[ 11.422733] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 16.290869] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.492753] audit: type=1400 audit(1537672729.900:6): avc: denied { map } for pid=1759 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 16.534459] random: sshd: uninitialized urandom read (32 bytes read)
[ 16.983237] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
[ 22.648179] urandom_read: 1 callbacks suppressed
[ 22.648183] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 22.740243] audit: type=1400 audit(1537672736.150:7): avc: denied { map } for pid=1777 comm="syz-executor580" path="/root/syz-executor580834810" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 22.839588]
[ 22.841259] ======================================================
[ 22.847546] WARNING: possible circular locking dependency detected
[ 22.853856] 4.14.71+ #8 Not tainted
[ 22.857589] ------------------------------------------------------
[ 22.863980] syz-executor580/1780 is trying to acquire lock:
[ 22.869672]  (&p->lock){+.+.}, at: [] seq_read+0xd4/0x11d0
[ 22.876841]
[ 22.876841] but task is already holding lock:
[ 22.882785]  (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70
[ 22.890490]
[ 22.890490] which lock already depends on the new lock.
[ 22.890490]
[ 22.898783]
[ 22.898783] the existing dependency chain (in reverse order) is:
[ 22.906393]
[ 22.906393] -> #2 (&pipe->mutex/1){+.+.}:
[ 22.912048]        __mutex_lock+0xf5/0x1480
[ 22.916347]        fifo_open+0x156/0x9d0
[ 22.920387]        do_dentry_open+0x426/0xda0
[ 22.924859]        vfs_open+0x11c/0x210
[ 22.928805]        path_openat+0x4eb/0x23a0
[ 22.933166]        do_filp_open+0x197/0x270
[ 22.937467]        do_open_execat+0x10d/0x5b0
[ 22.941942]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 22.947543]        SyS_execve+0x34/0x40
[ 22.951534]        do_syscall_64+0x19b/0x4b0
[ 22.955923]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 22.961687]
[ 22.961687] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 22.967995]        __mutex_lock+0xf5/0x1480
[ 22.972289]        lock_trace+0x3f/0xc0
[ 22.976240]        proc_pid_personality+0x17/0xc0
[ 22.981121]        proc_single_show+0xf1/0x160
[ 22.985685]        traverse+0x32b/0x8a0
[ 22.989631]        seq_read+0xc94/0x11d0
[ 22.993661]        do_iter_read+0x3cc/0x580
[ 22.997959]        vfs_readv+0xe6/0x150
[ 23.001910]        default_file_splice_read+0x495/0x860
[ 23.007246]        do_splice_to+0x102/0x150
[ 23.011542]        splice_direct_to_actor+0x21d/0x750
[ 23.016704]        do_splice_direct+0x17b/0x220
[ 23.021465]        do_sendfile+0x4a1/0xb50
[ 23.025674]        SyS_sendfile64+0xab/0x140
[ 23.030055]        do_syscall_64+0x19b/0x4b0
[ 23.034435]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 23.040115]
[ 23.040115] -> #0 (&p->lock){+.+.}:
[ 23.045197]        lock_acquire+0x10f/0x380
[ 23.049491]        __mutex_lock+0xf5/0x1480
[ 23.053787]        seq_read+0xd4/0x11d0
[ 23.057747]        proc_reg_read+0xef/0x170
[ 23.062039]        do_iter_read+0x3cc/0x580
[ 23.066330]        vfs_readv+0xe6/0x150
[ 23.070276]        default_file_splice_read+0x495/0x860
[ 23.075611]        do_splice_to+0x102/0x150
[ 23.079906]        SyS_splice+0xf4d/0x12a0
[ 23.084115]        do_syscall_64+0x19b/0x4b0
[ 23.088499]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 23.094176]
[ 23.094176] other info that might help us debug this:
[ 23.094176]
[ 23.102291] Chain exists of:
[ 23.102291]   &p->lock --> &sig->cred_guard_mutex --> &pipe->mutex/1
[ 23.102291]
[ 23.113234]  Possible unsafe locking scenario:
[ 23.113234]
[ 23.119267]        CPU0                    CPU1
[ 23.123916]        ----                    ----
[ 23.128559]   lock(&pipe->mutex/1);
[ 23.132160]                                lock(&sig->cred_guard_mutex);
[ 23.138969]                                lock(&pipe->mutex/1);
[ 23.145085]   lock(&p->lock);
[ 23.148307]
[ 23.148307]  *** DEADLOCK ***
[ 23.148307]
[ 23.154339] 1 lock held by syz-executor580/1780:
[ 23.159065]  #0:  (&pipe->mutex/1){+.+.}, at: [] pipe_lock+0x58/0x70
[ 23.167107]
[ 23.167107] stack backtrace:
[ 23.171580] CPU: 0 PID: 1780 Comm: syz-executor580 Not tainted 4.14.71+ #8
[ 23.178565] Call Trace:
[ 23.181135]  dump_stack+0xb9/0x11b
[ 23.184655]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 23.190340]  ? save_trace+0xd6/0x250
[ 23.194026]  __lock_acquire+0x2ff9/0x4320
[ 23.198148]  ? trace_hardirqs_on+0x10/0x10
[ 23.202437]  ? __read_once_size_nocheck.constprop.4+0x10/0x10
[ 23.208305]  ? __lock_acquire+0x619/0x4320
[ 23.212516]  ? __bfs+0x1ab/0x540
[ 23.215864]  ? __lock_acquire+0x619/0x4320
[ 23.220077]  lock_acquire+0x10f/0x380
[ 23.223856]  ? seq_read+0xd4/0x11d0
[ 23.227457]  ? seq_read+0xd4/0x11d0
[ 23.231056]  __mutex_lock+0xf5/0x1480
[ 23.234830]  ? seq_read+0xd4/0x11d0
[ 23.238430]  ? seq_read+0xd4/0x11d0
[ 23.242033]  ? trace_hardirqs_on+0x10/0x10
[ 23.246242]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 23.251669]  ? __is_insn_slot_addr+0x112/0x1f0
[ 23.256228]  ? lock_downgrade+0x560/0x560
[ 23.260404]  ? mark_held_locks+0xc2/0x130
[ 23.264533]  ? get_page_from_freelist+0x756/0x1ea0
[ 23.269500]  ? kasan_unpoison_shadow+0x30/0x40
[ 23.274073]  ? get_page_from_freelist+0x113c/0x1ea0
[ 23.279116]  ? seq_read+0xd4/0x11d0
[ 23.282768]  seq_read+0xd4/0x11d0
[ 23.286213]  ? __fsnotify_parent+0xb1/0x300
[ 23.290607]  ? seq_lseek+0x3d0/0x3d0
[ 23.294306]  ? __inode_security_revalidate+0xd5/0x120
[ 23.299471]  ? avc_policy_seqno+0x5/0x10
[ 23.303599]  ? seq_lseek+0x3d0/0x3d0
[ 23.307290]  proc_reg_read+0xef/0x170
[ 23.311116]  ? rw_verify_area+0xdd/0x280
[ 23.315160]  do_iter_read+0x3cc/0x580
[ 23.318939]  vfs_readv+0xe6/0x150
[ 23.322366]  ? compat_rw_copy_check_uvector+0x320/0x320
[ 23.327706]  ? kasan_unpoison_shadow+0x30/0x40
[ 23.332264]  ? kasan_kmalloc+0x76/0xc0
[ 23.336130]  ? iov_iter_get_pages_alloc+0x2c8/0xe40
[ 23.341118]  ? iov_iter_get_pages+0xc80/0xc80
[ 23.345586]  ? wake_up_q+0xed/0x150
[ 23.349190]  default_file_splice_read+0x495/0x860
[ 23.354007]  ? trace_hardirqs_on+0x10/0x10
[ 23.358220]  ? do_splice_direct+0x220/0x220
[ 23.362520]  ? trace_hardirqs_on_caller+0x381/0x520
[ 23.367513]  ? fsnotify+0x639/0x12d0
[ 23.371274]  ? lock_acquire+0x10f/0x380
[ 23.375244]  ? __fsnotify_parent+0xb1/0x300
[ 23.379573]  ? __fsnotify_update_child_dentry_flags.part.0+0x2e0/0x2e0
[ 23.386220]  ? __inode_security_revalidate+0xd5/0x120
[ 23.391386]  ? avc_policy_seqno+0x5/0x10
[ 23.395419]  ? security_file_permission+0x88/0x1e0
[ 23.400324]  ? do_splice_direct+0x220/0x220
[ 23.404616]  do_splice_to+0x102/0x150
[ 23.408391]  SyS_splice+0xf4d/0x12a0
[ 23.412084]  ? fput+0xa/0x130
[ 23.415164]  ? compat_SyS_vmsplice+0x150/0x150
[ 23.419717]  ? do_syscall_64+0x43/0x4b0
[ 23.423664]  ? compat_SyS_vmsplice+0x150/0x150
[ 23.428222]  do_syscall_64+0x19b/0x4b0
[ 23.432092]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 23.437254] RIP: 0033:0x4457e9
[ 23.440415] RSP: 002b:00007f7d6f0e3d08 EFLAGS: 00000216 ORIG_RAX: 0000000000000113
[ 23.448091] RAX: ffffffffffffffda RBX: 00000000006dac68 RCX: 00000000004457e9
[ 23.455331] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000004
[ 23.462574] RBP: 00000000006dac60 R08: 0000000000000200 R09: 0000000000000000
[ 23.469825] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000006dac6c
[ 23.477067] R13: 00007f7d6f0e3d20 R14: 706d67692f74656e R15: 00000000006dad4c