[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 44.768717] random: sshd: uninitialized urandom read (32 bytes read) [ 45.223718] audit: type=1400 audit(1540359018.690:6): avc: denied { map } for pid=1790 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 45.266890] random: sshd: uninitialized urandom read (32 bytes read) [ 45.684315] random: sshd: uninitialized urandom read (32 bytes read) [ 51.159547] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.3' (ECDSA) to the list of known hosts. [ 56.787707] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 56.880438] audit: type=1400 audit(1540359030.350:7): avc: denied { map } for pid=1808 comm="syz-executor844" path="/root/syz-executor844854867" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 56.882717] [ 56.882718] ====================================================== [ 56.882719] WARNING: possible circular locking dependency detected [ 56.882722] 4.14.78+ #24 Not tainted [ 56.882723] ------------------------------------------------------ [ 56.882725] syz-executor844/1808 is trying to acquire lock: [ 56.882726] (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0 [ 56.882738] [ 56.882738] but task is already holding lock: [ 56.882739] (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110 [ 56.882747] [ 56.882747] which lock already depends on the new lock. [ 56.882747] [ 56.882748] [ 56.882748] the existing dependency chain (in reverse order) is: [ 56.882749] [ 56.882749] -> #1 (&sig->cred_guard_mutex){+.+.}: [ 56.882758] __mutex_lock+0xf5/0x1480 [ 56.882765] proc_pid_attr_write+0x16b/0x280 [ 56.882767] __vfs_write+0xf4/0x5c0 [ 56.882770] __kernel_write+0xf3/0x330 [ 56.882774] write_pipe_buf+0x192/0x250 [ 56.882777] __splice_from_pipe+0x324/0x740 [ 56.882780] splice_from_pipe+0xcf/0x130 [ 56.882783] default_file_splice_write+0x37/0x80 [ 56.882786] SyS_splice+0xd06/0x12a0 [ 56.882790] do_syscall_64+0x19b/0x4b0 [ 56.882794] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 56.882795] [ 56.882795] -> #0 (&pipe->mutex/1){+.+.}: [ 56.882802] lock_acquire+0x10f/0x380 [ 56.882805] __mutex_lock+0xf5/0x1480 [ 56.882808] fifo_open+0x156/0x9d0 [ 56.882812] do_dentry_open+0x426/0xda0 [ 56.882815] vfs_open+0x11c/0x210 [ 56.882818] path_openat+0x4eb/0x23a0 [ 56.882821] do_filp_open+0x197/0x270 [ 56.882825] do_open_execat+0x10d/0x5b0 [ 56.882828] do_execveat_common.isra.14+0x6cb/0x1d60 [ 56.882831] SyS_execve+0x34/0x40 [ 56.882833] do_syscall_64+0x19b/0x4b0 [ 56.882837] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 56.882838] [ 56.882838] other info that might help us debug this: [ 56.882838] [ 56.882839] Possible unsafe locking scenario: [ 56.882839] [ 56.882839] CPU0 CPU1 [ 56.882840] ---- ---- [ 56.882841] lock(&sig->cred_guard_mutex); [ 56.882843] lock(&pipe->mutex/1); [ 56.882846] lock(&sig->cred_guard_mutex); [ 56.882848] lock(&pipe->mutex/1); [ 56.882850] [ 56.882850] *** DEADLOCK *** [ 56.882850] [ 56.882853] 1 lock held by syz-executor844/1808: [ 56.882853] #0: (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110 [ 56.882860] [ 56.882860] stack backtrace: [ 56.882864] CPU: 0 PID: 1808 Comm: syz-executor844 Not tainted 4.14.78+ #24 [ 56.882866] Call Trace: [ 56.882871] dump_stack+0xb9/0x11b [ 56.882876] print_circular_bug.isra.18.cold.43+0x2d3/0x40c [ 56.882879] ? save_trace+0xd6/0x250 [ 56.882883] __lock_acquire+0x2ff9/0x4320 [ 56.882889] ? check_preemption_disabled+0x34/0x160 [ 56.882906] ? trace_hardirqs_on+0x10/0x10 [ 56.882910] ? trace_hardirqs_on_caller+0x381/0x520 [ 56.882914] ? _raw_spin_unlock_irqrestore+0x41/0x70 [ 56.882919] ? __lock_acquire+0x619/0x4320 [ 56.882922] ? alloc_pipe_info+0x15b/0x370 [ 56.882925] ? fifo_open+0x1ef/0x9d0 [ 56.882928] ? do_dentry_open+0x426/0xda0 [ 56.882931] ? vfs_open+0x11c/0x210 [ 56.882934] ? path_openat+0x4eb/0x23a0 [ 56.882938] lock_acquire+0x10f/0x380 [ 56.882941] ? fifo_open+0x156/0x9d0 [ 56.882945] ? fifo_open+0x156/0x9d0 [ 56.882949] __mutex_lock+0xf5/0x1480 [ 56.882952] ? fifo_open+0x156/0x9d0 [ 56.882955] ? fifo_open+0x156/0x9d0 [ 56.882958] ? dput.part.6+0x3b3/0x710 [ 56.882963] ? __ww_mutex_wakeup_for_backoff+0x240/0x240 [ 56.882969] ? fs_reclaim_acquire+0x10/0x10 [ 56.882973] ? fifo_open+0x284/0x9d0 [ 56.882976] ? lock_downgrade+0x560/0x560 [ 56.882979] ? lock_acquire+0x10f/0x380 [ 56.882982] ? fifo_open+0x243/0x9d0 [ 56.882985] ? debug_mutex_init+0x28/0x53 [ 56.882989] ? fifo_open+0x156/0x9d0 [ 56.882992] fifo_open+0x156/0x9d0 [ 56.882996] do_dentry_open+0x426/0xda0 [ 56.882999] ? pipe_release+0x240/0x240 [ 56.883004] vfs_open+0x11c/0x210 [ 56.883008] path_openat+0x4eb/0x23a0 [ 56.883013] ? path_mountpoint+0x9a0/0x9a0 [ 56.883019] ? kasan_kmalloc.part.1+0xa9/0xd0 [ 56.883022] ? kasan_kmalloc.part.1+0x4f/0xd0 [ 56.883026] ? __kmalloc_track_caller+0x104/0x300 [ 56.883031] ? kmemdup+0x20/0x50 [ 56.883036] ? security_prepare_creds+0x7c/0xb0 [ 56.883040] ? prepare_creds+0x225/0x2a0 [ 56.883043] ? prepare_exec_creds+0xc/0xe0 [ 56.883047] ? prepare_bprm_creds+0x62/0x110 [ 56.883051] ? do_execveat_common.isra.14+0x2cd/0x1d60 [ 56.883054] ? SyS_execve+0x34/0x40 [ 56.883056] ? do_syscall_64+0x19b/0x4b0 [ 56.883061] do_filp_open+0x197/0x270 [ 56.883065] ? may_open_dev+0xd0/0xd0 [ 56.883070] ? trace_hardirqs_on+0x10/0x10 [ 56.883073] ? fs_reclaim_acquire+0x10/0x10 [ 56.883081] ? rcu_read_lock_sched_held+0x102/0x120 [ 56.883085] do_open_execat+0x10d/0x5b0 [ 56.883089] ? setup_arg_pages+0x720/0x720 [ 56.883093] ? do_execveat_common.isra.14+0x68d/0x1d60 [ 56.883096] ? lock_downgrade+0x560/0x560 [ 56.883100] ? lock_acquire+0x10f/0x380 [ 56.883104] ? check_preemption_disabled+0x34/0x160 [ 56.883109] do_execveat_common.isra.14+0x6cb/0x1d60 [ 56.883114] ? prepare_bprm_creds+0x110/0x110 [ 56.883118] ? getname_flags+0x222/0x540 [ 56.883122] SyS_execve+0x34/0x40 [ 56.883125] ? setup_new_exec+0x770/0x770 [ 56.883128] do_syscall_64+0x19b/0x4b0 [ 56.883133] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 56.883136] RIP: 0033:0x440119 [ 56.883137] RSP: 002b:00007fffcc5f29f8 EFLAGS: 00000217 ORIG_RAX: 000000000000003b [ 56.883142] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440119 [ 56.883144] RDX: 0000000020000240 RSI: 0000000020000540 RDI: 0000000020000340 [ 56.883146] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 [ 56.883148] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019a0 [ 56.883150] R13: 0000000000401a30 R14: 0000000000000000 R15: 0000000000000000