[....] Starting enhanced syslogd: rsyslogd[ 13.411780] audit: type=1400 audit(1546390076.389:4): avc: denied { syslog } for pid=1916 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 38.561197] [ 38.563025] ====================================================== [ 38.569318] [ INFO: possible circular locking dependency detected ] [ 38.575695] 4.4.169+ #1 Not tainted [ 38.579291] ------------------------------------------------------- [ 38.585673] syz-executor464/2075 is trying to acquire lock: [ 38.591356] (&pipe->mutex/1){+.+.+.}, at: [] fifo_open+0x15d/0xa00 [ 38.599904] [ 38.599904] but task is already holding lock: [ 38.605895] (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 38.615760] [ 38.615760] which lock already depends on the new lock. [ 38.615760] [ 38.624049] [ 38.624049] the existing dependency chain (in reverse order) is: [ 38.631641] -> #1 (&sig->cred_guard_mutex){+.+.+.}: [ 38.637302] [] lock_acquire+0x15e/0x450 [ 38.643554] [] mutex_lock_interruptible_nested+0xd2/0xce0 [ 38.651355] [] proc_pid_attr_write+0x1a8/0x2a0 [ 38.658204] [] __vfs_write+0x116/0x3d0 [ 38.664353] [] __kernel_write+0x112/0x370 [ 38.670790] [] write_pipe_buf+0x15d/0x1f0 [ 38.677200] [] __splice_from_pipe+0x37e/0x7a0 [ 38.683958] [] splice_from_pipe+0x108/0x170 [ 38.690554] [] default_file_splice_write+0x3c/0x80 [ 38.697798] [] SyS_splice+0xd71/0x13a0 [ 38.703955] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 38.711182] -> #0 (&pipe->mutex/1){+.+.+.}: [ 38.716297] [] __lock_acquire+0x37d6/0x4f50 [ 38.722905] [] lock_acquire+0x15e/0x450 [ 38.729152] [] mutex_lock_nested+0xc1/0xb80 [ 38.735763] [] fifo_open+0x15d/0xa00 [ 38.741738] [] do_dentry_open+0x38f/0xbd0 [ 38.748158] [] vfs_open+0x10b/0x210 [ 38.754052] [] path_openat+0x136f/0x4470 [ 38.760391] [] do_filp_open+0x1a1/0x270 [ 38.766677] [] do_open_execat+0x10c/0x6e0 [ 38.773102] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 38.780682] [] SyS_execve+0x42/0x50 [ 38.786617] [] return_from_execve+0x0/0x23 [ 38.793117] [ 38.793117] other info that might help us debug this: [ 38.793117] [ 38.801242] Possible unsafe locking scenario: [ 38.801242] [ 38.807270] CPU0 CPU1 [ 38.811911] ---- ---- [ 38.816549] lock(&sig->cred_guard_mutex); [ 38.821089] lock(&pipe->mutex/1); [ 38.827574] lock(&sig->cred_guard_mutex); [ 38.834632] lock(&pipe->mutex/1); [ 38.838617] [ 38.838617] *** DEADLOCK *** [ 38.838617] [ 38.844651] 1 lock held by syz-executor464/2075: [ 38.849390] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 38.859776] [ 38.859776] stack backtrace: [ 38.864245] CPU: 0 PID: 2075 Comm: syz-executor464 Not tainted 4.4.169+ #1 [ 38.871228] 0000000000000000 914fcddce397bfd1 ffff8800b6a97530 ffffffff81aab9c1 [ 38.879227] ffffffff84055ac0 ffff8801d5af17c0 ffffffff83abb460 ffffffff83ab4500 [ 38.887237] ffffffff83abb460 ffff8800b6a97580 ffffffff813abaf4 ffff8800b6a97660 [ 38.895252] Call Trace: [ 38.897814] [] dump_stack+0xc1/0x120 [ 38.903176] [] print_circular_bug.cold+0x2f7/0x44e [ 38.909729] [] __lock_acquire+0x37d6/0x4f50 [ 38.915676] [] ? trace_hardirqs_on+0x10/0x10 [ 38.921723] [] ? do_filp_open+0x1a1/0x270 [ 38.927514] [] ? do_execveat_common.isra.0+0x6f6/0x1e90 [ 38.934502] [] ? SyS_execve+0x42/0x50 [ 38.939927] [] ? stub_execve+0x5/0x5 [ 38.945283] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 38.952116] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 38.958851] [] lock_acquire+0x15e/0x450 [ 38.964451] [] ? fifo_open+0x15d/0xa00 [ 38.969964] [] ? fifo_open+0x15d/0xa00 [ 38.975474] [] mutex_lock_nested+0xc1/0xb80 [ 38.981418] [] ? fifo_open+0x15d/0xa00 [ 38.986950] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 38.993708] [] ? mutex_trylock+0x500/0x500 [ 38.999584] [] ? fifo_open+0x24d/0xa00 [ 39.005097] [] ? fifo_open+0x28c/0xa00 [ 39.010620] [] fifo_open+0x15d/0xa00 [ 39.015961] [] do_dentry_open+0x38f/0xbd0 [ 39.021734] [] ? __inode_permission2+0x9e/0x250 [ 39.028034] [] ? pipe_release+0x250/0x250 [ 39.033807] [] vfs_open+0x10b/0x210 [ 39.039080] [] ? may_open.isra.0+0xe7/0x210 [ 39.045057] [] path_openat+0x136f/0x4470 [ 39.050760] [] ? depot_save_stack+0x1c3/0x5f0 [ 39.056898] [] ? may_open.isra.0+0x210/0x210 [ 39.062933] [] ? kmemdup+0x27/0x60 [ 39.068159] [] ? selinux_cred_prepare+0x43/0xa0 [ 39.074455] [] ? security_prepare_creds+0x83/0xc0 [ 39.080919] [] ? prepare_creds+0x228/0x2b0 [ 39.086781] [] ? prepare_exec_creds+0x12/0xf0 [ 39.092934] [] ? do_execveat_common.isra.0+0x2d6/0x1e90 [ 39.099920] [] ? stub_execve+0x5/0x5 [ 39.105270] [] ? kasan_kmalloc+0xb7/0xd0 [ 39.110971] [] ? kasan_slab_alloc+0xf/0x20 [ 39.116833] [] ? kmem_cache_alloc+0xdc/0x2c0 [ 39.122865] [] ? prepare_creds+0x28/0x2b0 [ 39.128636] [] ? prepare_exec_creds+0x12/0xf0 [ 39.134759] [] do_filp_open+0x1a1/0x270 [ 39.140368] [] ? save_stack_trace+0x26/0x50 [ 39.146314] [] ? user_path_mountpoint_at+0x50/0x50 [ 39.152869] [] ? SyS_execve+0x42/0x50 [ 39.158291] [] ? stub_execve+0x5/0x5 [ 39.163634] [] ? __lock_acquire+0xa4f/0x4f50 [ 39.169665] [] ? trace_hardirqs_on+0x10/0x10 [ 39.175695] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 39.182510] [] do_open_execat+0x10c/0x6e0 [ 39.188283] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 39.195010] [] ? setup_arg_pages+0x7b0/0x7b0 [ 39.201055] [] ? do_execveat_common.isra.0+0x6b8/0x1e90 [ 39.208044] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 39.214861] [] ? do_execveat_common.isra.0+0x422/0x1e90 [ 39.221851] [] ? __check_object_size+0x222/0x332 [ 39.228233] [] ? strncpy_from_user+0xe0/0x230 [ 39.234355] [] ? prepare_bprm_creds+0x120/0x120 [ 39.240653] [] ? getname_flags+0x232/0x550 [ 39.246514] [] SyS_execve+0x42/0x50 [ 39.251763] [] stub_execve+0x5/0x5 [ 39.256952] [] ? tracesys+0x88/0x8d