[....] Starting OpenBSD Secure Shell server: sshd
[ 11.453434] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 31.593251] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.011168] audit: type=1400 audit(1539269184.489:6): avc: denied { map } for pid=1775 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 32.044367] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.528715] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.684998] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.12' (ECDSA) to the list of known hosts.
[ 38.343045] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 38.430456] audit: type=1400 audit(1539269190.909:7): avc: denied { map } for pid=1787 comm="syz-executor465" path="/root/syz-executor465372359" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 38.444743]
[ 38.444746] ======================================================
[ 38.444748] WARNING: possible circular locking dependency detected
[ 38.444752] 4.14.75+ #18 Not tainted
[ 38.444754] ------------------------------------------------------
[ 38.444758] syz-executor465/1787 is trying to acquire lock:
[ 38.444760]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[ 38.444780]
[ 38.444780] but task is already holding lock:
[ 38.444781]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 38.444796]
[ 38.444796] which lock already depends on the new lock.
[ 38.444796]
[ 38.444807]
[ 38.444807] the existing dependency chain (in reverse order) is:
[ 38.444809]
[ 38.444809] -> #1 (&sig->cred_guard_mutex){+.+.}:
[ 38.444825]        __mutex_lock+0xf5/0x1480
[ 38.444834]        proc_pid_attr_write+0x16b/0x280
[ 38.444839]        __vfs_write+0xf4/0x5c0
[ 38.444844]        __kernel_write+0xf3/0x330
[ 38.444851]        write_pipe_buf+0x192/0x250
[ 38.444856]        __splice_from_pipe+0x324/0x740
[ 38.444861]        splice_from_pipe+0xcf/0x130
[ 38.444867]        default_file_splice_write+0x37/0x80
[ 38.444872]        SyS_splice+0xd06/0x12a0
[ 38.444878]        do_syscall_64+0x19b/0x4b0
[ 38.444883]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.444885]
[ 38.444885] -> #0 (&pipe->mutex/1){+.+.}:
[ 38.444899]        lock_acquire+0x10f/0x380
[ 38.444904]        __mutex_lock+0xf5/0x1480
[ 38.444909]        fifo_open+0x156/0x9d0
[ 38.444917]        do_dentry_open+0x426/0xda0
[ 38.444922]        vfs_open+0x11c/0x210
[ 38.444928]        path_openat+0x4eb/0x23a0
[ 38.444934]        do_filp_open+0x197/0x270
[ 38.444939]        do_open_execat+0x10d/0x5b0
[ 38.444945]        do_execveat_common.isra.14+0x6cb/0x1d60
[ 38.444950]        SyS_execve+0x34/0x40
[ 38.444954]        do_syscall_64+0x19b/0x4b0
[ 38.444960]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.444962]
[ 38.444962] other info that might help us debug this:
[ 38.444962]
[ 38.444964]  Possible unsafe locking scenario:
[ 38.444964]
[ 38.444965]        CPU0                    CPU1
[ 38.444967]        ----                    ----
[ 38.444967]   lock(&sig->cred_guard_mutex);
[ 38.444971]                                lock(&pipe->mutex/1);
[ 38.444976]                                lock(&sig->cred_guard_mutex);
[ 38.444980]   lock(&pipe->mutex/1);
[ 38.444985]
[ 38.444985]  *** DEADLOCK ***
[ 38.444985]
[ 38.444989] 1 lock held by syz-executor465/1787:
[ 38.444990]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[ 38.445002]
[ 38.445002] stack backtrace:
[ 38.445009] CPU: 0 PID: 1787 Comm: syz-executor465 Not tainted 4.14.75+ #18
[ 38.445011] Call Trace:
[ 38.445020]  dump_stack+0xb9/0x11b
[ 38.445029]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[ 38.445035]  ? save_trace+0xd6/0x250
[ 38.445042]  __lock_acquire+0x2ff9/0x4320
[ 38.445051]  ? check_preemption_disabled+0x34/0x160
[ 38.445061]  ? trace_hardirqs_on+0x10/0x10
[ 38.445068]  ? trace_hardirqs_on_caller+0x381/0x520
[ 38.445074]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 38.445083]  ? __lock_acquire+0x619/0x4320
[ 38.445089]  ? alloc_pipe_info+0x15b/0x370
[ 38.445093]  ? fifo_open+0x1ef/0x9d0
[ 38.445099]  ? do_dentry_open+0x426/0xda0
[ 38.445104]  ? vfs_open+0x11c/0x210
[ 38.445109]  ? path_openat+0x4eb/0x23a0
[ 38.445116]  lock_acquire+0x10f/0x380
[ 38.445121]  ? fifo_open+0x156/0x9d0
[ 38.445129]  ? fifo_open+0x156/0x9d0
[ 38.445134]  __mutex_lock+0xf5/0x1480
[ 38.445139]  ? fifo_open+0x156/0x9d0
[ 38.445145]  ? fifo_open+0x156/0x9d0
[ 38.445150]  ? dput.part.6+0x3b3/0x710
[ 38.445159]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[ 38.445180]  ? fs_reclaim_acquire+0x10/0x10
[ 38.445188]  ? fifo_open+0x284/0x9d0
[ 38.445194]  ? lock_downgrade+0x560/0x560
[ 38.445199]  ? lock_acquire+0x10f/0x380
[ 38.445204]  ? fifo_open+0x243/0x9d0
[ 38.445210]  ? debug_mutex_init+0x28/0x53
[ 38.445216]  ? fifo_open+0x156/0x9d0
[ 38.445221]  fifo_open+0x156/0x9d0
[ 38.445229]  do_dentry_open+0x426/0xda0
[ 38.445234]  ? pipe_release+0x240/0x240
[ 38.445243]  vfs_open+0x11c/0x210
[ 38.445250]  path_openat+0x4eb/0x23a0
[ 38.445259]  ? path_mountpoint+0x9a0/0x9a0
[ 38.445269]  ? kasan_kmalloc.part.1+0xa9/0xd0
[ 38.445276]  ? kasan_kmalloc.part.1+0x4f/0xd0
[ 38.445281]  ? __kmalloc_track_caller+0x104/0x300
[ 38.445291]  ? kmemdup+0x20/0x50
[ 38.445300]  ? security_prepare_creds+0x7c/0xb0
[ 38.445309]  ? prepare_creds+0x225/0x2a0
[ 38.445315]  ? prepare_exec_creds+0xc/0xe0
[ 38.445321]  ? prepare_bprm_creds+0x62/0x110
[ 38.445327]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[ 38.445332]  ? SyS_execve+0x34/0x40
[ 38.445337]  ? do_syscall_64+0x19b/0x4b0
[ 38.445346]  do_filp_open+0x197/0x270
[ 38.445352]  ? may_open_dev+0xd0/0xd0
[ 38.445361]  ? trace_hardirqs_on+0x10/0x10
[ 38.445367]  ? fs_reclaim_acquire+0x10/0x10
[ 38.445381]  ? rcu_read_lock_sched_held+0x102/0x120
[ 38.445388]  do_open_execat+0x10d/0x5b0
[ 38.445396]  ? setup_arg_pages+0x720/0x720
[ 38.445402]  ? do_execveat_common.isra.14+0x68d/0x1d60
[ 38.445408]  ? lock_downgrade+0x560/0x560
[ 38.445414]  ? lock_acquire+0x10f/0x380
[ 38.445421]  ? check_preemption_disabled+0x34/0x160
[ 38.445430]  do_execveat_common.isra.14+0x6cb/0x1d60
[ 38.445439]  ? prepare_bprm_creds+0x110/0x110
[ 38.445447]  ? getname_flags+0x222/0x540
[ 38.445453]  SyS_execve+0x34/0x40
[ 38.445459]  ? setup_new_exec+0x770/0x770
[ 38.445464]  do_syscall_64+0x19b/0x4b0
[ 38.445472]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 38.445477] RIP: 0033:0x440129
[ 38.445480] RSP: 002b:00007ffe1cda91d8 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[ 38.445487] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440129
[ 38.445491] RDX: 0000000020000480 RSI: 0000000020000300 RDI: 0000000020000340
[ 38.445494] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[ 38.445498] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019b0
[ 38.445501] R13: 0000000000401a40 R14: 0000000000000000 R15: 0000000000000000