[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   51.243611] random: sshd: uninitialized urandom read (32 bytes read)
[   51.677282] audit: type=1400 audit(1541159776.085:6): avc:  denied  { map } for  pid=1786 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   51.720365] random: sshd: uninitialized urandom read (32 bytes read)
[   52.176616] random: sshd: uninitialized urandom read (32 bytes read)
[   52.335072] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.110' (ECDSA) to the list of known hosts.
[   57.809381] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   57.903213] audit: type=1400 audit(1541159782.315:7): avc:  denied  { map } for  pid=1799 comm="syz-executor618" path="/root/syz-executor618887805" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   58.001344] 
[   58.003044] ======================================================
[   58.009417] WARNING: possible circular locking dependency detected
[   58.015724] 4.14.78+ #26 Not tainted
[   58.019419] ------------------------------------------------------
[   58.025724] syz-executor618/1803 is trying to acquire lock:
[   58.031562]  (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff890a106b>] proc_pid_attr_write+0x16b/0x280
[   58.040919] 
[   58.040919] but task is already holding lock:
[   58.046877]  (&pipe->mutex/1){+.+.}, at: [<ffffffff88f73b85>] pipe_wait+0x185/0x1b0
[   58.054716] 
[   58.054716] which lock already depends on the new lock.
[   58.054716] 
[   58.063068] 
[   58.063068] the existing dependency chain (in reverse order) is:
[   58.070750] 
[   58.070750] -> #1 (&pipe->mutex/1){+.+.}:
[   58.076435]        __mutex_lock+0xf5/0x1480
[   58.080751]        fifo_open+0x156/0x9d0
[   58.084931]        do_dentry_open+0x426/0xda0
[   58.089424]        vfs_open+0x11c/0x210
[   58.093392]        path_openat+0x4eb/0x23a0
[   58.097701]        do_filp_open+0x197/0x270
[   58.102029]        do_open_execat+0x10d/0x5b0
[   58.106523]        do_execveat_common.isra.14+0x6cb/0x1d60
[   58.112138]        SyS_execve+0x34/0x40
[   58.116098]        do_syscall_64+0x19b/0x4b0
[   58.120509]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   58.126198] 
[   58.126198] -> #0 (&sig->cred_guard_mutex){+.+.}:
[   58.132537]        lock_acquire+0x10f/0x380
[   58.136845]        __mutex_lock+0xf5/0x1480
[   58.141158]        proc_pid_attr_write+0x16b/0x280
[   58.146072]        __vfs_write+0xf4/0x5c0
[   58.150274]        __kernel_write+0xf3/0x330
[   58.154681]        write_pipe_buf+0x192/0x250
[   58.159156]        __splice_from_pipe+0x324/0x740
[   58.164038]        splice_from_pipe+0xcf/0x130
[   58.168606]        default_file_splice_write+0x37/0x80
[   58.173864]        SyS_splice+0xd06/0x12a0
[   58.178079]        do_syscall_64+0x19b/0x4b0
[   58.182582]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   58.188332] 
[   58.188332] other info that might help us debug this:
[   58.188332] 
[   58.196460]  Possible unsafe locking scenario:
[   58.196460] 
[   58.202501]        CPU0                    CPU1
[   58.207148]        ----                    ----
[   58.211800]   lock(&pipe->mutex/1);
[   58.215405]                                lock(&sig->cred_guard_mutex);
[   58.222222]                                lock(&pipe->mutex/1);
[   58.228457]   lock(&sig->cred_guard_mutex);
[   58.232763] 
[   58.232763]  *** DEADLOCK ***
[   58.232763] 
[   58.238849] 2 locks held by syz-executor618/1803:
[   58.243797]  #0:  (sb_writers#7){.+.+}, at: [<ffffffff88ffe5cc>] SyS_splice+0xeac/0x12a0
[   58.252027]  #1:  (&pipe->mutex/1){+.+.}, at: [<ffffffff88f73b85>] pipe_wait+0x185/0x1b0
[   58.260291] 
[   58.260291] stack backtrace:
[   58.264772] CPU: 0 PID: 1803 Comm: syz-executor618 Not tainted 4.14.78+ #26
[   58.271845] Call Trace:
[   58.274427]  dump_stack+0xb9/0x11b
[   58.277964]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[   58.283661]  ? save_trace+0xd6/0x250
[   58.287356]  __lock_acquire+0x2ff9/0x4320
[   58.291487]  ? __free_insn_slot+0x490/0x490
[   58.295829]  ? check_preemption_disabled+0x34/0x160
[   58.301059]  ? trace_hardirqs_on+0x10/0x10
[   58.305482]  ? trace_hardirqs_on_caller+0x381/0x520
[   58.310676]  ? depot_save_stack+0x20a/0x428
[   58.315001]  ? kasan_kmalloc.part.1+0xa9/0xd0
[   58.319485]  ? kasan_kmalloc.part.1+0x4f/0xd0
[   58.323960]  ? __kmalloc_track_caller+0x104/0x300
[   58.328785]  ? memdup_user+0x28/0x90
[   58.332577]  ? proc_pid_attr_write+0xfc/0x280
[   58.337157]  ? __vfs_write+0xf4/0x5c0
[   58.341093]  lock_acquire+0x10f/0x380
[   58.344878]  ? proc_pid_attr_write+0x16b/0x280
[   58.349439]  ? proc_pid_attr_write+0x16b/0x280
[   58.354007]  __mutex_lock+0xf5/0x1480
[   58.357850]  ? proc_pid_attr_write+0x16b/0x280
[   58.362420]  ? proc_pid_attr_write+0x16b/0x280
[   58.366980]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[   58.372410]  ? fs_reclaim_acquire+0x10/0x10
[   58.376707]  ? check_stack_object+0x80/0xa0
[   58.381006]  ? __might_fault+0xf/0x1b0
[   58.384876]  ? _copy_from_user+0x94/0x100
[   58.389010]  ? proc_pid_attr_write+0x16b/0x280
[   58.393577]  proc_pid_attr_write+0x16b/0x280
[   58.398004]  __vfs_write+0xf4/0x5c0
[   58.401631]  ? proc_pid_wchan+0x120/0x120
[   58.405838]  ? kernel_read+0x110/0x110
[   58.409717]  ? __schedule+0x731/0x1ed0
[   58.413584]  ? __sched_text_start+0x8/0x8
[   58.417711]  ? wait_for_completion_io+0x10/0x10
[   58.422358]  __kernel_write+0xf3/0x330
[   58.426224]  write_pipe_buf+0x192/0x250
[   58.430173]  ? default_file_splice_read+0x860/0x860
[   58.435169]  ? splice_from_pipe_next.part.2+0x21d/0x2e0
[   58.440516]  __splice_from_pipe+0x324/0x740
[   58.444818]  ? default_file_splice_read+0x860/0x860
[   58.449808]  splice_from_pipe+0xcf/0x130
[   58.453853]  ? default_file_splice_read+0x860/0x860
[   58.458845]  ? splice_shrink_spd+0xb0/0xb0
[   58.463058]  default_file_splice_write+0x37/0x80
[   58.467792]  ? generic_splice_sendpage+0x40/0x40
[   58.472525]  SyS_splice+0xd06/0x12a0
[   58.476219]  ? do_pipe_flags+0x150/0x150
[   58.480257]  ? compat_SyS_vmsplice+0x150/0x150
[   58.484813]  ? _raw_spin_unlock_irq+0x24/0x50
[   58.489307]  ? do_syscall_64+0x43/0x4b0
[   58.493270]  ? compat_SyS_vmsplice+0x150/0x150
[   58.497830]  do_syscall_64+0x19b/0x4b0
[   58.501699]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   58.506862] RIP: 0033:0x446389
[   58.510069] RSP: 002b:00007fa9c038ad98 EFLAGS: 00000212 ORIG_RAX: 0000000000000113
[   58.517854] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 0000000000446389
[   58.525105] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[   58.532356] RBP: 00000000006dbc50 R08: 0000000000008ec0 R09: 0000000000000001
[   58.539602] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006dbc5c
[   58.546846] R13: 6c65732d64616572 R14: 68742f636f72702f R15: 00000000006dbd4c
executing program
executing program