[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   23.844920] random: sshd: uninitialized urandom read (32 bytes read)
[   24.252324] audit: type=1400 audit(1539010794.520:6): avc:  denied  { map } for  pid=1766 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   24.304949] random: sshd: uninitialized urandom read (32 bytes read)
[   24.744910] random: sshd: uninitialized urandom read (32 bytes read)
[   24.905022] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.88' (ECDSA) to the list of known hosts.
[   30.570202] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   30.659045] audit: type=1400 audit(1539010800.920:7): avc:  denied  { map } for  pid=1778 comm="syz-executor137" path="/root/syz-executor137139717" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   30.662668] 
[   30.662671] ======================================================
[   30.662672] WARNING: possible circular locking dependency detected
[   30.662676] 4.14.74+ #17 Not tainted
[   30.662678] ------------------------------------------------------
[   30.662680] syz-executor137/1778 is trying to acquire lock:
[   30.662682]  (&pipe->mutex/1){+.+.}, at: [<ffffffffb8175c16>] fifo_open+0x156/0x9d0
[   30.662698] 
[   30.662698] but task is already holding lock:
[   30.662699]  (&sig->cred_guard_mutex){+.+.}, at: [<ffffffffb817005e>] prepare_bprm_creds+0x4e/0x110
[   30.662712] 
[   30.662712] which lock already depends on the new lock.
[   30.662712] 
[   30.662713] 
[   30.662713] the existing dependency chain (in reverse order) is:
[   30.662714] 
[   30.662714] -> #1 (&sig->cred_guard_mutex){+.+.}:
[   30.662727]        __mutex_lock+0xf5/0x1480
[   30.662735]        proc_pid_attr_write+0x16b/0x280
[   30.662740]        __vfs_write+0xf4/0x5c0
[   30.662744]        __kernel_write+0xf3/0x330
[   30.662750]        write_pipe_buf+0x192/0x250
[   30.662755]        __splice_from_pipe+0x324/0x740
[   30.662759]        splice_from_pipe+0xcf/0x130
[   30.662764]        default_file_splice_write+0x37/0x80
[   30.662769]        SyS_splice+0xd06/0x12a0
[   30.662775]        do_syscall_64+0x19b/0x4b0
[   30.662780]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.662782] 
[   30.662782] -> #0 (&pipe->mutex/1){+.+.}:
[   30.662793]        lock_acquire+0x10f/0x380
[   30.662798]        __mutex_lock+0xf5/0x1480
[   30.662802]        fifo_open+0x156/0x9d0
[   30.662809]        do_dentry_open+0x426/0xda0
[   30.662814]        vfs_open+0x11c/0x210
[   30.662819]        path_openat+0x4eb/0x23a0
[   30.662823]        do_filp_open+0x197/0x270
[   30.662828]        do_open_execat+0x10d/0x5b0
[   30.662834]        do_execveat_common.isra.14+0x6cb/0x1d60
[   30.662838]        SyS_execve+0x34/0x40
[   30.662842]        do_syscall_64+0x19b/0x4b0
[   30.662847]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.662849] 
[   30.662849] other info that might help us debug this:
[   30.662849] 
[   30.662850]  Possible unsafe locking scenario:
[   30.662850] 
[   30.662851]        CPU0                    CPU1
[   30.662853]        ----                    ----
[   30.662854]   lock(&sig->cred_guard_mutex);
[   30.662857]                                lock(&pipe->mutex/1);
[   30.662861]                                lock(&sig->cred_guard_mutex);
[   30.662864]   lock(&pipe->mutex/1);
[   30.662869] 
[   30.662869]  *** DEADLOCK ***
[   30.662869] 
[   30.662872] 1 lock held by syz-executor137/1778:
[   30.662873]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [<ffffffffb817005e>] prepare_bprm_creds+0x4e/0x110
[   30.662884] 
[   30.662884] stack backtrace:
[   30.662889] CPU: 0 PID: 1778 Comm: syz-executor137 Not tainted 4.14.74+ #17
[   30.662891] Call Trace:
[   30.662899]  dump_stack+0xb9/0x11b
[   30.662906]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[   30.662912]  ? save_trace+0xd6/0x250
[   30.662918]  __lock_acquire+0x2ff9/0x4320
[   30.662925]  ? check_preemption_disabled+0x34/0x160
[   30.662935]  ? trace_hardirqs_on+0x10/0x10
[   30.662941]  ? trace_hardirqs_on_caller+0x381/0x520
[   30.662947]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[   30.662956]  ? __lock_acquire+0x619/0x4320
[   30.662960]  ? alloc_pipe_info+0x15b/0x370
[   30.662964]  ? fifo_open+0x1ef/0x9d0
[   30.662969]  ? do_dentry_open+0x426/0xda0
[   30.662980]  ? vfs_open+0x11c/0x210
[   30.662985]  ? path_openat+0x4eb/0x23a0
[   30.662992]  lock_acquire+0x10f/0x380
[   30.662996]  ? fifo_open+0x156/0x9d0
[   30.663013]  ? fifo_open+0x156/0x9d0
[   30.663018]  __mutex_lock+0xf5/0x1480
[   30.663023]  ? fifo_open+0x156/0x9d0
[   30.663028]  ? fifo_open+0x156/0x9d0
[   30.663033]  ? dput.part.6+0x3b3/0x710
[   30.663040]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[   30.663049]  ? fs_reclaim_acquire+0x10/0x10
[   30.663056]  ? fifo_open+0x284/0x9d0
[   30.663061]  ? lock_downgrade+0x560/0x560
[   30.663066]  ? lock_acquire+0x10f/0x380
[   30.663071]  ? fifo_open+0x243/0x9d0
[   30.663076]  ? debug_mutex_init+0x28/0x53
[   30.663082]  ? fifo_open+0x156/0x9d0
[   30.663086]  fifo_open+0x156/0x9d0
[   30.663093]  do_dentry_open+0x426/0xda0
[   30.663098]  ? pipe_release+0x240/0x240
[   30.663106]  vfs_open+0x11c/0x210
[   30.663113]  path_openat+0x4eb/0x23a0
[   30.663121]  ? path_mountpoint+0x9a0/0x9a0
[   30.663129]  ? kasan_kmalloc.part.1+0xa9/0xd0
[   30.663136]  ? kasan_kmalloc.part.1+0x4f/0xd0
[   30.663141]  ? __kmalloc_track_caller+0x104/0x300
[   30.663147]  ? kmemdup+0x20/0x50
[   30.663154]  ? security_prepare_creds+0x7c/0xb0
[   30.663161]  ? prepare_creds+0x225/0x2a0
[   30.663166]  ? prepare_exec_creds+0xc/0xe0
[   30.663172]  ? prepare_bprm_creds+0x62/0x110
[   30.663178]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[   30.663182]  ? SyS_execve+0x34/0x40
[   30.663186]  ? do_syscall_64+0x19b/0x4b0
[   30.663194]  do_filp_open+0x197/0x270
[   30.663201]  ? may_open_dev+0xd0/0xd0
[   30.663208]  ? trace_hardirqs_on+0x10/0x10
[   30.663214]  ? fs_reclaim_acquire+0x10/0x10
[   30.663225]  ? rcu_read_lock_sched_held+0x102/0x120
[   30.663231]  do_open_execat+0x10d/0x5b0
[   30.663238]  ? setup_arg_pages+0x720/0x720
[   30.663244]  ? do_execveat_common.isra.14+0x68d/0x1d60
[   30.663250]  ? lock_downgrade+0x560/0x560
[   30.663255]  ? lock_acquire+0x10f/0x380
[   30.663261]  ? check_preemption_disabled+0x34/0x160
[   30.663269]  do_execveat_common.isra.14+0x6cb/0x1d60
[   30.663278]  ? prepare_bprm_creds+0x110/0x110
[   30.663284]  ? getname_flags+0x222/0x540
[   30.663290]  SyS_execve+0x34/0x40
[   30.663296]  ? setup_new_exec+0x770/0x770
[   30.663300]  do_syscall_64+0x19b/0x4b0
[   30.663308]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   30.663312] RIP: 0033:0x440129
[   30.663315] RSP: 002b:00007fffb26785f8 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[   30.663321] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440129
[   30.663324] RDX: 0000000020000500 RSI: 0000000020578fe8 RDI: 0000000020ee6ff8
[   30.663328] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   30.663331] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019b0
[   30.663334] R13: 0000000000401a40 R14: 0000000000000000 R15: 0000000000000000
[   31.270159] audit: type=1400 audit(1539010800.920:8): avc:  denied  { create } for  pid=1778 comm="syz-executor137" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=key permissive=1