[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 21.866703] random: sshd: uninitialized urandom read (32 bytes read) [ 22.280611] audit: type=1400 audit(1537761031.599:6): avc: denied { map } for pid=1770 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 22.329615] random: sshd: uninitialized urandom read (32 bytes read) [ 22.778617] random: sshd: uninitialized urandom read (32 bytes read) [ 22.929218] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.79' (ECDSA) to the list of known hosts. [ 28.591031] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 28.680964] audit: type=1400 audit(1537761037.999:7): avc: denied { map } for pid=1782 comm="syz-executor700" path="/root/syz-executor700743110" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 28.776583] [ 28.778221] ====================================================== [ 28.784523] WARNING: possible circular locking dependency detected [ 28.790814] 4.14.71+ #8 Not tainted [ 28.794413] ------------------------------------------------------ [ 28.800786] syz-executor700/1785 is trying to acquire lock: [ 28.806472] (&p->lock){+.+.}, at: [] seq_read+0xd4/0x11d0 [ 28.813640] [ 28.813640] but task is already holding lock: [ 28.819579] (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70 [ 28.827179] [ 28.827179] which lock already depends on the new lock. [ 28.827179] [ 28.835528] [ 28.835528] the existing dependency chain (in reverse order) is: [ 28.843129] [ 28.843129] -> #2 (&pipe->mutex/1){+.+.}: [ 28.848745] __mutex_lock+0xf5/0x1480 [ 28.853046] fifo_open+0x156/0x9d0 [ 28.857086] do_dentry_open+0x426/0xda0 [ 28.861555] vfs_open+0x11c/0x210 [ 28.865503] path_openat+0x4eb/0x23a0 [ 28.869806] do_filp_open+0x197/0x270 [ 28.874104] do_open_execat+0x10d/0x5b0 [ 28.878583] do_execveat_common.isra.14+0x6cb/0x1d60 [ 28.884178] SyS_execve+0x34/0x40 [ 28.888125] do_syscall_64+0x19b/0x4b0 [ 28.892504] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 28.898248] [ 28.898248] -> #1 (&sig->cred_guard_mutex){+.+.}: [ 28.904557] __mutex_lock+0xf5/0x1480 [ 28.908853] lock_trace+0x3f/0xc0 [ 28.912800] proc_pid_stack+0xcd/0x200 [ 28.917180] proc_single_show+0xf1/0x160 [ 28.921735] traverse+0x32b/0x8a0 [ 28.925681] seq_read+0xc94/0x11d0 [ 28.929712] do_iter_read+0x3cc/0x580 [ 28.934005] vfs_readv+0xe6/0x150 [ 28.937950] default_file_splice_read+0x495/0x860 [ 28.943284] do_splice_to+0x102/0x150 [ 28.947575] splice_direct_to_actor+0x21d/0x750 [ 28.952736] do_splice_direct+0x17b/0x220 [ 28.957386] do_sendfile+0x4a1/0xb50 [ 28.961597] SyS_sendfile64+0xab/0x140 [ 28.965978] do_syscall_64+0x19b/0x4b0 [ 28.970378] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 28.976060] [ 28.976060] -> #0 (&p->lock){+.+.}: [ 28.981146] lock_acquire+0x10f/0x380 [ 28.985441] __mutex_lock+0xf5/0x1480 [ 28.989742] seq_read+0xd4/0x11d0 [ 28.993692] proc_reg_read+0xef/0x170 [ 28.997992] do_iter_read+0x3cc/0x580 [ 29.002286] vfs_readv+0xe6/0x150 [ 29.006240] default_file_splice_read+0x495/0x860 [ 29.011579] do_splice_to+0x102/0x150 [ 29.015877] SyS_splice+0xf4d/0x12a0 [ 29.020086] do_syscall_64+0x19b/0x4b0 [ 29.024467] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 29.030149] [ 29.030149] other info that might help us debug this: [ 29.030149] [ 29.038293] Chain exists of: [ 29.038293] &p->lock --> &sig->cred_guard_mutex --> &pipe->mutex/1 [ 29.038293] [ 29.049120] Possible unsafe locking scenario: [ 29.049120] [ 29.055159] CPU0 CPU1 [ 29.059808] ---- ---- [ 29.064451] lock(&pipe->mutex/1); [ 29.068049] lock(&sig->cred_guard_mutex); [ 29.074868] lock(&pipe->mutex/1); [ 29.080993] lock(&p->lock); [ 29.084073] [ 29.084073] *** DEADLOCK *** [ 29.084073] [ 29.090102] 1 lock held by syz-executor700/1785: [ 29.094824] #0: (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70 [ 29.102864] [ 29.102864] stack backtrace: [ 29.107341] CPU: 0 PID: 1785 Comm: syz-executor700 Not tainted 4.14.71+ #8 [ 29.114324] Call Trace: [ 29.116891] dump_stack+0xb9/0x11b [ 29.120408] print_circular_bug.isra.18.cold.43+0x2d3/0x40c [ 29.126093] ? save_trace+0xd6/0x250 [ 29.129780] __lock_acquire+0x2ff9/0x4320 [ 29.133902] ? unwind_next_frame+0xea9/0x1930 [ 29.138371] ? trace_hardirqs_on+0x10/0x10 [ 29.142624] ? __read_once_size_nocheck.constprop.4+0x10/0x10 [ 29.148493] ? __lock_acquire+0x619/0x4320 [ 29.152716] ? __lock_acquire+0x619/0x4320 [ 29.156924] ? __lock_acquire+0x619/0x4320 [ 29.161135] lock_acquire+0x10f/0x380 [ 29.164914] ? seq_read+0xd4/0x11d0 [ 29.168513] ? seq_read+0xd4/0x11d0 [ 29.172139] __mutex_lock+0xf5/0x1480 [ 29.175935] ? seq_read+0xd4/0x11d0 [ 29.179536] ? seq_read+0xd4/0x11d0 [ 29.183143] ? trace_hardirqs_on+0x10/0x10 [ 29.187350] ? __ww_mutex_wakeup_for_backoff+0x240/0x240 [ 29.192777] ? __is_insn_slot_addr+0x112/0x1f0 [ 29.197332] ? lock_downgrade+0x560/0x560 [ 29.201451] ? mark_held_locks+0xc2/0x130 [ 29.205578] ? get_page_from_freelist+0x756/0x1ea0 [ 29.210485] ? kasan_unpoison_shadow+0x30/0x40 [ 29.215050] ? get_page_from_freelist+0x113c/0x1ea0 [ 29.220037] ? seq_read+0xd4/0x11d0 [ 29.223638] seq_read+0xd4/0x11d0 [ 29.227069] ? __fsnotify_parent+0xb1/0x300 [ 29.231362] ? seq_lseek+0x3d0/0x3d0 [ 29.235050] ? __inode_security_revalidate+0xd5/0x120 [ 29.240215] ? avc_policy_seqno+0x5/0x10 [ 29.244247] ? seq_lseek+0x3d0/0x3d0 [ 29.247934] proc_reg_read+0xef/0x170 [ 29.251819] ? rw_verify_area+0xdd/0x280 [ 29.255892] do_iter_read+0x3cc/0x580 [ 29.259673] vfs_readv+0xe6/0x150 [ 29.263104] ? compat_rw_copy_check_uvector+0x320/0x320 [ 29.268440] ? kasan_unpoison_shadow+0x30/0x40 [ 29.272995] ? kasan_kmalloc+0x76/0xc0 [ 29.276872] ? iov_iter_get_pages+0xc80/0xc80 [ 29.281345] ? wake_up_q+0xed/0x150 [ 29.284944] default_file_splice_read+0x495/0x860 [ 29.289768] ? trace_hardirqs_on+0x10/0x10 [ 29.293996] ? do_splice_direct+0x220/0x220 [ 29.298420] ? __lock_acquire+0x619/0x4320 [ 29.302634] ? fsnotify+0x639/0x12d0 [ 29.306331] ? lock_acquire+0x10f/0x380 [ 29.310280] ? __fsnotify_parent+0xb1/0x300 [ 29.314622] ? __fsnotify_update_child_dentry_flags.part.0+0x2e0/0x2e0 [ 29.321258] ? __inode_security_revalidate+0xd5/0x120 [ 29.326419] ? avc_policy_seqno+0x5/0x10 [ 29.330452] ? security_file_permission+0x88/0x1e0 [ 29.335353] ? do_splice_direct+0x220/0x220 [ 29.339661] do_splice_to+0x102/0x150 [ 29.343435] SyS_splice+0xf4d/0x12a0 [ 29.347125] ? do_pipe_flags+0x150/0x150 [ 29.351170] ? compat_SyS_vmsplice+0x150/0x150 [ 29.355835] ? _raw_spin_unlock_irq+0x24/0x50 [ 29.360308] ? do_syscall_64+0x43/0x4b0 [ 29.364261] ? compat_SyS_vmsplice+0x150/0x150 [ 29.368888] do_syscall_64+0x19b/0x4b0 [ 29.372836] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 29.378008] RIP: 0033:0x4457a9 [ 29.381242] RSP: 002b:00007fd42aa0dd08 EFLAGS: 00000216 ORIG_RAX: 0000000000000113 [ 29.388998] RAX: ffffffffffffffda RBX: 00000000006dac68 RCX: 00000000004457a9 [ 29.396247] RDX: 0000000000000005 RSI: 0000000020000240 RDI: 0000000000000006 [ 29.403492] RBP: 00000000006dac60 R08: 00000000000001ff R09: 0000000000000000 [ 29.410802] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000006dac6c [ 29.418062] R13: 00007fd42aa0dd20 R14: 65732f636f72702f R15: 00000000006dad4c