[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 21.169329] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 26.349528] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 26.624136] random: sshd: uninitialized urandom read (32 bytes read, 39 bits of entropy available)
[ 28.069896] random: nonblocking pool is initialized
Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
[ 33.797027] IPVS: Creating netns size=2552 id=1
net.ipv6.conf.syz_tun.router_solicitations = 0
executing program
[ 33.893315]
[ 33.894997] ======================================================
[ 33.901286] [ INFO: possible circular locking dependency detected ]
[ 33.907670] 4.4.141-g1b37d68 #71 Not tainted
[ 33.912057] -------------------------------------------------------
[ 33.918440] syz-executor919/3838 is trying to acquire lock:
[ 33.924119]  (&(&q->lock)->rlock){+.-...}, at: [] ip_defrag+0x318/0x3fe0
[ 33.932995]
[ 33.932995] but task is already holding lock:
[ 33.938937]  (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x23c/0x6e0
[ 33.947705]
[ 33.947705] which lock already depends on the new lock.
[ 33.947705]
[ 33.955992]
[ 33.955992] the existing dependency chain (in reverse order) is:
[ 33.963595] -> #1 (_xmit_NETROM){+.-...}:
[ 33.968380]        [] lock_acquire+0x15e/0x450
[ 33.974617]        [] _raw_spin_lock_irqsave+0x4e/0x70
[ 33.981547]        [] depot_save_stack+0x211/0x610
[ 33.988151]        [] save_stack+0xa9/0xd0
[ 33.994064]        [] kasan_kmalloc+0xc7/0xe0
[ 34.000213]        [] kasan_slab_alloc+0x12/0x20
[ 34.006624]        [] kmem_cache_alloc+0xbe/0x2a0
[ 34.013145]        [] inet_getpeer.part.5+0xeac/0x15a0
[ 34.020084]        [] inet_getpeer+0x55b/0x6f0
[ 34.026353]        [] icmp6_send+0x17c5/0x1b80
[ 34.032590]        [] icmpv6_param_prob+0x29/0x40
[ 34.039086]        [] ipv6_frag_rcv+0x3f94/0x4fd0
[ 34.045596]        [] ip6_input_finish+0x32e/0x1550
[ 34.052278]        [] ip6_input+0xf6/0x200
[ 34.058189]        [] ip6_rcv_finish+0x13d/0x640
[ 34.064600]        [] ipv6_rcv+0x10cb/0x1cd0
[ 34.070699]        [] __netif_receive_skb_core+0x12d6/0x2940
[ 34.078164]        [] __netif_receive_skb+0x5b/0x1b0
[ 34.084938]        [] process_backlog+0x216/0x6a0
[ 34.091455]        [] net_rx_action+0x3a2/0xdb0
[ 34.097803]        [] __do_softirq+0x22c/0xa1a
[ 34.104052]        [] do_softirq_own_stack+0x1c/0x30
[ 34.110817]        [] do_softirq.part.16+0x54/0x60
[ 34.117422]        [] do_softirq+0x19/0x20
[ 34.123317]        [] netif_rx_ni+0xec/0x3a0
[ 34.129388]        [] tun_get_user+0xbe7/0x2410
[ 34.135724]        [] tun_chr_write_iter+0xd5/0x190
[ 34.142396]        [] do_iter_readv_writev+0x13c/0x1e0
[ 34.149344]        [] do_readv_writev+0x2e0/0x6e0
[ 34.155848]        [] vfs_writev+0x7b/0xb0
[ 34.161762]        [] SyS_writev+0xd9/0x250
[ 34.167735]        [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 34.174944] -> #0 (&(&q->lock)->rlock){+.-...}:
[ 34.180264]        [] __lock_acquire+0x3902/0x5270
[ 34.186859]        [] lock_acquire+0x15e/0x450
[ 34.193125]        [] _raw_spin_lock+0x36/0x50
[ 34.199365]        [] ip_defrag+0x318/0x3fe0
[ 34.205451]        [] ip_check_defrag+0x3c8/0x7e0
[ 34.211963]        [] packet_rcv_fanout+0x52a/0x5e0
[ 34.218677]        [] dev_hard_start_xmit+0x644/0x11c0
[ 34.225620]        [] sch_direct_xmit+0x2c1/0x6e0
[ 34.232117]        [] __dev_queue_xmit+0xef3/0x1c80
[ 34.239054]        [] dev_queue_xmit+0x17/0x20
[ 34.245290]        [] neigh_resolve_output+0x637/0x790
[ 34.252227]        [] ip_finish_output2+0x6ab/0x1110
[ 34.258987]        [] ip_do_fragment+0x19cc/0x2190
[ 34.265577]        [] ip_fragment.constprop.51+0x143/0x200
[ 34.272872]        [] ip_finish_output+0x48a/0xc00
[ 34.279457]        [] ip_mc_output+0x233/0x980
[ 34.285704]        [] ip_local_out+0x9b/0x180
[ 34.291854]        [] ip_send_skb+0x3c/0xc0
[ 34.297843]        [] udp_send_skb+0x5c3/0xc60
[ 34.304082]        [] udp_sendmsg+0x16c9/0x1c70
[ 34.310434]        [] inet_sendmsg+0x203/0x4d0
[ 34.316700]        [] sock_sendmsg+0xcc/0x110
[ 34.322863]        [] SYSC_sendto+0x21c/0x370
[ 34.329021]        [] SyS_sendto+0x40/0x50
[ 34.334911]        [] entry_SYSCALL_64_fastpath+0x22/0x9e
[ 34.342123]
[ 34.342123] other info that might help us debug this:
[ 34.342123]
[ 34.350257]  Possible unsafe locking scenario:
[ 34.350257]
[ 34.356285]        CPU0                    CPU1
[ 34.360922]        ----                    ----
[ 34.365563]   lock(_xmit_NETROM);
[ 34.369229]                                lock(&(&q->lock)->rlock);
[ 34.375936]                                lock(_xmit_NETROM);
[ 34.382115]   lock(&(&q->lock)->rlock);
[ 34.386308]
[ 34.386308]  *** DEADLOCK ***
[ 34.386308]
[ 34.392341] 4 locks held by syz-executor919/3838:
[ 34.397155]  #0: (rcu_read_lock_bh){......}, at: [] ip_finish_output2+0x212/0x1110
[ 34.407093]  #1: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c80
[ 34.416959]  #2: (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x23c/0x6e0
[ 34.426344]  #3: (rcu_read_lock){......}, at: [] dev_hard_start_xmit+0xa8/0x11c0
[ 34.436108]
[ 34.436108] stack backtrace:
[ 34.440578] CPU: 0 PID: 3838 Comm: syz-executor919 Not tainted 4.4.141-g1b37d68 #71
[ 34.448344] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.457670]  0000000000000000 17e9575619f9cf09 ffff8801d934ed38 ffffffff81e0e18d
[ 34.465678]  ffffffff853eb570 ffffffff853ebc30 ffffffff853eb570 ffff8800bae5a150
[ 34.473676]  ffff8800bae59800 ffff8801d934ed80 ffffffff8140e71b 0000000000000003
[ 34.481672] Call Trace:
[ 34.484232]  [] dump_stack+0xc1/0x124
[ 34.489580]  [] print_circular_bug.cold.50+0x1bd/0x27d
[ 34.496403]  [] __lock_acquire+0x3902/0x5270
[ 34.502352]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 34.509361]  [] ? trace_hardirqs_on_caller+0x266/0x590
[ 34.516190]  [] lock_acquire+0x15e/0x450
[ 34.521789]  [] ? ip_defrag+0x318/0x3fe0
[ 34.527400]  [] ? inet_frag_find+0x22e/0x9c0
[ 34.533353]  [] _raw_spin_lock+0x36/0x50
[ 34.538950]  [] ? ip_defrag+0x318/0x3fe0
[ 34.544555]  [] ip_defrag+0x318/0x3fe0
[ 34.549989]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 34.556983]  [] ? memcpy+0x45/0x50
[ 34.562068]  [] ? ip_expire+0x770/0x770
[ 34.567576]  [] ip_check_defrag+0x3c8/0x7e0
[ 34.573445]  [] ? ip_defrag+0x3fe0/0x3fe0
[ 34.579131]  [] packet_rcv_fanout+0x52a/0x5e0
[ 34.585161]  [] ? packet_bind+0x190/0x190
[ 34.590846]  [] dev_hard_start_xmit+0x644/0x11c0
[ 34.597135]  [] ? dev_hard_start_xmit+0xa8/0x11c0
[ 34.603512]  [] sch_direct_xmit+0x2c1/0x6e0
[ 34.609367]  [] ? dev_watchdog+0x7f0/0x7f0
[ 34.615136]  [] __dev_queue_xmit+0xef3/0x1c80
[ 34.621172]  [] ? __dev_queue_xmit+0x1d7/0x1c80
[ 34.627377]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 34.634360]  [] ? netdev_pick_tx+0x2c0/0x2c0
[ 34.640302]  [] ? memcpy+0x45/0x50
[ 34.645378]  [] dev_queue_xmit+0x17/0x20
[ 34.650974]  [] neigh_resolve_output+0x637/0x790
[ 34.657266]  [] ? ip_finish_output2+0x6ab/0x1110
[ 34.663573]  [] ip_finish_output2+0x6ab/0x1110
[ 34.669715]  [] ? ip_finish_output2+0x212/0x1110
[ 34.676013]  [] ? nf_ct_deliver_cached_events+0x335/0x560
[ 34.683083]  [] ? ip_copy_metadata+0x700/0x700
[ 34.689211]  [] ip_do_fragment+0x19cc/0x2190
[ 34.695160]  [] ? ip_copy_metadata+0x700/0x700
[ 34.701280]  [] ip_fragment.constprop.51+0x143/0x200
[ 34.707920]  [] ip_finish_output+0x48a/0xc00
[ 34.713861]  [] ip_mc_output+0x233/0x980
[ 34.719457]  [] ? ip_queue_xmit+0x1af0/0x1af0
[ 34.725487]  [] ? ip_make_skb+0x116/0x210
[ 34.731168]  [] ? ip_fragment.constprop.51+0x200/0x200
[ 34.737980]  [] ? ip_flush_pending_frames+0x30/0x30
[ 34.744526]  [] ip_local_out+0x9b/0x180
[ 34.750035]  [] ip_send_skb+0x3c/0xc0
[ 34.755378]  [] udp_send_skb+0x5c3/0xc60
[ 34.760975]  [] udp_sendmsg+0x16c9/0x1c70
[ 34.766657]  [] ? ip_reply_glue_bits+0xc0/0xc0
[ 34.773382]  [] ? udp4_lib_lookup+0x60/0x60
[ 34.779239]  [] ? debug_check_no_locks_freed+0x210/0x210
[ 34.786234]  [] ? sock_has_perm+0x1c1/0x400
[ 34.792176]  [] ? sock_has_perm+0x29f/0x400
[ 34.798029]  [] ? sock_has_perm+0x9f/0x400
[ 34.803810]  [] ? inet_sendmsg+0x143/0x4d0
[ 34.809587]  [] inet_sendmsg+0x203/0x4d0
[ 34.815190]  [] ? inet_sendmsg+0x73/0x4d0
[ 34.820872]  [] ? inet_recvmsg+0x4c0/0x4c0
[ 34.826644]  [] sock_sendmsg+0xcc/0x110
[ 34.832152]  [] SYSC_sendto+0x21c/0x370
[ 34.837659]  [] ? SYSC_connect+0x300/0x300
[ 34.843427]  [] ? _raw_spin_unlock+0x2c/0x50
[ 34.849371]  [] ? do_huge_pmd_anonymous_page+0x38c/0x9d0
[ 34.856367]  [] ? handle_mm_fault+0xbf7/0x30b0
[ 34.862483]  [] ? SYSC_connect+0x22a/0x300
[ 34.868254]  [] ? __do_page_fault+0x38a/0xa10
[ 34.874282]  [] ? retint_user+0x18/0x3c
[ 34.879801]  [] SyS_sendto+0x40/0x50
[ 34.885052]  [] entry_SYSCALL_64_fastpath+0x22/0x9e