[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 51.243611] random: sshd: uninitialized urandom read (32 bytes read)
[ 51.677282] audit: type=1400 audit(1541159776.085:6): avc: denied { map } for pid=1786 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 51.720365] random: sshd: uninitialized urandom read (32 bytes read)
[ 52.176616] random: sshd: uninitialized urandom read (32 bytes read)
[ 52.335072] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.110' (ECDSA) to the list of known hosts.
[ 57.809381] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 57.903213] audit: type=1400 audit(1541159782.315:7): avc: denied { map } for pid=1799 comm="syz-executor618" path="/root/syz-executor618887805" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 58.001344]
[ 58.003044] ======================================================
[ 58.009417] WARNING: possible circular locking dependency detected
[ 58.015724] 4.14.78+ #26 Not tainted
[ 58.019419] ------------------------------------------------------
[ 58.025724] syz-executor618/1803 is trying to acquire lock:
[ 58.031562]  (&sig->cred_guard_mutex){+.+.}, at: [] proc_pid_attr_write+0x16b/0x280
[ 58.040919]
[ 58.040919] but task is already holding lock:
[ 58.046877]  (&pipe->mutex/1){+.+.}, at: [] pipe_wait+0x185/0x1b0
[ 58.054716]
[ 58.054716] which lock already depends on the new lock.
[ 58.054716]
[ 58.063068]
[ 58.063068] the existing dependency chain (in reverse order) is:
[ 58.070750]
[ 58.070750] -> #1 (&pipe->mutex/1){+.+.}:
[ 58.076435]        __mutex_lock+0xf5/0x1480
[ 58.080751]        fifo_open+0x156/0x9d0
[ 58.084931]        do_dentry_open+0x426/0xda0
[ 58.089424]        vfs_open+0x11c/0x210
[ 58.093392]        path_openat+0x4eb/0x23a0
[ 58.097701]        do_filp_open+0x197/0x270
[ 58.102029]        do_open_execat+0x10d/0x5b0
[ 58.106523]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 58.112138]        SyS_execve+0x34/0x40
[ 58.116098]        do_syscall_64+0x19b/0x4b0
[ 58.120509]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.126198]
[ 58.126198] -> #0 (&sig->cred_guard_mutex){+.+.}:
[ 58.132537]        lock_acquire+0x10f/0x380
[ 58.136845]        __mutex_lock+0xf5/0x1480
[ 58.141158]        proc_pid_attr_write+0x16b/0x280
[ 58.146072]        __vfs_write+0xf4/0x5c0
[ 58.150274]        __kernel_write+0xf3/0x330
[ 58.154681]        write_pipe_buf+0x192/0x250
[ 58.159156]        __splice_from_pipe+0x324/0x740
[ 58.164038]        splice_from_pipe+0xcf/0x130
[ 58.168606]        default_file_splice_write+0x37/0x80
[ 58.173864]        SyS_splice+0xd06/0x12a0
[ 58.178079]        do_syscall_64+0x19b/0x4b0
[ 58.182582]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.188332]
[ 58.188332] other info that might help us debug this:
[ 58.188332]
[ 58.196460]  Possible unsafe locking scenario:
[ 58.196460]
[ 58.202501]        CPU0                    CPU1
[ 58.207148]        ----                    ----
[ 58.211800]   lock(&pipe->mutex/1);
[ 58.215405]                                lock(&sig->cred_guard_mutex);
[ 58.222222]                                lock(&pipe->mutex/1);
[ 58.228457]   lock(&sig->cred_guard_mutex);
[ 58.232763]
[ 58.232763]  *** DEADLOCK ***
[ 58.232763]
[ 58.238849] 2 locks held by syz-executor618/1803:
[ 58.243797]  #0: (sb_writers#7){.+.+}, at: [] SyS_splice+0xeac/0x12a0
[ 58.252027]  #1: (&pipe->mutex/1){+.+.}, at: [] pipe_wait+0x185/0x1b0
[ 58.260291]
[ 58.260291] stack backtrace:
[ 58.264772] CPU: 0 PID: 1803 Comm: syz-executor618 Not tainted 4.14.78+ #26
[ 58.271845] Call Trace:
[ 58.274427]  dump_stack+0xb9/0x11b
[ 58.277964]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 58.283661]  ? save_trace+0xd6/0x250
[ 58.287356]  __lock_acquire+0x2ff9/0x4320
[ 58.291487]  ? __free_insn_slot+0x490/0x490
[ 58.295829]  ? check_preemption_disabled+0x34/0x160
[ 58.301059]  ? trace_hardirqs_on+0x10/0x10
[ 58.305482]  ? trace_hardirqs_on_caller+0x381/0x520
[ 58.310676]  ? depot_save_stack+0x20a/0x428
[ 58.315001]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 58.319485]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 58.323960]  ? __kmalloc_track_caller+0x104/0x300
[ 58.328785]  ? memdup_user+0x28/0x90
[ 58.332577]  ? proc_pid_attr_write+0xfc/0x280
[ 58.337157]  ? __vfs_write+0xf4/0x5c0
[ 58.341093]  lock_acquire+0x10f/0x380
[ 58.344878]  ? proc_pid_attr_write+0x16b/0x280
[ 58.349439]  ? proc_pid_attr_write+0x16b/0x280
[ 58.354007]  __mutex_lock+0xf5/0x1480
[ 58.357850]  ? proc_pid_attr_write+0x16b/0x280
[ 58.362420]  ? proc_pid_attr_write+0x16b/0x280
[ 58.366980]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 58.372410]  ? fs_reclaim_acquire+0x10/0x10
[ 58.376707]  ? check_stack_object+0x80/0xa0
[ 58.381006]  ? __might_fault+0xf/0x1b0
[ 58.384876]  ? _copy_from_user+0x94/0x100
[ 58.389010]  ? proc_pid_attr_write+0x16b/0x280
[ 58.393577]  proc_pid_attr_write+0x16b/0x280
[ 58.398004]  __vfs_write+0xf4/0x5c0
[ 58.401631]  ? proc_pid_wchan+0x120/0x120
[ 58.405838]  ? kernel_read+0x110/0x110
[ 58.409717]  ? __schedule+0x731/0x1ed0
[ 58.413584]  ? __sched_text_start+0x8/0x8
[ 58.417711]  ? wait_for_completion_io+0x10/0x10
[ 58.422358]  __kernel_write+0xf3/0x330
[ 58.426224]  write_pipe_buf+0x192/0x250
[ 58.430173]  ? default_file_splice_read+0x860/0x860
[ 58.435169]  ? splice_from_pipe_next.part.2+0x21d/0x2e0
[ 58.440516]  __splice_from_pipe+0x324/0x740
[ 58.444818]  ? default_file_splice_read+0x860/0x860
[ 58.449808]  splice_from_pipe+0xcf/0x130
[ 58.453853]  ? default_file_splice_read+0x860/0x860
[ 58.458845]  ? splice_shrink_spd+0xb0/0xb0
[ 58.463058]  default_file_splice_write+0x37/0x80
[ 58.467792]  ? generic_splice_sendpage+0x40/0x40
[ 58.472525]  SyS_splice+0xd06/0x12a0
[ 58.476219]  ? do_pipe_flags+0x150/0x150
[ 58.480257]  ? compat_SyS_vmsplice+0x150/0x150
[ 58.484813]  ? _raw_spin_unlock_irq+0x24/0x50
[ 58.489307]  ? do_syscall_64+0x43/0x4b0
[ 58.493270]  ? compat_SyS_vmsplice+0x150/0x150
[ 58.497830]  do_syscall_64+0x19b/0x4b0
[ 58.501699]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 58.506862] RIP: 0033:0x446389
[ 58.510069] RSP: 002b:00007fa9c038ad98 EFLAGS: 00000212 ORIG_RAX: 0000000000000113
[ 58.517854] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 0000000000446389
[ 58.525105] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 58.532356] RBP: 00000000006dbc50 R08: 0000000000008ec0 R09: 0000000000000001
[ 58.539602] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc5c
[ 58.546846] R13: 6c65732d64616572 R14: 68742f636f72702f R15: 00000000006dbd4c
executing program
executing program