[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   21.447232] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   22.954408] random: sshd: uninitialized urandom read (32 bytes read)
[   23.201719] random: sshd: uninitialized urandom read (32 bytes read)
[   23.932976] random: sshd: uninitialized urandom read (32 bytes read)
[   25.258417] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
[   30.782395] random: sshd: uninitialized urandom read (32 bytes read)
[   30.878414]
[   30.880105] ======================================================
[   30.886400] WARNING: possible circular locking dependency detected
[   30.892706] 4.17.0-rc2+ #19 Not tainted
[   30.896651] ------------------------------------------------------
[   30.902946] syz-executor111/4552 is trying to acquire lock:
[   30.908635] (ptrval) (sk_lock-AF_INET6){+.+.}, at: tcp_mmap+0x1c7/0x14f0
[   30.916166]
[   30.916166] but task is already holding lock:
[   30.922115] (ptrval) (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0
[   30.929738]
[   30.929738] which lock already depends on the new lock.
[   30.929738]
[   30.938176]
[   30.938176] the existing dependency chain (in reverse order) is:
[   30.945782]
[   30.945782] -> #1 (&mm->mmap_sem){++++}:
[   30.951325]        __might_fault+0x155/0x1e0
[   30.955719]        _copy_from_user+0x30/0x150
[   30.960203]        ipv6_flowlabel_opt+0x258/0x3310
[   30.965129]        do_ipv6_setsockopt.isra.9+0xb81/0x4660
[   30.970651]        ipv6_setsockopt+0xbd/0x170
[   30.975127]        tcp_setsockopt+0x93/0xe0
[   30.979432]        sock_common_setsockopt+0x9a/0xe0
[   30.984432]        __sys_setsockopt+0x1bd/0x390
[   30.989083]        __x64_sys_setsockopt+0xbe/0x150
[   30.994012]        do_syscall_64+0x1b1/0x800
[   30.998410]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.004099]
[   31.004099] -> #0 (sk_lock-AF_INET6){+.+.}:
[   31.009907]        lock_acquire+0x1dc/0x520
[   31.014228]        lock_sock_nested+0xd0/0x120
[   31.018793]        tcp_mmap+0x1c7/0x14f0
[   31.022838]        sock_mmap+0x8e/0xc0
[   31.026711]        mmap_region+0xd13/0x1820
[   31.031020]        do_mmap+0xc79/0x11d0
[   31.034987]        vm_mmap_pgoff+0x1fb/0x2a0
[   31.039384]        ksys_mmap_pgoff+0x4c9/0x640
[   31.043960]        __x64_sys_mmap+0xe9/0x1b0
[   31.048363]        do_syscall_64+0x1b1/0x800
[   31.052763]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.058450]
[   31.058450] other info that might help us debug this:
[   31.058450]
[   31.066581]  Possible unsafe locking scenario:
[   31.066581]
[   31.072620]        CPU0                    CPU1
[   31.077278]        ----                    ----
[   31.081920]   lock(&mm->mmap_sem);
[   31.085454]                                lock(sk_lock-AF_INET6);
[   31.091761]                                lock(&mm->mmap_sem);
[   31.097814]   lock(sk_lock-AF_INET6);
[   31.101600]
[   31.101600]  *** DEADLOCK ***
[   31.101600]
[   31.107656] 1 lock held by syz-executor111/4552:
[   31.112403]  #0: (ptrval) (&mm->mmap_sem){++++}, at: vm_mmap_pgoff+0x1a1/0x2a0
[   31.120559]
[   31.120559] stack backtrace:
[   31.125054] CPU: 0 PID: 4552 Comm: syz-executor111 Not tainted 4.17.0-rc2+ #19
[   31.132396] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.141731] Call Trace:
[   31.144324]  dump_stack+0x1b9/0x294
[   31.147941]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.153117]  ? print_lock+0xd1/0xd6
[   31.156750]  ? vprintk_func+0x81/0xe7
[   31.160535]  print_circular_bug.isra.36.cold.54+0x1bd/0x27d
[   31.166231]  ? save_trace+0xe0/0x290
[   31.169930]  __lock_acquire+0x343e/0x5140
[   31.174067]  ? debug_check_no_locks_freed+0x310/0x310
[   31.179242]  ? find_held_lock+0x36/0x1c0
[   31.183292]  ? kasan_check_read+0x11/0x20
[   31.187426]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   31.192616]  ? graph_lock+0x170/0x170
[   31.196424]  ? kernel_text_address+0x79/0xf0
[   31.200831]  ? __unwind_start+0x166/0x330
[   31.204972]  ? __save_stack_trace+0x7e/0xd0
[   31.209291]  lock_acquire+0x1dc/0x520
[   31.213077]  ? tcp_mmap+0x1c7/0x14f0
[   31.216777]  ? lock_release+0xa10/0xa10
[   31.220749]  ? kasan_check_read+0x11/0x20
[   31.224894]  ? do_raw_spin_unlock+0x9e/0x2e0
[   31.229284]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   31.233848]  ? kasan_check_write+0x14/0x20
[   31.238076]  ? do_raw_spin_lock+0xc1/0x200
[   31.242309]  lock_sock_nested+0xd0/0x120
[   31.246351]  ? tcp_mmap+0x1c7/0x14f0
[   31.250222]  tcp_mmap+0x1c7/0x14f0
[   31.253746]  ? __lock_is_held+0xb5/0x140
[   31.257790]  ? tcp_splice_read+0xfc0/0xfc0
[   31.262035]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.267050]  ? kmem_cache_alloc+0x5fa/0x760
[   31.271355]  sock_mmap+0x8e/0xc0
[   31.274710]  mmap_region+0xd13/0x1820
[   31.278498]  ? __x64_sys_brk+0x790/0x790
[   31.282634]  ? arch_get_unmapped_area+0x750/0x750
[   31.287489]  ? lock_acquire+0x1dc/0x520
[   31.291451]  ? vm_mmap_pgoff+0x1a1/0x2a0
[   31.295589]  ? cap_mmap_addr+0x52/0x130
[   31.299548]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.305074]  ? security_mmap_addr+0x80/0xa0
[   31.309387]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.314906]  ? get_unmapped_area+0x292/0x3b0
[   31.319307]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   31.324826]  do_mmap+0xc79/0x11d0
[   31.328260]  ? mmap_region+0x1820/0x1820
[   31.332299]  ? vm_mmap_pgoff+0x1a1/0x2a0
[   31.336361]  ? down_read_killable+0x1f0/0x1f0
[   31.340842]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.346368]  ? security_mmap_file+0x166/0x1b0
[   31.350860]  vm_mmap_pgoff+0x1fb/0x2a0
[   31.354739]  ? vma_is_stack_for_current+0xd0/0xd0
[   31.359568]  ? sock_release+0x1b0/0x1b0
[   31.363539]  ? get_unused_fd_flags+0x121/0x190
[   31.368102]  ? __alloc_fd+0x700/0x700
[   31.371899]  ksys_mmap_pgoff+0x4c9/0x640
[   31.375949]  ? find_mergeable_anon_vma+0xd0/0xd0
[   31.380704]  ? move_addr_to_kernel+0x70/0x70
[   31.385110]  ? __ia32_sys_fallocate+0xf0/0xf0
[   31.389610]  __x64_sys_mmap+0xe9/0x1b0
[   31.393491]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   31.398496]  do_syscall_64+0x1b1/0x800
[   31.402369]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.407292]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.412205]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
[   31.417560]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.422400]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   31.427574] RIP: 0033:0x43fdb9
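The report above is not a deadlock that happened; it is lockdep noticing that two independently observed lock orders contradict each other at the class level. Chain #1 (setsockopt via ipv6_flowlabel_opt) took sk_lock-AF_INET6 and then, through copy_from_user, could fault and take &mm->mmap_sem; chain #0 (mmap on the socket) holds &mm->mmap_sem in vm_mmap_pgoff and then calls lock_sock in tcp_mmap. The following C program is an added example, not code from the syzbot report or from the kernel: a toy version of lockdep's dependency-graph check that replays those two chains and fires at the same acquisition lockdep did, then replays a consistent order to show the report disappears. The enum names MMAP_SEM and SK_LOCK, the task labels, and the replay functions are this example's own inventions standing in for the kernel's lock classes.

```c
/* Toy lockdep: record "B acquired while A held" edges per lock class and
 * refuse any acquisition that would close a cycle. Added example; MMAP_SEM
 * and SK_LOCK are stand-ins for &mm->mmap_sem and sk_lock-AF_INET6. */
#include <stdio.h>
#include <string.h>

enum lock_class { MMAP_SEM = 0, SK_LOCK = 1, NCLASSES = 2 };
static const char *const class_name[NCLASSES] = { "&mm->mmap_sem", "sk_lock-AF_INET6" };

/* dep[a][b] != 0 means: b has been acquired while a was held (edge a -> b). */
static int dep[NCLASSES][NCLASSES];

#define MAX_HELD 8
struct task {
    const char *comm;                 /* label for the report, invented */
    enum lock_class held[MAX_HELD];
    int nheld;
};

void lockdep_reset(void) { memset(dep, 0, sizeof dep); }

/* Depth-first search over recorded edges: is there a path from -> to? */
static int reaches(enum lock_class from, enum lock_class to, unsigned visited)
{
    if (from == to)
        return 1;
    visited |= 1u << from;
    for (int next = 0; next < NCLASSES; next++)
        if (dep[from][next] && !(visited & (1u << next)) && reaches(next, to, visited))
            return 1;
    return 0;
}

/* Returns 0 if this acquisition is consistent with every order seen so far,
 * -1 if recording it would close a cycle (lockdep's "possible circular
 * locking dependency"). Works on classes, like lockdep, so the two chains
 * never need to run concurrently for the check to fire. */
int lock_acquire(struct task *t, enum lock_class cls)
{
    if (t->nheld >= MAX_HELD)
        return -1;
    for (int i = 0; i < t->nheld; i++) {
        enum lock_class held = t->held[i];
        if (dep[held][cls])
            continue;                                  /* ordering already known */
        if (reaches(cls, held, 0)) {                   /* cls -> ... -> held exists */
            printf("%s: acquiring %s while holding %s, but %s already depends on %s\n",
                   t->comm, class_name[cls], class_name[held],
                   class_name[held], class_name[cls]);
            return -1;
        }
        dep[held][cls] = 1;                            /* record held -> cls */
    }
    t->held[t->nheld++] = cls;
    return 0;
}

void lock_release(struct task *t, enum lock_class cls)
{
    for (int i = t->nheld - 1; i >= 0; i--) {
        if (t->held[i] != cls)
            continue;
        memmove(&t->held[i], &t->held[i + 1], (size_t)(t->nheld - i - 1) * sizeof t->held[0]);
        t->nheld--;
        return;
    }
}

/* Replays the report's two chains in the order lockdep saw them.
 * Returns 1 if the checker flags tcp_mmap's lock_sock() exactly as lockdep did. */
int replay_syzbot_chains(void)
{
    lockdep_reset();
    /* -> #1: setsockopt path: lock_sock(), then copy_from_user() may fault
     * and take mmap_sem. Recorded as sk_lock -> mmap_sem. */
    struct task sockopt = { .comm = "chain #1 (setsockopt)" };
    if (lock_acquire(&sockopt, SK_LOCK) || lock_acquire(&sockopt, MMAP_SEM))
        return 0;
    lock_release(&sockopt, MMAP_SEM);
    lock_release(&sockopt, SK_LOCK);

    /* -> #0: mmap path: vm_mmap_pgoff() holds mmap_sem, tcp_mmap() calls
     * lock_sock(). Would record mmap_sem -> sk_lock and close the cycle. */
    struct task mmapper = { .comm = "syz-executor111/4552 (mmap)" };
    if (lock_acquire(&mmapper, MMAP_SEM))
        return 0;
    return lock_acquire(&mmapper, SK_LOCK) == -1;
}

/* Both paths taking the locks in the same order produces no report. */
int replay_consistent_order(void)
{
    lockdep_reset();
    struct task a = { .comm = "path A" }, b = { .comm = "path B" };
    if (lock_acquire(&a, MMAP_SEM) || lock_acquire(&a, SK_LOCK))
        return 0;
    lock_release(&a, SK_LOCK);
    lock_release(&a, MMAP_SEM);
    return lock_acquire(&b, MMAP_SEM) == 0 && lock_acquire(&b, SK_LOCK) == 0;
}

int main(void)
{
    printf("circular dependency detected: %d\n", replay_syzbot_chains());
    printf("consistent order accepted: %d\n", replay_consistent_order());
    return 0;
}
```

The practical reading of the kernel report is the same as the toy's: whichever path is the outlier has to be restructured so that the socket lock is never taken inside the mmap_sem critical section (or the user copy is done before lock_sock), because the user-copy fault in chain #1 is not something the setsockopt path can avoid on its own.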