[....] Starting OpenBSD Secure Shell server: sshd
[   11.585843] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[   26.770438] random: sshd: uninitialized urandom read (32 bytes read)
[   27.203310] audit: type=1400 audit(1544278828.665:6): avc:  denied  { map } for  pid=1765 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   27.253505] random: sshd: uninitialized urandom read (32 bytes read)
[   27.647621] random: sshd: uninitialized urandom read (32 bytes read)
[   27.799127] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.18' (ECDSA) to the list of known hosts.
[   33.416436] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.509574] audit: type=1400 audit(1544278834.965:7): avc:  denied  { map } for  pid=1783 comm="syz-executor582" path="/root/syz-executor582810847" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   33.523603]
[   33.523620] ======================================================
[   33.523621] WARNING: possible circular locking dependency detected
[   33.523623] 4.14.87+ #19 Not tainted
[   33.523624] ------------------------------------------------------
[   33.523627] syz-executor582/1783 is trying to acquire lock:
[   33.523628]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[   33.523658]
[   33.523658] but task is already holding lock:
[   33.523659]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[   33.523665]
[   33.523665] which lock already depends on the new lock.
[   33.523665]
[   33.523675]
[   33.523675] the existing dependency chain (in reverse order) is:
[   33.523677]
[   33.523677] -> #1 (&sig->cred_guard_mutex){+.+.}:
[   33.523686]        __mutex_lock+0xf5/0x1480
[   33.523707]        proc_pid_attr_write+0x16b/0x280
[   33.523711]        __vfs_write+0xf4/0x5c0
[   33.523714]        __kernel_write+0xf3/0x330
[   33.523719]        write_pipe_buf+0x192/0x250
[   33.523722]        __splice_from_pipe+0x324/0x740
[   33.523725]        splice_from_pipe+0xcf/0x130
[   33.523728]        default_file_splice_write+0x37/0x80
[   33.523731]        SyS_splice+0xd06/0x12a0
[   33.523735]        do_syscall_64+0x19b/0x4b0
[   33.523739]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.523739]
[   33.523739] -> #0 (&pipe->mutex/1){+.+.}:
[   33.523748]        lock_acquire+0x10f/0x380
[   33.523750]        __mutex_lock+0xf5/0x1480
[   33.523753]        fifo_open+0x156/0x9d0
[   33.523758]        do_dentry_open+0x426/0xda0
[   33.523761]        vfs_open+0x11c/0x210
[   33.523765]        path_openat+0x5f9/0x2930
[   33.523768]        do_filp_open+0x197/0x270
[   33.523771]        do_open_execat+0x10d/0x5b0
[   33.523774]        do_execveat_common.isra.14+0x6cb/0x1d60
[   33.523776]        SyS_execve+0x34/0x40
[   33.523779]        do_syscall_64+0x19b/0x4b0
[   33.523782]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.523783]
[   33.523783] other info that might help us debug this:
[   33.523783]
[   33.523785]  Possible unsafe locking scenario:
[   33.523785]
[   33.523786]        CPU0                    CPU1
[   33.523786]        ----                    ----
[   33.523787]   lock(&sig->cred_guard_mutex);
[   33.523789]                                lock(&pipe->mutex/1);
[   33.523791]                                lock(&sig->cred_guard_mutex);
[   33.523793]   lock(&pipe->mutex/1);
[   33.523796]
[   33.523796]  *** DEADLOCK ***
[   33.523796]
[   33.523798] 1 lock held by syz-executor582/1783:
[   33.523799]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[   33.523804]
[   33.523804] stack backtrace:
[   33.523808] CPU: 0 PID: 1783 Comm: syz-executor582 Not tainted 4.14.87+ #19
[   33.523810] Call Trace:
[   33.523817]  dump_stack+0xb9/0x11b
[   33.523823]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[   33.523827]  ? save_trace+0xd6/0x250
[   33.523830]  __lock_acquire+0x2ff9/0x4320
[   33.523838]  ? check_preemption_disabled+0x34/0x1e0
[   33.523843]  ? trace_hardirqs_on+0x10/0x10
[   33.523847]  ? trace_hardirqs_on_caller+0x381/0x520
[   33.523850]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[   33.523857]  ? __kmalloc+0x153/0x340
[   33.523860]  ? alloc_pipe_info+0x15b/0x370
[   33.523863]  ? fifo_open+0x1ef/0x9d0
[   33.523866]  ? do_dentry_open+0x426/0xda0
[   33.523869]  ? vfs_open+0x11c/0x210
[   33.523872]  ? path_openat+0x5f9/0x2930
[   33.523875]  ? do_filp_open+0x197/0x270
[   33.523879]  lock_acquire+0x10f/0x380
[   33.523897]  ? fifo_open+0x156/0x9d0
[   33.523901]  ? fifo_open+0x156/0x9d0
[   33.523903]  __mutex_lock+0xf5/0x1480
[   33.523924]  ? fifo_open+0x156/0x9d0
[   33.523947]  ? fifo_open+0x156/0x9d0
[   33.523953]  ? fsnotify+0x773/0x1200
[   33.523973]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[   33.523979]  ? fs_reclaim_acquire+0x10/0x10
[   33.523999]  ? fifo_open+0x284/0x9d0
[   33.524003]  ? lock_downgrade+0x560/0x560
[   33.524006]  ? lock_acquire+0x10f/0x380
[   33.524008]  ? fifo_open+0x243/0x9d0
[   33.524012]  ? debug_mutex_init+0x28/0x53
[   33.524016]  ? fifo_open+0x156/0x9d0
[   33.524019]  fifo_open+0x156/0x9d0
[   33.524023]  do_dentry_open+0x426/0xda0
[   33.524026]  ? pipe_release+0x240/0x240
[   33.524031]  vfs_open+0x11c/0x210
[   33.524035]  path_openat+0x5f9/0x2930
[   33.524040]  ? path_mountpoint+0x9a0/0x9a0
[   33.524047]  ? kasan_kmalloc.part.1+0xa9/0xd0
[   33.524051]  ? kasan_kmalloc.part.1+0x4f/0xd0
[   33.524054]  ? __kmalloc_track_caller+0x104/0x300
[   33.524060]  ? kmemdup+0x20/0x50
[   33.524065]  ? security_prepare_creds+0x7c/0xb0
[   33.524072]  ? prepare_creds+0x225/0x2a0
[   33.524076]  ? prepare_exec_creds+0xc/0xe0
[   33.524079]  ? prepare_bprm_creds+0x62/0x110
[   33.524082]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[   33.524085]  ? SyS_execve+0x34/0x40
[   33.524088]  ? do_syscall_64+0x19b/0x4b0
[   33.524093]  do_filp_open+0x197/0x270
[   33.524097]  ? may_open_dev+0xd0/0xd0
[   33.524101]  ? trace_hardirqs_on+0x10/0x10
[   33.524105]  ? fs_reclaim_acquire+0x10/0x10
[   33.524113]  ? rcu_read_lock_sched_held+0x102/0x120
[   33.524117]  do_open_execat+0x10d/0x5b0
[   33.524121]  ? setup_arg_pages+0x720/0x720
[   33.524125]  ? do_execveat_common.isra.14+0x68d/0x1d60
[   33.524128]  ? lock_downgrade+0x560/0x560
[   33.524131]  ? lock_acquire+0x10f/0x380
[   33.524136]  ? check_preemption_disabled+0x34/0x1e0
[   33.524140]  do_execveat_common.isra.14+0x6cb/0x1d60
[   33.524145]  ? prepare_bprm_creds+0x110/0x110
[   33.524149]  ? getname_flags+0x222/0x540
[   33.524152]  SyS_execve+0x34/0x40
[   33.524155]  ? setup_new_exec+0x770/0x770
[   33.524158]  do_syscall_64+0x19b/0x4b0
[   33.524163]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   33.524167] RIP: 0033:0x440139
[   33.524170] RSP: 002b:00007ffd55abbef8 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[   33.524175] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440139
[   33.524177] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000340
[   33.524179] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   33.524181] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019c0
[   33.524183] R13: 0000000000401a50 R14: 0000000000000000 R15: 0000000000000000