[ 11.098225] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 18.787499] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.185569] audit: type=1400 audit(1543209227.628:6): avc: denied { map } for pid=1765 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 19.222117] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.616076] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.45' (ECDSA) to the list of known hosts.
[ 25.684528] urandom_read: 1 callbacks suppressed
[ 25.684531] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 25.778035] audit: type=1400 audit(1543209234.218:7): avc: denied { map } for pid=1783 comm="syz-executor697" path="/root/syz-executor697362538" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 25.828249]
[ 25.829985] ======================================================
[ 25.836286] WARNING: possible circular locking dependency detected
[ 25.842572] 4.14.83+ #9 Not tainted
[ 25.846167] ------------------------------------------------------
[ 25.852458] syz-executor697/1784 is trying to acquire lock:
[ 25.858137]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[ 25.865913]
[ 25.865913] but task is already holding lock:
[ 25.871874]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 25.881032]
[ 25.881032] which lock already depends on the new lock.
[ 25.881032]
[ 25.889319]
[ 25.889319] the existing dependency chain (in reverse order) is:
[ 25.896908]
[ 25.896908] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 25.903203]        __mutex_lock+0xf5/0x1480
[ 25.907695]        proc_pid_attr_write+0x16b/0x280
[ 25.912675]        __vfs_write+0xf4/0x5c0
[ 25.916809]        __kernel_write+0xf3/0x330
[ 25.921213]        write_pipe_buf+0x192/0x250
[ 25.925679]        __splice_from_pipe+0x324/0x740
[ 25.930491]        splice_from_pipe+0xcf/0x130
[ 25.935044]        default_file_splice_write+0x37/0x80
[ 25.940293]        SyS_splice+0xd06/0x12a0
[ 25.944500]        do_syscall_64+0x19b/0x4b0
[ 25.948883]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 25.954567]
[ 25.954567] -> #0 (&pipe->mutex/1){+.+.}:
[ 25.960180]        lock_acquire+0x10f/0x380
[ 25.964487]        __mutex_lock+0xf5/0x1480
[ 25.968785]        fifo_open+0x156/0x9d0
[ 25.972893]        do_dentry_open+0x426/0xda0
[ 25.977374]        vfs_open+0x11c/0x210
[ 25.981326]        path_openat+0x4eb/0x23a0
[ 25.985619]        do_filp_open+0x197/0x270
[ 25.990092]        do_open_execat+0x10d/0x5b0
[ 25.994659]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 26.000257]        SyS_execve+0x34/0x40
[ 26.004203]        do_syscall_64+0x19b/0x4b0
[ 26.008583]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.014264]
[ 26.014264] other info that might help us debug this:
[ 26.014264]
[ 26.022457]  Possible unsafe locking scenario:
[ 26.022457]
[ 26.028487]        CPU0                    CPU1
[ 26.033126]        ----                    ----
[ 26.037763]   lock(&sig->cred_guard_mutex);
[ 26.042052]                                lock(&pipe->mutex/1);
[ 26.048170]                                lock(&sig->cred_guard_mutex);
[ 26.055052]   lock(&pipe->mutex/1);
[ 26.058819]
[ 26.058819]  *** DEADLOCK ***
[ 26.058819]
[ 26.064879] 1 lock held by syz-executor697/1784:
[ 26.069636]  #0: (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 26.079418]
[ 26.079418] stack backtrace:
[ 26.084095] CPU: 0 PID: 1784 Comm: syz-executor697 Not tainted 4.14.83+ #9
[ 26.091078] Call Trace:
[ 26.093659]  dump_stack+0xb9/0x11b
[ 26.097189]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 26.102882]  ? save_trace+0xd6/0x250
[ 26.106572]  __lock_acquire+0x2ff9/0x4320
[ 26.110823]  ? check_preemption_disabled+0x34/0x1e0
[ 26.115842]  ? trace_hardirqs_on+0x10/0x10
[ 26.120203]  ? trace_hardirqs_on_caller+0x381/0x520
[ 26.125195]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 26.130279]  ? __lock_acquire+0x619/0x4320
[ 26.134493]  ? alloc_pipe_info+0x15b/0x370
[ 26.138701]  ? fifo_open+0x1ef/0x9d0
[ 26.142515]  ? do_dentry_open+0x426/0xda0
[ 26.146740]  ? vfs_open+0x11c/0x210
[ 26.150343]  ? path_openat+0x4eb/0x23a0
[ 26.154298]  lock_acquire+0x10f/0x380
[ 26.158068]  ? fifo_open+0x156/0x9d0
[ 26.161757]  ? fifo_open+0x156/0x9d0
[ 26.165615]  __mutex_lock+0xf5/0x1480
[ 26.169394]  ? fifo_open+0x156/0x9d0
[ 26.173080]  ? fifo_open+0x156/0x9d0
[ 26.176783]  ? dput.part.6+0x3b3/0x710
[ 26.180652]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 26.186077]  ? fs_reclaim_acquire+0x10/0x10
[ 26.190372]  ? fifo_open+0x284/0x9d0
[ 26.194056]  ? lock_downgrade+0x560/0x560
[ 26.198174]  ? lock_acquire+0x10f/0x380
[ 26.202245]  ? fifo_open+0x243/0x9d0
[ 26.205931]  ? debug_mutex_init+0x28/0x53
[ 26.210049]  ? fifo_open+0x156/0x9d0
[ 26.213742]  fifo_open+0x156/0x9d0
[ 26.217362]  do_dentry_open+0x426/0xda0
[ 26.221315]  ? pipe_release+0x240/0x240
[ 26.225262]  vfs_open+0x11c/0x210
[ 26.228779]  path_openat+0x4eb/0x23a0
[ 26.232552]  ? path_mountpoint+0x9a0/0x9a0
[ 26.236759]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 26.241227]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 26.245715]  ? __kmalloc_track_caller+0x104/0x300
[ 26.250544]  ? kmemdup+0x20/0x50
[ 26.253888]  ? security_prepare_creds+0x7c/0xb0
[ 26.258529]  ? prepare_creds+0x225/0x2a0
[ 26.262562]  ? prepare_exec_creds+0xc/0xe0
[ 26.266773]  ? prepare_bprm_creds+0x62/0x110
[ 26.271157]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[ 26.276406]  ? SyS_execve+0x34/0x40
[ 26.280005]  ? do_syscall_64+0x19b/0x4b0
[ 26.284048]  do_filp_open+0x197/0x270
[ 26.287841]  ? may_open_dev+0xd0/0xd0
[ 26.291619]  ? trace_hardirqs_on+0x10/0x10
[ 26.295832]  ? fs_reclaim_acquire+0x10/0x10
[ 26.300432]  ? rcu_read_lock_sched_held+0x102/0x120
[ 26.305441]  do_open_execat+0x10d/0x5b0
[ 26.309403]  ? setup_arg_pages+0x720/0x720
[ 26.313680]  ? do_execveat_common.isra.14+0x68d/0x1d60
[ 26.318942]  ? lock_downgrade+0x560/0x560
[ 26.323081]  ? lock_acquire+0x10f/0x380
[ 26.327179]  ? check_preemption_disabled+0x34/0x1e0
[ 26.332173]  do_execveat_common.isra.14+0x6cb/0x1d60
[ 26.337256]  ? prepare_bprm_creds+0x110/0x110
[ 26.341724]  ? getname_flags+0x222/0x540
[ 26.345765]  SyS_execve+0x34/0x40
[ 26.349206]  ? setup_new_exec+0x770/0x770
[ 26.353327]  do_syscall_64+0x19b/0x4b0
[ 26.357190]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 26.362351] RIP: 0033:0x445759
[ 26.365580] RSP: 002b:00007f6315636da8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
[ 26.373267] RAX: ffffffffffffffda RBX: 00000000006dac48 RCX: 0000000000445759
[ 2