[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 20.886980] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 24.463828] random: sshd: uninitialized urandom read (32 bytes read)
[ 24.855656] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.585283] random: sshd: uninitialized urandom read (32 bytes read)
[ 25.747275] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.56' (ECDSA) to the list of known hosts.
[ 31.255176] random: sshd: uninitialized urandom read (32 bytes read)
[ 31.347829]
[ 31.349502] ======================================================
[ 31.355795] WARNING: possible circular locking dependency detected
[ 31.362097] 4.17.0-rc2+ #19 Not tainted
[ 31.366047] ------------------------------------------------------
[ 31.372358] syz-executor057/4517 is trying to acquire lock:
[ 31.378055] (ptrval) (sk_lock-AF_INET){+.+.}, at: tcp_mmap+0x1c7/0x14f0
[ 31.385514]
[ 31.385514] but task is already holding lock:
[ 31.391464] (ptrval) (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0
[ 31.399083]
[ 31.399083] which lock already depends on the new lock.
[ 31.399083]
[ 31.407392]
[ 31.407392] the existing dependency chain (in reverse order) is:
[ 31.415004]
[ 31.415004] -> #1 (&mm->mmap_sem){++++}:
[ 31.420558]        __might_fault+0x155/0x1e0
[ 31.424958]        _copy_from_iter_full+0x2fd/0xd10
[ 31.429961]        tcp_sendmsg_locked+0x2f98/0x3e10
[ 31.434960]        tcp_sendmsg+0x2f/0x50
[ 31.439007]        inet_sendmsg+0x19f/0x690
[ 31.443320]        sock_sendmsg+0xd5/0x120
[ 31.447536]        sock_write_iter+0x35a/0x5a0
[ 31.452110]        __vfs_write+0x64d/0x960
[ 31.456323]        vfs_write+0x1f8/0x560
[ 31.460368]        ksys_write+0xf9/0x250
[ 31.464409]        __x64_sys_write+0x73/0xb0
[ 31.468813]        do_syscall_64+0x1b1/0x800
[ 31.473204]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.478890]
[ 31.478890] -> #0 (sk_lock-AF_INET){+.+.}:
[ 31.484601]        lock_acquire+0x1dc/0x520
[ 31.488905]        lock_sock_nested+0xd0/0x120
[ 31.493469]        tcp_mmap+0x1c7/0x14f0
[ 31.497517]        sock_mmap+0x8e/0xc0
[ 31.501385]        mmap_region+0xd13/0x1820
[ 31.505703]        do_mmap+0xc79/0x11d0
[ 31.509664]        vm_mmap_pgoff+0x1fb/0x2a0
[ 31.514055]        ksys_mmap_pgoff+0x4c9/0x640
[ 31.518620]        __x64_sys_mmap+0xe9/0x1b0
[ 31.523012]        do_syscall_64+0x1b1/0x800
[ 31.527410]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.533096]
[ 31.533096] other info that might help us debug this:
[ 31.533096]
[ 31.541222] Possible unsafe locking scenario:
[ 31.541222]
[ 31.547272]        CPU0                    CPU1
[ 31.551914]        ----                    ----
[ 31.556566]   lock(&mm->mmap_sem);
[ 31.560170]                                lock(sk_lock-AF_INET);
[ 31.566377]                                lock(&mm->mmap_sem);
[ 31.572407]   lock(sk_lock-AF_INET);
[ 31.576109]
[ 31.576109] *** DEADLOCK ***
[ 31.576109]
[ 31.582152] 1 lock held by syz-executor057/4517:
[ 31.586890] #0: (ptrval) (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0
[ 31.594936]
[ 31.594936] stack backtrace:
[ 31.599414] CPU: 0 PID: 4517 Comm: syz-executor057 Not tainted 4.17.0-rc2+ #19
[ 31.606751] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.616082] Call Trace:
[ 31.618660]  dump_stack+0x1b9/0x294
[ 31.622278]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.627455]  ? print_lock+0xd1/0xd6
[ 31.631082]  ? vprintk_func+0x81/0xe7
[ 31.634873]  print_circular_bug.isra.36.cold.54+0x1bd/0x27d
[ 31.640561]  ? save_trace+0xe0/0x290
[ 31.644253]  __lock_acquire+0x343e/0x5140
[ 31.648383]  ? debug_check_no_locks_freed+0x310/0x310
[ 31.653549]  ? find_held_lock+0x36/0x1c0
[ 31.657593]  ? kasan_check_read+0x11/0x20
[ 31.661721]  ? rcu_bh_force_quiescent_state+0x20/0x20
[ 31.666892]  ? graph_lock+0x170/0x170
[ 31.670672]  ? kernel_text_address+0x79/0xf0
[ 31.675071]  ? __unwind_start+0x166/0x330
[ 31.679202]  ? __save_stack_trace+0x7e/0xd0
[ 31.683508]  lock_acquire+0x1dc/0x520
[ 31.687292]  ? tcp_mmap+0x1c7/0x14f0
[ 31.690987]  ? lock_release+0xa10/0xa10
[ 31.694944]  ? kasan_check_read+0x11/0x20
[ 31.699074]  ? do_raw_spin_unlock+0x9e/0x2e0
[ 31.703463]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 31.708035]  ? kasan_check_write+0x14/0x20
[ 31.712252]  ? do_raw_spin_lock+0xc1/0x200
[ 31.716466]  lock_sock_nested+0xd0/0x120
[ 31.720507]  ? tcp_mmap+0x1c7/0x14f0
[ 31.724213]  tcp_mmap+0x1c7/0x14f0
[ 31.727733]  ? __lock_is_held+0xb5/0x140
[ 31.731784]  ? tcp_splice_read+0xfc0/0xfc0
[ 31.735997]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.741005]  ? kmem_cache_alloc+0x5fa/0x760
[ 31.745333]  sock_mmap+0x8e/0xc0
[ 31.748682]  mmap_region+0xd13/0x1820
[ 31.752466]  ? __x64_sys_brk+0x790/0x790
[ 31.756507]  ? arch_get_unmapped_area+0x750/0x750
[ 31.761328]  ? lock_acquire+0x1dc/0x520
[ 31.765282]  ? vm_mmap_pgoff+0x1a1/0x2a0
[ 31.769340]  ? cap_mmap_addr+0x52/0x130
[ 31.773296]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.778822]  ? security_mmap_addr+0x80/0xa0
[ 31.783130]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.788643]  ? get_unmapped_area+0x292/0x3b0
[ 31.793039]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.798561]  do_mmap+0xc79/0x11d0
[ 31.801995]  ? mmap_region+0x1820/0x1820
[ 31.806045]  ? vm_mmap_pgoff+0x1a1/0x2a0
[ 31.810089]  ? down_read_killable+0x1f0/0x1f0
[ 31.814571]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.820091]  ? security_mmap_file+0x166/0x1b0
[ 31.824564]  vm_mmap_pgoff+0x1fb/0x2a0
[ 31.828430]  ? vma_is_stack_for_current+0xd0/0xd0
[ 31.833254]  ? sock_release+0x1b0/0x1b0
[ 31.837217]  ? get_unused_fd_flags+0x121/0x190
[ 31.841779]  ? __alloc_fd+0x700/0x700
[ 31.845558]  ksys_mmap_pgoff+0x4c9/0x640
[ 31.849596]  ? find_mergeable_anon_vma+0xd0/0xd0
[ 31.854328]  ? move_addr_to_kernel+0x70/0x70
[ 31.858713]  ? __ia32_sys_fallocate+0xf0/0xf0
[ 31.863204]  __x64_sys_mmap+0xe9/0x1b0
[ 31.867070]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 31.872066]  do_syscall_64+0x1b1/0x800
[ 31.875933]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 31.880842]  ? syscall_return_slowpath+0x30f/0x5c0
[ 31.885759]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[ 31.891107]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.895930]  entry_SYSCALL_64_after_hwframe+0x49