[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 19.178686] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 22.864107] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.245797] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.801185] random: sshd: uninitialized urandom read (32 bytes read)
[ 23.981177] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.202' (ECDSA) to the list of known hosts.
[ 29.682378] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 29.778600] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 29.805103] ==================================================================
[ 29.814955] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0
[ 29.821183] Read of size 8 at addr ffff8801cac48058 by task syz-executor540/4287
[ 29.828700]
[ 29.830323] CPU: 0 PID: 4287 Comm: syz-executor540 Not tainted 4.19.0-rc2+ #226
[ 29.837757] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.847096] Call Trace:
[ 29.849683]  dump_stack+0x1c9/0x2b4
[ 29.853310]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 29.858496]  ? printk+0xa7/0xcf
[ 29.861774]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 29.866525]  ? __schedule+0xf54/0x1df0
[ 29.870417]  print_address_description+0x6c/0x20b
[ 29.875259]  ? __schedule+0xf54/0x1df0
[ 29.879155]  kasan_report.cold.7+0x242/0x30d
[ 29.883566]  __asan_report_load8_noabort+0x14/0x20
[ 29.888488]  __schedule+0xf54/0x1df0
[ 29.892200]  ? __sched_text_start+0x8/0x8
[ 29.896344]  ? _raw_spin_unlock_irqrestore+0xa1/0xc0
[ 29.901447]  ? __call_srcu+0x7e7/0x1040
[ 29.905427]  ? check_same_owner+0x340/0x340
[ 29.909743]  ? mark_held_locks+0x160/0x160
[ 29.913973]  ? find_held_lock+0x36/0x1c0
[ 29.918033]  preempt_schedule_common+0x22/0x60
[ 29.922611]  _cond_resched+0x1d/0x30
[ 29.926319]  wait_for_completion+0xa5/0x8d0
[ 29.930640]  ? wait_for_completion_interruptible+0x950/0x950
[ 29.936432]  ? __lockdep_init_map+0x105/0x590
[ 29.940929]  ? __init_waitqueue_head+0x9e/0x150
[ 29.945595]  ? init_wait_entry+0x1c0/0x1c0
[ 29.949830]  __synchronize_srcu+0x189/0x240
[ 29.954144]  ? call_srcu+0x10/0x10
[ 29.957683]  ? rcu_unexpedite_gp+0x20/0x20
[ 29.961933]  synchronize_srcu+0x335/0x56f
[ 29.966106]  ? lock_downgrade+0x8f0/0x8f0
[ 29.970259]  ? synchronize_srcu_expedited+0x20/0x20
[ 29.975292]  ? kasan_check_read+0x11/0x20
[ 29.979439]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 29.984015]  ? kasan_check_write+0x14/0x20
[ 29.988245]  ? do_raw_spin_lock+0xc1/0x200
[ 29.992503]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 29.998210]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 30.003657]  ? kvfree+0x61/0x70
[ 30.006948]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.011958]  kvm_mmu_uninit_vm+0x1c/0x20
[ 30.016027]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 30.020439]  ? kvm_arch_sync_events+0x30/0x30
[ 30.024935]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 30.030473]  ? mmu_notifier_unregister+0x474/0x600
[ 30.035399]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 30.039802]  ? kfree+0x111/0x210
[ 30.043169]  ? __mmu_notifier_register+0x30/0x30
[ 30.047929]  ? __free_pages+0x10a/0x190
[ 30.051902]  ? free_unref_page+0x930/0x930
[ 30.056143]  kvm_put_kvm+0x73f/0x1060
[ 30.059943]  ? kvm_write_guest_cached+0x40/0x40
[ 30.064613]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.069106]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.073599]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 30.078181]  ? kasan_check_write+0x14/0x20
[ 30.082411]  ? do_raw_spin_lock+0xc1/0x200
[ 30.086645]  ? kvm_irqfd_release+0xdd/0x120
[ 30.090963]  ? kvm_irqfd_release+0xdd/0x120
[ 30.095289]  ? kvm_put_kvm+0x1060/0x1060
[ 30.099344]  kvm_vm_release+0x42/0x50
[ 30.103601]  __fput+0x38a/0xa40
[ 30.106882]  ? __alloc_file+0x400/0x400
[ 30.110856]  ? check_same_owner+0x340/0x340
[ 30.115173]  ? kasan_check_write+0x14/0x20
[ 30.119406]  ? do_raw_spin_lock+0xc1/0x200
[ 30.123636]  ____fput+0x15/0x20
[ 30.126911]  task_work_run+0x1e8/0x2a0
[ 30.130793]  ? task_work_cancel+0x240/0x240
[ 30.135113]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 30.140648]  ? switch_task_namespaces+0xa2/0xd0
[ 30.145315]  do_exit+0x1ae4/0x26e0
[ 30.148867]  ? mm_update_next_owner+0x9a0/0x9a0
[ 30.153546]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 30.157786]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.162796]  ? kfree+0x1d7/0x210
[ 30.166162]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 30.170411]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 30.176133]  ? is_bpf_text_address+0xd7/0x170
[ 30.180637]  ? kernel_text_address+0x79/0xf0
[ 30.185042]  ? __kernel_text_address+0xd/0x40
[ 30.189543]  ? unwind_get_return_address+0x61/0xa0
[ 30.194471]  ? __save_stack_trace+0x8d/0xf0
[ 30.198794]  ? save_stack+0xa9/0xd0
[ 30.202415]  ? save_stack+0x43/0xd0
[ 30.206050]  ? __kasan_slab_free+0x11a/0x170
[ 30.210457]  ? kasan_slab_free+0xe/0x10
[ 30.214430]  ? putname+0xf2/0x130
[ 30.217887]  ? __x64_sys_openat+0x9d/0x100
[ 30.222136]  ? do_syscall_64+0x1b9/0x820
[ 30.226201]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.231567]  ? trace_hardirqs_off+0xb8/0x2c0
[ 30.235973]  ? kasan_check_read+0x11/0x20
[ 30.240118]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 30.244525]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 30.248939]  ? initcall_blacklisted+0x9a/0x1e0
[ 30.253543]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 30.258648]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 30.264358]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.269892]  ? do_vfs_ioctl+0x201/0x1720
[ 30.273948]  ? rcu_is_watching+0x8c/0x150
[ 30.278088]  ? trace_hardirqs_on+0xbd/0x2c0
[ 30.282409]  ? ioctl_preallocate+0x300/0x300
[ 30.286817]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.292353]  ? __fget_light+0x2f7/0x440
[ 30.296325]  ? fget_raw+0x20/0x20
[ 30.299774]  ? putname+0xf2/0x130
[ 30.303895]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.308939]  ? kmem_cache_free+0x246/0x280
[ 30.313169]  ? putname+0xf7/0x130
[ 30.316651]  do_group_exit+0x177/0x440
[ 30.320543]  ? trace_hardirqs_on+0xbd/0x2c0
[ 30.324867]  ? __ia32_sys_exit+0x50/0x50
[ 30.328925]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 30.334083]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 30.339638]  ? ksys_ioctl+0x81/0xd0
[ 30.343276]  __x64_sys_exit_group+0x3e/0x50
[ 30.347603]  do_syscall_64+0x1b9/0x820
[ 30.351486]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 30.356850]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 30.361775]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.366617]  ? trace_hardirqs_on_caller+0x2c0/0x2c0
[ 30.371629]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 30.376644]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 30.381489]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.386672] RIP: 0033:0x43ef08
[ 30.389866] Code: Bad RIP value.
[ 30.393226] RSP: 002b:00007ffd771bc628 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 30.400929] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08
[ 30.408188] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 30.415449] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 30.422711] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 30.429973] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 30.437256]
[ 30.438915] Allocated by task 4287:
[ 30.442548]  save_stack+0x43/0xd0
[ 30.446001]  kasan_kmalloc+0xc4/0xe0
[ 30.449710]  kasan_slab_alloc+0x12/0x20
[ 30.453678]  kmem_cache_alloc+0x12e/0x710
[ 30.457826]  vmx_create_vcpu+0xcf/0x2830
[ 30.461886]  kvm_arch_vcpu_create+0xe5/0x220
[ 30.466304]  kvm_vm_ioctl+0x488/0x1d80
[ 30.470187]  do_vfs_ioctl+0x1de/0x1720
[ 30.474200]  ksys_ioctl+0xa9/0xd0
[ 30.477636]  __x64_sys_ioctl+0x73/0xb0
[ 30.481507]  do_syscall_64+0x1b9/0x820
[ 30.485397]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.490575]
[ 30.492196] Freed by task 4287:
[ 30.495479]  save_stack+0x43/0xd0
[ 30.498926]  __kasan_slab_free+0x11a/0x170
[ 30.503154]  kasan_slab_free+0xe/0x10
[ 30.506951]  kmem_cache_free+0x86/0x280
[ 30.510924]  vmx_free_vcpu+0x26b/0x300
[ 30.514809]  kvm_arch_destroy_vm+0x365/0x7c0
[ 30.519216]  kvm_put_kvm+0x73f/0x1060
[ 30.523012]  kvm_vm_release+0x42/0x50
[ 30.526813]  __fput+0x38a/0xa40
[ 30.530089]  ____fput+0x15/0x20
[ 30.533372]  task_work_run+0x1e8/0x2a0
[ 30.537264]  do_exit+0x1ae4/0x26e0
[ 30.540815]  do_group_exit+0x177/0x440
[ 30.544703]  __x64_sys_exit_group+0x3e/0x50
[ 30.549023]  do_syscall_64+0x1b9/0x820
[ 30.552914]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 30.558089]
[ 30.559717] The buggy address belongs to the object at ffff8801cac48040
[ 30.559717]  which belongs to the cache kvm_vcpu of size 23872
[ 30.572302] The buggy address is located 24 bytes inside of
[ 30.572302]  23872-byte region [ffff8801cac48040, ffff8801cac4dd80)
[ 30.584290] The buggy address belongs to the page:
[ 30.589237] page:ffffea00072b1200 count:1 mapcount:0 mapping:ffff8801d6133080 index:0x0 compound_mapcount: 0
[ 30.599249] flags: 0x2fffc0000008100(slab|head)
[ 30.603953] raw: 02fffc0000008100 ffff8801d6135648 ffff8801d6135648 ffff8801d6133080
[ 30.611839] raw: 0000000000000000 ffff8801cac48040 0000000100000001 0000000000000000
[ 30.619714] page dumped because: kasan: bad access detected
[ 30.625416]
[ 30.627032] Memory state around the buggy address:
[ 30.631964]  ffff8801cac47f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.639344]  ffff8801cac47f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 30.646735] >ffff8801cac48000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 30.654097]                                                     ^
[ 30.660341]  ffff8801cac48080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.667701]  ffff8801cac48100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.675052] ==================================================================
[ 30.682415] Kernel panic - not syncing: panic_on_warn set ...
[ 30.682415]
[ 30.690402] CPU: 0 PID: 4287 Comm: syz-executor540 Tainted: G    B 4.19.0-rc2+ #226
[ 30.699232] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.708583] Call Trace:
[ 30.711182]  dump_stack+0x1c9/0x2b4
[ 30.714820]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 30.720013]  ? lock_downgrade+0x8f0/0x8f0
[ 30.724157]  ? __schedule+0xf54/0x1df0
[ 30.728047]  panic+0x238/0x4e7
[ 30.731237]  ? add_taint.cold.5+0x16/0x16
[ 30.735394]  ? print_shadow_for_address+0xba/0x116
[ 30.740323]  ? trace_hardirqs_off+0xaf/0x2c0
[ 30.744734]  ? trace_hardirqs_off+0x77/0x2c0
[ 30.749143]  ? __schedule+0xf54/0x1df0
[ 30.753030]  kasan_end_report+0x47/0x4f
[ 30.757005]  kasan_report.cold.7+0x76/0x30d
[ 30.761337]  __asan_report_load8_noabort+0x14/0x20
[ 30.766264]  __schedule+0xf54/0x1df0
[ 30.769990]  ? __sched_text_start+0x8/0x8
[ 30.774132]  ? _raw_spin_unlock_irqrestore+0xa1/0xc0
[ 30.779238]  ? __call_srcu+0x7e7/0x1040
[ 30.783230]  ? check_same_owner+0x340/0x340
[ 30.787547]  ? mark_held_locks+0x160/0x160
[ 30.791777]  ? find_held_lock+0x36/0x1c0
[ 30.795840]  preempt_schedule_common+0x22/0x60
[ 30.800424]  _cond_resched+0x1d/0x30
[ 30.804139]  wait_for_completion+0xa5/0x8d0
[ 30.808461]  ? wait_for_completion_interruptible+0x950/0x950
[ 30.814260]  ? __lockdep_init_map+0x105/0x590
[ 30.818767]  ? __init_waitqueue_head+0x9e/0x150
[ 30.823435]  ? init_wait_entry+0x1c0/0x1c0
[ 30.827674]  __synchronize_srcu+0x189/0x240
[ 30.831995]  ? call_srcu+0x10/0x10
[ 30.835533]  ? rcu_unexpedite_gp+0x20/0x20
[ 30.839775]  synchronize_srcu+0x335/0x56f
[ 30.843922]  ? lock_downgrade+0x8f0/0x8f0
[ 30.848083]  ? synchronize_srcu_expedited+0x20/0x20
[ 30.853102]  ? kasan_check_read+0x11/0x20
[ 30.857292]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 30.861900]  ? kasan_check_write+0x14/0x20
[ 30.866133]  ? do_raw_spin_lock+0xc1/0x200
[ 30.870373]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 30.876092]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 30.881544]  ? kvfree+0x61/0x70
[ 30.884825]  ? rcu_read_lock_sched_held+0x108/0x120
[ 30.889839]  kvm_mmu_uninit_vm+0x1c/0x20
[ 30.893912]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 30.898321]  ? kvm_arch_sync_events+0x30/0x30
[ 30.902828]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 30.908366]  ? mmu_notifier_unregister+0x474/0x600
[ 30.913299]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 30.917709]  ? kfree+0x111/0x210
[ 30.921076]  ? __mmu_notifier_register+0x30/0x30
[ 30.925844]  ? __free_pages+0x10a/0x190
[ 30.929819]  ? free_unref_page+0x930/0x930
[ 30.934062]  kvm_put_kvm+0x73f/0x1060
[ 30.937869]  ? kvm_write_guest_cached+0x40/0x40
[ 30.942541]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.947035]  ? _raw_spin_unlock_irq+0x27/0x70
[ 30.951532]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 30.956124]  ? kasan_check_write+0x14/0x20
[ 30.960366]  ? do_raw_spin_lock+0xc1/0x200
[ 30.964605]  ? kvm_irqfd_release+0xdd/0x120
[ 30.968923]  ? kvm_irqfd_release+0xdd/0x120
[ 30.973247]  ? kvm_put_kvm+0x1060/0x1060
[ 30.977322]  kvm_vm_release+0x42/0x50
[ 30.981135]  __fput+0x38a/0xa40
[ 30.984416]  ? __alloc_file+0x400/0x400
[ 30.988397]  ? check_same_owner+0x340/0x340
[ 30.992716]  ? kasan_check_write+0x14/0x20
[ 30.996951]  ? do_raw_spin_lock+0xc1/0x200
[ 31.001207]  ____fput+0x15/0x20
[ 31.004485]  task_work_run+0x1e8/0x2a0
[ 31.008373]  ? task_work_cancel+0x240/0x240
[ 31.012703]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.018244]  ? switch_task_namespaces+0xa2/0xd0
[ 31.022925]  do_exit+0x1ae4/0x26e0
[ 31.026475]  ? mm_update_next_owner+0x9a0/0x9a0
[ 31.031153]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 31.035397]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.040421]  ? kfree+0x1d7/0x210
[ 31.043801]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 31.048046]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 31.053768]  ? is_bpf_text_address+0xd7/0x170
[ 31.058262]  ? kernel_text_address+0x79/0xf0
[ 31.062679]  ? __kernel_text_address+0xd/0x40
[ 31.067171]  ? unwind_get_return_address+0x61/0xa0
[ 31.072098]  ? __save_stack_trace+0x8d/0xf0
[ 31.076423]  ? save_stack+0xa9/0xd0
[ 31.080071]  ? save_stack+0x43/0xd0
[ 31.083693]  ? __kasan_slab_free+0x11a/0x170
[ 31.088097]  ? kasan_slab_free+0xe/0x10
[ 31.092070]  ? putname+0xf2/0x130
[ 31.095523]  ? __x64_sys_openat+0x9d/0x100
[ 31.099754]  ? do_syscall_64+0x1b9/0x820
[ 31.103830]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.109205]  ? trace_hardirqs_off+0xb8/0x2c0
[ 31.113630]  ? kasan_check_read+0x11/0x20
[ 31.117778]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 31.122183]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 31.126593]  ? initcall_blacklisted+0x9a/0x1e0
[ 31.131177]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 31.136290]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 31.142005]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.147561]  ? do_vfs_ioctl+0x201/0x1720
[ 31.151621]  ? rcu_is_watching+0x8c/0x150
[ 31.156211]  ? trace_hardirqs_on+0xbd/0x2c0
[ 31.160542]  ? ioctl_preallocate+0x300/0x300
[ 31.164952]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.170515]  ? __fget_light+0x2f7/0x440
[ 31.174496]  ? fget_raw+0x20/0x20
[ 31.177946]  ? putname+0xf2/0x130
[ 31.181398]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.186410]  ? kmem_cache_free+0x246/0x280
[ 31.190640]  ? putname+0xf7/0x130
[ 31.194095]  do_group_exit+0x177/0x440
[ 31.197982]  ? trace_hardirqs_on+0xbd/0x2c0
[ 31.202314]  ? __ia32_sys_exit+0x50/0x50
[ 31.206375]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 31.211477]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.217013]  ? ksys_ioctl+0x81/0xd0
[ 31.220641]  __x64_sys_exit_group+0x3e/0x50
[ 31.224963]  do_syscall_64+0x1b9/0x820
[ 31.228848]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 31.234306]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 31.239236]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.244075]  ? trace_hardirqs_on_caller+0x2c0/0x2c0
[ 31.249090]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 31.254105]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.258948]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.264131] RIP: 0033:0x43ef08
[ 31.267321] Code: Bad RIP value.
[ 31.270683] RSP: 002b:00007ffd771bc628 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 31.278387] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08
[ 31.285648] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 31.292911] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 31.300175] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 31.307438] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 31.314712]
[ 31.314718] ======================================================
[ 31.314723] WARNING: possible circular locking dependency detected
[ 31.314727] 4.19.0-rc2+ #226 Not tainted
[ 31.314733] ------------------------------------------------------
[ 31.314738] syz-executor540/4287 is trying to acquire lock:
[ 31.314741] 00000000527e7a89 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 31.314756]
[ 31.314760] but task is already holding lock:
[ 31.314763] 0000000018ef3a45 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 31.314778]
[ 31.314782] which lock already depends on the new lock.
[ 31.314784]
[ 31.314787]
[ 31.314792] the existing dependency chain (in reverse order) is:
[ 31.314794]
[ 31.314796] -> #3 (report_lock){....}:
[ 31.314811]        _raw_spin_lock_irqsave+0x96/0xc0
[ 31.314815]        kasan_report+0x8e/0x110
[ 31.314820]        __asan_report_load8_noabort+0x14/0x20
[ 31.314824]        __schedule+0xf54/0x1df0
[ 31.314828]        preempt_schedule_common+0x22/0x60
[ 31.314833]        _cond_resched+0x1d/0x30
[ 31.314837]        wait_for_completion+0xa5/0x8d0
[ 31.314841]        __synchronize_srcu+0x189/0x240
[ 31.314845]        synchronize_srcu+0x335/0x56f
[ 31.314850]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 31.314854]        kvm_mmu_uninit_vm+0x1c/0x20
[ 31.314859]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 31.314862]        kvm_put_kvm+0x73f/0x1060
[ 31.314866]        kvm_vm_release+0x42/0x50
[ 31.314870]        __fput+0x38a/0xa40
[ 31.314873]        ____fput+0x15/0x20
[ 31.314877]        task_work_run+0x1e8/0x2a0
[ 31.314881]        do_exit+0x1ae4/0x26e0
[ 31.314885]        do_group_exit+0x177/0x440
[ 31.314889]        __x64_sys_exit_group+0x3e/0x50
[ 31.314893]        do_syscall_64+0x1b9/0x820
[ 31.314898]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.314900]
[ 31.314902] -> #2 (&rq->lock){-.-.}:
[ 31.314916]        _raw_spin_lock+0x2a/0x40
[ 31.314920]        task_fork_fair+0x93/0x680
[ 31.314924]        sched_fork+0x44b/0xbd0
[ 31.314928]        copy_process+0x235e/0x7af0
[ 31.314932]        _do_fork+0x1ca/0x1170
[ 31.314936]        kernel_thread+0x34/0x40
[ 31.314939]        rest_init+0x22/0xe4
[ 31.314943]        start_kernel+0x913/0x94e
[ 31.314948]        x86_64_start_reservations+0x29/0x2b
[ 31.314952]        x86_64_start_kernel+0x76/0x79
[ 31.314956]        secondary_startup_64+0xa4/0xb0
[ 31.314958]
[ 31.314961] -> #1 (&p->pi_lock){-.-.}:
[ 31.314975]        _raw_spin_lock_irqsave+0x96/0xc0
[ 31.314979]        try_to_wake_up+0xd2/0x1250
[ 31.314983]        wake_up_process+0x10/0x20
[ 31.314987]        __up.isra.1+0x1c0/0x2a0
[ 31.314990]        up+0x13c/0x1c0
[ 31.314994]        __up_console_sem+0xbe/0x1b0
[ 31.314998]        console_unlock+0x506/0x10e0
[ 31.315002]        vprintk_emit+0x33a/0x910
[ 31.315006]        vprintk_default+0x28/0x30
[ 31.315010]        vprintk_func+0x7a/0x117
[ 31.315013]        printk+0xa7/0xcf
[ 31.315017]        load_umh+0x51/0xbd
[ 31.315021]        do_one_initcall+0x127/0x838
[ 31.315025]        kernel_init_freeable+0x4bb/0x5ae
[ 31.315029]        kernel_init+0x11/0x1b3
[ 31.315033]        ret_from_fork+0x3a/0x50
[ 31.315035]
[ 31.315037] -> #0 ((console_sem).lock){-...}:
[ 31.315052]        lock_acquire+0x1e4/0x4f0
[ 31.315056]        _raw_spin_lock_irqsave+0x96/0xc0
[ 31.315060]        down_trylock+0x13/0x70
[ 31.315065]        __down_trylock_console_sem+0xae/0x200
[ 31.315068]        console_trylock+0x15/0xa0
[ 31.315072]        vprintk_emit+0x31f/0x910
[ 31.315076]        vprintk_default+0x28/0x30
[ 31.315080]        vprintk_func+0x7a/0x117
[ 31.315084]        printk+0xa7/0xcf
[ 31.315087]        kasan_report+0x9e/0x110
[ 31.315092]        __asan_report_load8_noabort+0x14/0x20
[ 31.315096]        __schedule+0xf54/0x1df0
[ 31.315100]        preempt_schedule_common+0x22/0x60
[ 31.315104]        _cond_resched+0x1d/0x30
[ 31.315108]        wait_for_completion+0xa5/0x8d0
[ 31.315113]        __synchronize_srcu+0x189/0x240
[ 31.315117]        synchronize_srcu+0x335/0x56f
[ 31.315122]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 31.315126]        kvm_mmu_uninit_vm+0x1c/0x20
[ 31.315130]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 31.315134]        kvm_put_kvm+0x73f/0x1060
[ 31.315138]        kvm_vm_release+0x42/0x50
[ 31.315141]        __fput+0x38a/0xa40
[ 31.315145]        ____fput+0x15/0x20
[ 31.315149]        task_work_run+0x1e8/0x2a0
[ 31.315152]        do_exit+0x1ae4/0x26e0
[ 31.315156]        do_group_exit+0x177/0x440
[ 31.315160]        __x64_sys_exit_group+0x3e/0x50
[ 31.315164]        do_syscall_64+0x1b9/0x820
[ 31.315169]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 31.315171]
[ 31.315176] other info that might help us debug this:
[ 31.315178]
[ 31.315181] Chain exists of:
[ 31.315183]   (console_sem).lock --> &rq->lock --> report_lock
[ 31.315201]
[ 31.315205]  Possible unsafe locking scenario:
[ 31.315208]
[ 31.315212]        CPU0                    CPU1
[ 31.315216]        ----                    ----
[ 31.315218]   lock(report_lock);
[ 31.315228]                                lock(&rq->lock);
[ 31.315237]                                lock(report_lock);
[ 31.315245]   lock((console_sem).lock);
[ 31.315253]
[ 31.315256]  *** DEADLOCK ***
[ 31.315258]
[ 31.315262] 2 locks held by syz-executor540/4287:
[ 31.315264]  #0: 000000006407c3a3 (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0
[ 31.315290]  #1: 0000000018ef3a45 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 31.315307]
[ 31.315310] stack backtrace:
[ 31.315316] CPU: 0 PID: 4287 Comm: syz-executor540 Not tainted 4.19.0-rc2+ #226
[ 31.315323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.315331] Call Trace:
[ 31.315335]  dump_stack+0x1c9/0x2b4
[ 31.315340]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.315344]  ? vprintk_func+0x100/0x117
[ 31.315349]  print_circular_bug.isra.34.cold.55+0x1bd/0x27d
[ 31.315352]  ? save_trace+0xe0/0x290
[ 31.315356]  __lock_acquire+0x3449/0x5020
[ 31.315360]  ? mark_held_locks+0x160/0x160
[ 31.315365]  ? mark_held_locks+0x160/0x160
[ 31.315369]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 31.315373]  ? is_bpf_text_address+0xd7/0x170
[ 31.315377]  ? kernel_text_address+0x79/0xf0
[ 31.315381]  ? __kernel_text_address+0xd/0x40
[ 31.315386]  ? __save_stack_trace+0x8d/0xf0
[ 31.315390]  ? add_lock_to_list.isra.27+0x1ec/0x4b0
[ 31.315394]  ? save_trace+0x290/0x290
[ 31.315398]  ? save_stack_trace+0x1a/0x20
[ 31.315402]  ? save_trace+0xe0/0x290
[ 31.315406]  ? graph_lock+0x170/0x170
[ 31.315411]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.315414]  lock_acquire+0x1e4/0x4f0
[ 31.315419]  ? down_trylock+0x13/0x70
[ 31.315422]  ? lock_release+0x9f0/0x9f0
[ 31.315427]  ? trace_hardirqs_off+0xb8/0x2c0
[ 31.315431]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 31.315435]  ? trace_hardirqs_off+0xb8/0x2c0
[ 31.315439]  ? log_store+0x34f/0x4c0
[ 31.315443]  ? vprintk_emit+0x31f/0x910
[ 31.315447]  _raw_spin_lock_irqsave+0x96/0xc0
[ 31.315451]  ? down_trylock+0x13/0x70
[ 31.315455]  down_trylock+0x13/0x70
[ 31.315459]  __down_trylock_console_sem+0xae/0x200
[ 31.315463]  console_trylock+0x15/0xa0
[ 31.315467]  vprintk_emit+0x31f/0x910
[ 31.315471]  ? wake_up_klogd+0x110/0x110
[ 31.315475]  ? run_rebalance_domains+0x4c0/0x4c0
[ 31.315479]  ? kasan_check_read+0x11/0x20
[ 31.315483]  ? rcu_is_watching+0x8c/0x150
[ 31.315487]  ? rcu_pm_notify+0xc0/0xc0
[ 31.315491]  ? lock_acquire+0x1e4/0x4f0
[ 31.315495]  ? kasan_report+0x8e/0x110
[ 31.315499]  ? __schedule+0xf54/0x1df0
[ 31.315502]  vprintk_default+0x28/0x30
[ 31.315506]  vprintk_func+0x7a/0x117
[ 31.315510]  printk+0xa7/0xcf
[ 31.315514]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.315518]  ? kasan_check_write+0x14/0x20
[ 31.315522]  ? do_raw_spin_lock+0xc1/0x200
[ 31.315526]  ? do_raw_spin_lock+0xc1/0x200
[ 31.315530]  kasan_report+0x9e/0x110
[ 31.315534]  __asan_report_load8_noabort+0x14/0x20
[ 31.315538]  __schedule+0xf54/0x1df0
[ 31.315542]  ? __sched_text_start+0x8/0x8
[ 31.315547]  ? _raw_spin_unlock_irqrestore+0xa1/0xc0
[ 31.315551]  ? __call_srcu+0x7e7/0x1040
[ 31.315555]  ? check_same_owner+0x340/0x340
[ 31.315559]  ? mark_held_locks+0x160/0x160
[ 31.315563]  ? find_held_lock+0x36/0x1c0
[ 31.315567]  preempt_schedule_common+0x22/0x60
[ 31.315571]  _cond_resched+0x1d/0x30
[ 31.315575]  wait_for_completion+0xa5/0x8d0
[ 31.315580]  ? wait_for_completion_interruptible+0x950/0x950
[ 31.315584]  ? __lockdep_init_map+0x105/0x590
[ 31.315588]  ? __init_waitqueue_head+0x9e/0x150
[ 31.315593]  ? init_wait_entry+0x1c0/0x1c0
[ 31.315597]  __synchronize_srcu+0x189/0x240
[ 31.315600]  ? call_srcu+0x10/0x10
[ 31.315604]  ? rcu_unexpedite_gp+0x20/0x20
[ 31.315608]  synchronize_srcu+0x335/0x56f
[ 31.315613]  ? lock_downgrade+0x8f0/0x8f0
[ 31.315617]  ? synchronize_srcu_expedited+0x20/0x20
[ 31.315621]  ? kasan_check_read+0x11/0x20
[ 31.315626]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 31.315630]  ? kasan_check_write+0x14/0x20
[ 31.315634]  ? do_raw_spin_lock+0xc1/0x200
[ 31.315639]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 31.315644]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 31.315648]  ? kvfree+0x61/0x70
[ 31.315652]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.315656]  kvm_mmu_uninit_vm+0x1c/0x20
[ 31.315660]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 31.315665]  ? kvm_arch_sync_events+0x30/0x30
[ 31.315670]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.315674]  ? mmu_notifier_unregister+0x474/0x600
[ 31.315678]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 31.315682]  ? kfree+0x111/0x210
[ 31.315686]  ? __mmu_notifier_register+0x30/0x30
[ 31.315690]  ? __free_pages+0x10a/0x190
[ 31.315694]  ? free_unref_page+0x930/0x930
[ 31.315698]  kvm_put_kvm+0x73f/0x1060
[ 31.315702]  ? kvm_write_guest_cached+0x40/0x40
[ 31.315707]  ? _raw_spin_unlock_irq+0x27/0x70
[ 31.315711]  ? _raw_spin_unlock_irq+0x27/0x70
[ 31.315715]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 31.315719]  ? kasan_check_write+0x14/0x20
[ 31.315723]  ? do_raw_spin_lock+0xc1/0x200
[ 31.315727]  ? kvm_irqfd_release+0xdd/0x120
[ 31.315731]  ? kvm_irqfd_release+0xdd/0x120
[ 31.315735]  ? kvm_put_kvm+0x1060/0x1060
[ 31.315739]  kvm_vm_release+0x42/0x50
[ 31.315743]  __fput+0x38a/0xa40
[ 31.315747]  ? __alloc_file+0x400/0x400
[ 31.315751]  ? check_same_owner+0x340/0x340
[ 31.315755]  ? kasan_check_write+0x14/0x20
[ 31.315759]  ? do_raw_spin_lock+0xc1/0x200
[ 31.315762]  ____fput+0x15/0x20
[ 31.315766]  task_work_run+0x1e8/0x2a0
[ 31.315770]  ? task_work_cancel+0x240/0x240
[ 31.315775]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 31.315779]  ? switch_task_namespaces+0xa2/0xd0
[ 31.315783]  do_exit+0x1ae4/0x26e0
[ 31.315787]  ? mm_update_next_owner+0x9a0/0x9a0
[ 31.315791]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 31.315796]  ? rcu_read_lock_sched_held+0x108/0x120
[ 31.315799]  ? kfree+0x1d7/0x210
[ 31.315803]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 31.315808]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 31.315813]  ? is_bpf_text_address+0xd7/0x170
[ 31.315815]  ?
[ 31.315822] Lost 54 message(s)!
[ 32.432680] Shutting down cpus with NMI
[ 33.491793] Dumping ftrace buffer:
[ 33.495319]    (ftrace buffer empty)
[ 33.499008] Kernel Offset: disabled
[ 33.502616] Rebooting in 86400 seconds..
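The KASAN block above carries everything a first triage needs: the faulting function, the slab cache, the allocation and free stacks, and a shadow-memory dump. The script below is an added example for that triage; it is not part of the syzkaller report, the kernel, or syzbot tooling. It assumes the plain-text format KASAN prints on 4.19-era kernels, parses a trimmed copy of the report (constructed here from the lines above, keeping the original addresses, cache and sizes) into a structured record, drops the "?" frames the unwinder could not confirm, and cross-checks the kernel's own arithmetic: that ffff8801cac48058 is 24 bytes into the kvm_vcpu object at ffff8801cac48040, and that the shadow byte covering that address is 0xfb, the poison value KASAN writes over a freed slab object. Function and field names (KasanReport, consistency_problems, and so on) are this example's own.

```python
"""Structured triage of a KASAN report.  Added example (not syzkaller or kernel code);
assumes the plain-text format KASAN prints on 4.19-era kernels, as in the log above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the report above, keeping the original
# addresses, cache and sizes so the arithmetic below is checked against them.
SAMPLE = """\
[   29.814955] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0
[   29.821183] Read of size 8 at addr ffff8801cac48058 by task syz-executor540/4287
[   29.847096] Call Trace:
[   29.853310]  ? dump_stack_print_info.cold.2+0x52/0x52
[   29.888488]  __schedule+0xf54/0x1df0
[   30.438915] Allocated by task 4287:
[   30.442548]  save_stack+0x43/0xd0
[   30.453678]  kmem_cache_alloc+0x12e/0x710
[   30.457826]  vmx_create_vcpu+0xcf/0x2830
[   30.492196] Freed by task 4287:
[   30.498926]  __kasan_slab_free+0x11a/0x170
[   30.506951]  kmem_cache_free+0x86/0x280
[   30.510924]  vmx_free_vcpu+0x26b/0x300
[   30.559717] The buggy address belongs to the object at ffff8801cac48040
[   30.559717]  which belongs to the cache kvm_vcpu of size 23872
[   30.572302] The buggy address is located 24 bytes inside of
[   30.646735] >ffff8801cac48000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\] ?")                          # printk timestamp prefix
_HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<fn>[\w.]+)\+0x")
_ACCESS = re.compile(r"(Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
_OBJECT = re.compile(r"belongs to the object at (?P<start>[0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFFSET = re.compile(r"located (?P<off>\d+) bytes (?P<where>inside|to the right|to the left) of")
_FRAME = re.compile(r"^\s*(?P<guess>\? )?(?P<fn>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_SHADOW = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
KASAN_KMALLOC_FREE = 0xfb   # poison for a freed slab object (mm/kasan/kasan.h, 4.19); 0xfc = redzone

@dataclass
class KasanReport:
    kind: str = ""
    access_fn: str = ""
    access_size: int = 0
    addr: int = 0
    cache: str = ""
    object_start: int = 0
    object_size: int = 0
    reported_offset: int = 0
    offset_where: str = ""
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # call/allocated/freed -> reliable frames
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # dump row base address -> 16 shadow bytes

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = _TS.sub("", raw)
        head = line.strip()
        if head == "Call Trace:" or head.startswith(("Allocated by task", "Freed by task")):
            key = head.split()[0].lower()                 # "call" / "allocated" / "freed"
            section = None if key in r.stacks else key    # panic and lockdep dumps repeat the trace: keep the first
            r.stacks.setdefault(key, [])
            continue
        if m := _FRAME.match(line):
            if section and not m["guess"]:                # "? " frames are unwinder guesses; drop them
                r.stacks[section].append(m["fn"])
            continue
        section = None                                    # any non-frame line ends the current stack
        if m := _HEADER.search(line):
            r.kind, r.access_fn = m["kind"], m["fn"]
        elif m := _ACCESS.search(line):
            r.access_size, r.addr = int(m["size"]), int(m["addr"], 16)
        elif m := _OBJECT.search(line):
            r.object_start = int(m["start"], 16)
        elif m := _CACHE.search(line):
            r.cache, r.object_size = m["cache"], int(m["size"])
        elif m := _OFFSET.search(line):
            r.reported_offset, r.offset_where = int(m["off"]), m["where"]
        elif m := _SHADOW.match(head):
            r.shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return r

def offset_in_object(r: KasanReport) -> int:
    return r.addr - r.object_start

def shadow_byte_at(r: KasanReport, addr: int) -> Optional[int]:
    for base, row in r.shadow.items():
        idx = (addr - base) >> 3                          # one shadow byte covers 8 bytes of memory
        if 0 <= idx < len(row):
            return row[idx]
    return None                                           # address not covered by the dumped rows

def first_non_kasan_frame(frames: List[str]) -> Optional[str]:
    skip = ("save_stack", "kasan_", "__kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")
    return next((f for f in frames if not f.startswith(skip)), None)

def consistency_problems(r: KasanReport) -> List[str]:
    """Cross-check the report's prose against its own numbers; an empty list means they agree."""
    problems = []
    if r.offset_where == "inside" and offset_in_object(r) != r.reported_offset:
        problems.append(f"reported +{r.reported_offset} but addr - object start = {offset_in_object(r)}")
    if r.kind == "use-after-free" and shadow_byte_at(r, r.addr) != KASAN_KMALLOC_FREE:
        problems.append("shadow byte at the faulting address is not KASAN_KMALLOC_FREE")
    return problems
```

The same code runs unchanged over the whole console log: lines outside the report are ignored, and the repeated Call Trace dumps from the panic and the lockdep splat do not overwrite the first one. Skipping the "?" frames and the KASAN and slab bookkeeping frames is what makes the allocation and free stacks read as vmx_create_vcpu and vmx_free_vcpu, the two KVM functions that actually own the kvm_vcpu object's lifetime in this report.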