[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 29.123534] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.395506] audit: type=1400 audit(1545617071.788:6): avc: denied { map } for pid=1762 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 29.438318] random: sshd: uninitialized urandom read (32 bytes read)
[ 29.923690] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.456946] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.115' (ECDSA) to the list of known hosts.
[ 43.186476] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.288777] audit: type=1400 audit(1545617085.678:7): avc: denied { map } for pid=1786 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
2018/12/24 02:04:46 parsed 1 programs
[ 43.907405] audit: type=1400 audit(1545617086.298:8): avc: denied { map } for pid=1786 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
[ 44.416321] random: cc1: uninitialized urandom read (8 bytes read)
2018/12/24 02:04:48 executed programs: 0
[ 45.670116] audit: type=1400 audit(1545617088.058:9): avc: denied { map } for pid=1786 comm="syz-execprog" path="/root/syzkaller-shm596211432" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
2018/12/24 02:04:55 executed programs: 6
2018/12/24 02:05:00 executed programs: 346
2018/12/24 02:05:05 executed programs: 719
2018/12/24 02:05:10 executed programs: 1086
2018/12/24 02:05:15 executed programs: 1461
2018/12/24 02:05:20 executed programs: 1834
2018/12/24 02:05:25 executed programs: 2188
2018/12/24 02:05:30 executed programs: 2552
2018/12/24 02:05:35 executed programs: 2916
2018/12/24 02:05:40 executed programs: 3306
[ 101.623795]
[ 101.625518] ======================================================
[ 101.631813] WARNING: possible circular locking dependency detected
[ 101.638110] 4.14.90+ #29 Not tainted
[ 101.641799] ------------------------------------------------------
[ 101.648109] syz-executor2/14878 is trying to acquire lock:
[ 101.653708]  (&sig->cred_guard_mutex){+.+.}, at: [] proc_pid_attr_write+0x16b/0x280
[ 101.663054]
[ 101.663054] but task is already holding lock:
[ 101.669004]  (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70
[ 101.676610]
[ 101.676610] which lock already depends on the new lock.
[ 101.676610]
[ 101.684902]
[ 101.684902] the existing dependency chain (in reverse order) is:
[ 101.692501]
[ 101.692501] -> #1 (&pipe->mutex/1){+.+.}:
[ 101.698111]        __mutex_lock+0xf5/0x1480
[ 101.702409]        fifo_open+0x156/0x9d0
[ 101.706467]        do_dentry_open+0x426/0xda0
[ 101.710943]        vfs_open+0x11c/0x210
[ 101.714899]        path_openat+0x5f9/0x2930
[ 101.719199]        do_filp_open+0x197/0x270
[ 101.723505]        do_open_execat+0x10d/0x5b0
[ 101.727983]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 101.733585]        SyS_execve+0x34/0x40
[ 101.737540]        do_syscall_64+0x19b/0x4b0
[ 101.741927]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 101.747614]
[ 101.747614] -> #0 (&sig->cred_guard_mutex){+.+.}:
[ 101.753917]        lock_acquire+0x10f/0x380
[ 101.758216]        __mutex_lock+0xf5/0x1480
[ 101.762518]        proc_pid_attr_write+0x16b/0x280
[ 101.767427]        __vfs_write+0xf4/0x5c0
[ 101.771572]        __kernel_write+0xf3/0x330
[ 101.775965]        write_pipe_buf+0x192/0x250
[ 101.780466]        __splice_from_pipe+0x324/0x740
[ 101.785295]        splice_from_pipe+0xcf/0x130
[ 101.789856]        default_file_splice_write+0x37/0x80
[ 101.795112]        SyS_splice+0xd06/0x12a0
[ 101.799327]        do_syscall_64+0x19b/0x4b0
[ 101.803713]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 101.809398]
[ 101.809398] other info that might help us debug this:
[ 101.809398]
[ 101.817519]  Possible unsafe locking scenario:
[ 101.817519]
[ 101.823557]        CPU0                    CPU1
[ 101.828199]        ----                    ----
[ 101.832841]   lock(&pipe->mutex/1);
[ 101.836463]                                lock(&sig->cred_guard_mutex);
[ 101.843283]                                lock(&pipe->mutex/1);
[ 101.849436]   lock(&sig->cred_guard_mutex);
[ 101.853752]
[ 101.853752]  *** DEADLOCK ***
[ 101.853752]
[ 101.859788] 2 locks held by syz-executor2/14878:
[ 101.864521]  #0:  (sb_writers#7){.+.+}, at: [] SyS_splice+0xeac/0x12a0
[ 101.872733]  #1:  (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70
[ 101.880772]
[ 101.880772] stack backtrace:
[ 101.885247] CPU: 0 PID: 14878 Comm: syz-executor2 Not tainted 4.14.90+ #29
[ 101.892236] Call Trace:
[ 101.894804]  dump_stack+0xb9/0x11b
[ 101.898326]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 101.904047]  ? save_trace+0xd6/0x250
[ 101.907744]  __lock_acquire+0x2ff9/0x4320
[ 101.911922]  ? __free_insn_slot+0x490/0x490
[ 101.916227]  ? check_preemption_disabled+0x34/0x1e0
[ 101.921228]  ? trace_hardirqs_on+0x10/0x10
[ 101.925443]  ? trace_hardirqs_on_caller+0x381/0x520
[ 101.930509]  ? depot_save_stack+0x20a/0x428
[ 101.934817]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 101.939293]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 101.943767]  ? __kmalloc_track_caller+0x104/0x300
[ 101.948593]  ? memdup_user+0x28/0x90
[ 101.952316]  ? proc_pid_attr_write+0xfc/0x280
[ 101.956791]  ? __vfs_write+0xf4/0x5c0
[ 101.960571]  lock_acquire+0x10f/0x380
[ 101.964353]  ? proc_pid_attr_write+0x16b/0x280
[ 101.968917]  ? proc_pid_attr_write+0x16b/0x280
[ 101.973486]  __mutex_lock+0xf5/0x1480
[ 101.977267]  ? proc_pid_attr_write+0x16b/0x280
[ 101.981858]  ? proc_pid_attr_write+0x16b/0x280
[ 101.986420]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 101.991854]  ? fs_reclaim_acquire+0x10/0x10
[ 101.996157]  ? check_stack_object+0x80/0xa0
[ 102.000475]  ? __might_fault+0xf/0x1b0
[ 102.004343]  ? _copy_from_user+0x94/0x100
[ 102.008490]  ? proc_pid_attr_write+0x16b/0x280
[ 102.013051]  proc_pid_attr_write+0x16b/0x280
[ 102.017440]  __vfs_write+0xf4/0x5c0
[ 102.021066]  ? proc_pid_wchan+0x120/0x120
[ 102.025224]  ? kernel_read+0x110/0x110
[ 102.029092]  ? futex_wake+0x141/0x420
[ 102.032874]  ? lock_acquire+0x10f/0x380
[ 102.036831]  ? pipe_lock+0x58/0x70
[ 102.040353]  __kernel_write+0xf3/0x330
[ 102.044221]  write_pipe_buf+0x192/0x250
[ 102.048206]  ? default_file_splice_read+0x860/0x860
[ 102.053202]  ? splice_from_pipe_next.part.2+0x21d/0x2e0
[ 102.058548]  __splice_from_pipe+0x324/0x740
[ 102.062851]  ? default_file_splice_read+0x860/0x860
[ 102.067861]  splice_from_pipe+0xcf/0x130
[ 102.071902]  ? default_file_splice_read+0x860/0x860
[ 102.076900]  ? splice_shrink_spd+0xb0/0xb0
[ 102.081117]  default_file_splice_write+0x37/0x80
[ 102.085883]  ? generic_splice_sendpage+0x40/0x40
[ 102.090724]  SyS_splice+0xd06/0x12a0
[ 102.094423]  ? do_clock_gettime+0x30/0xb0
[ 102.098553]  ? compat_SyS_vmsplice+0x150/0x150
[ 102.103114]  ? do_clock_gettime+0xb0/0xb0
[ 102.107241]  ? do_syscall_64+0x43/0x4b0
[ 102.111198]  ? compat_SyS_vmsplice+0x150/0x150
[ 102.115791]  do_syscall_64+0x19b/0x4b0
[ 102.119661]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 102.124832] RIP: 0033:0x457669
[ 102.128016] RSP: 002b:00007fc8fb65bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 102.135701] RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457669
[ 102.142950] RDX: 000000000000000a RSI: 0000000000000000 RDI: 0000000000000008
[ 102.150236] RBP: 000000000072c0e0 R08: 0000000000010005 R09: 0000000000000000
[ 102.157495] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc8fb65c6d4
[ 102.164745] R13: 00000000004c5ae3 R14: 00000000004d97b0 R15: 00000000ffffffff
[ 102.175383] audit: type=1400 audit(1545617144.568:10): avc: denied { create } for pid=14827 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=key permissive=1