[....] Starting OpenBSD Secure Shell server: sshd
[ 18.568282] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ]
Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 22.577250] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.905073] sshd (4463) used greatest stack depth: 17000 bytes left
[ 22.926710] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.612515] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.918571] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.17' (ECDSA) to the list of known hosts.
[ 34.400463] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 34.494254]
[ 34.495907] ======================================================
[ 34.502196] WARNING: possible circular locking dependency detected
[ 34.508577] 4.17.0-rc2+ #23 Not tainted
[ 34.512525] ------------------------------------------------------
[ 34.518815] syz-executor990/4481 is trying to acquire lock:
[ 34.524516] (ptrval) (sk_lock-AF_INET){+.+.}, at: tcp_mmap+0x1c7/0x14f0
[ 34.531961]
[ 34.531961] but task is already holding lock:
[ 34.537907] (ptrval) (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0
[ 34.545520]
[ 34.545520] which lock already depends on the new lock.
[ 34.545520]
[ 34.553809]
[ 34.553809] the existing dependency chain (in reverse order) is:
[ 34.561402]
[ 34.561402] -> #1 (&mm->mmap_sem){++++}:
[ 34.566937]        __might_fault+0x155/0x1e0
[ 34.571339]        _copy_from_iter_full+0x2fd/0xd10
[ 34.576339]        tcp_sendmsg_locked+0x2f98/0x3e10
[ 34.581342]        tcp_sendmsg+0x2f/0x50
[ 34.585384]        inet_sendmsg+0x19f/0x690
[ 34.589685]        sock_sendmsg+0xd5/0x120
[ 34.593898]        sock_write_iter+0x35a/0x5a0
[ 34.598457]        __vfs_write+0x64d/0x960
[ 34.602677]        vfs_write+0x1f8/0x560
[ 34.606712]        ksys_write+0xf9/0x250
[ 34.610749]        __x64_sys_write+0x73/0xb0
[ 34.615143]        do_syscall_64+0x1b1/0x800
[ 34.619534]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.625218]
[ 34.625218] -> #0 (sk_lock-AF_INET){+.+.}:
[ 34.630917]        lock_acquire+0x1dc/0x520
[ 34.635220]        lock_sock_nested+0xd0/0x120
[ 34.639782]        tcp_mmap+0x1c7/0x14f0
[ 34.643824]        sock_mmap+0x8e/0xc0
[ 34.647696]        mmap_region+0xd13/0x1820
[ 34.651992]        do_mmap+0xc79/0x11d0
[ 34.655947]        vm_mmap_pgoff+0x1fb/0x2a0
[ 34.660343]        ksys_mmap_pgoff+0x4c9/0x640
[ 34.664904]        __x64_sys_mmap+0xe9/0x1b0
[ 34.669380]        do_syscall_64+0x1b1/0x800
[ 34.673770]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.679460]
[ 34.679460] other info that might help us debug this:
[ 34.679460]
[ 34.687846]  Possible unsafe locking scenario:
[ 34.687846]
[ 34.693892]        CPU0                    CPU1
[ 34.698532]        ----                    ----
[ 34.703170]   lock(&mm->mmap_sem);
[ 34.706868]                                lock(sk_lock-AF_INET);
[ 34.713080]                                lock(&mm->mmap_sem);
[ 34.719113]   lock(sk_lock-AF_INET);
[ 34.722806]
[ 34.722806]  *** DEADLOCK ***
[ 34.722806]
[ 34.728849] 1 lock held by syz-executor990/4481:
[ 34.733585]  #0: (ptrval) (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0
[ 34.741635]
[ 34.741635] stack backtrace:
[ 34.746111] CPU: 0 PID: 4481 Comm: syz-executor990 Not tainted 4.17.0-rc2+ #23
[ 34.753447] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.762784] Call Trace:
[ 34.765356]  dump_stack+0x1b9/0x294
[ 34.768963]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.774132]  ? print_lock+0xd1/0xd6
[ 34.777736]  ? vprintk_func+0x81/0xe7
[ 34.781515]  print_circular_bug.isra.36.cold.54+0x1bd/0x27d
[ 34.787203]  ? save_trace+0xe0/0x290
[ 34.790892]  __lock_acquire+0x343e/0x5140
[ 34.795027]  ? debug_check_no_locks_freed+0x310/0x310
[ 34.800201]  ? find_held_lock+0x36/0x1c0
[ 34.804254]  ? kasan_check_read+0x11/0x20
[ 34.808387]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 34.813560]  ? graph_lock+0x170/0x170
[ 34.817339]  ? kernel_text_address+0x79/0xf0
[ 34.821731]  ? __unwind_start+0x166/0x330
[ 34.825864]  ? __save_stack_trace+0x7e/0xd0
[ 34.830168]  lock_acquire+0x1dc/0x520
[ 34.833949]  ? tcp_mmap+0x1c7/0x14f0
[ 34.837640]  ? lock_release+0xa10/0xa10
[ 34.841594]  ? kasan_check_read+0x11/0x20
[ 34.845720]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 34.850106]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 34.854668]  ? kasan_check_write+0x14/0x20
[ 34.858883]  ? do_raw_spin_lock+0xc1/0x200
[ 34.863096]  lock_sock_nested+0xd0/0x120
[ 34.867136]  ? tcp_mmap+0x1c7/0x14f0
[ 34.870826]  tcp_mmap+0x1c7/0x14f0
[ 34.874343]  ? __lock_is_held+0xb5/0x140
[ 34.878391]  ? tcp_splice_read+0xfc0/0xfc0
[ 34.882610]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.887605]  ? kmem_cache_alloc+0x5fa/0x760
[ 34.891912]  sock_mmap+0x8e/0xc0
[ 34.895258]  mmap_region+0xd13/0x1820
[ 34.899044]  ? __x64_sys_brk+0x790/0x790
[ 34.903090]  ? arch_get_unmapped_area+0x750/0x750
[ 34.907912]  ? lock_acquire+0x1dc/0x520
[ 34.911864]  ? vm_mmap_pgoff+0x1a1/0x2a0
[ 34.915905]  ? cap_mmap_addr+0x52/0x130
[ 34.919862]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.925386]  ? security_mmap_addr+0x80/0xa0
[ 34.929694]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.935208]  ? get_unmapped_area+0x292/0x3b0
[ 34.939597]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 34.945109]  do_mmap+0xc79/0x11d0
[ 34.948542]  ? mmap_region+0x1820/0x1820
[ 34.952666]  ? vm_mmap_pgoff+0x1a1/0x2a0
[ 34.956707]  ? down_read_killable+0x1f0/0x1f0
[ 34.961183]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.966701]  ? security_mmap_file+0x166/0x1b0
[ 34.971327]  vm_mmap_pgoff+0x1fb/0x2a0
[ 34.975211]  ? vma_is_stack_for_current+0xd0/0xd0
[ 34.980056]  ? sock_release+0x1b0/0x1b0
[ 34.984036]  ? get_unused_fd_flags+0x121/0x190
[ 34.988611]  ? __alloc_fd+0x700/0x700
[ 34.992405]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 34.997405]  ksys_mmap_pgoff+0x4c9/0x640
[ 35.001446]  ? find_mergeable_anon_vma+0xd0/0xd0
[ 35.006191]  ? move_addr_to_kernel+0x70/0x70
[ 35.010582]  __x64_sys_mmap+0xe9/0x1b0
[ 35.014449]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 35.019449]  do_syscall_64+0x1b1/0x800
[ 35.023316]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 35.028227]  ? syscall_return_slowpath+0x30f/0x5c0
[ 35.033140]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 35.038483]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.043305]  entry_SYSCALL_64_after_