[....] Starting enhanced syslogd: rsyslogd[ 13.712109] audit: type=1400 audit(1552755250.894:4): avc: denied { syslog } for pid=1915 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 36.463106] [ 36.464767] ====================================================== [ 36.471057] [ INFO: possible circular locking dependency detected ] [ 36.477434] 4.4.174+ #4 Not tainted [ 36.481028] ------------------------------------------------------- [ 36.487410] syz-executor493/2073 is trying to acquire lock: [ 36.493152] (&pipe->mutex/1){+.+.+.}, at: [] fifo_open+0x15d/0xa00 [ 36.501731] [ 36.501731] but task is already holding lock: [ 36.507674] (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 36.517538] [ 36.517538] which lock already depends on the new lock. [ 36.517538] [ 36.525828] [ 36.525828] the existing dependency chain (in reverse order) is: [ 36.533455] -> #1 (&sig->cred_guard_mutex){+.+.+.}: [ 36.539137] [] lock_acquire+0x15e/0x450 [ 36.545377] [] mutex_lock_interruptible_nested+0xd2/0xce0 [ 36.553181] [] proc_pid_attr_write+0x1a8/0x2a0 [ 36.560101] [] __vfs_write+0x116/0x3d0 [ 36.566261] [] __kernel_write+0x112/0x370 [ 36.572671] [] write_pipe_buf+0x15d/0x1f0 [ 36.579086] [] __splice_from_pipe+0x37e/0x7a0 [ 36.585894] [] splice_from_pipe+0x108/0x170 [ 36.592482] [] default_file_splice_write+0x3c/0x80 [ 36.599768] [] SyS_splice+0xd71/0x13a0 [ 36.605923] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 36.613299] -> #0 (&pipe->mutex/1){+.+.+.}: [ 36.618385] [] __lock_acquire+0x37d6/0x4f50 [ 36.624980] [] lock_acquire+0x15e/0x450 [ 36.631239] [] mutex_lock_nested+0xc1/0xb80 [ 36.637835] [] fifo_open+0x15d/0xa00 [ 36.643815] [] do_dentry_open+0x38f/0xbd0 [ 36.650233] [] vfs_open+0x10b/0x210 [ 36.656149] [] path_openat+0x136f/0x4470 [ 36.662480] [] do_filp_open+0x1a1/0x270 [ 36.668726] [] do_open_execat+0x10c/0x6e0 [ 36.675147] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 36.682716] [] SyS_execve+0x42/0x50 [ 36.688656] [] return_from_execve+0x0/0x23 [ 36.695206] [ 36.695206] other info that might help us debug this: [ 36.695206] [ 36.703324] Possible unsafe locking scenario: [ 36.703324] [ 36.709365] CPU0 CPU1 [ 36.714007] ---- ---- [ 36.718682] lock(&sig->cred_guard_mutex); [ 36.723222] lock(&pipe->mutex/1); [ 36.729802] lock(&sig->cred_guard_mutex); [ 36.736855] lock(&pipe->mutex/1); [ 36.740811] [ 36.740811] *** DEADLOCK *** [ 36.740811] [ 36.746847] 1 lock held by syz-executor493/2073: [ 36.751572] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 36.762079] [ 36.762079] stack backtrace: [ 36.766550] CPU: 0 PID: 2073 Comm: syz-executor493 Not tainted 4.4.174+ #4 [ 36.773539] 0000000000000000 f9396b1606f906d3 ffff8800b69c7530 ffffffff81aad1a1 [ 36.781581] ffffffff84057a80 ffff8801d4490000 ffffffff83abd610 ffffffff83ab6860 [ 36.789567] ffffffff83abd610 ffff8800b69c7580 ffffffff813abcda ffff8800b69c7660 [ 36.797562] Call Trace: [ 36.800143] [] dump_stack+0xc1/0x120 [ 36.805480] [] print_circular_bug.cold+0x2f7/0x44e [ 36.812028] [] __lock_acquire+0x37d6/0x4f50 [ 36.817979] [] ? trace_hardirqs_on+0x10/0x10 [ 36.824029] [] ? do_filp_open+0x1a1/0x270 [ 36.829806] [] ? do_execveat_common.isra.0+0x6f6/0x1e90 [ 36.836795] [] ? SyS_execve+0x42/0x50 [ 36.842226] [] ? stub_execve+0x5/0x5 [ 36.847575] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 36.854321] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 36.861050] [] lock_acquire+0x15e/0x450 [ 36.866655] [] ? fifo_open+0x15d/0xa00 [ 36.872165] [] ? fifo_open+0x15d/0xa00 [ 36.877769] [] mutex_lock_nested+0xc1/0xb80 [ 36.883722] [] ? fifo_open+0x15d/0xa00 [ 36.889251] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 36.895979] [] ? mutex_trylock+0x500/0x500 [ 36.901835] [] ? fifo_open+0x24d/0xa00 [ 36.907341] [] ? fifo_open+0x28c/0xa00 [ 36.912848] [] fifo_open+0x15d/0xa00 [ 36.918188] [] do_dentry_open+0x38f/0xbd0 [ 36.923959] [] ? __inode_permission2+0x9e/0x250 [ 36.930255] [] ? pipe_release+0x250/0x250 [ 36.936045] [] vfs_open+0x10b/0x210 [ 36.941343] [] ? may_open.isra.0+0xe7/0x210 [ 36.947402] [] path_openat+0x136f/0x4470 [ 36.953096] [] ? depot_save_stack+0x1c3/0x5f0 [ 36.959221] [] ? may_open.isra.0+0x210/0x210 [ 36.965296] [] ? kmemdup+0x27/0x60 [ 36.970488] [] ? selinux_cred_prepare+0x43/0xa0 [ 36.976841] [] ? security_prepare_creds+0x83/0xc0 [ 36.983398] [] ? prepare_creds+0x228/0x2b0 [ 36.989261] [] ? prepare_exec_creds+0x12/0xf0 [ 36.995380] [] ? do_execveat_common.isra.0+0x2d6/0x1e90 [ 37.002369] [] ? stub_execve+0x5/0x5 [ 37.007758] [] ? kasan_kmalloc+0xb7/0xd0 [ 37.013447] [] ? kasan_slab_alloc+0xf/0x20 [ 37.019319] [] ? kmem_cache_alloc+0xdc/0x2c0 [ 37.025349] [] ? prepare_creds+0x28/0x2b0 [ 37.031124] [] ? prepare_exec_creds+0x12/0xf0 [ 37.037304] [] do_filp_open+0x1a1/0x270 [ 37.042911] [] ? save_stack_trace+0x26/0x50 [ 37.048866] [] ? user_path_mountpoint_at+0x50/0x50 [ 37.055464] [] ? SyS_execve+0x42/0x50 [ 37.060893] [] ? stub_execve+0x5/0x5 [ 37.066231] [] ? __lock_acquire+0xa4f/0x4f50 [ 37.072336] [] ? trace_hardirqs_on+0x10/0x10 [ 37.078379] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 37.085196] [] do_open_execat+0x10c/0x6e0 [ 37.091048] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 37.097824] [] ? setup_arg_pages+0x7b0/0x7b0 [ 37.103862] [] ? do_execveat_common.isra.0+0x6b8/0x1e90 [ 37.110851] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 37.117663] [] ? do_execveat_common.isra.0+0x422/0x1e90 [ 37.124653] [] ? __check_object_size+0x222/0x332 [ 37.131155] [] ? strncpy_from_user+0xd0/0x230 [ 37.137284] [] ? prepare_bprm_creds+0x120/0x120 [ 37.143592] [] ? getname_flags+0x232/0x550 [ 37.149455] [] SyS_execve+0x42/0x50 [ 37.154713] [] stub_execve+0x5/0x5 [ 37.159890] [] ? tracesys+0x88/0x8d