[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   38.518320] random: sshd: uninitialized urandom read (32 bytes read)
[   38.883207] audit: type=1400 audit(1538834399.317:6): avc:  denied  { map } for  pid=1773 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   38.940250] random: sshd: uninitialized urandom read (32 bytes read)
[   39.424626] random: sshd: uninitialized urandom read (32 bytes read)
[   39.596127] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts.
[   45.172380] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   45.261508] audit: type=1400 audit(1538834405.697:7): avc:  denied  { map } for  pid=1791 comm="syz-executor870" path="/root/syz-executor870054548" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   45.292772] 
[   45.294411] ======================================================
[   45.300698] WARNING: possible circular locking dependency detected
[   45.308375] 4.14.74+ #17 Not tainted
[   45.312057] ------------------------------------------------------
[   45.318358] syz-executor870/1791 is trying to acquire lock:
[   45.324034]  (&pipe->mutex/1){+.+.}, at: [<ffffffff89f75c16>] fifo_open+0x156/0x9d0
[   45.331810] 
[   45.331810] but task is already holding lock:
[   45.337749]  (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff89f7005e>] prepare_bprm_creds+0x4e/0x110
[   45.347023] 
[   45.347023] which lock already depends on the new lock.
[   45.347023] 
[   45.355388] 
[   45.355388] the existing dependency chain (in reverse order) is:
[   45.363085] 
[   45.363085] -> #1 (&sig->cred_guard_mutex){+.+.}:
[   45.369390]        __mutex_lock+0xf5/0x1480
[   45.373685]        proc_pid_attr_write+0x16b/0x280
[   45.378589]        __vfs_write+0xf4/0x5c0
[   45.382707]        __kernel_write+0xf3/0x330
[   45.387084]        write_pipe_buf+0x192/0x250
[   45.391575]        __splice_from_pipe+0x324/0x740
[   45.396388]        splice_from_pipe+0xcf/0x130
[   45.400940]        default_file_splice_write+0x37/0x80
[   45.406187]        SyS_splice+0xd06/0x12a0
[   45.410393]        do_syscall_64+0x19b/0x4b0
[   45.414772]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.420464] 
[   45.420464] -> #0 (&pipe->mutex/1){+.+.}:
[   45.426071]        lock_acquire+0x10f/0x380
[   45.430379]        __mutex_lock+0xf5/0x1480
[   45.434670]        fifo_open+0x156/0x9d0
[   45.438700]        do_dentry_open+0x426/0xda0
[   45.443163]        vfs_open+0x11c/0x210
[   45.447106]        path_openat+0x4eb/0x23a0
[   45.451397]        do_filp_open+0x197/0x270
[   45.455691]        do_open_execat+0x10d/0x5b0
[   45.460158]        do_execveat_common.isra.14+0x6cb/0x1d60
[   45.465749]        SyS_execve+0x34/0x40
[   45.469695]        do_syscall_64+0x19b/0x4b0
[   45.474094]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.479772] 
[   45.479772] other info that might help us debug this:
[   45.479772] 
[   45.487880]  Possible unsafe locking scenario:
[   45.487880] 
[   45.493905]        CPU0                    CPU1
[   45.498541]        ----                    ----
[   45.503178]   lock(&sig->cred_guard_mutex);
[   45.507477]                                lock(&pipe->mutex/1);
[   45.513591]                                lock(&sig->cred_guard_mutex);
[   45.520398]   lock(&pipe->mutex/1);
[   45.523993] 
[   45.523993]  *** DEADLOCK ***
[   45.523993] 
[   45.530025] 1 lock held by syz-executor870/1791:
[   45.534756]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [<ffffffff89f7005e>] prepare_bprm_creds+0x4e/0x110
[   45.544351] 
[   45.544351] stack backtrace:
[   45.548819] CPU: 1 PID: 1791 Comm: syz-executor870 Not tainted 4.14.74+ #17
[   45.555885] Call Trace:
[   45.558450]  dump_stack+0xb9/0x11b
[   45.561963]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[   45.567645]  ? save_trace+0xd6/0x250
[   45.571331]  __lock_acquire+0x2ff9/0x4320
[   45.575452]  ? check_preemption_disabled+0x34/0x160
[   45.580444]  ? trace_hardirqs_on+0x10/0x10
[   45.584652]  ? trace_hardirqs_on_caller+0x381/0x520
[   45.589638]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[   45.594716]  ? __lock_acquire+0x619/0x4320
[   45.598920]  ? alloc_pipe_info+0x15b/0x370
[   45.603122]  ? fifo_open+0x1ef/0x9d0
[   45.606806]  ? do_dentry_open+0x426/0xda0
[   45.610930]  ? vfs_open+0x11c/0x210
[   45.614543]  ? path_openat+0x4eb/0x23a0
[   45.618490]  lock_acquire+0x10f/0x380
[   45.622259]  ? fifo_open+0x156/0x9d0
[   45.625944]  ? fifo_open+0x156/0x9d0
[   45.629628]  __mutex_lock+0xf5/0x1480
[   45.633403]  ? fifo_open+0x156/0x9d0
[   45.637104]  ? fifo_open+0x156/0x9d0
[   45.640787]  ? dput.part.6+0x3b3/0x710
[   45.644646]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[   45.650089]  ? fs_reclaim_acquire+0x10/0x10
[   45.654391]  ? fifo_open+0x284/0x9d0
[   45.658074]  ? lock_downgrade+0x560/0x560
[   45.662190]  ? lock_acquire+0x10f/0x380
[   45.666131]  ? fifo_open+0x243/0x9d0
[   45.669872]  ? debug_mutex_init+0x28/0x53
[   45.674004]  ? fifo_open+0x156/0x9d0
[   45.677723]  fifo_open+0x156/0x9d0
[   45.681239]  do_dentry_open+0x426/0xda0
[   45.685201]  ? pipe_release+0x240/0x240
[   45.689186]  vfs_open+0x11c/0x210
[   45.692615]  path_openat+0x4eb/0x23a0
[   45.696387]  ? path_mountpoint+0x9a0/0x9a0
[   45.700616]  ? kasan_kmalloc.part.1+0xa9/0xd0
[   45.705215]  ? kasan_kmalloc.part.1+0x4f/0xd0
[   45.709688]  ? __kmalloc_track_caller+0x104/0x300
[   45.714510]  ? kmemdup+0x20/0x50
[   45.717868]  ? security_prepare_creds+0x7c/0xb0
[   45.722509]  ? prepare_creds+0x225/0x2a0
[   45.726547]  ? prepare_exec_creds+0xc/0xe0
[   45.730761]  ? prepare_bprm_creds+0x62/0x110
[   45.735142]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[   45.740389]  ? SyS_execve+0x34/0x40
[   45.743985]  ? do_syscall_64+0x19b/0x4b0
[   45.748034]  do_filp_open+0x197/0x270
[   45.751818]  ? may_open_dev+0xd0/0xd0
[   45.755600]  ? trace_hardirqs_on+0x10/0x10
[   45.759809]  ? fs_reclaim_acquire+0x10/0x10
[   45.764104]  ? rcu_read_lock_sched_held+0x102/0x120
[   45.769183]  do_open_execat+0x10d/0x5b0
[   45.773142]  ? setup_arg_pages+0x720/0x720
[   45.777349]  ? do_execveat_common.isra.14+0x68d/0x1d60
[   45.782602]  ? lock_downgrade+0x560/0x560
[   45.786766]  ? lock_acquire+0x10f/0x380
[   45.790728]  ? check_preemption_disabled+0x34/0x160
[   45.795718]  do_execveat_common.isra.14+0x6cb/0x1d60
[   45.800798]  ? prepare_bprm_creds+0x110/0x110
[   45.805264]  ? getname_flags+0x222/0x540
[   45.809294]  SyS_execve+0x34/0x40
[   45.812725]  ? setup_new_exec+0x770/0x770
[   45.816845]  do_syscall_64+0x19b/0x4b0
[   45.820714]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.826140] RIP: 0033:0x440119
[   45.829310] RSP: 002b:00007ffd78c8d608 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[   45.836992] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440119
[   45.844233] RDX: 0000000020000640 RSI: 0000000020000380 RDI: 00000000200001c0
[   45.851478] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   45.858724] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019a0
[   45.865969] R13: 0000000000401a30 R14: 0000000000000000 R15: 0000000000000000