[....] Starting file context maintaining daemon: restorecond[ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 23.844920] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.252324] audit: type=1400 audit(1539010794.520:6): avc: denied { map } for pid=1766 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 24.304949] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.744910] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.905022] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.88' (ECDSA) to the list of known hosts.
[ 30.570202] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 30.659045] audit: type=1400 audit(1539010800.920:7): avc: denied { map } for pid=1778 comm="syz-executor137" path="/root/syz-executor137139717" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 30.662668]
[ 30.662671] ======================================================
[ 30.662672] WARNING: possible circular locking dependency detected
[ 30.662676] 4.14.74+ #17 Not tainted
[ 30.662678] ------------------------------------------------------
[ 30.662680] syz-executor137/1778 is trying to acquire lock:
[ 30.662682]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[ 30.662698]
[ 30.662698] but task is already holding lock:
[ 30.662699]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 30.662712]
[ 30.662712] which lock already depends on the new lock.
[ 30.662712]
[ 30.662713]
[ 30.662713] the existing dependency chain (in reverse order) is:
[ 30.662714]
[ 30.662714] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 30.662727]        __mutex_lock+0xf5/0x1480
[ 30.662735]        proc_pid_attr_write+0x16b/0x280
[ 30.662740]        __vfs_write+0xf4/0x5c0
[ 30.662744]        __kernel_write+0xf3/0x330
[ 30.662750]        write_pipe_buf+0x192/0x250
[ 30.662755]        __splice_from_pipe+0x324/0x740
[ 30.662759]        splice_from_pipe+0xcf/0x130
[ 30.662764]        default_file_splice_write+0x37/0x80
[ 30.662769]        SyS_splice+0xd06/0x12a0
[ 30.662775]        do_syscall_64+0x19b/0x4b0
[ 30.662780]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.662782]
[ 30.662782] -> #0 (&pipe->mutex/1){+.+.}:
[ 30.662793]        lock_acquire+0x10f/0x380
[ 30.662798]        __mutex_lock+0xf5/0x1480
[ 30.662802]        fifo_open+0x156/0x9d0
[ 30.662809]        do_dentry_open+0x426/0xda0
[ 30.662814]        vfs_open+0x11c/0x210
[ 30.662819]        path_openat+0x4eb/0x23a0
[ 30.662823]        do_filp_open+0x197/0x270
[ 30.662828]        do_open_execat+0x10d/0x5b0
[ 30.662834]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 30.662838]        SyS_execve+0x34/0x40
[ 30.662842]        do_syscall_64+0x19b/0x4b0
[ 30.662847]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.662849]
[ 30.662849] other info that might help us debug this:
[ 30.662849]
[ 30.662850]  Possible unsafe locking scenario:
[ 30.662850]
[ 30.662851]        CPU0                    CPU1
[ 30.662853]        ----                    ----
[ 30.662854]   lock(&sig->cred_guard_mutex);
[ 30.662857]                                lock(&pipe->mutex/1);
[ 30.662861]                                lock(&sig->cred_guard_mutex);
[ 30.662864]   lock(&pipe->mutex/1);
[ 30.662869]
[ 30.662869]  *** DEADLOCK ***
[ 30.662869]
[ 30.662872] 1 lock held by syz-executor137/1778:
[ 30.662873]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 30.662884]
[ 30.662884] stack backtrace:
[ 30.662889] CPU: 0 PID: 1778 Comm: syz-executor137 Not tainted 4.14.74+ #17
[ 30.662891] Call Trace:
[ 30.662899]  dump_stack+0xb9/0x11b
[ 30.662906]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 30.662912]  ? save_trace+0xd6/0x250
[ 30.662918]  __lock_acquire+0x2ff9/0x4320
[ 30.662925]  ? check_preemption_disabled+0x34/0x160
[ 30.662935]  ? trace_hardirqs_on+0x10/0x10
[ 30.662941]  ? trace_hardirqs_on_caller+0x381/0x520
[ 30.662947]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 30.662956]  ? __lock_acquire+0x619/0x4320
[ 30.662960]  ? alloc_pipe_info+0x15b/0x370
[ 30.662964]  ? fifo_open+0x1ef/0x9d0
[ 30.662969]  ? do_dentry_open+0x426/0xda0
[ 30.662980]  ? vfs_open+0x11c/0x210
[ 30.662985]  ? path_openat+0x4eb/0x23a0
[ 30.662992]  lock_acquire+0x10f/0x380
[ 30.662996]  ? fifo_open+0x156/0x9d0
[ 30.663013]  ? fifo_open+0x156/0x9d0
[ 30.663018]  __mutex_lock+0xf5/0x1480
[ 30.663023]  ? fifo_open+0x156/0x9d0
[ 30.663028]  ? fifo_open+0x156/0x9d0
[ 30.663033]  ? dput.part.6+0x3b3/0x710
[ 30.663040]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 30.663049]  ? fs_reclaim_acquire+0x10/0x10
[ 30.663056]  ? fifo_open+0x284/0x9d0
[ 30.663061]  ? lock_downgrade+0x560/0x560
[ 30.663066]  ? lock_acquire+0x10f/0x380
[ 30.663071]  ? fifo_open+0x243/0x9d0
[ 30.663076]  ? debug_mutex_init+0x28/0x53
[ 30.663082]  ? fifo_open+0x156/0x9d0
[ 30.663086]  fifo_open+0x156/0x9d0
[ 30.663093]  do_dentry_open+0x426/0xda0
[ 30.663098]  ? pipe_release+0x240/0x240
[ 30.663106]  vfs_open+0x11c/0x210
[ 30.663113]  path_openat+0x4eb/0x23a0
[ 30.663121]  ? path_mountpoint+0x9a0/0x9a0
[ 30.663129]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 30.663136]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 30.663141]  ? __kmalloc_track_caller+0x104/0x300
[ 30.663147]  ? kmemdup+0x20/0x50
[ 30.663154]  ? security_prepare_creds+0x7c/0xb0
[ 30.663161]  ? prepare_creds+0x225/0x2a0
[ 30.663166]  ? prepare_exec_creds+0xc/0xe0
[ 30.663172]  ? prepare_bprm_creds+0x62/0x110
[ 30.663178]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[ 30.663182]  ? SyS_execve+0x34/0x40
[ 30.663186]  ? do_syscall_64+0x19b/0x4b0
[ 30.663194]  do_filp_open+0x197/0x270
[ 30.663201]  ? may_open_dev+0xd0/0xd0
[ 30.663208]  ? trace_hardirqs_on+0x10/0x10
[ 30.663214]  ? fs_reclaim_acquire+0x10/0x10
[ 30.663225]  ? rcu_read_lock_sched_held+0x102/0x120
[ 30.663231]  do_open_execat+0x10d/0x5b0
[ 30.663238]  ? setup_arg_pages+0x720/0x720
[ 30.663244]  ? do_execveat_common.isra.14+0x68d/0x1d60
[ 30.663250]  ? lock_downgrade+0x560/0x560
[ 30.663255]  ? lock_acquire+0x10f/0x380
[ 30.663261]  ? check_preemption_disabled+0x34/0x160
[ 30.663269]  do_execveat_common.isra.14+0x6cb/0x1d60
[ 30.663278]  ? prepare_bprm_creds+0x110/0x110
[ 30.663284]  ? getname_flags+0x222/0x540
[ 30.663290]  SyS_execve+0x34/0x40
[ 30.663296]  ? setup_new_exec+0x770/0x770
[ 30.663300]  do_syscall_64+0x19b/0x4b0
[ 30.663308]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 30.663312] RIP: 0033:0x440129
[ 30.663315] RSP: 002b:00007fffb26785f8 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[ 30.663321] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440129
[ 30.663324] RDX: 0000000020000500 RSI: 0000000020578fe8 RDI: 0000000020ee6ff8
[ 30.663328] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 30.663331] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019b0
[ 30.663334] R13: 0000000000401a40 R14: 0000000000000000 R15: 0000000000000000
[ 31.270159] audit: type=1400 audit(1539010800.920:8): avc: denied { create } for pid=1778 comm="syz-executor137" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=key permissive=1