[ 43.315777] do_sendfile+0x4db/0xbd0
[ 43.320280] SyS_sendfile64+0x102/0x110
[ 43.324888] do_syscall_64+0x1e8/0x640
[ 43.329401] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.335108]
[ 43.335108] -> #2 (sb_writers#4){.+.+}:
[ 43.340568] lock_acquire+0x16f/0x430
[ 43.344887] __sb_start_write+0x1ae/0x2f0
[ 43.349650] mnt_want_write+0x3f/0xb0
[ 43.353963] ovl_want_write+0x76/0xa0
[ 43.358264] ovl_do_remove+0x68/0xbd0
[ 43.362578] ovl_rmdir+0x1b/0x20
[ 43.366450] vfs_rmdir+0x218/0x420
[ 43.370612] do_rmdir+0x316/0x390
[ 43.374589] SyS_rmdir+0x1b/0x20
[ 43.378654] do_syscall_64+0x1e8/0x640
[ 43.383123] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.388974]
[ 43.388974] -> #1 (&ovl_i_mutex_dir_key[depth]#2){++++}:
[ 43.395909] lock_acquire+0x16f/0x430
[ 43.400261] down_read+0x3b/0xb0
[ 43.404146] path_openat+0x191c/0x3f70
[ 43.408546] do_filp_open+0x18e/0x250
[ 43.413510] do_open_execat+0xe7/0x4a0
[ 43.417965] do_execveat_common.isra.0+0x6d5/0x1dd0
[ 43.423614] SyS_execve+0x39/0x50
[ 43.427587] do_syscall_64+0x1e8/0x640
[ 43.432069] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.437917]
[ 43.437917] -> #0 (&sig->cred_guard_mutex){+.+.}:
[ 43.444267] __lock_acquire+0x2cb3/0x4620
[ 43.448948] lock_acquire+0x16f/0x430
[ 43.453264] __mutex_lock+0xe8/0x1470
[ 43.457568] mutex_lock_killable_nested+0x16/0x20
[ 43.463040] lock_trace+0x44/0xc0
[ 43.467122] proc_pid_stack+0x113/0x250
[ 43.471648] proc_single_show+0xf0/0x160
[ 43.476216] seq_read+0x51a/0x1280
[ 43.480273] do_iter_read+0x3e2/0x5b0
[ 43.484895] vfs_readv+0xd3/0x130
[ 43.491464] default_file_splice_read+0x421/0x870
[ 43.496820] do_splice_to+0x105/0x170
[ 43.501134] splice_direct_to_actor+0x222/0x7b0
[ 43.506340] do_splice_direct+0x18d/0x230
[ 43.511003] do_sendfile+0x4db/0xbd0
[ 43.515293] SyS_sendfile64+0x102/0x110
[ 43.519784] do_syscall_64+0x1e8/0x640
[ 43.524177] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.529870]
[ 43.529870] other info that might help us debug this:
[ 43.529870]
[ 43.538359] Chain exists of:
[ 43.538359] &sig->cred_guard_mutex --> sb_writers#4 --> &p->lock
[ 43.538359]
[ 43.549062] Possible unsafe locking scenario:
[ 43.549062]
[ 43.555200]        CPU0                    CPU1
[ 43.559864]        ----                    ----
[ 43.564819]   lock(&p->lock);
[ 43.567921]                                lock(sb_writers#4);
[ 43.574101]                                lock(&p->lock);
[ 43.579733]   lock(&sig->cred_guard_mutex);
[ 43.584048]
[ 43.584048] *** DEADLOCK ***
[ 43.584048]
[ 43.590614] 2 locks held by syz-executor501/7289:
[ 43.595438] #0: (sb_writers#4){.+.+}, at: [] do_sendfile+0x912/0xbd0
[ 43.603686] #1: (&p->lock){+.+.}, at: [] seq_read+0xc1/0x1280
[ 43.611418]
[ 43.611418] stack backtrace:
[ 43.615905] CPU: 1 PID: 7289 Comm: syz-executor501 Not tainted 4.14.166-syzkaller #0
[ 43.623893] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.633243] Call Trace:
[ 43.636093] dump_stack+0x142/0x197
[ 43.639749] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 43.645583] __lock_acquire+0x2cb3/0x4620
[ 43.649728] ? mark_held_locks+0xb1/0x100
[ 43.654088] ? trace_hardirqs_on+0x10/0x10
[ 43.658341] ? save_stack+0xa9/0xd0
[ 43.661965] lock_acquire+0x16f/0x430
[ 43.665877] ? lock_trace+0x44/0xc0
[ 43.669531] ? lock_trace+0x44/0xc0
[ 43.673149] __mutex_lock+0xe8/0x1470
[ 43.677101] ? lock_trace+0x44/0xc0
[ 43.680722] ? save_trace+0x290/0x290
[ 43.684620] ? lock_trace+0x44/0xc0
[ 43.688239] ? mutex_trylock+0x1c0/0x1c0
[ 43.692421] ? __lock_is_held+0xb6/0x140
[ 43.696575] ? check_preemption_disabled+0x3c/0x250
[ 43.701626] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 43.707062] ? proc_pid_stack+0xe0/0x250
[ 43.711301] ? rcu_read_lock_sched_held+0x110/0x130
[ 43.716308] ? kmem_cache_alloc_trace+0x623/0x790
[ 43.721151] mutex_lock_killable_nested+0x16/0x20
[ 43.726266] ? mutex_lock_killable_nested+0x16/0x20
[ 43.731324] lock_trace+0x44/0xc0
[ 43.734788] proc_pid_stack+0x113/0x250
[ 43.738839] ? lock_trace+0xc0/0xc0
[ 43.742448] proc_single_show+0xf0/0x160
[ 43.746500] seq_read+0x51a/0x1280
[ 43.750062] ? seq_lseek+0x3c0/0x3c0
[ 43.753779] ? security_file_permission+0x89/0x1f0
[ 43.758688] ? rw_verify_area+0xea/0x2b0
[ 43.762737] do_iter_read+0x3e2/0x5b0
[ 43.766617] vfs_readv+0xd3/0x130
[ 43.770066] ? compat_rw_copy_check_uvector+0x310/0x310
[ 43.775515] ? push_pipe+0x3e6/0x780
[ 43.779220] ? iov_iter_get_pages_alloc+0x2c9/0xef0
[ 43.784226] ? iov_iter_revert+0x9c0/0x9c0
[ 43.788443] ? iov_iter_pipe+0x9f/0x2c0
[ 43.792502] default_file_splice_read+0x421/0x870
[ 43.797448] ? __kmalloc+0x15d/0x7a0
[ 43.801153] ? alloc_pipe_info+0x15c/0x380
[ 43.805377] ? splice_direct_to_actor+0x5d2/0x7b0
[ 43.810215] ? do_splice_direct+0x18d/0x230
[ 43.814544] ? page_cache_pipe_buf_release+0x220/0x220
[ 43.819901] ? trace_hardirqs_on+0x10/0x10
[ 43.824191] ? save_trace+0x290/0x290
[ 43.827996] ? __fsnotify_update_child_dentry_flags.part.0+0x300/0x300
[ 43.834738] ? fsnotify+0x11e0/0x11e0
[ 43.838541] ? __inode_security_revalidate+0xd6/0x130
[ 43.843722] ? avc_policy_seqno+0x9/0x20
[ 43.847801] ? selinux_file_permission+0x85/0x480
[ 43.852820] ? security_file_permission+0x89/0x1f0
[ 43.858736] ? rw_verify_area+0xea/0x2b0
[ 43.862869] ? page_cache_pipe_buf_release+0x220/0x220
[ 43.868173] do_splice_to+0x105/0x170
[ 43.871999] splice_direct_to_actor+0x222/0x7b0
[ 43.876675] ? generic_pipe_buf_nosteal+0x10/0x10
[ 43.885607] ? do_splice_to+0x170/0x170
[ 43.890043] ? rw_verify_area+0xea/0x2b0
[ 43.894638] do_splice_direct+0x18d/0x230
[ 43.898770] ? splice_direct_to_actor+0x7b0/0x7b0
[ 43.903605] ? rcu_sync_lockdep_assert+0x6d/0xb0
[ 43.908352] ? __sb_start_write+0x153/0x2f0
[ 43.912657] do_sendfile+0x4db/0xbd0
[ 43.916387] ? do_compat_pwritev64+0x140/0x140
[ 43.921071] ? do_sys_open+0x221/0x430
[ 43.925061] SyS_sendfile64+0x102/0x110
[ 43.929037] ? SyS_sendfile+0x130/0x130
[ 43.932997] ? do_syscall_64+0x53/0x640
[ 43.937068] ? SyS_sendfile+0x130/0x130
[ 43.941024] do_syscall_64+0x1e8/0x640
[ 43.944918] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.950572] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.955758] RIP: 0033:0x4403c9
[ 43.958932] RSP: 002b:00007ffcaa3b1ef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[ 43.966621] RAX: ffffffffffffffda RBX: 00007ffcaa3b1f00 RCX: 00000000004403c9
[ 43.973898] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000004
[ 43.981178] RBP: 00000000006ca018 R08: 65732f636f72702f R09: 65732f636f72702f
[ 43.988638] R10: 0000000000000209 R11: 0000000000000246 R12: 0000000000401cb0
[ 43.995997]