[....] Starting enhanced syslogd: rsyslogd[ 15.096212] audit: type=1400 audit(1551987760.176:4): avc: denied { syslog } for pid=1928 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 [?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 32.930593] [ 32.932272] ====================================================== [ 32.938571] [ INFO: possible circular locking dependency detected ] [ 32.944947] 4.4.174+ #4 Not tainted [ 32.948544] ------------------------------------------------------- [ 32.954923] syz-executor565/2080 is trying to acquire lock: [ 32.960719] (&pipe->mutex/1){+.+.+.}, at: [] fifo_open+0x15d/0xa00 [ 32.969277] [ 32.969277] but task is already holding lock: [ 32.975218] (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 32.985032] [ 32.985032] which lock already depends on the new lock. [ 32.985032] [ 32.993319] [ 32.993319] the existing dependency chain (in reverse order) is: [ 33.000909] -> #1 (&sig->cred_guard_mutex){+.+.+.}: [ 33.006548] [] lock_acquire+0x15e/0x450 [ 33.012786] [] mutex_lock_interruptible_nested+0xd2/0xce0 [ 33.020604] [] proc_pid_attr_write+0x1a8/0x2a0 [ 33.027545] [] __vfs_write+0x116/0x3d0 [ 33.033701] [] __kernel_write+0x112/0x370 [ 33.040111] [] write_pipe_buf+0x15d/0x1f0 [ 33.046520] [] __splice_from_pipe+0x37e/0x7a0 [ 33.053280] [] splice_from_pipe+0x108/0x170 [ 33.059866] [] default_file_splice_write+0x3c/0x80 [ 33.067065] [] SyS_splice+0xd71/0x13a0 [ 33.073216] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 33.080409] -> #0 (&pipe->mutex/1){+.+.+.}: [ 33.085465] [] __lock_acquire+0x37d6/0x4f50 [ 33.092261] [] lock_acquire+0x15e/0x450 [ 33.098498] [] mutex_lock_nested+0xc1/0xb80 [ 33.105084] [] fifo_open+0x15d/0xa00 [ 33.111080] [] do_dentry_open+0x38f/0xbd0 [ 33.117509] [] vfs_open+0x10b/0x210 [ 33.123401] [] path_openat+0x136f/0x4470 [ 33.129727] [] do_filp_open+0x1a1/0x270 [ 33.135980] [] do_open_execat+0x10c/0x6e0 [ 33.142394] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 33.149845] [] SyS_execve+0x42/0x50 [ 33.155736] [] return_from_execve+0x0/0x23 [ 33.162235] [ 33.162235] other info that might help us debug this: [ 33.162235] [ 33.170349] Possible unsafe locking scenario: [ 33.170349] [ 33.176380] CPU0 CPU1 [ 33.181031] ---- ---- [ 33.185672] lock(&sig->cred_guard_mutex); [ 33.190216] lock(&pipe->mutex/1); [ 33.196693] lock(&sig->cred_guard_mutex); [ 33.203740] lock(&pipe->mutex/1); [ 33.207691] [ 33.207691] *** DEADLOCK *** [ 33.207691] [ 33.213726] 1 lock held by syz-executor565/2080: [ 33.218475] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] prepare_bprm_creds+0x55/0x120 [ 33.228870] [ 33.228870] stack backtrace: [ 33.233342] CPU: 0 PID: 2080 Comm: syz-executor565 Not tainted 4.4.174+ #4 [ 33.240336] 0000000000000000 fa1c9c23cab71bc7 ffff8801d3c07530 ffffffff81aad1a1 [ 33.248344] ffffffff84057a80 ffff8801d562df00 ffffffff83abd2b0 ffffffff83ab6860 [ 33.256341] ffffffff83abd2b0 ffff8801d3c07580 ffffffff813abcda ffff8801d3c07660 [ 33.264323] Call Trace: [ 33.266886] [] dump_stack+0xc1/0x120 [ 33.272225] [] print_circular_bug.cold+0x2f7/0x44e [ 33.278790] [] __lock_acquire+0x37d6/0x4f50 [ 33.284740] [] ? trace_hardirqs_on+0x10/0x10 [ 33.290773] [] ? do_filp_open+0x1a1/0x270 [ 33.296544] [] ? do_execveat_common.isra.0+0x6f6/0x1e90 [ 33.303531] [] ? SyS_execve+0x42/0x50 [ 33.308955] [] ? stub_execve+0x5/0x5 [ 33.314295] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.321019] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.327745] [] lock_acquire+0x15e/0x450 [ 33.333343] [] ? fifo_open+0x15d/0xa00 [ 33.338855] [] ? fifo_open+0x15d/0xa00 [ 33.344370] [] mutex_lock_nested+0xc1/0xb80 [ 33.350314] [] ? fifo_open+0x15d/0xa00 [ 33.355826] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.362553] [] ? mutex_trylock+0x500/0x500 [ 33.368407] [] ? fifo_open+0x24d/0xa00 [ 33.373915] [] ? fifo_open+0x28c/0xa00 [ 33.379424] [] fifo_open+0x15d/0xa00 [ 33.384763] [] do_dentry_open+0x38f/0xbd0 [ 33.390535] [] ? __inode_permission2+0x9e/0x250 [ 33.396830] [] ? pipe_release+0x250/0x250 [ 33.402621] [] vfs_open+0x10b/0x210 [ 33.407887] [] ? may_open.isra.0+0xe7/0x210 [ 33.413836] [] path_openat+0x136f/0x4470 [ 33.419527] [] ? depot_save_stack+0x1c3/0x5f0 [ 33.425650] [] ? may_open.isra.0+0x210/0x210 [ 33.431695] [] ? kmemdup+0x27/0x60 [ 33.436857] [] ? selinux_cred_prepare+0x43/0xa0 [ 33.443149] [] ? security_prepare_creds+0x83/0xc0 [ 33.449615] [] ? prepare_creds+0x228/0x2b0 [ 33.455471] [] ? prepare_exec_creds+0x12/0xf0 [ 33.461596] [] ? do_execveat_common.isra.0+0x2d6/0x1e90 [ 33.468586] [] ? stub_execve+0x5/0x5 [ 33.473937] [] ? kasan_kmalloc+0xb7/0xd0 [ 33.479620] [] ? kasan_slab_alloc+0xf/0x20 [ 33.485479] [] ? kmem_cache_alloc+0xdc/0x2c0 [ 33.491512] [] ? prepare_creds+0x28/0x2b0 [ 33.497286] [] ? prepare_exec_creds+0x12/0xf0 [ 33.503407] [] do_filp_open+0x1a1/0x270 [ 33.509008] [] ? save_stack_trace+0x26/0x50 [ 33.514969] [] ? user_path_mountpoint_at+0x50/0x50 [ 33.521521] [] ? SyS_execve+0x42/0x50 [ 33.526956] [] ? stub_execve+0x5/0x5 [ 33.532298] [] ? __lock_acquire+0xa4f/0x4f50 [ 33.538329] [] ? trace_hardirqs_on+0x10/0x10 [ 33.544364] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 33.551180] [] do_open_execat+0x10c/0x6e0 [ 33.556955] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 33.563686] [] ? setup_arg_pages+0x7b0/0x7b0 [ 33.569720] [] ? do_execveat_common.isra.0+0x6b8/0x1e90 [ 33.576712] [] do_execveat_common.isra.0+0x6f6/0x1e90 [ 33.583528] [] ? do_execveat_common.isra.0+0x422/0x1e90 [ 33.590531] [] ? __check_object_size+0x222/0x332 [ 33.596913] [] ? strncpy_from_user+0xd0/0x230 [ 33.603033] [] ? prepare_bprm_creds+0x120/0x120 [ 33.609355] [] ? getname_flags+0x232/0x550 [ 33.615227] [] SyS_execve+0x42/0x50 [ 33.620477] [] stub_execve+0x5/0x5 [ 33.625642] [] ? tracesys+0x88/0x8d