[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 12.077786] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 17.366044] random: sshd: uninitialized urandom read (32 bytes read)
[ 17.689555] audit: type=1400 audit(1538262583.083:6): avc: denied { map } for pid=1758 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 17.732365] random: sshd: uninitialized urandom read (32 bytes read)
[ 18.204488] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
[ 23.811942] urandom_read: 1 callbacks suppressed
[ 23.811946] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 23.912334] audit: type=1400 audit(1538262589.313:7): avc: denied { map } for pid=1776 comm="syz-executor390" path="/root/syz-executor390186967" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 23.924228]
[ 23.924231] ======================================================
[ 23.924232] WARNING: possible circular locking dependency detected
[ 23.924237] 4.14.73+ #12 Not tainted
[ 23.924238] ------------------------------------------------------
[ 23.924242] syz-executor390/1776 is trying to acquire lock:
[ 23.924243]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[ 23.924263]
[ 23.924263] but task is already holding lock:
[ 23.924264]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 23.924279]
[ 23.924279] which lock already depends on the new lock.
[ 23.924279]
[ 23.924281]
[ 23.924281] the existing dependency chain (in reverse order) is:
[ 23.924282]
[ 23.924282] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 23.924298]        __mutex_lock+0xf5/0x1480
[ 23.924308]        proc_pid_attr_write+0x16b/0x280
[ 23.924314]        __vfs_write+0xf4/0x5c0
[ 23.924318]        __kernel_write+0xf3/0x330
[ 23.924326]        write_pipe_buf+0x192/0x250
[ 23.924331]        __splice_from_pipe+0x324/0x740
[ 23.924336]        splice_from_pipe+0xcf/0x130
[ 23.924342]        default_file_splice_write+0x37/0x80
[ 23.924347]        SyS_splice+0xd06/0x12a0
[ 23.924353]        do_syscall_64+0x19b/0x4b0
[ 23.924360]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 23.924361]
[ 23.924361] -> #0 (&pipe->mutex/1){+.+.}:
[ 23.924375]        lock_acquire+0x10f/0x380
[ 23.924381]        __mutex_lock+0xf5/0x1480
[ 23.924385]        fifo_open+0x156/0x9d0
[ 23.924393]        do_dentry_open+0x426/0xda0
[ 23.924399]        vfs_open+0x11c/0x210
[ 23.924406]        path_openat+0x4eb/0x23a0
[ 23.924411]        do_filp_open+0x197/0x270
[ 23.924417]        do_open_execat+0x10d/0x5b0
[ 23.924423]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 23.924428]        SyS_execve+0x34/0x40
[ 23.924432]        do_syscall_64+0x19b/0x4b0
[ 23.924438]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 23.924440]
[ 23.924440] other info that might help us debug this:
[ 23.924440]
[ 23.924442]  Possible unsafe locking scenario:
[ 23.924442]
[ 23.924443]        CPU0                    CPU1
[ 23.924444]        ----                    ----
[ 23.924445]   lock(&sig->cred_guard_mutex);
[ 23.924449]                                lock(&pipe->mutex/1);
[ 23.924454]                                lock(&sig->cred_guard_mutex);
[ 23.924458]   lock(&pipe->mutex/1);
[ 23.924463]
[ 23.924463]  *** DEADLOCK ***
[ 23.924463]
[ 23.924467] 1 lock held by syz-executor390/1776:
[ 23.924468]  #0: (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 23.924480]
[ 23.924480] stack backtrace:
[ 23.924487] CPU: 0 PID: 1776 Comm: syz-executor390 Not tainted 4.14.73+ #12
[ 23.924489] Call Trace:
[ 23.924498]  dump_stack+0xb9/0x11b
[ 23.924508]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 23.924514]  ? save_trace+0xd6/0x250
[ 23.924521]  __lock_acquire+0x2ff9/0x4320
[ 23.924531]  ? check_preemption_disabled+0x34/0x160
[ 23.924542]  ? trace_hardirqs_on+0x10/0x10
[ 23.924548]  ? trace_hardirqs_on_caller+0x381/0x520
[ 23.924555]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 23.924565]  ? __lock_acquire+0x619/0x4320
[ 23.924570]  ? alloc_pipe_info+0x15b/0x370
[ 23.924575]  ? fifo_open+0x1ef/0x9d0
[ 23.924581]  ? do_dentry_open+0x426/0xda0
[ 23.924587]  ? vfs_open+0x11c/0x210
[ 23.924593]  ? path_openat+0x4eb/0x23a0
[ 23.924600]  lock_acquire+0x10f/0x380
[ 23.924605]  ? fifo_open+0x156/0x9d0
[ 23.924612]  ? fifo_open+0x156/0x9d0
[ 23.924619]  __mutex_lock+0xf5/0x1480
[ 23.924624]  ? fifo_open+0x156/0x9d0
[ 23.924629]  ? fifo_open+0x156/0x9d0
[ 23.924635]  ? dput.part.6+0x3b3/0x710
[ 23.924641]  ? alloc_pipe_info+0xad/0x370
[ 23.924649]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 23.924659]  ? fs_reclaim_acquire+0x10/0x10
[ 23.924667]  ? fifo_open+0x284/0x9d0
[ 23.924673]  ? lock_downgrade+0x560/0x560
[ 23.924678]  ? lock_acquire+0x10f/0x380
[ 23.924683]  ? fifo_open+0x243/0x9d0
[ 23.924689]  ? debug_mutex_init+0x28/0x53
[ 23.924696]  ? fifo_open+0x156/0x9d0
[ 23.924701]  fifo_open+0x156/0x9d0
[ 23.924709]  do_dentry_open+0x426/0xda0
[ 23.924714]  ? pipe_release+0x240/0x240
[ 23.924723]  vfs_open+0x11c/0x210
[ 23.924731]  path_openat+0x4eb/0x23a0
[ 23.924740]  ? path_mountpoint+0x9a0/0x9a0
[ 23.924750]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 23.924756]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 23.924762]  ? __kmalloc_track_caller+0x104/0x300
[ 23.924769]  ? kmemdup+0x20/0x50
[ 23.924776]  ? security_prepare_creds+0x7c/0xb0
[ 23.924783]  ? prepare_creds+0x225/0x2a0
[ 23.924789]  ? prepare_exec_creds+0xc/0xe0
[ 23.924796]  ? prepare_bprm_creds+0x62/0x110
[ 23.924812]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[ 23.924817]  ? SyS_execve+0x34/0x40
[ 23.924822]  ? do_syscall_64+0x19b/0x4b0
[ 23.924831]  do_filp_open+0x197/0x270
[ 23.924838]  ? may_open_dev+0xd0/0xd0
[ 23.924858]  ? trace_hardirqs_on+0x10/0x10
[ 23.924865]  ? fs_reclaim_acquire+0x10/0x10
[ 23.924878]  ? rcu_read_lock_sched_held+0x102/0x120
[ 23.924886]  do_open_execat+0x10d/0x5b0
[ 23.924893]  ? setup_arg_pages+0x720/0x720
[ 23.924901]  ? do_execveat_common.isra.14+0x68d/0x1d60
[ 23.924907]  ? lock_downgrade+0x560/0x560
[ 23.924913]  ? lock_acquire+0x10f/0x380
[ 23.924920]  ? check_preemption_disabled+0x34/0x160
[ 23.924929]  do_execveat_common.isra.14+0x6cb/0x1d60
[ 23.924939]  ? prepare_bprm_creds+0x110/0x110
[ 23.924946]  ? getname_flags+0x222/0x540
[ 23.924953]  SyS_execve+0x34/0x40
[ 23.924958]  ? setup_new_exec+0x770/0x770
[ 23.924964]  do_syscall_64+0x19b/0x4b0
[ 23.924972]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 23.924977] RIP: 0033:0x440149
[ 23.924980] RSP: 002b:00007ffcaca5c828 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[ 23.924987] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440149
[ 23.924991] RDX: 0000000020000500 RSI: 00000000200000c0 RDI: 00000000200003c0
[ 23.924995] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 23.924999] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019d0
[ 23.925003] R13: 0000000000401a60 R14: 0000000000000000 R15: 0000000000000000