[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 22.104247] random: sshd: uninitialized urandom read (32 bytes read, 33 bits of entropy available)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 27.192200] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 27.699193] random: sshd: uninitialized urandom read (32 bytes read, 40 bits of entropy available)
[ 29.176148] random: sshd: uninitialized urandom read (32 bytes read, 116 bits of entropy available)
[ 29.344805] random: sshd: uninitialized urandom read (32 bytes read, 118 bits of entropy available)
Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
[ 34.864168] random: sshd: uninitialized urandom read (32 bytes read, 124 bits of entropy available)
2018/07/21 01:32:34 parsed 1 programs
[ 36.651083] random: cc1: uninitialized urandom read (8 bytes read, 126 bits of entropy available)
[ 37.544116] random: nonblocking pool is initialized
2018/07/21 01:32:37 executed programs: 0
[ 37.719979] IPVS: Creating netns size=2552 id=1
[ 37.841977]
[ 37.843643] ======================================================
[ 37.849961] [ INFO: possible circular locking dependency detected ]
[ 37.856339] 4.4.141-g1b37d68 #7 Not tainted
[ 37.860638] -------------------------------------------------------
[ 37.867016] syz-executor0/3876 is trying to acquire lock:
[ 37.872530] (_xmit_NETROM){+.-...}, at: [] sch_direct_xmit+0x23c/0x6e0
[ 37.881323]
[ 37.881323] but task is already holding lock:
[ 37.887265] (&(&q->lock)->rlock){+.-...}, at: [] ipv6_frag_rcv+0x605/0x4fd0
[ 37.896516]
[ 37.896516] which lock already depends on the new lock.
[ 37.896516]
[ 37.904811]
[ 37.904811] the existing dependency chain (in reverse order) is:
[ 37.912499] -> #1 (&(&q->lock)->rlock){+.-...}:
[ 37.917810] [] lock_acquire+0x15e/0x450
[ 37.924059] [] _raw_spin_lock_irqsave+0x4e/0x70
[ 37.930995] [] lock_timer_base+0xd5/0x170
[ 37.937410] [] mod_timer+0x1b7/0xa80
[ 37.943401] [] inet_frag_find+0x71a/0x9c0
[ 37.949817] [] ip_defrag+0x2ed/0x3fe0
[ 37.955885] [] ip_check_defrag+0x3c8/0x7e0
[ 37.962386] [] packet_rcv_fanout+0x52a/0x5e0
[ 37.969063] [] dev_hard_start_xmit+0x644/0x11c0
[ 37.976000] [] sch_direct_xmit+0x2c1/0x6e0
[ 37.982530] [] __dev_queue_xmit+0xef3/0x1c80
[ 37.989227] [] dev_queue_xmit+0x17/0x20
[ 37.995651] [] neigh_resolve_output+0x637/0x790
[ 38.002616] [] ip_finish_output2+0x6ab/0x1110
[ 38.009386] [] ip_do_fragment+0x19cc/0x2190
[ 38.015971] [] ip_fragment.constprop.51+0x143/0x200
[ 38.023249] [] ip_finish_output+0x48a/0xc00
[ 38.029845] [] ip_mc_output+0x233/0x980
[ 38.036091] [] ip_local_out+0x9b/0x180
[ 38.042242] [] ip_send_skb+0x3c/0xc0
[ 38.048225] [] udp_send_skb+0x5c3/0xc60
[ 38.054479] [] udp_sendmsg+0x16c9/0x1c70
[ 38.060816] [] inet_sendmsg+0x203/0x4d0
[ 38.067052] [] sock_sendmsg+0xcc/0x110
[ 38.073209] [] SYSC_sendto+0x21c/0x370
[ 38.079373] [] SyS_sendto+0x40/0x50
[ 38.085277] [] do_fast_syscall_32+0x326/0x8b0
[ 38.092033] [] sysenter_flags_fixed+0xd/0x17
[ 38.098707] -> #0 (_xmit_NETROM){+.-...}:
[ 38.103496] [] __lock_acquire+0x3902/0x5270
[ 38.110084] [] lock_acquire+0x15e/0x450
[ 38.116324] [] _raw_spin_lock+0x36/0x50
[ 38.122575] [] sch_direct_xmit+0x23c/0x6e0
[ 38.129084] [] __dev_queue_xmit+0xef3/0x1c80
[ 38.135760] [] dev_queue_xmit+0x17/0x20
[ 38.141998] [] neigh_resolve_output+0x637/0x790
[ 38.148937] [] ip6_finish_output2+0x929/0x1ca0
[ 38.155811] [] ip6_finish_output+0x3b8/0x760
[ 38.162490] [] ip6_output+0x1b8/0x520
[ 38.168564] [] ip6_local_out+0x9b/0x180
[ 38.174813] [] ip6_send_skb+0xa1/0x340
[ 38.180993] [] ip6_push_pending_frames+0xb3/0xe0
[ 38.188023] [] icmpv6_push_pending_frames+0x33c/0x530
[ 38.195509] [] icmp6_send+0x15cd/0x1b80
[ 38.201750] [] icmpv6_param_prob+0x29/0x40
[ 38.208267] [] ipv6_frag_rcv+0x3f94/0x4fd0
[ 38.214769] [] ip6_input_finish+0x32e/0x1550
[ 38.221450] [] ip6_input+0xf6/0x200
[ 38.227346] [] ip6_rcv_finish+0x13d/0x640
[ 38.233767] [] ipv6_rcv+0x10cb/0x1cd0
[ 38.240016] [] __netif_receive_skb_core+0x12d6/0x2940
[ 38.247470] [] __netif_receive_skb+0x5b/0x1b0
[ 38.254235] [] process_backlog+0x216/0x6a0
[ 38.260735] [] net_rx_action+0x3a2/0xdb0
[ 38.267061] [] __do_softirq+0x22c/0xa1a
[ 38.273300] [] do_softirq_own_stack+0x1c/0x30
[ 38.280114] [] do_softirq.part.16+0x54/0x60
[ 38.286966] [] do_softirq+0x19/0x20
[ 38.292860] [] netif_rx_ni+0xec/0x3a0
[ 38.298933] [] tun_get_user+0xbe7/0x2410
[ 38.305270] [] tun_chr_write_iter+0xd5/0x190
[ 38.311949] [] do_iter_readv_writev+0x13c/0x1e0
[ 38.318885] [] compat_do_readv_writev+0x2e2/0x6e0
[ 38.325996] [] compat_writev+0xe1/0x150
[ 38.332259] [] compat_SyS_writev+0xd8/0x1c0
[ 38.338852] [] do_fast_syscall_32+0x326/0x8b0
[ 38.345617] [] sysenter_flags_fixed+0xd/0x17
[ 38.352290]
[ 38.352290] other info that might help us debug this:
[ 38.352290]
[ 38.360414] Possible unsafe locking scenario:
[ 38.360414]
[ 38.366449]        CPU0                    CPU1
[ 38.371086]        ----                    ----
[ 38.375729]   lock(&(&q->lock)->rlock);
[ 38.379941]                                lock(_xmit_NETROM);
[ 38.386148]                                lock(&(&q->lock)->rlock);
[ 38.392859]   lock(_xmit_NETROM);
[ 38.396520]
[ 38.396520] *** DEADLOCK ***
[ 38.396520]
[ 38.402554] 7 locks held by syz-executor0/3876:
[ 38.407191] #0: (rcu_read_lock){......}, at: [] process_backlog+0x1b2/0x6a0
[ 38.416605] #1: (rcu_read_lock){......}, at: [] ip6_input_finish+0x0/0x1550
[ 38.426037] #2: (&(&q->lock)->rlock){+.-...}, at: [] ipv6_frag_rcv+0x605/0x4fd0
[ 38.435807] #3: (slock-AF_INET6){+.....}, at: [] icmp6_send+0x7e8/0x1b80
[ 38.444957] #4: (rcu_read_lock){......}, at: [] icmp6_send+0x102b/0x1b80
[ 38.454131] #5: (rcu_read_lock_bh){......}, at: [] ip6_finish_output2+0x1d5/0x1ca0
[ 38.464177] #6: (rcu_read_lock_bh){......}, at: [] __dev_queue_xmit+0x1d7/0x1c80
[ 38.474028]
[ 38.474028] stack backtrace:
[ 38.478504] CPU: 1 PID: 3876 Comm: syz-executor0 Not tainted 4.4.141-g1b37d68 #7
[ 38.486011] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.495340] 0000000000000000 490b1f01742067a7 ffff8801db306a48 ffffffff81e0e18d
[ 38.503346] ffffffff853ec2f0 ffffffff853ed070 ffffffff853ec2f0 ffff8800baa4a150
[ 38.511353] ffff8800baa49800 ffff8801db306a90 ffffffff8140e71b 0000000000000003
[ 38.519370] Call Trace:
[ 38.521927] [] dump_stack+0xc1/0x124
[ 38.528012] [] print_circular_bug.cold.50+0x1bd/0x27d
[ 38.534831] [] __lock_acquire+0x3902/0x5270
[ 38.540782] [] ? debug_check_no_locks_freed+0x210/0x210
[ 38.547774] [] ? __lock_acquire+0x2c00/0x5270
[ 38.553911] [] ? __dev_get_by_index+0x1a0/0x1a0
[ 38.560212] [] ? __skb_gso_segment+0x490/0x490
[ 38.566424] [] lock_acquire+0x15e/0x450
[ 38.572032] [] ? sch_direct_xmit+0x23c/0x6e0
[ 38.578073] [] _raw_spin_lock+0x36/0x50
[ 38.583768] [] ? sch_direct_xmit+0x23c/0x6e0
[ 38.589807] [] sch_direct_xmit+0x23c/0x6e0
[ 38.595675] [] ? dev_watchdog+0x7f0/0x7f0
[ 38.601451] [] __dev_queue_xmit+0xef3/0x1c80
[ 38.607500] [] ? __dev_queue_xmit+0x1d7/0x1c80
[ 38.613713] [] ? debug_check_no_locks_freed+0x210/0x210
[ 38.620709] [] ? ip6t_do_table+0xac3/0x17e0
[ 38.626661] [] ? netdev_pick_tx+0x2c0/0x2c0
[ 38.632611] [] ? mark_held_locks+0xc7/0x130
[ 38.638742] [] ? memcpy+0x45/0x50
[ 38.643830] [] dev_queue_xmit+0x17/0x20
[ 38.649436] [] neigh_resolve_output+0x637/0x790
[ 38.655736] [] ? ip6_finish_output2+0x929/0x1ca0
[ 38.662127] [] ip6_finish_output2+0x929/0x1ca0
[ 38.668341] [] ? ip6_finish_output2+0x1d5/0x1ca0
[ 38.674726] [] ? ip6_sk_dst_lookup_flow+0x580/0x580
[ 38.681367] [] ? ip6_mtu+0x217/0x340
[ 38.686704] [] ip6_finish_output+0x3b8/0x760
[ 38.692737] [] ip6_output+0x1b8/0x520
[ 38.698165] [] ? ip6_finish_output+0x760/0x760
[ 38.704389] [] ? ip6_fragment+0x3510/0x3510
[ 38.710335] [] ? ip6_setup_cork+0x11a0/0x11a0
[ 38.716481] [] ip6_local_out+0x9b/0x180
[ 38.722083] [] ip6_send_skb+0xa1/0x340
[ 38.727598] [] ip6_push_pending_frames+0xb3/0xe0
[ 38.733983] [] icmpv6_push_pending_frames+0x33c/0x530
[ 38.740808] [] icmp6_send+0x15cd/0x1b80
[ 38.746412] [] ? icmpv6_push_pending_frames+0x530/0x530
[ 38.753411] [] ? trace_hardirqs_on_caller+0x266/0x590
[ 38.760241] [] ? mod_timer+0x434/0xa80
[ 38.765765] [] ? ipv6_frag_rcv+0x605/0x4fd0
[ 38.771714] [] icmpv6_param_prob+0x29/0x40
[ 38.777580] [] ipv6_frag_rcv+0x3f94/0x4fd0
[ 38.783446] [] ? ip6_frag_expire+0x60/0x60
[ 38.789320] [] ? raw6_local_deliver+0x3d5/0x7d0
[ 38.795619] [] ip6_input_finish+0x32e/0x1550
[ 38.801654] [] ? ip6_rcv_finish+0x640/0x640
[ 38.807625] [] ip6_input+0xf6/0x200
[ 38.812964] [] ? ipv6_rcv+0x1cd0/0x1cd0
[ 38.818566] [] ? ip6_rcv_finish+0x640/0x640
[ 38.824512] [] ip6_rcv_finish+0x13d/0x640
[ 38.830286] [] ? sk_receive_skb+0x940/0x940
[ 38.836233] [] ipv6_rcv+0x10cb/0x1cd0
[ 38.841665] [] ? ipv6_rcv+0xf8/0x1cd0
[ 38.847106] [] ? ip6_input_finish+0x1550/0x1550
[ 38.853396] [] ? ip6_make_skb+0x400/0x400
[ 38.859171] [] ? packet_rcv_fanout+0x170/0x5e0
[ 38.865383] [] ? ip6_input_finish+0x1550/0x1550
[ 38.871686] [] __netif_receive_skb_core+0x12d6/0x2940
[ 38.878508] [] ? dev_cpu_callback+0x660/0x660
[ 38.884639] [] ? debug_check_no_locks_freed+0x210/0x210
[ 38.891634] [] __netif_receive_skb+0x5b/0x1b0
[ 38.897753] [] process_backlog+0x216/0x6a0
[ 38.903621] [] ? process_backlog+0x1b2/0x6a0
[ 38.909663] [] net_rx_action+0x3a2/0xdb0
[ 38.915367] [] ? napi_complete_done+0x1f0/0x1f0
[ 38.921759] [] ? check_preemption_disabled+0x3b/0x170
[ 38.928579] [] __do_softirq+0x22c/0xa1a
[ 38.934264] [] ? sock_has_perm+0x1c1/0x400
[ 38.940132] [] do_softirq_own_stack+0x1c/0x30
[ 38.946248] [] do_softirq.part.16+0x54/0x60
[ 38.952964] [] do_softirq+0x19/0x20
[ 38.958227] [] netif_rx_ni+0xec/0x3a0
[ 38.963670] [] tun_get_user+0xbe7/0x2410
[ 38.969361] [] ? tun_net_xmit+0xe60/0xe60
[ 38.975133] [] ? futex_lock_pi_atomic+0x2b0/0x2b0
[ 38.981635] [] ? __tun_get+0x126/0x230
[ 38.987150] [] tun_chr_write_iter+0xd5/0x190
[ 38.993195] [] do_iter_readv_writev+0x13c/0x1e0
[ 38.999490] [] ? tun_sendmsg+0x140/0x140
[ 39.005188] [] ? vfs_iter_read+0x270/0x270
[ 39.011050] [] ? rw_verify_area+0x100/0x300
[ 39.017004] [] ? tun_sendmsg+0x140/0x140
[ 39.022698] [] compat_do_readv_writev+0x2e2/0x6e0
[ 39.029173] [] ? vfs_writev+0xb0/0xb0
[ 39.034697] [] ? _raw_spin_unlock+0x2c/0x50
[ 39.040652] [] ? handle_mm_fault+0xbf7/0x30b0
[ 39.046777] [] compat_writev+0xe1/0x150
[ 39.052387] [] compat_SyS_writev+0xd8/0x1c0
[ 39.058351] [] ? compat_SyS_preadv+0x50/0x50
[ 39.064401] [] ? do_fast_syscall_32+0xdb/0x8b0
[ 39.070624] [] ? compat_SyS_preadv+0x50/0x50
[ 39.076674] [] do_fast_syscall_32+0x326/0x8b0
[ 39.082801] [] sysenter_flags_fixed+0xd/0x17