[ 10.312264] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 22.524847] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.840518] audit: type=1400 audit(1537724548.330:6): avc: denied { map } for pid=1771 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 22.877300] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.369609] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.104' (ECDSA) to the list of known hosts.
[ 29.078421] urandom_read: 1 callbacks suppressed
[ 29.078425] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 29.172750] audit: type=1400 audit(1537724554.660:7): avc: denied { map } for pid=1783 comm="syz-executor051" path="/root/syz-executor051166624" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 29.176685]
[ 29.176687] ======================================================
[ 29.176689] WARNING: possible circular locking dependency detected
[ 29.176693] 4.14.71+ #8 Not tainted
[ 29.176695] ------------------------------------------------------
[ 29.176699] syz-executor051/1783 is trying to acquire lock:
[ 29.176701]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[ 29.176718]
[ 29.176718] but task is already holding lock:
[ 29.176719]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 29.176732]
[ 29.176732] which lock already depends on the new lock.
[ 29.176732]
[ 29.176733]
[ 29.176733] the existing dependency chain (in reverse order) is:
[ 29.176735]
[ 29.176735] -> #2 (&sig->cred_guard_mutex){+.+.}:
[ 29.176748]        __mutex_lock+0xf5/0x1480
[ 29.176756]        lock_trace+0x3f/0xc0
[ 29.176762]        proc_pid_personality+0x17/0xc0
[ 29.176767]        proc_single_show+0xf1/0x160
[ 29.176773]        seq_read+0x4e0/0x11d0
[ 29.176778]        __vfs_read+0xf4/0x5b0
[ 29.176782]        vfs_read+0x11e/0x330
[ 29.176787]        SyS_read+0xc2/0x1a0
[ 29.176792]        do_syscall_64+0x19b/0x4b0
[ 29.176798]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.176800]
[ 29.176800] -> #1 (&p->lock){+.+.}:
[ 29.176809]        __mutex_lock+0xf5/0x1480
[ 29.176814]        seq_read+0xd4/0x11d0
[ 29.176819]        proc_reg_read+0xef/0x170
[ 29.176824]        do_iter_read+0x3cc/0x580
[ 29.176828]        vfs_readv+0xe6/0x150
[ 29.176835]        default_file_splice_read+0x495/0x860
[ 29.176855]        do_splice_to+0x102/0x150
[ 29.176859]        SyS_splice+0xf4d/0x12a0
[ 29.176864]        do_syscall_64+0x19b/0x4b0
[ 29.176869]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.176870]
[ 29.176870] -> #0 (&pipe->mutex/1){+.+.}:
[ 29.176882]        lock_acquire+0x10f/0x380
[ 29.176887]        __mutex_lock+0xf5/0x1480
[ 29.176891]        fifo_open+0x156/0x9d0
[ 29.176897]        do_dentry_open+0x426/0xda0
[ 29.176902]        vfs_open+0x11c/0x210
[ 29.176907]        path_openat+0x4eb/0x23a0
[ 29.176912]        do_filp_open+0x197/0x270
[ 29.176917]        do_open_execat+0x10d/0x5b0
[ 29.176923]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 29.176927]        SyS_execve+0x34/0x40
[ 29.176932]        do_syscall_64+0x19b/0x4b0
[ 29.176937]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.176938]
[ 29.176938] other info that might help us debug this:
[ 29.176938]
[ 29.176940] Chain exists of:
[ 29.176940]   &pipe->mutex/1 --> &p->lock --> &sig->cred_guard_mutex
[ 29.176940]
[ 29.176949]  Possible unsafe locking scenario:
[ 29.176949]
[ 29.176951]        CPU0                    CPU1
[ 29.176952]        ----                    ----
[ 29.176953]   lock(&sig->cred_guard_mutex);
[ 29.176957]                                lock(&p->lock);
[ 29.176960]                                lock(&sig->cred_guard_mutex);
[ 29.176963]   lock(&pipe->mutex/1);
[ 29.176968]
[ 29.176968]  *** DEADLOCK ***
[ 29.176968]
[ 29.176972] 1 lock held by syz-executor051/1783:
[ 29.176973]  #0: (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 29.176985]
[ 29.176985] stack backtrace:
[ 29.177006] CPU: 0 PID: 1783 Comm: syz-executor051 Not tainted 4.14.71+ #8
[ 29.177008] Call Trace:
[ 29.177016]  dump_stack+0xb9/0x11b
[ 29.177024]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 29.177030]  ? save_trace+0xd6/0x250
[ 29.177037]  __lock_acquire+0x2ff9/0x4320
[ 29.177054]  ? check_preemption_disabled+0x34/0x160
[ 29.177065]  ? trace_hardirqs_on+0x10/0x10
[ 29.177072]  ? trace_hardirqs_on_caller+0x381/0x520
[ 29.177078]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 29.177088]  ? __lock_acquire+0x619/0x4320
[ 29.177093]  ? alloc_pipe_info+0x15b/0x370
[ 29.177098]  ? fifo_open+0x1ef/0x9d0
[ 29.177104]  ? do_dentry_open+0x426/0xda0
[ 29.177109]  ? vfs_open+0x11c/0x210
[ 29.177115]  ? path_openat+0x4eb/0x23a0
[ 29.177122]  lock_acquire+0x10f/0x380
[ 29.177127]  ? fifo_open+0x156/0x9d0
[ 29.177134]  ? fifo_open+0x156/0x9d0
[ 29.177140]  __mutex_lock+0xf5/0x1480
[ 29.177145]  ? fifo_open+0x156/0x9d0
[ 29.177150]  ? fifo_open+0x156/0x9d0
[ 29.177156]  ? dput.part.6+0x3b3/0x710
[ 29.177164]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 29.177172]  ? fs_reclaim_acquire+0x10/0x10
[ 29.177180]  ? fifo_open+0x284/0x9d0
[ 29.177186]  ? lock_downgrade+0x560/0x560
[ 29.177191]  ? lock_acquire+0x10f/0x380
[ 29.177196]  ? fifo_open+0x243/0x9d0
[ 29.177201]  ? debug_mutex_init+0x28/0x53
[ 29.177208]  ? fifo_open+0x156/0x9d0
[ 29.177213]  fifo_open+0x156/0x9d0
[ 29.177221]  do_dentry_open+0x426/0xda0
[ 29.177226]  ? pipe_release+0x240/0x240
[ 29.177235]  vfs_open+0x11c/0x210
[ 29.177243]  path_openat+0x4eb/0x23a0
[ 29.177251]  ? path_mountpoint+0x9a0/0x9a0
[ 29.177260]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 29.177267]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 29.177273]  ? __kmalloc_track_caller+0x104/0x300
[ 29.177280]  ? kmemdup+0x20/0x50
[ 29.177288]  ? security_prepare_creds+0x7c/0xb0
[ 29.177296]  ? prepare_creds+0x225/0x2a0
[ 29.177302]  ? prepare_exec_creds+0xc/0xe0
[ 29.177308]  ? prepare_bprm_creds+0x62/0x110
[ 29.177315]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[ 29.177320]  ? SyS_execve+0x34/0x40
[ 29.177325]  ? do_syscall_64+0x19b/0x4b0
[ 29.177334]  do_filp_open+0x197/0x270
[ 29.177340]  ? may_open_dev+0xd0/0xd0
[ 29.177349]  ? trace_hardirqs_on+0x10/0x10
[ 29.177355]  ? fs_reclaim_acquire+0x10/0x10
[ 29.177378]  ? rcu_read_lock_sched_held+0x102/0x120
[ 29.177385]  do_open_execat+0x10d/0x5b0
[ 29.177393]  ? setup_arg_pages+0x720/0x720
[ 29.177400]  ? do_execveat_common.isra.14+0x68d/0x1d60
[ 29.177406]  ? lock_downgrade+0x560/0x560
[ 29.177412]  ? lock_acquire+0x10f/0x380
[ 29.177419]  ? check_preemption_disabled+0x34/0x160
[ 29.177428]  do_execveat_common.isra.14+0x6cb/0x1d60
[ 29.177438]  ? prepare_bprm_creds+0x110/0x110
[ 29.177445]  ? getname_flags+0x222/0x540
[ 29.177451]  SyS_execve+0x34/0x40
[ 29.177457]  ? setup_new_exec+0x770/0x770
[ 29.177462]  do_syscall_64+0x19b/0x4b0
[ 29.177471]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.177475] RIP: 0033:0x4401a9
[ 29.177478] RSP: 002b:00007ffee9331d68 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[ 29.177485] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004401a9
[ 29.177489] RDX: 0000000020000800 RSI: 0000000020000840 RDI: 00000000200003c0
[ 29.177493] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 29.177496] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401a90
[ 29.177500] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000