[....] Starting enhanced syslogd: rsyslogd[ 13.334829] audit: type=1400 audit(1552637507.227:4): avc: denied { syslog } for pid=1922 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 40.972823] [ 40.974481] ====================================================== [ 40.980863] [ INFO: possible circular locking dependency detected ] [ 40.987394] 4.4.174+ #4 Not tainted [ 40.991040] ------------------------------------------------------- [ 40.997501] syz-executor610/2082 is trying to acquire lock: [ 41.003369] (&pipe->mutex/1){+.+.+.}, at: [] fifo_open+0x15d/0xa00 [ 41.011946] [ 41.011946] but task is already holding lock: [ 41.017938] (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 41.027769] [ 41.027769] which lock already depends on the new lock. 
[ 41.027769] [ 41.036059] [ 41.036059] the existing dependency chain (in reverse order) is: [ 41.043900] -> #1 (&sig->cred_guard_mutex){+.+.+.}: [ 41.049582] [] lock_acquire+0x15e/0x450 [ 41.055856] [] mutex_lock_interruptible_nested+0xd2/0xce0 [ 41.063685] [] proc_pid_attr_write+0x1a8/0x2a0 [ 41.070634] [] __vfs_write+0x116/0x3d0 [ 41.076796] [] __kernel_write+0x112/0x370 [ 41.083319] [] write_pipe_buf+0x15d/0x1f0 [ 41.089768] [] __splice_from_pipe+0x37e/0x7a0 [ 41.096610] [] splice_from_pipe+0x108/0x170 [ 41.103364] [] default_file_splice_write+0x3c/0x80 [ 41.110667] [] SyS_splice+0xd71/0x13a0 [ 41.117030] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 41.124243] -> #0 (&pipe->mutex/1){+.+.+.}: [ 41.129508] [] __lock_acquire+0x37d6/0x4f50 [ 41.136123] [] lock_acquire+0x15e/0x450 [ 41.142544] [] mutex_lock_nested+0xc1/0xb80 [ 41.149212] [] fifo_open+0x15d/0xa00 [ 41.155245] [] do_dentry_open+0x38f/0xbd0 [ 41.161805] [] vfs_open+0x10b/0x210 [ 41.167723] [] path_openat+0x136f/0x4470 [ 41.174172] [] do_filp_open+0x1a1/0x270 [ 41.180421] [] do_open_execat+0x10c/0x6e0 [ 41.186846] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 41.194513] [] SyS_execve+0x42/0x50 [ 41.200592] [] return_from_execve+0x0/0x23 [ 41.207178] [ 41.207178] other info that might help us debug this: [ 41.207178] [ 41.215303] Possible unsafe locking scenario: [ 41.215303] [ 41.221430] CPU0 CPU1 [ 41.226368] ---- ---- [ 41.231011] lock(&sig->cred_guard_mutex); [ 41.235662] lock(&pipe->mutex/1); [ 41.242269] lock(&sig->cred_guard_mutex); [ 41.249419] lock(&pipe->mutex/1); [ 41.253399] [ 41.253399] *** DEADLOCK *** [ 41.253399] [ 41.259444] 1 lock held by syz-executor610/2082: [ 41.264229] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 41.274958] [ 41.274958] stack backtrace: [ 41.279556] CPU: 1 PID: 2082 Comm: syz-executor610 Not tainted 4.4.174+ #4 [ 41.286551] 0000000000000000 d58f4300d729680e ffff8801cec8f530 ffffffff81aad1a1 [ 41.294584] ffffffff84057a80 ffff8801d400af80 
ffffffff83abd2b0 ffffffff83ab6860 [ 41.302609] ffffffff83abd2b0 ffff8801cec8f580 ffffffff813abcda ffff8801cec8f660 [ 41.310847] Call Trace: [ 41.313423] [] dump_stack+0xc1/0x120 [ 41.318771] [] print_circular_bug.cold+0x2f7/0x44e [ 41.325354] [] __lock_acquire+0x37d6/0x4f50 [ 41.331306] [] ? trace_hardirqs_on+0x10/0x10 [ 41.337361] [] ? do_filp_open+0x1a1/0x270 [ 41.343148] [] ? do_execveat_common.isra.0+0x6f6/0x1e90 [ 41.350249] [] ? SyS_execve+0x42/0x50 [ 41.355784] [] ? stub_execve+0x5/0x5 [ 41.361148] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.367889] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.374718] [] lock_acquire+0x15e/0x450 [ 41.380321] [] ? fifo_open+0x15d/0xa00 [ 41.385841] [] ? fifo_open+0x15d/0xa00 [ 41.391357] [] mutex_lock_nested+0xc1/0xb80 [ 41.397487] [] ? fifo_open+0x15d/0xa00 [ 41.403025] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.409904] [] ? mutex_trylock+0x500/0x500 [ 41.415870] [] ? fifo_open+0x24d/0xa00 [ 41.421514] [] ? fifo_open+0x28c/0xa00 [ 41.427041] [] fifo_open+0x15d/0xa00 [ 41.432397] [] do_dentry_open+0x38f/0xbd0 [ 41.438264] [] ? __inode_permission2+0x9e/0x250 [ 41.444751] [] ? pipe_release+0x250/0x250 [ 41.450633] [] vfs_open+0x10b/0x210 [ 41.455900] [] ? may_open.isra.0+0xe7/0x210 [ 41.461861] [] path_openat+0x136f/0x4470 [ 41.467647] [] ? depot_save_stack+0x1c3/0x5f0 [ 41.473981] [] ? may_open.isra.0+0x210/0x210 [ 41.480020] [] ? kmemdup+0x27/0x60 [ 41.485192] [] ? selinux_cred_prepare+0x43/0xa0 [ 41.491701] [] ? security_prepare_creds+0x83/0xc0 [ 41.498186] [] ? prepare_creds+0x228/0x2b0 [ 41.504170] [] ? prepare_exec_creds+0x12/0xf0 [ 41.510301] [] ? do_execveat_common.isra.0+0x2d6/0x1e90 [ 41.517414] [] ? stub_execve+0x5/0x5 [ 41.522866] [] ? kasan_kmalloc+0xb7/0xd0 [ 41.528561] [] ? kasan_slab_alloc+0xf/0x20 [ 41.534492] [] ? kmem_cache_alloc+0xdc/0x2c0 [ 41.540616] [] ? prepare_creds+0x28/0x2b0 [ 41.546399] [] ? prepare_exec_creds+0x12/0xf0 [ 41.552526] [] do_filp_open+0x1a1/0x270 [ 41.558239] [] ? 
save_stack_trace+0x26/0x50 [ 41.564274] [] ? user_path_mountpoint_at+0x50/0x50 [ 41.570838] [] ? SyS_execve+0x42/0x50 [ 41.576268] [] ? stub_execve+0x5/0x5 [ 41.581615] [] ? __lock_acquire+0xa4f/0x4f50 [ 41.587662] [] ? trace_hardirqs_on+0x10/0x10 [ 41.593706] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 41.600592] [] do_open_execat+0x10c/0x6e0 [ 41.606385] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 41.613243] [] ? setup_arg_pages+0x7b0/0x7b0 [ 41.619343] [] ? do_execveat_common.isra.0+0x6b8/0x1e90 [ 41.626340] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 41.633216] [] ? do_execveat_common.isra.0+0x422/0x1e90 [ 41.640345] [] ? __check_object_size+0x222/0x332 [ 41.646744] [] ? strncpy_from_user+0xd0/0x230 [ 41.652883] [] ? prepare_bprm_creds+0x120/0x120 [ 41.659185] [] ? getname_flags+0x232/0x550 [ 41.665044] [] SyS_execve+0x42/0x50 [ 41.670403] [] stub_execve+0x5/0x5 [ 41.675597] [] ? tracesys+0x88/0x8d