[....] Starting OpenBSD Secure Shell server: sshd[ 19.184858] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 21.909220] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.101526] sshd (4519) used greatest stack depth: 16648 bytes left
[ 22.121977] random: sshd: uninitialized urandom read (32 bytes read)
[ 22.826677] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.337668] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
[ 36.826443] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.913441]
[ 36.915093] ======================================================
[ 36.921391] WARNING: possible circular locking dependency detected
[ 36.927692] 4.17.0-rc2+ #19 Not tainted
[ 36.931646] ------------------------------------------------------
[ 36.937937] syz-executor164/4538 is trying to acquire lock:
[ 36.943626] (ptrval) (sk_lock-AF_INET){+.+.}, at: tcp_mmap+0x1c7/0x14f0
[ 36.951064]
[ 36.951064] but task is already holding lock:
[ 36.957009] (ptrval) (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0
[ 36.964646]
[ 36.964646] which lock already depends on the new lock.
[ 36.964646]
[ 36.972942]
[ 36.972942] the existing dependency chain (in reverse order) is:
[ 36.980544]
[ 36.980544] -> #1 (&mm->mmap_sem){++++}:
[ 36.986102]        __might_fault+0x155/0x1e0
[ 36.990500]        _copy_from_iter_full+0x2fd/0xd10
[ 36.995505]        tcp_sendmsg_locked+0x2f98/0x3e10
[ 37.000505]        tcp_sendmsg+0x2f/0x50
[ 37.004545]        inet_sendmsg+0x19f/0x690
[ 37.008847]        sock_sendmsg+0xd5/0x120
[ 37.013059]        sock_write_iter+0x35a/0x5a0
[ 37.017624]        __vfs_write+0x64d/0x960
[ 37.021847]        vfs_write+0x1f8/0x560
[ 37.025888]        ksys_write+0xf9/0x250
[ 37.029936]        __x64_sys_write+0x73/0xb0
[ 37.034329]        do_syscall_64+0x1b1/0x800
[ 37.038734]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.044433]
[ 37.044433] -> #0 (sk_lock-AF_INET){+.+.}:
[ 37.050140]        lock_acquire+0x1dc/0x520
[ 37.054446]        lock_sock_nested+0xd0/0x120
[ 37.059030]        tcp_mmap+0x1c7/0x14f0
[ 37.063084]        sock_mmap+0x8e/0xc0
[ 37.066952]        mmap_region+0xd13/0x1820
[ 37.071257]        do_mmap+0xc79/0x11d0
[ 37.075213]        vm_mmap_pgoff+0x1fb/0x2a0
[ 37.079602]        ksys_mmap_pgoff+0x4c9/0x640
[ 37.084168]        __x64_sys_mmap+0xe9/0x1b0
[ 37.088556]        do_syscall_64+0x1b1/0x800
[ 37.092949]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.098636]
[ 37.098636] other info that might help us debug this:
[ 37.098636]
[ 37.106758]  Possible unsafe locking scenario:
[ 37.106758]
[ 37.112809]        CPU0                    CPU1
[ 37.117460]        ----                    ----
[ 37.122106]   lock(&mm->mmap_sem);
[ 37.125628]                                lock(sk_lock-AF_INET);
[ 37.131850]                                lock(&mm->mmap_sem);
[ 37.137891]   lock(sk_lock-AF_INET);
[ 37.141582]
[ 37.141582]  *** DEADLOCK ***
[ 37.141582]
[ 37.147629] 1 lock held by syz-executor164/4538:
[ 37.152370]  #0: (ptrval) (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0
[ 37.160423]
[ 37.160423] stack backtrace:
[ 37.164906] CPU: 1 PID: 4538 Comm: syz-executor164 Not tainted 4.17.0-rc2+ #19
[ 37.172251] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.181583] Call Trace:
[ 37.184160]  dump_stack+0x1b9/0x294
[ 37.187778]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 37.192958]  ? print_lock+0xd1/0xd6
[ 37.196567]  ? vprintk_func+0x81/0xe7
[ 37.200352]  print_circular_bug.isra.36.cold.54+0x1bd/0x27d
[ 37.206045]  ? save_trace+0xe0/0x290
[ 37.209753]  __lock_acquire+0x343e/0x5140
[ 37.213889]  ? debug_check_no_locks_freed+0x310/0x310
[ 37.219062]  ? find_held_lock+0x36/0x1c0
[ 37.223121]  ? kasan_check_read+0x11/0x20
[ 37.227269]  ? graph_lock+0x170/0x170
[ 37.231054]  ? kernel_text_address+0x79/0xf0
[ 37.235448]  ? __unwind_start+0x166/0x330
[ 37.239578]  ? __save_stack_trace+0x7e/0xd0
[ 37.243887]  lock_acquire+0x1dc/0x520
[ 37.247673]  ? tcp_mmap+0x1c7/0x14f0
[ 37.251377]  ? lock_release+0xa10/0xa10
[ 37.255331]  ? kasan_check_read+0x11/0x20
[ 37.259467]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 37.263857]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 37.268422]  ? kasan_check_write+0x14/0x20
[ 37.272644]  ? do_raw_spin_lock+0xc1/0x200
[ 37.276876]  lock_sock_nested+0xd0/0x120
[ 37.280932]  ? tcp_mmap+0x1c7/0x14f0
[ 37.284644]  tcp_mmap+0x1c7/0x14f0
[ 37.288176]  ? __lock_is_held+0xb5/0x140
[ 37.292222]  ? tcp_splice_read+0xfc0/0xfc0
[ 37.296446]  ? rcu_read_lock_sched_held+0x108/0x120
[ 37.301654]  ? kmem_cache_alloc+0x5fa/0x760
[ 37.305975]  sock_mmap+0x8e/0xc0
[ 37.309329]  mmap_region+0xd13/0x1820
[ 37.313120]  ? __x64_sys_brk+0x790/0x790
[ 37.317166]  ? arch_get_unmapped_area+0x750/0x750
[ 37.321997]  ? lock_acquire+0x1dc/0x520
[ 37.325954]  ? vm_mmap_pgoff+0x1a1/0x2a0
[ 37.330006]  ? cap_mmap_addr+0x52/0x130
[ 37.333967]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.339488]  ? security_mmap_addr+0x80/0xa0
[ 37.343793]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 37.349314]  ? get_unmapped_area+0x292/0x3b0
[ 37.353717]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 37.359238]  do_mmap+0xc79/0x11d0
[ 37.362676]  ? mmap_region+0x1820/0x1820
[ 37.366727]  ? vm_mmap_pgoff+0x1a1/0x2a0
[ 37.370779]  ? down_read_killable+0x1f0/0x1f0
[ 37.375273]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 37.380796]  ? security_mmap_file+0x166/0x1b0
[ 37.385274]  vm_mmap_pgoff+0x1fb/0x2a0
[ 37.389156]  ? vma_is_stack_for_current+0xd0/0xd0
[ 37.393983]  ? sock_release+0x1b0/0x1b0
[ 37.397941]  ? get_unused_fd_flags+0x121/0x190
[ 37.402506]  ? __alloc_fd+0x700/0x700
[ 37.406293]  ksys_mmap_pgoff+0x4c9/0x640
[ 37.410341]  ? find_mergeable_anon_vma+0xd0/0xd0
[ 37.415081]  ? move_addr_to_kernel+0x70/0x70
[ 37.419475]  ? __ia32_sys_fallocate+0xf0/0xf0
[ 37.423957]  __x64_sys_mmap+0xe9/0x1b0
[ 37.427830]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 37.432840]  do_syscall_64+0x1b1/0x800
[ 37.436731]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 37.441562]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 37.446478]  ? syscall_return_slowpath+0x30f/0x5c0
[ 37.451391]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 37.456744]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.461579]  entry_SYSCALL_64_after_hwframe+0x49