[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 17.386332] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 18.944671] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.100844] random: sshd: uninitialized urandom read (32 bytes read)
[ 19.799333] random: sshd: uninitialized urandom read (32 bytes read)
[ 21.370809] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
[ 26.772427] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 26.875417]
[ 26.877069] ======================================================
[ 26.883360] WARNING: possible circular locking dependency detected
[ 26.889679] 4.17.0-rc2+ #22 Not tainted
[ 26.893625] ------------------------------------------------------
[ 26.899918] syz-executor987/4429 is trying to acquire lock:
[ 26.905609] (ptrval) (&mm->mmap_sem){++++}, at: __might_fault+0xfb/0x1e0
[ 26.913233]
[ 26.913233] but task is already holding lock:
[ 26.919186] (ptrval) (sk_lock-AF_INET6){+.+.}, at: do_ipv6_setsockopt.isra.9+0x5ba/0x4680
[ 26.928186]
[ 26.928186] which lock already depends on the new lock.
[ 26.928186]
[ 26.936489]
[ 26.936489] the existing dependency chain (in reverse order) is:
[ 26.944086]
[ 26.944086] -> #1 (sk_lock-AF_INET6){+.+.}:
[ 26.949883]        lock_sock_nested+0xd0/0x120
[ 26.954450]        tcp_mmap+0x1c7/0x14f0
[ 26.958493]        sock_mmap+0x8e/0xc0
[ 26.962357]        mmap_region+0xd13/0x1820
[ 26.966654]        do_mmap+0xc79/0x11d0
[ 26.970608]        vm_mmap_pgoff+0x1fb/0x2a0
[ 26.974990]        ksys_mmap_pgoff+0x4c9/0x640
[ 26.979555]        __x64_sys_mmap+0xe9/0x1b0
[ 26.983942]        do_syscall_64+0x1b1/0x800
[ 26.988334]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 26.994027]
[ 26.994027] -> #0 (&mm->mmap_sem){++++}:
[ 26.999562]        lock_acquire+0x1dc/0x520
[ 27.003869]        __might_fault+0x155/0x1e0
[ 27.008256]        _copy_from_user+0x30/0x150
[ 27.012731]        memdup_user+0x54/0xa0
[ 27.016770]        xfrm_user_policy+0x1c0/0xae0
[ 27.021415]        do_ipv6_setsockopt.isra.9+0x881/0x4680
[ 27.026929]        ipv6_setsockopt+0xbd/0x170
[ 27.031404]        udpv6_setsockopt+0x62/0xa0
[ 27.035877]        sock_common_setsockopt+0x9a/0xe0
[ 27.040879]        __sys_setsockopt+0x1bd/0x390
[ 27.045533]        __x64_sys_setsockopt+0xbe/0x150
[ 27.050440]        do_syscall_64+0x1b1/0x800
[ 27.054837]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.060516]
[ 27.060516] other info that might help us debug this:
[ 27.060516]
[ 27.068633]  Possible unsafe locking scenario:
[ 27.068633]
[ 27.074666]        CPU0                    CPU1
[ 27.079304]        ----                    ----
[ 27.083945]   lock(sk_lock-AF_INET6);
[ 27.087722]                                lock(&mm->mmap_sem);
[ 27.093855]                                lock(sk_lock-AF_INET6);
[ 27.100147]   lock(&mm->mmap_sem);
[ 27.103662]
[ 27.103662]  *** DEADLOCK ***
[ 27.103662]
[ 27.109699] 1 lock held by syz-executor987/4429:
[ 27.114426]  #0: (ptrval) (sk_lock-AF_INET6){+.+.}, at: do_ipv6_setsockopt.isra.9+0x5ba/0x4680
[ 27.123870]
[ 27.123870] stack backtrace:
[ 27.128346] CPU: 1 PID: 4429 Comm: syz-executor987 Not tainted 4.17.0-rc2+ #22
[ 27.135685] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.145021] Call Trace:
[ 27.147599]  dump_stack+0x1b9/0x294
[ 27.151206]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 27.156383]  ? print_lock+0xd1/0xd6
[ 27.159987]  ? vprintk_func+0x81/0xe7
[ 27.163768]  print_circular_bug.isra.36.cold.54+0x1bd/0x27d
[ 27.169459]  ? save_trace+0xe0/0x290
[ 27.173156]  __lock_acquire+0x343e/0x5140
[ 27.177285]  ? debug_check_no_locks_freed+0x310/0x310
[ 27.182455]  ? lock_downgrade+0x8e0/0x8e0
[ 27.186587]  ? mark_held_locks+0xc9/0x160
[ 27.190711]  ? do_raw_spin_trylock+0x1b0/0x1b0
[ 27.195279]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 27.200362]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.205365]  ? trace_hardirqs_on+0xd/0x10
[ 27.209493]  ? depot_save_stack+0x26b/0x450
[ 27.213792]  ? save_stack+0xa9/0xd0
[ 27.217396]  ? save_stack+0x43/0xd0
[ 27.221000]  ? __kmalloc_track_caller+0x14a/0x760
[ 27.225834]  ? memdup_user+0x2c/0xa0
[ 27.229526]  ? xfrm_user_policy+0x1c0/0xae0
[ 27.233825]  ? do_ipv6_setsockopt.isra.9+0x881/0x4680
[ 27.238992]  ? ipv6_setsockopt+0xbd/0x170
[ 27.243122]  ? udpv6_setsockopt+0x62/0xa0
[ 27.247252]  ? sock_common_setsockopt+0x9a/0xe0
[ 27.251914]  ? __x64_sys_setsockopt+0xbe/0x150
[ 27.256473]  ? do_syscall_64+0x1b1/0x800
[ 27.260511]  ? graph_lock+0x170/0x170
[ 27.264292]  ? find_held_lock+0x36/0x1c0
[ 27.268333]  ? print_usage_bug+0xc0/0xc0
[ 27.272371]  lock_acquire+0x1dc/0x520
[ 27.276155]  ? __might_fault+0xfb/0x1e0
[ 27.280115]  ? lock_release+0xa10/0xa10
[ 27.284071]  ? check_same_owner+0x320/0x320
[ 27.288378]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 27.293372]  ? __check_object_size+0x95/0x5d9
[ 27.297851]  ? __might_sleep+0x95/0x190
[ 27.301808]  __might_fault+0x155/0x1e0
[ 27.305672]  ? __might_fault+0xfb/0x1e0
[ 27.309631]  _copy_from_user+0x30/0x150
[ 27.313586]  ? xfrm_user_policy+0x1c0/0xae0
[ 27.317890]  memdup_user+0x54/0xa0
[ 27.321410]  xfrm_user_policy+0x1c0/0xae0
[ 27.325535]  ? xfrm_replay_timer_handler+0x4e0/0x4e0
[ 27.330618]  ? lock_acquire+0x1dc/0x520
[ 27.334569]  ? do_ipv6_setsockopt.isra.9+0x5ba/0x4680
[ 27.339740]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.345260]  ? cap_capable+0x1f9/0x260
[ 27.349134]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.354655]  ? security_capable+0x99/0xc0
[ 27.358782]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.364294]  ? ns_capable_common+0x13f/0x170
[ 27.368681]  do_ipv6_setsockopt.isra.9+0x881/0x4680
[ 27.373682]  ? ipv6_update_options+0x390/0x390
[ 27.378245]  ? __thp_get_unmapped_area+0x180/0x180
[ 27.383154]  ? debug_check_no_locks_freed+0x310/0x310
[ 27.388325]  ? alloc_file+0x24/0x3e0
[ 27.392022]  ? sock_alloc_file+0x1f3/0x4e0
[ 27.396236]  ? __sys_socket+0x16f/0x250
[ 27.400188]  ? do_syscall_64+0x1b1/0x800
[ 27.404235]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.409577]  ? debug_mutex_init+0x1c/0x60
[ 27.413702]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.418793]  ? graph_lock+0x170/0x170
[ 27.422571]  ? pud_val+0x80/0xf0
[ 27.425912]  ? pmd_val+0xf0/0xf0
[ 27.429257]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.434781]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.440298]  ? __handle_mm_fault+0x93a/0x4310
[ 27.444774]  ? vm_insert_mixed_mkwrite+0x40/0x40
[ 27.449504]  ? graph_lock+0x170/0x170
[ 27.453287]  ? graph_lock+0x170/0x170
[ 27.457073]  ? find_held_lock+0x36/0x1c0
[ 27.461213]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.466728]  ? __fget_light+0x2ef/0x430
[ 27.470678]  ? fget_raw+0x20/0x20
[ 27.474109]  ? lock_downgrade+0x8e0/0x8e0
[ 27.478232]  ? handle_mm_fault+0x8c0/0xc70
[ 27.482445]  ipv6_setsockopt+0xbd/0x170
[ 27.486395]  ? ipv6_setsockopt+0xbd/0x170
[ 27.490518]  udpv6_setsockopt+0x62/0xa0
[ 27.494469]  sock_common_setsockopt+0x9a/0xe0
[ 27.498951]  __sys_setsockopt+0x1bd/0x390
[ 27.503077]  ? kernel_accept+0x310/0x310
[ 27.507119]  ? mm_fault_error+0x380/0x380
[ 27.511262]  ? __ia32_sys_fallocate+0xf0/0xf0
[ 27.515739]  __x64_sys_setsockopt+0xbe/0x150
[ 27.520134]  ? trace_hardirqs_on_caller+0x421/0x5c0
[ 27.525127]  do_syscall_64+0x1b1/0x800
[ 27.528991]  ? syscall_slow_exit_work+0x4f0/0x4f0
[ 27.533823]  ? syscall_return_slowpath+0x5c0/0x5c0
[ 27.538743]  ? syscall_return_slowpath+0x30f/0x5c0
[ 27.543671]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 27.549194]  ? retint_user+0x18/0x18
[ 27.552892]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.557716]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 27.562883] RIP: 0033:0x43ffc9
[ 27.566052] RSP: 002b:00007ffff926cc08 EFLAGS: 00000217 ORIG_RAX: 0000000000000036
[ 27.573736] RAX: ffffffffffffffda RBX: 00000000004002c8