[....] Starting enhanced syslogd: rsyslogd[ 15.118707] audit: type=1400 audit(1553304775.923:4): avc: denied { syslog } for pid=1920 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.20' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 38.908539] [ 38.910174] ====================================================== [ 38.916561] [ INFO: possible circular locking dependency detected ] [ 38.922946] 4.4.174+ #4 Not tainted [ 38.926544] ------------------------------------------------------- [ 38.933021] syz-executor760/2078 is trying to acquire lock: [ 38.938741] (&pipe->mutex/1){+.+.+.}, at: [] fifo_open+0x15d/0xa00 [ 38.947304] [ 38.947304] but task is already holding lock: [ 38.953246] (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 38.963326] [ 38.963326] which lock already depends on the new lock. [ 38.963326] [ 38.971731] [ 38.971731] the existing dependency chain (in reverse order) is: [ 38.979328] -> #1 (&sig->cred_guard_mutex){+.+.+.}: [ 38.984998] [] lock_acquire+0x15e/0x450 [ 38.991486] [] mutex_lock_interruptible_nested+0xd2/0xce0 [ 38.999368] [] proc_pid_attr_write+0x1a8/0x2a0 [ 39.006330] [] __vfs_write+0x116/0x3d0 [ 39.012494] [] __kernel_write+0x112/0x370 [ 39.018948] [] write_pipe_buf+0x15d/0x1f0 [ 39.025370] [] __splice_from_pipe+0x37e/0x7a0 [ 39.032132] [] splice_from_pipe+0x108/0x170 [ 39.038719] [] default_file_splice_write+0x3c/0x80 [ 39.046080] [] SyS_splice+0xd71/0x13a0 [ 39.052376] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 39.059710] -> #0 (&pipe->mutex/1){+.+.+.}: [ 39.065048] [] __lock_acquire+0x37d6/0x4f50 [ 39.071646] [] lock_acquire+0x15e/0x450 [ 39.077985] [] mutex_lock_nested+0xc1/0xb80 [ 39.084804] [] fifo_open+0x15d/0xa00 [ 39.090803] [] do_dentry_open+0x38f/0xbd0 [ 39.097319] [] vfs_open+0x10b/0x210 [ 39.103298] [] path_openat+0x136f/0x4470 [ 39.109648] [] do_filp_open+0x1a1/0x270 [ 39.115905] [] do_open_execat+0x10c/0x6e0 [ 39.122457] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 39.130094] [] SyS_execve+0x42/0x50 [ 39.136032] [] return_from_execve+0x0/0x23 [ 39.142587] [ 39.142587] other info that might help us debug this: [ 39.142587] [ 39.150714] Possible unsafe locking scenario: [ 39.150714] [ 39.156876] CPU0 CPU1 [ 39.161556] ---- ---- [ 39.166354] lock(&sig->cred_guard_mutex); [ 39.171056] lock(&pipe->mutex/1); [ 39.177624] lock(&sig->cred_guard_mutex); [ 39.184773] lock(&pipe->mutex/1); [ 39.188751] [ 39.188751] *** DEADLOCK *** [ 39.188751] [ 39.194833] 1 lock held by syz-executor760/2078: [ 39.199654] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 39.210281] [ 39.210281] stack backtrace: [ 39.214878] CPU: 1 PID: 2078 Comm: syz-executor760 Not tainted 4.4.174+ #4 [ 39.221879] 0000000000000000 acee8f8a9f49a041 ffff8801d405f530 ffffffff81aad1a1 [ 39.229888] ffffffff84057a80 ffff8800b6c08000 ffffffff83abd100 ffffffff83ab66b0 [ 39.237971] ffffffff83abd100 ffff8801d405f580 ffffffff813abcda ffff8801d405f660 [ 39.245968] Call Trace: [ 39.248539] [] dump_stack+0xc1/0x120 [ 39.253888] [] print_circular_bug.cold+0x2f7/0x44e [ 39.260457] [] __lock_acquire+0x37d6/0x4f50 [ 39.266449] [] ? trace_hardirqs_on+0x10/0x10 [ 39.272505] [] ? do_filp_open+0x1a1/0x270 [ 39.278423] [] ? do_execveat_common.isra.0+0x6f6/0x1e90 [ 39.285450] [] ? SyS_execve+0x42/0x50 [ 39.290887] [] ? stub_execve+0x5/0x5 [ 39.296246] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 39.302987] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 39.309763] [] lock_acquire+0x15e/0x450 [ 39.315371] [] ? fifo_open+0x15d/0xa00 [ 39.320885] [] ? fifo_open+0x15d/0xa00 [ 39.326406] [] mutex_lock_nested+0xc1/0xb80 [ 39.332367] [] ? fifo_open+0x15d/0xa00 [ 39.337893] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 39.344633] [] ? mutex_trylock+0x500/0x500 [ 39.350537] [] ? fifo_open+0x24d/0xa00 [ 39.356059] [] ? fifo_open+0x28c/0xa00 [ 39.361843] [] fifo_open+0x15d/0xa00 [ 39.367194] [] do_dentry_open+0x38f/0xbd0 [ 39.372985] [] ? __inode_permission2+0x9e/0x250 [ 39.379281] [] ? pipe_release+0x250/0x250 [ 39.385178] [] vfs_open+0x10b/0x210 [ 39.390441] [] ? may_open.isra.0+0xe7/0x210 [ 39.396460] [] path_openat+0x136f/0x4470 [ 39.402158] [] ? depot_save_stack+0x1c3/0x5f0 [ 39.408363] [] ? may_open.isra.0+0x210/0x210 [ 39.414430] [] ? kmemdup+0x27/0x60 [ 39.419601] [] ? selinux_cred_prepare+0x43/0xa0 [ 39.425906] [] ? security_prepare_creds+0x83/0xc0 [ 39.432417] [] ? prepare_creds+0x228/0x2b0 [ 39.438283] [] ? prepare_exec_creds+0x12/0xf0 [ 39.444415] [] ? do_execveat_common.isra.0+0x2d6/0x1e90 [ 39.451406] [] ? stub_execve+0x5/0x5 [ 39.456744] [] ? kasan_kmalloc+0xb7/0xd0 [ 39.462429] [] ? kasan_slab_alloc+0xf/0x20 [ 39.468295] [] ? kmem_cache_alloc+0xdc/0x2c0 [ 39.474424] [] ? prepare_creds+0x28/0x2b0 [ 39.480235] [] ? prepare_exec_creds+0x12/0xf0 [ 39.486369] [] do_filp_open+0x1a1/0x270 [ 39.492143] [] ? save_stack_trace+0x26/0x50 [ 39.498105] [] ? user_path_mountpoint_at+0x50/0x50 [ 39.504666] [] ? SyS_execve+0x42/0x50 [ 39.510163] [] ? stub_execve+0x5/0x5 [ 39.515522] [] ? __lock_acquire+0xa4f/0x4f50 [ 39.521566] [] ? trace_hardirqs_on+0x10/0x10 [ 39.527609] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 39.534428] [] do_open_execat+0x10c/0x6e0 [ 39.540208] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 39.547118] [] ? setup_arg_pages+0x7b0/0x7b0 [ 39.553164] [] ? do_execveat_common.isra.0+0x6b8/0x1e90 [ 39.560165] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 39.567001] [] ? do_execveat_common.isra.0+0x422/0x1e90 [ 39.574007] [] ? __check_object_size+0x222/0x332 [ 39.580407] [] ? strncpy_from_user+0xd0/0x230 [ 39.586588] [] ? prepare_bprm_creds+0x120/0x120 [ 39.593100] [] ? getname_flags+0x232/0x550 [ 39.598961] [] SyS_execve+0x42/0x50 [ 39.604225] [] stub_execve+0x5/0x5 [ 39.609403] [] ? tracesys+0x88/0x8d