[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   38.518320] random: sshd: uninitialized urandom read (32 bytes read)
[   38.883207] audit: type=1400 audit(1538834399.317:6): avc: denied { map } for pid=1773 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   38.940250] random: sshd: uninitialized urandom read (32 bytes read)
[   39.424626] random: sshd: uninitialized urandom read (32 bytes read)
[   39.596127] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.49' (ECDSA) to the list of known hosts.
[   45.172380] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   45.261508] audit: type=1400 audit(1538834405.697:7): avc: denied { map } for pid=1791 comm="syz-executor870" path="/root/syz-executor870054548" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   45.292772]
[   45.294411] ======================================================
[   45.300698] WARNING: possible circular locking dependency detected
[   45.308375] 4.14.74+ #17 Not tainted
[   45.312057] ------------------------------------------------------
[   45.318358] syz-executor870/1791 is trying to acquire lock:
[   45.324034]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[   45.331810]
[   45.331810] but task is already holding lock:
[   45.337749]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[   45.347023]
[   45.347023] which lock already depends on the new lock.
[   45.347023]
[   45.355388]
[   45.355388] the existing dependency chain (in reverse order) is:
[   45.363085]
[   45.363085] -> #1 (&sig->cred_guard_mutex){+.+.}:
[   45.369390]        __mutex_lock+0xf5/0x1480
[   45.373685]        proc_pid_attr_write+0x16b/0x280
[   45.378589]        __vfs_write+0xf4/0x5c0
[   45.382707]        __kernel_write+0xf3/0x330
[   45.387084]        write_pipe_buf+0x192/0x250
[   45.391575]        __splice_from_pipe+0x324/0x740
[   45.396388]        splice_from_pipe+0xcf/0x130
[   45.400940]        default_file_splice_write+0x37/0x80
[   45.406187]        SyS_splice+0xd06/0x12a0
[   45.410393]        do_syscall_64+0x19b/0x4b0
[   45.414772]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.420464]
[   45.420464] -> #0 (&pipe->mutex/1){+.+.}:
[   45.426071]        lock_acquire+0x10f/0x380
[   45.430379]        __mutex_lock+0xf5/0x1480
[   45.434670]        fifo_open+0x156/0x9d0
[   45.438700]        do_dentry_open+0x426/0xda0
[   45.443163]        vfs_open+0x11c/0x210
[   45.447106]        path_openat+0x4eb/0x23a0
[   45.451397]        do_filp_open+0x197/0x270
[   45.455691]        do_open_execat+0x10d/0x5b0
[   45.460158]        do_execveat_common.isra.14+0x6cb/0x1d60
[   45.465749]        SyS_execve+0x34/0x40
[   45.469695]        do_syscall_64+0x19b/0x4b0
[   45.474094]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.479772]
[   45.479772] other info that might help us debug this:
[   45.479772]
[   45.487880]  Possible unsafe locking scenario:
[   45.487880]
[   45.493905]        CPU0                    CPU1
[   45.498541]        ----                    ----
[   45.503178]   lock(&sig->cred_guard_mutex);
[   45.507477]                                lock(&pipe->mutex/1);
[   45.513591]                                lock(&sig->cred_guard_mutex);
[   45.520398]   lock(&pipe->mutex/1);
[   45.523993]
[   45.523993]  *** DEADLOCK ***
[   45.523993]
[   45.530025] 1 lock held by syz-executor870/1791:
[   45.534756]  #0:  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[   45.544351]
[   45.544351] stack backtrace:
[   45.548819] CPU: 1 PID: 1791 Comm: syz-executor870 Not tainted 4.14.74+ #17
[   45.555885] Call Trace:
[   45.558450]  dump_stack+0xb9/0x11b
[   45.561963]  print_circular_bug.isra.18.cold.43+0x2d3/0x40c
[   45.567645]  ? save_trace+0xd6/0x250
[   45.571331]  __lock_acquire+0x2ff9/0x4320
[   45.575452]  ? check_preemption_disabled+0x34/0x160
[   45.580444]  ? trace_hardirqs_on+0x10/0x10
[   45.584652]  ? trace_hardirqs_on_caller+0x381/0x520
[   45.589638]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[   45.594716]  ? __lock_acquire+0x619/0x4320
[   45.598920]  ? alloc_pipe_info+0x15b/0x370
[   45.603122]  ? fifo_open+0x1ef/0x9d0
[   45.606806]  ? do_dentry_open+0x426/0xda0
[   45.610930]  ? vfs_open+0x11c/0x210
[   45.614543]  ? path_openat+0x4eb/0x23a0
[   45.618490]  lock_acquire+0x10f/0x380
[   45.622259]  ? fifo_open+0x156/0x9d0
[   45.625944]  ? fifo_open+0x156/0x9d0
[   45.629628]  __mutex_lock+0xf5/0x1480
[   45.633403]  ? fifo_open+0x156/0x9d0
[   45.637104]  ? fifo_open+0x156/0x9d0
[   45.640787]  ? dput.part.6+0x3b3/0x710
[   45.644646]  ? __ww_mutex_wakeup_for_backoff+0x240/0x240
[   45.650089]  ? fs_reclaim_acquire+0x10/0x10
[   45.654391]  ? fifo_open+0x284/0x9d0
[   45.658074]  ? lock_downgrade+0x560/0x560
[   45.662190]  ? lock_acquire+0x10f/0x380
[   45.666131]  ? fifo_open+0x243/0x9d0
[   45.669872]  ? debug_mutex_init+0x28/0x53
[   45.674004]  ? fifo_open+0x156/0x9d0
[   45.677723]  fifo_open+0x156/0x9d0
[   45.681239]  do_dentry_open+0x426/0xda0
[   45.685201]  ? pipe_release+0x240/0x240
[   45.689186]  vfs_open+0x11c/0x210
[   45.692615]  path_openat+0x4eb/0x23a0
[   45.696387]  ? path_mountpoint+0x9a0/0x9a0
[   45.700616]  ? kasan_kmalloc.part.1+0xa9/0xd0
[   45.705215]  ? kasan_kmalloc.part.1+0x4f/0xd0
[   45.709688]  ? __kmalloc_track_caller+0x104/0x300
[   45.714510]  ? kmemdup+0x20/0x50
[   45.717868]  ? security_prepare_creds+0x7c/0xb0
[   45.722509]  ? prepare_creds+0x225/0x2a0
[   45.726547]  ? prepare_exec_creds+0xc/0xe0
[   45.730761]  ? prepare_bprm_creds+0x62/0x110
[   45.735142]  ? do_execveat_common.isra.14+0x2cd/0x1d60
[   45.740389]  ? SyS_execve+0x34/0x40
[   45.743985]  ? do_syscall_64+0x19b/0x4b0
[   45.748034]  do_filp_open+0x197/0x270
[   45.751818]  ? may_open_dev+0xd0/0xd0
[   45.755600]  ? trace_hardirqs_on+0x10/0x10
[   45.759809]  ? fs_reclaim_acquire+0x10/0x10
[   45.764104]  ? rcu_read_lock_sched_held+0x102/0x120
[   45.769183]  do_open_execat+0x10d/0x5b0
[   45.773142]  ? setup_arg_pages+0x720/0x720
[   45.777349]  ? do_execveat_common.isra.14+0x68d/0x1d60
[   45.782602]  ? lock_downgrade+0x560/0x560
[   45.786766]  ? lock_acquire+0x10f/0x380
[   45.790728]  ? check_preemption_disabled+0x34/0x160
[   45.795718]  do_execveat_common.isra.14+0x6cb/0x1d60
[   45.800798]  ? prepare_bprm_creds+0x110/0x110
[   45.805264]  ? getname_flags+0x222/0x540
[   45.809294]  SyS_execve+0x34/0x40
[   45.812725]  ? setup_new_exec+0x770/0x770
[   45.816845]  do_syscall_64+0x19b/0x4b0
[   45.820714]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   45.826140] RIP: 0033:0x440119
[   45.829310] RSP: 002b:00007ffd78c8d608 EFLAGS: 00000217 ORIG_RAX: 000000000000003b
[   45.836992] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440119
[   45.844233] RDX: 0000000020000640 RSI: 0000000020000380 RDI: 00000000200001c0
[   45.851478] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   45.858724] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004019a0
[   45.865969] R13: 0000000000401a30 R14: 0000000000000000 R15: 0000000000000000
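What the report above records is a lock-order inversion between two unprivileged syscall paths. Chain entry #1 is splice(2) writing pipe data into a /proc/<pid>/attr file: it holds the pipe mutex and then takes cred_guard_mutex inside proc_pid_attr_write. Entry #0 is execve(2) whose target path is a FIFO: prepare_bprm_creds takes cred_guard_mutex, and do_open_execat then reaches fifo_open, which takes the pipe mutex. lockdep's "Possible unsafe locking scenario" is the two orders run concurrently, and the consequence is a deadlock (a local denial of service), not memory corruption. The Python below is an added triage helper, not code from syzkaller or the kernel: it parses a lockdep report in this format, extracts the two locks, the function at which each is taken and the syscall that reaches it, and reconstructs the held-then-acquired cycle from the "in reverse order" chain. The embedded input is an excerpt of this page's report with the traces shortened; the dmesg timestamp handling and the "[]" address placeholder are assumptions about the format.

```python
"""Parse a lockdep 'possible circular locking dependency' report (4.x format,
as on this page) and recover the lock-order cycle it states.  Added triage
helper, not part of syzkaller or the kernel; it assumes an optional dmesg
'[ secs.usecs]' timestamp per line and '[]' where addresses were stripped."""
import re
from dataclasses import dataclass, field

# Excerpt of the report above; traces shortened to the frames that matter.
REPORT = """\
[   45.318358] syz-executor870/1791 is trying to acquire lock:
[   45.324034]  (&pipe->mutex/1){+.+.}, at: [] fifo_open+0x156/0x9d0
[   45.331810] but task is already holding lock:
[   45.337749]  (&sig->cred_guard_mutex){+.+.}, at: [] prepare_bprm_creds+0x4e/0x110
[   45.355388] the existing dependency chain (in reverse order) is:
[   45.363085] -> #1 (&sig->cred_guard_mutex){+.+.}:
[   45.369390]        __mutex_lock+0xf5/0x1480
[   45.373685]        proc_pid_attr_write+0x16b/0x280
[   45.387084]        write_pipe_buf+0x192/0x250
[   45.406187]        SyS_splice+0xd06/0x12a0
[   45.420464]
[   45.420464] -> #0 (&pipe->mutex/1){+.+.}:
[   45.426071]        lock_acquire+0x10f/0x380
[   45.430379]        __mutex_lock+0xf5/0x1480
[   45.434670]        fifo_open+0x156/0x9d0
[   45.455691]        do_open_execat+0x10d/0x5b0
[   45.465749]        SyS_execve+0x34/0x40
[   45.479772] other info that might help us debug this:
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
LOCK_AT = re.compile(r"\((?P<lock>.+)\)\{[^}]*\},\s*at:\s*(?:\[[^\]]*\]\s*)?(?P<func>[^+\s]+)")
CHAIN_HDR = re.compile(r"^-> #(?P<idx>\d+) \((?P<lock>.+)\)\{[^}]*\}:$")
LOCK_INTERNALS = ("lock_acquire", "__lock_acquire", "__mutex_lock", "mutex_lock")
SYSCALL_PREFIXES = ("SyS_", "sys_", "__x64_sys_", "__do_sys_", "__se_sys_")


@dataclass
class ChainEntry:
    index: int
    lock: str
    frames: list = field(default_factory=list)   # function names, innermost first

    def site(self):   # first frame outside the locking primitives: where the lock is taken
        return next((f for f in self.frames if not f.startswith(LOCK_INTERNALS)), None)

    def syscall(self):   # syscall entry point reached by this trace, if any
        return next((f for f in self.frames if f.startswith(SYSCALL_PREFIXES)), None)


@dataclass
class LockdepReport:
    acquiring: tuple   # (lock, function) the task is trying to take
    holding: tuple     # (lock, function) the task already holds
    chain: list        # ChainEntry objects sorted by index, #0 first


def _func_name(frame):   # '? fifo_open+0x156/0x9d0' -> 'fifo_open'
    frame = frame[2:] if frame.startswith("? ") else frame
    return frame.split("+", 1)[0]


def parse_lockdep_report(text):
    acquiring = holding = None
    chain, current, expect = [], None, None
    for raw in text.splitlines():
        s = TIMESTAMP.sub("", raw).strip()
        hdr = CHAIN_HDR.match(s)
        if hdr:
            current = ChainEntry(int(hdr["idx"]), hdr["lock"])
            chain.append(current)
            continue
        if current is not None:
            if s and not s.startswith("other info"):
                current.frames.append(_func_name(s))
                continue
            current = None            # blank line or trailer ends this trace
        if s.endswith("is trying to acquire lock:"):
            expect = "acquiring"
        elif s == "but task is already holding lock:":
            expect = "holding"
        elif expect and (m := LOCK_AT.search(s)):
            if expect == "acquiring":
                acquiring = (m["lock"], m["func"])
            else:
                holding = (m["lock"], m["func"])
            expect = None
    if acquiring is None or holding is None or not chain:
        raise ValueError("not a complete circular-dependency report")
    chain.sort(key=lambda e: e.index)
    return LockdepReport(acquiring, holding, chain)


def lock_order_cycle(report):
    """(held, then-acquired) pairs closing the cycle.  lockdep lists the chain in
    reverse order: #0 is the lock taken now while the held lock (last entry) is
    held, and each later entry #k was recorded with #(k-1)'s lock held."""
    chain = report.chain
    if chain[0].lock != report.acquiring[0] or chain[-1].lock != report.holding[0]:
        raise ValueError("chain endpoints do not match the report header")
    edges = [(chain[-1].lock, chain[0].lock)]
    edges += [(prev.lock, cur.lock) for prev, cur in zip(chain, chain[1:])]
    return edges


if __name__ == "__main__":
    rep = parse_lockdep_report(REPORT)
    for e in rep.chain:
        print(f"#{e.index} {e.lock} taken in {e.site()} via {e.syscall()}")
    print(lock_order_cycle(rep))
```

For this report the cycle comes out as cred_guard_mutex held then pipe->mutex/1 taken (the execve side) and pipe->mutex/1 held then cred_guard_mutex taken (the splice side); the site and syscall per entry are what you need when checking whether a later kernel still has the same two orderings, since the fix for a report like this is to change one of them rather than either lock.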