[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 11.286127] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 21.056627] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.320887] audit: type=1400 audit(1545706370.725:6): avc: denied { map } for pid=1756 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 21.356976] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.859841] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.871045] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.54' (ECDSA) to the list of known hosts.
[ 28.484728] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 28.581277] audit: type=1400 audit(1545706377.985:7): avc: denied { map } for pid=1774 comm="syz-executor517" path="/root/syz-executor517617566" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 28.593406]
[ 28.609174] ======================================================
[ 28.615461] WARNING: possible circular locking dependency detected
[ 28.621753] 4.14.90+ #29 Not tainted
[ 28.625440] ------------------------------------------------------
[ 28.631729] syz-executor517/1774 is trying to acquire lock:
[ 28.637411]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[ 28.645192]
[ 28.645192] but task is already holding lock:
[ 28.651134]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 28.660296]
[ 28.660296] which lock already depends on the new lock.
[ 28.660296]
[ 28.668720]
[ 28.668720] the existing dependency chain (in reverse order) is:
[ 28.676311]
[ 28.676311] -> #2 (&sig->cred_guard_mutex){+.+.}:
[ 28.682613]        __mutex_lock+0xf5/0x1480
[ 28.686910]        lock_trace+0x3f/0xc0
[ 28.690854]        proc_pid_personality+0x17/0xc0
[ 28.695718]        proc_single_show+0xf1/0x160
[ 28.700285]        seq_read+0x4e0/0x11d0
[ 28.704320]        do_iter_read+0x3cc/0x580
[ 28.708617]        vfs_readv+0xe6/0x150
[ 28.712575]        default_file_splice_read+0x495/0x860
[ 28.717918]        do_splice_to+0x102/0x150
[ 28.722212]        splice_direct_to_actor+0x21d/0x750
[ 28.727374]        do_splice_direct+0x17b/0x220
[ 28.732034]        do_sendfile+0x4a1/0xb50
[ 28.736244]        SyS_sendfile64+0x11f/0x140
[ 28.740793]        do_syscall_64+0x19b/0x4b0
[ 28.745183]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.750867]
[ 28.750867] -> #1 (&p->lock){+.+.}:
[ 28.755948]        __mutex_lock+0xf5/0x1480
[ 28.760246]        seq_read+0xd4/0x11d0
[ 28.764201]        proc_reg_read+0xef/0x170
[ 28.768498]        do_iter_read+0x3cc/0x580
[ 28.772791]        vfs_readv+0xe6/0x150
[ 28.776739]        default_file_splice_read+0x495/0x860
[ 28.782075]        do_splice_to+0x102/0x150
[ 28.786368]        SyS_splice+0xf4d/0x12a0
[ 28.790574]        do_syscall_64+0x19b/0x4b0
[ 28.794954]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.800675]
[ 28.800675] -> #0 (&pipe->mutex/1){+.+.}:
[ 28.806292]        lock_acquire+0x10f/0x380
[ 28.810587]        __mutex_lock+0xf5/0x1480
[ 28.814885]        fifo_open+0x156/0x9d0
[ 28.818974]        do_dentry_open+0x426/0xda0
[ 28.823451]        vfs_open+0x11c/0x210
[ 28.827550]        path_openat+0x5f9/0x2930
[ 28.831853]        do_filp_open+0x197/0x270
[ 28.836159]        do_open_execat+0x10d/0x5b0
[ 28.840632]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 28.846229]        SyS_execve+0x34/0x40
[ 28.850174]        do_syscall_64+0x19b/0x4b0
[ 28.854557]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 28.860236]
[ 28.860236] other info that might help us debug this:
[ 28.860236]
[ 28.868346] Chain exists of:
[ 28.868346]   &pipe->mutex/1 --> &p->lock --> &sig->cred_guard_mutex
[ 28.868346]
[ 28.879158]  Possible unsafe locking scenario:
[ 28.879158]
[ 28.885183]        CPU0                    CPU1
[ 28.889819]        ----                    ----
[ 28.894457]   lock(&sig->cred_guard_mutex);
[ 28.898750]                                lock(&p->lock);
[ 28.904344]                                lock(&sig->cred_guard_mutex);
[ 28.911153]   lock(&pipe->mutex/1);
[ 28.914751]
[ 28.914751]  *** DEADLOCK ***
[ 28.914751]
[ 28.920781] 1 lock held by syz-executor517/1774:
[ 28.925504]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 28.935106]
[ 28.935106] stack backtrace:
[ 28.939575] CPU: 0 PID: 1774 Comm: syz-executor517 Not tainted 4.14.90+ #29
[ 28.946640] Call Trace:
[ 28.949207]  dump_stack+0xb9/0x11b
[ 28.952792]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 28.958490]  ? save_trace+0xd6/0x250
[ 28.962183]  __lock_acquire+0x2ff9/0x4320
[ 28.966324]  ? check_preemption_disabled+0x34/0x1e0
[ 28.971922]  ? trace_hardirqs_on+0x10/0x10
[ 28.978029]  ? trace_hardirqs_on_caller+0x381/0x520
[ 28.983039]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 28.988119]  ? __kmalloc+0x153/0x340
[ 28.991808]  ? alloc_pipe_info+0x15b/0x370
[ 28.996012]  ? fifo_open+0x1ef/0x9d0
[ 28.999704]  ? do_dentry_open+0x426/0xda0
[ 29.003828]  ? vfs_open+0x11c/0x210
[ 29.007424]  ? path_openat+0x5f9/0x2930
[ 29.011374]  ? do_filp_open+0x197/0x270
[ 29.015323]  lock_acquire+0x10f/0x380
[ 29.019100]  ? fifo_open+0x156/0x9d0
[ 29.022788]  ? fifo_open+0x156/0x9d0
[ 29.026554]  __mutex_lock+0xf5/0x1480
[ 29.030340]  ? fifo_open+0x156/0x9d0
[ 29.034028]  ? fifo_open+0x156/0x9d0
[ 29.037714]  ? fsnotify+0x773/0x1200
[ 29.041404]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 29.046846]  ? fs_reclaim_acquire+0x10/0x10
[ 29.051140]  ? fifo_open+0x284/0x9d0
[ 29.054839]  ? lock_downgrade+0x560/0x560
[ 29.058969]  ? lock_acquire+0x10f/0x380
[ 29.062921]  ? fifo_open+0x243/0x9d0
[ 29.066607]  ? debug_mutex_init+0x28/0x53
[ 29.070728]  ? fifo_open+0x156/0x9d0
[ 29.074412]  fifo_open+0x156/0x9d0
[ 29.077930]  do_dentry_open+0x426/0xda0
[ 29.081880]  ? pipe_release+0x240/0x240
[ 29.085830]  vfs_open+0x11c/0x210
[ 29.089263]  path_openat+0x5f9/0x2930
[ 29.093037]  ? path_mountpoint+0x9a0/0x9a0
[ 29.097473]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 29.102042]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 29.106516]  ? __kmalloc_track_caller+0x104/0x300
[ 29.111343]  ? kmemdup+0x20/0x50
[ 29.114682]  ? security_prepare_creds+0x7c/0xb0
[ 29.119322]  ? prepare_creds+0x225/0x2a0
[ 29.123357]  ? prepare_exec_creds+0xc/0xe0
[ 29.127565]  ? prepare_bprm_creds+0x62/0x110
[ 29.131943]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[ 29.137192]  ? SyS_execve+0x34/0x40
[ 29.140793]  ? do_syscall_64+0x19b/0x4b0
[ 29.144935]  do_filp_open+0x197/0x270
[ 29.148712]  ? may_open_dev+0xd0/0xd0
[ 29.152493]  ? trace_hardirqs_on+0x10/0x10
[ 29.156700]  ? fs_reclaim_acquire+0x10/0x10
[ 29.160997]  ? rcu_read_lock_sched_held+0x102/0x120
[ 29.165991]  do_open_execat+0x10d/0x5b0
[ 29.169947]  ? setup_arg_pages+0x720/0x720
[ 29.174152]  ? do_execveat_common.isra.14+0x68d/0x1d60
[ 29.179401]  ? lock_downgrade+0x560/0x560
[ 29.183523]  ? lock_acquire+0x10f/0x380
[ 29.187479]  ? check_preemption_disabled+0x34/0x1e0
[ 29.192478]  do_execveat_common.isra.14+0x6cb/0x1d60
[ 29.197556]  ? prepare_bprm_creds+0x110/0x110
[ 29.202028]  ? getname_flags+0x222/0x540
[ 29.206070]  SyS_execve+0x34/0x40
[ 29.209498]  ? setup_new_exec+0x770/0x770
[ 29.213707]  do_syscall_64+0x19b/0x4b0
[ 29.217585]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 29.222751] RIP: 0033:0x4401a9
[ 29.225913] RSP: 002b:00007ffd30ed10a8 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[ 29.233791] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004401a9
[ 29.241036] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000340
[ 29.248282] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 29.255527] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401a90
[ 29.262782] R13: 0000000000401b20 R14: 0000000000000000 R15: 0000000000000000