[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 23.020406] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 24.487432] random: sshd: uninitialized urandom read (32 bytes read) [ 24.784751] random: sshd: uninitialized urandom read (32 bytes read) [ 25.345208] random: sshd: uninitialized urandom read (32 bytes read) [ 25.515788] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.32' (ECDSA) to the list of known hosts. [ 31.232580] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 31.327264] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 31.351279] ================================================================== [ 31.361098] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0 [ 31.367325] Read of size 8 at addr ffff8801acb20058 by task syz-executor131/4465 [ 31.374842] [ 31.376464] CPU: 0 PID: 4465 Comm: syz-executor131 Not tainted 4.18.0+ #204 [ 31.383549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.392892] Call Trace: [ 31.395474] dump_stack+0x1c9/0x2b4 [ 31.399098] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.404282] ? printk+0xa7/0xcf [ 31.407556] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.412310] ? __schedule+0xf54/0x1df0 [ 31.416192] print_address_description+0x6c/0x20b [ 31.421027] ? __schedule+0xf54/0x1df0 [ 31.424910] kasan_report.cold.7+0x242/0x30d [ 31.429317] __asan_report_load8_noabort+0x14/0x20 [ 31.434243] __schedule+0xf54/0x1df0 [ 31.437952] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 31.443054] ? __sched_text_start+0x8/0x8 [ 31.447198] ? __call_srcu+0x7e7/0x1040 [ 31.451187] ? check_same_owner+0x340/0x340 [ 31.455499] ? mark_held_locks+0x160/0x160 [ 31.459727] ? find_held_lock+0x36/0x1c0 [ 31.463785] preempt_schedule_common+0x22/0x60 [ 31.468360] _cond_resched+0x1d/0x30 [ 31.472070] wait_for_completion+0xa5/0x8d0 [ 31.476392] ? wait_for_completion_interruptible+0x950/0x950 [ 31.482187] ? __lockdep_init_map+0x105/0x590 [ 31.486677] ? __init_waitqueue_head+0x9e/0x150 [ 31.491344] ? init_wait_entry+0x1c0/0x1c0 [ 31.495577] __synchronize_srcu+0x189/0x240 [ 31.499892] ? call_srcu+0x10/0x10 [ 31.503427] ? rcu_unexpedite_gp+0x20/0x20 [ 31.507666] synchronize_srcu+0x335/0x56f [ 31.511809] ? lock_downgrade+0x8f0/0x8f0 [ 31.515953] ? synchronize_srcu_expedited+0x20/0x20 [ 31.520964] ? kasan_check_read+0x11/0x20 [ 31.525109] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 31.529696] ? kasan_check_write+0x14/0x20 [ 31.533924] ? do_raw_spin_lock+0xc1/0x200 [ 31.538192] kvm_page_track_unregister_notifier+0x17d/0x250 [ 31.543897] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 31.549340] ? kvfree+0x61/0x70 [ 31.552619] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.557631] kvm_mmu_uninit_vm+0x1c/0x20 [ 31.561686] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 31.566090] ? kvm_arch_sync_events+0x30/0x30 [ 31.570584] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.576116] ? mmu_notifier_unregister+0x474/0x600 [ 31.581048] ? trace_hardirqs_on+0x2c0/0x2c0 [ 31.585450] ? kfree+0x111/0x210 [ 31.588814] ? __mmu_notifier_register+0x30/0x30 [ 31.593570] ? __free_pages+0x10a/0x190 [ 31.597555] ? free_unref_page+0x930/0x930 [ 31.601799] kvm_put_kvm+0x73f/0x1060 [ 31.605602] ? kvm_write_guest_cached+0x40/0x40 [ 31.610279] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.614772] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.619265] ? lockdep_hardirqs_on+0x421/0x5c0 [ 31.623846] ? kasan_check_write+0x14/0x20 [ 31.628078] ? do_raw_spin_lock+0xc1/0x200 [ 31.632311] ? kvm_irqfd_release+0xdd/0x120 [ 31.636630] ? kvm_put_kvm+0x1060/0x1060 [ 31.640687] kvm_vm_release+0x42/0x50 [ 31.644483] __fput+0x36e/0x8c0 [ 31.647761] ? __alloc_file+0x400/0x400 [ 31.651732] ? check_same_owner+0x340/0x340 [ 31.656048] ? kasan_check_write+0x14/0x20 [ 31.660275] ? do_raw_spin_lock+0xc1/0x200 [ 31.664503] ____fput+0x15/0x20 [ 31.667775] task_work_run+0x1e8/0x2a0 [ 31.671668] ? task_work_cancel+0x240/0x240 [ 31.675993] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.681528] ? switch_task_namespaces+0xa2/0xd0 [ 31.686196] do_exit+0x1ae4/0x26e0 [ 31.689738] ? mm_update_next_owner+0x9a0/0x9a0 [ 31.694406] ? kvm_vcpu_ioctl+0x2b5/0x1280 [ 31.698637] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.703644] ? kfree+0x1d7/0x210 [ 31.707503] ? kvm_vcpu_ioctl+0x2ba/0x1280 [ 31.711739] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 31.717446] ? is_bpf_text_address+0xd7/0x170 [ 31.721933] ? kernel_text_address+0x79/0xf0 [ 31.726336] ? __kernel_text_address+0xd/0x40 [ 31.730826] ? unwind_get_return_address+0x61/0xa0 [ 31.735753] ? __save_stack_trace+0x8d/0xf0 [ 31.740074] ? save_stack+0xa9/0xd0 [ 31.743695] ? save_stack+0x43/0xd0 [ 31.747338] ? __kasan_slab_free+0x11a/0x170 [ 31.751746] ? kasan_slab_free+0xe/0x10 [ 31.755718] ? putname+0xf2/0x130 [ 31.759180] ? __x64_sys_openat+0x9d/0x100 [ 31.763409] ? do_syscall_64+0x1b9/0x820 [ 31.767469] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.772875] ? trace_hardirqs_off+0xb8/0x2b0 [ 31.777279] ? kasan_check_read+0x11/0x20 [ 31.781421] ? do_raw_spin_unlock+0xa7/0x2f0 [ 31.785824] ? trace_hardirqs_on+0x2c0/0x2c0 [ 31.790230] ? initcall_blacklisted+0x9a/0x1e0 [ 31.794813] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 31.799931] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 31.805637] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.811215] ? do_vfs_ioctl+0x201/0x1720 [ 31.815271] ? rcu_is_watching+0x8c/0x150 [ 31.819410] ? trace_hardirqs_on+0xbd/0x2c0 [ 31.823768] ? ioctl_preallocate+0x300/0x300 [ 31.828188] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.833720] ? __fget_light+0x2f7/0x440 [ 31.837696] ? fget_raw+0x20/0x20 [ 31.841154] ? putname+0xf2/0x130 [ 31.844607] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.849626] ? kmem_cache_free+0x246/0x280 [ 31.853857] ? putname+0xf7/0x130 [ 31.857311] do_group_exit+0x177/0x440 [ 31.861195] ? trace_hardirqs_on+0xbd/0x2c0 [ 31.865510] ? __ia32_sys_exit+0x50/0x50 [ 31.869569] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 31.874677] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 31.880211] ? ksys_ioctl+0x81/0xd0 [ 31.883836] __x64_sys_exit_group+0x3e/0x50 [ 31.888166] do_syscall_64+0x1b9/0x820 [ 31.892055] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 31.897418] ? syscall_return_slowpath+0x5e0/0x5e0 [ 31.902344] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.907180] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 31.912191] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 31.917222] ? prepare_exit_to_usermode+0x291/0x3b0 [ 31.922236] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.927080] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.932263] RIP: 0033:0x43ecc8 [ 31.935452] Code: Bad RIP value. [ 31.938809] RSP: 002b:00007fff81a7db78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 31.946514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecc8 [ 31.953775] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 31.961036] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 31.968299] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 31.975558] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 31.982822] [ 31.984454] Allocated by task 4465: [ 31.988082] save_stack+0x43/0xd0 [ 31.991528] kasan_kmalloc+0xc4/0xe0 [ 31.995235] kasan_slab_alloc+0x12/0x20 [ 31.999201] kmem_cache_alloc+0x12e/0x710 [ 32.003343] vmx_create_vcpu+0xcf/0x2830 [ 32.007398] kvm_arch_vcpu_create+0xe5/0x220 [ 32.011800] kvm_vm_ioctl+0x488/0x1d80 [ 32.015696] do_vfs_ioctl+0x1de/0x1720 [ 32.019608] ksys_ioctl+0xa9/0xd0 [ 32.023068] __x64_sys_ioctl+0x73/0xb0 [ 32.026951] do_syscall_64+0x1b9/0x820 [ 32.030845] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.036022] [ 32.037637] Freed by task 4465: [ 32.040922] save_stack+0x43/0xd0 [ 32.044367] __kasan_slab_free+0x11a/0x170 [ 32.048593] kasan_slab_free+0xe/0x10 [ 32.052384] kmem_cache_free+0x86/0x280 [ 32.056349] vmx_free_vcpu+0x26b/0x300 [ 32.060232] kvm_arch_destroy_vm+0x365/0x7c0 [ 32.064635] kvm_put_kvm+0x73f/0x1060 [ 32.068432] kvm_vm_release+0x42/0x50 [ 32.072223] __fput+0x36e/0x8c0 [ 32.075491] ____fput+0x15/0x20 [ 32.078761] task_work_run+0x1e8/0x2a0 [ 32.082687] do_exit+0x1ae4/0x26e0 [ 32.086239] do_group_exit+0x177/0x440 [ 32.090117] __x64_sys_exit_group+0x3e/0x50 [ 32.094447] do_syscall_64+0x1b9/0x820 [ 32.098333] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.103544] [ 32.105194] The buggy address belongs to the object at ffff8801acb20040 [ 32.105194] which belongs to the cache kvm_vcpu of size 23872 [ 32.117759] The buggy address is located 24 bytes inside of [ 32.117759] 23872-byte region [ffff8801acb20040, ffff8801acb25d80) [ 32.129707] The buggy address belongs to the page: [ 32.134651] page:ffffea0006b2c800 count:1 mapcount:0 mapping:ffff8801d9e69180 index:0x0 compound_mapcount: 0 [ 32.144618] flags: 0x2fffc0000008100(slab|head) [ 32.149287] raw: 02fffc0000008100 ffff8801d6efe048 ffff8801d6efe048 ffff8801d9e69180 [ 32.157173] raw: 0000000000000000 ffff8801acb20040 0000000100000001 0000000000000000 [ 32.165042] page dumped because: kasan: bad access detected [ 32.170735] [ 32.172349] Memory state around the buggy address: [ 32.177268] ffff8801acb1ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.184617] ffff8801acb1ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 32.191965] >ffff8801acb20000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 32.199309] ^ [ 32.205530] ffff8801acb20080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.212893] ffff8801acb20100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 32.220233] ================================================================== [ 32.227580] Kernel panic - not syncing: panic_on_warn set ... [ 32.227580] [ 32.234940] CPU: 0 PID: 4465 Comm: syz-executor131 Tainted: G B 4.18.0+ #204 [ 32.243417] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.252757] Call Trace: [ 32.255344] dump_stack+0x1c9/0x2b4 [ 32.258968] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.264168] ? lock_downgrade+0x8f0/0x8f0 [ 32.268315] ? __schedule+0xf54/0x1df0 [ 32.272197] panic+0x238/0x4e7 [ 32.275382] ? add_taint.cold.5+0x16/0x16 [ 32.279532] ? print_shadow_for_address+0xba/0x116 [ 32.284455] ? trace_hardirqs_off+0xaf/0x2b0 [ 32.288855] ? trace_hardirqs_off+0x77/0x2b0 [ 32.293257] ? __schedule+0xf54/0x1df0 [ 32.297155] kasan_end_report+0x47/0x4f [ 32.301124] kasan_report.cold.7+0x76/0x30d [ 32.305646] __asan_report_load8_noabort+0x14/0x20 [ 32.310613] __schedule+0xf54/0x1df0 [ 32.314325] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 32.319424] ? __sched_text_start+0x8/0x8 [ 32.323570] ? __call_srcu+0x7e7/0x1040 [ 32.327550] ? check_same_owner+0x340/0x340 [ 32.331864] ? mark_held_locks+0x160/0x160 [ 32.336095] ? find_held_lock+0x36/0x1c0 [ 32.340163] preempt_schedule_common+0x22/0x60 [ 32.344752] _cond_resched+0x1d/0x30 [ 32.348462] wait_for_completion+0xa5/0x8d0 [ 32.352810] ? wait_for_completion_interruptible+0x950/0x950 [ 32.358604] ? __lockdep_init_map+0x105/0x590 [ 32.363095] ? __init_waitqueue_head+0x9e/0x150 [ 32.367757] ? init_wait_entry+0x1c0/0x1c0 [ 32.372005] __synchronize_srcu+0x189/0x240 [ 32.376320] ? call_srcu+0x10/0x10 [ 32.379869] ? rcu_unexpedite_gp+0x20/0x20 [ 32.384104] synchronize_srcu+0x335/0x56f [ 32.388265] ? lock_downgrade+0x8f0/0x8f0 [ 32.392413] ? synchronize_srcu_expedited+0x20/0x20 [ 32.397465] ? kasan_check_read+0x11/0x20 [ 32.401610] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 32.406189] ? kasan_check_write+0x14/0x20 [ 32.410424] ? do_raw_spin_lock+0xc1/0x200 [ 32.414661] kvm_page_track_unregister_notifier+0x17d/0x250 [ 32.420371] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 32.425815] ? kvfree+0x61/0x70 [ 32.429090] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.434107] kvm_mmu_uninit_vm+0x1c/0x20 [ 32.438178] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 32.442582] ? kvm_arch_sync_events+0x30/0x30 [ 32.447088] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.452625] ? mmu_notifier_unregister+0x474/0x600 [ 32.457550] ? trace_hardirqs_on+0x2c0/0x2c0 [ 32.461956] ? kfree+0x111/0x210 [ 32.465317] ? __mmu_notifier_register+0x30/0x30 [ 32.470070] ? __free_pages+0x10a/0x190 [ 32.474041] ? free_unref_page+0x930/0x930 [ 32.478278] kvm_put_kvm+0x73f/0x1060 [ 32.482081] ? kvm_write_guest_cached+0x40/0x40 [ 32.486750] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.491241] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.495741] ? lockdep_hardirqs_on+0x421/0x5c0 [ 32.500327] ? kasan_check_write+0x14/0x20 [ 32.504554] ? do_raw_spin_lock+0xc1/0x200 [ 32.508788] ? kvm_irqfd_release+0xdd/0x120 [ 32.513106] ? kvm_put_kvm+0x1060/0x1060 [ 32.517174] kvm_vm_release+0x42/0x50 [ 32.520970] __fput+0x36e/0x8c0 [ 32.524264] ? __alloc_file+0x400/0x400 [ 32.528237] ? check_same_owner+0x340/0x340 [ 32.532551] ? kasan_check_write+0x14/0x20 [ 32.536781] ? do_raw_spin_lock+0xc1/0x200 [ 32.541014] ____fput+0x15/0x20 [ 32.544290] task_work_run+0x1e8/0x2a0 [ 32.548178] ? task_work_cancel+0x240/0x240 [ 32.552500] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.558553] ? switch_task_namespaces+0xa2/0xd0 [ 32.563224] do_exit+0x1ae4/0x26e0 [ 32.566764] ? mm_update_next_owner+0x9a0/0x9a0 [ 32.571432] ? kvm_vcpu_ioctl+0x2b5/0x1280 [ 32.575678] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.580688] ? kfree+0x1d7/0x210 [ 32.584050] ? kvm_vcpu_ioctl+0x2ba/0x1280 [ 32.588281] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 32.594027] ? is_bpf_text_address+0xd7/0x170 [ 32.598515] ? kernel_text_address+0x79/0xf0 [ 32.602931] ? __kernel_text_address+0xd/0x40 [ 32.607440] ? unwind_get_return_address+0x61/0xa0 [ 32.612370] ? __save_stack_trace+0x8d/0xf0 [ 32.616694] ? save_stack+0xa9/0xd0 [ 32.620314] ? save_stack+0x43/0xd0 [ 32.623937] ? __kasan_slab_free+0x11a/0x170 [ 32.628342] ? kasan_slab_free+0xe/0x10 [ 32.632310] ? putname+0xf2/0x130 [ 32.635760] ? __x64_sys_openat+0x9d/0x100 [ 32.639993] ? do_syscall_64+0x1b9/0x820 [ 32.644054] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.649415] ? trace_hardirqs_off+0xb8/0x2b0 [ 32.653818] ? kasan_check_read+0x11/0x20 [ 32.657962] ? do_raw_spin_unlock+0xa7/0x2f0 [ 32.662367] ? trace_hardirqs_on+0x2c0/0x2c0 [ 32.666770] ? initcall_blacklisted+0x9a/0x1e0 [ 32.671351] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 32.676455] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 32.682176] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.687945] ? do_vfs_ioctl+0x201/0x1720 [ 32.692006] ? rcu_is_watching+0x8c/0x150 [ 32.696162] ? trace_hardirqs_on+0xbd/0x2c0 [ 32.700501] ? ioctl_preallocate+0x300/0x300 [ 32.704929] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.710466] ? __fget_light+0x2f7/0x440 [ 32.714438] ? fget_raw+0x20/0x20 [ 32.717883] ? putname+0xf2/0x130 [ 32.721333] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.726343] ? kmem_cache_free+0x246/0x280 [ 32.730573] ? putname+0xf7/0x130 [ 32.734028] do_group_exit+0x177/0x440 [ 32.737918] ? trace_hardirqs_on+0xbd/0x2c0 [ 32.742247] ? __ia32_sys_exit+0x50/0x50 [ 32.746301] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 32.751400] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 32.756932] ? ksys_ioctl+0x81/0xd0 [ 32.760558] __x64_sys_exit_group+0x3e/0x50 [ 32.764897] do_syscall_64+0x1b9/0x820 [ 32.768787] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 32.774159] ? syscall_return_slowpath+0x5e0/0x5e0 [ 32.779086] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.783922] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 32.788965] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 32.793977] ? prepare_exit_to_usermode+0x291/0x3b0 [ 32.798990] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 32.803859] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.809045] RIP: 0033:0x43ecc8 [ 32.812236] Code: Bad RIP value. [ 32.815590] RSP: 002b:00007fff81a7db78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 32.823295] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecc8 [ 32.830557] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 32.837821] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 32.845082] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 32.852342] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 32.859613] [ 32.859619] ====================================================== [ 32.859624] WARNING: possible circular locking dependency detected [ 32.859628] 4.18.0+ #204 Not tainted [ 32.859633] ------------------------------------------------------ [ 32.859638] syz-executor131/4465 is trying to acquire lock: [ 32.859641] 000000008e95370d ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 [ 32.859656] [ 32.859660] but task is already holding lock: [ 32.859664] 0000000006dd9a80 (report_lock){....}, at: kasan_report+0x8e/0x110 [ 32.859678] [ 32.859682] which lock already depends on the new lock. [ 32.859684] [ 32.859687] [ 32.859692] the existing dependency chain (in reverse order) is: [ 32.859694] [ 32.859696] -> #3 (report_lock){....}: [ 32.859711] _raw_spin_lock_irqsave+0x96/0xc0 [ 32.859714] kasan_report+0x8e/0x110 [ 32.859719] __asan_report_load8_noabort+0x14/0x20 [ 32.859723] __schedule+0xf54/0x1df0 [ 32.859727] preempt_schedule_common+0x22/0x60 [ 32.859731] _cond_resched+0x1d/0x30 [ 32.859735] wait_for_completion+0xa5/0x8d0 [ 32.859739] __synchronize_srcu+0x189/0x240 [ 32.859743] synchronize_srcu+0x335/0x56f [ 32.859747] kvm_page_track_unregister_notifier+0x17d/0x250 [ 32.859751] kvm_mmu_uninit_vm+0x1c/0x20 [ 32.859755] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 32.859759] kvm_put_kvm+0x73f/0x1060 [ 32.859763] kvm_vm_release+0x42/0x50 [ 32.859766] __fput+0x36e/0x8c0 [ 32.859770] ____fput+0x15/0x20 [ 32.859774] task_work_run+0x1e8/0x2a0 [ 32.859777] do_exit+0x1ae4/0x26e0 [ 32.859781] do_group_exit+0x177/0x440 [ 32.859785] __x64_sys_exit_group+0x3e/0x50 [ 32.859789] do_syscall_64+0x1b9/0x820 [ 32.859793] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.859795] [ 32.859798] -> #2 (&rq->lock){-.-.}: [ 32.859811] _raw_spin_lock+0x2a/0x40 [ 32.859815] task_fork_fair+0x93/0x680 [ 32.859819] sched_fork+0x44b/0xbd0 [ 32.859823] copy_process+0x235e/0x7ad0 [ 32.859826] _do_fork+0x1ca/0x1170 [ 32.859830] kernel_thread+0x34/0x40 [ 32.859833] rest_init+0x22/0xe4 [ 32.859837] start_kernel+0x913/0x94e [ 32.859841] x86_64_start_reservations+0x29/0x2b [ 32.859845] x86_64_start_kernel+0x76/0x79 [ 32.859849] secondary_startup_64+0xa4/0xb0 [ 32.859852] [ 32.859854] -> #1 (&p->pi_lock){-.-.}: [ 32.859868] _raw_spin_lock_irqsave+0x96/0xc0 [ 32.859872] try_to_wake_up+0xd2/0x1250 [ 32.859876] wake_up_process+0x10/0x20 [ 32.859879] __up.isra.1+0x1c0/0x2a0 [ 32.859883] up+0x13c/0x1c0 [ 32.859887] __up_console_sem+0xbe/0x1b0 [ 32.859890] console_unlock+0x506/0x10d0 [ 32.859894] vprintk_emit+0x33a/0x910 [ 32.859898] vprintk_default+0x28/0x30 [ 32.859902] vprintk_func+0x7a/0x117 [ 32.859905] printk+0xa7/0xcf [ 32.859908] load_umh+0x51/0xbd [ 32.859912] do_one_initcall+0x127/0x838 [ 32.859916] kernel_init_freeable+0x4bb/0x5ae [ 32.859920] kernel_init+0x11/0x1b3 [ 32.859924] ret_from_fork+0x3a/0x50 [ 32.859926] [ 32.859928] -> #0 ((console_sem).lock){-...}: [ 32.859942] lock_acquire+0x1e4/0x4f0 [ 32.859946] _raw_spin_lock_irqsave+0x96/0xc0 [ 32.859950] down_trylock+0x13/0x70 [ 32.859954] __down_trylock_console_sem+0xae/0x200 [ 32.859958] console_trylock+0x15/0xa0 [ 32.859962] vprintk_emit+0x31f/0x910 [ 32.859966] vprintk_default+0x28/0x30 [ 32.859969] vprintk_func+0x7a/0x117 [ 32.859973] printk+0xa7/0xcf [ 32.859977] kasan_report+0x9e/0x110 [ 32.859981] __asan_report_load8_noabort+0x14/0x20 [ 32.859985] __schedule+0xf54/0x1df0 [ 32.859989] preempt_schedule_common+0x22/0x60 [ 32.859993] _cond_resched+0x1d/0x30 [ 32.859997] wait_for_completion+0xa5/0x8d0 [ 32.860001] __synchronize_srcu+0x189/0x240 [ 32.860005] synchronize_srcu+0x335/0x56f [ 32.860009] kvm_page_track_unregister_notifier+0x17d/0x250 [ 32.860013] kvm_mmu_uninit_vm+0x1c/0x20 [ 32.860017] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 32.860021] kvm_put_kvm+0x73f/0x1060 [ 32.860025] kvm_vm_release+0x42/0x50 [ 32.860029] __fput+0x36e/0x8c0 [ 32.860032] ____fput+0x15/0x20 [ 32.860036] task_work_run+0x1e8/0x2a0 [ 32.860039] do_exit+0x1ae4/0x26e0 [ 32.860043] do_group_exit+0x177/0x440 [ 32.860047] __x64_sys_exit_group+0x3e/0x50 [ 32.860051] do_syscall_64+0x1b9/0x820 [ 32.860056] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 32.860058] [ 32.860062] other info that might help us debug this: [ 32.860065] [ 32.860068] Chain exists of: [ 32.860070] (console_sem).lock --> &rq->lock --> report_lock [ 32.860088] [ 32.860092] Possible unsafe locking scenario: [ 32.860094] [ 32.860098] CPU0 CPU1 [ 32.860102] ---- ---- [ 32.860104] lock(report_lock); [ 32.860113] lock(&rq->lock); [ 32.860122] lock(report_lock); [ 32.860130] lock((console_sem).lock); [ 32.860145] [ 32.860155] *** DEADLOCK *** [ 32.860157] [ 32.860161] 2 locks held by syz-executor131/4465: [ 32.860163] #0: 00000000f93ef48e (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0 [ 32.860180] #1: 0000000006dd9a80 (report_lock){....}, at: kasan_report+0x8e/0x110 [ 32.860197] [ 32.860200] stack backtrace: [ 32.860206] CPU: 0 PID: 4465 Comm: syz-executor131 Not tainted 4.18.0+ #204 [ 32.860213] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 32.860216] Call Trace: [ 32.860219] dump_stack+0x1c9/0x2b4 [ 32.860224] ? dump_stack_print_info.cold.2+0x52/0x52 [ 32.860228] ? vprintk_func+0x100/0x117 [ 32.860233] print_circular_bug.isra.34.cold.55+0x1bd/0x27d [ 32.860236] ? save_trace+0xe0/0x290 [ 32.860240] __lock_acquire+0x3449/0x5020 [ 32.860244] ? mark_held_locks+0x160/0x160 [ 32.860248] ? mark_held_locks+0x160/0x160 [ 32.860253] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 32.860257] ? is_bpf_text_address+0xd7/0x170 [ 32.860261] ? kernel_text_address+0x79/0xf0 [ 32.860265] ? __kernel_text_address+0xd/0x40 [ 32.860269] ? __save_stack_trace+0x8d/0xf0 [ 32.860273] ? add_lock_to_list.isra.27+0x1ec/0x4b0 [ 32.860277] ? save_trace+0x290/0x290 [ 32.860281] ? save_stack_trace+0x1a/0x20 [ 32.860285] ? save_trace+0xe0/0x290 [ 32.860289] ? graph_lock+0x170/0x170 [ 32.860293] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.860297] lock_acquire+0x1e4/0x4f0 [ 32.860301] ? down_trylock+0x13/0x70 [ 32.860305] ? lock_release+0x9f0/0x9f0 [ 32.860309] ? trace_hardirqs_off+0xb8/0x2b0 [ 32.860313] ? trace_hardirqs_on+0x2c0/0x2c0 [ 32.860317] ? trace_hardirqs_off+0xb8/0x2b0 [ 32.860320] ? log_store+0x34f/0x4c0 [ 32.860324] ? vprintk_emit+0x31f/0x910 [ 32.860328] _raw_spin_lock_irqsave+0x96/0xc0 [ 32.860332] ? down_trylock+0x13/0x70 [ 32.860336] down_trylock+0x13/0x70 [ 32.860340] __down_trylock_console_sem+0xae/0x200 [ 32.860344] console_trylock+0x15/0xa0 [ 32.860348] vprintk_emit+0x31f/0x910 [ 32.860352] ? wake_up_klogd+0x110/0x110 [ 32.860356] ? run_rebalance_domains+0x4c0/0x4c0 [ 32.860360] ? kasan_check_read+0x11/0x20 [ 32.860364] ? rcu_is_watching+0x8c/0x150 [ 32.860367] ? rcu_pm_notify+0xc0/0xc0 [ 32.860371] ? lock_acquire+0x1e4/0x4f0 [ 32.860375] ? kasan_report+0x8e/0x110 [ 32.860379] ? __schedule+0xf54/0x1df0 [ 32.860383] vprintk_default+0x28/0x30 [ 32.860386] vprintk_func+0x7a/0x117 [ 32.860390] printk+0xa7/0xcf [ 32.860394] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 32.860398] ? kasan_check_write+0x14/0x20 [ 32.860402] ? do_raw_spin_lock+0xc1/0x200 [ 32.860406] ? do_raw_spin_lock+0xc1/0x200 [ 32.860410] kasan_report+0x9e/0x110 [ 32.860414] __asan_report_load8_noabort+0x14/0x20 [ 32.860418] __schedule+0xf54/0x1df0 [ 32.860422] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 32.860426] ? __sched_text_start+0x8/0x8 [ 32.860430] ? __call_srcu+0x7e7/0x1040 [ 32.860434] ? check_same_owner+0x340/0x340 [ 32.860438] ? mark_held_locks+0x160/0x160 [ 32.860442] ? find_held_lock+0x36/0x1c0 [ 32.860446] preempt_schedule_common+0x22/0x60 [ 32.860450] _cond_resched+0x1d/0x30 [ 32.860454] wait_for_completion+0xa5/0x8d0 [ 32.860459] ? wait_for_completion_interruptible+0x950/0x950 [ 32.860463] ? __lockdep_init_map+0x105/0x590 [ 32.860468] ? __init_waitqueue_head+0x9e/0x150 [ 32.860472] ? init_wait_entry+0x1c0/0x1c0 [ 32.860476] __synchronize_srcu+0x189/0x240 [ 32.860479] ? call_srcu+0x10/0x10 [ 32.860483] ? rcu_unexpedite_gp+0x20/0x20 [ 32.860487] synchronize_srcu+0x335/0x56f [ 32.860491] ? lock_downgrade+0x8f0/0x8f0 [ 32.860496] ? synchronize_srcu_expedited+0x20/0x20 [ 32.860500] ? kasan_check_read+0x11/0x20 [ 32.860504] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 32.860508] ? kasan_check_write+0x14/0x20 [ 32.860512] ? do_raw_spin_lock+0xc1/0x200 [ 32.860517] kvm_page_track_unregister_notifier+0x17d/0x250 [ 32.860521] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 32.860525] ? kvfree+0x61/0x70 [ 32.860529] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.860533] kvm_mmu_uninit_vm+0x1c/0x20 [ 32.860537] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 32.860542] ? kvm_arch_sync_events+0x30/0x30 [ 32.860546] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.860551] ? mmu_notifier_unregister+0x474/0x600 [ 32.860555] ? trace_hardirqs_on+0x2c0/0x2c0 [ 32.860558] ? kfree+0x111/0x210 [ 32.860563] ? __mmu_notifier_register+0x30/0x30 [ 32.860566] ? __free_pages+0x10a/0x190 [ 32.860570] ? free_unref_page+0x930/0x930 [ 32.860574] kvm_put_kvm+0x73f/0x1060 [ 32.860578] ? kvm_write_guest_cached+0x40/0x40 [ 32.860583] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.860587] ? _raw_spin_unlock_irq+0x27/0x70 [ 32.860591] ? lockdep_hardirqs_on+0x421/0x5c0 [ 32.860595] ? kasan_check_write+0x14/0x20 [ 32.860599] ? do_raw_spin_lock+0xc1/0x200 [ 32.860603] ? kvm_irqfd_release+0xdd/0x120 [ 32.860607] ? kvm_put_kvm+0x1060/0x1060 [ 32.860610] kvm_vm_release+0x42/0x50 [ 32.860614] __fput+0x36e/0x8c0 [ 32.860618] ? __alloc_file+0x400/0x400 [ 32.860622] ? check_same_owner+0x340/0x340 [ 32.860626] ? kasan_check_write+0x14/0x20 [ 32.860630] ? do_raw_spin_lock+0xc1/0x200 [ 32.860633] ____fput+0x15/0x20 [ 32.860637] task_work_run+0x1e8/0x2a0 [ 32.860641] ? task_work_cancel+0x240/0x240 [ 32.860646] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 32.860650] ? switch_task_namespaces+0xa2/0xd0 [ 32.860654] do_exit+0x1ae4/0x26e0 [ 32.860658] ? mm_update_next_owner+0x9a0/0x9a0 [ 32.860662] ? kvm_vcpu_ioctl+0x2b5/0x1280 [ 32.860667] ? rcu_read_lock_sched_held+0x108/0x120 [ 32.860670] ? kfree+0x1d7/0x210 [ 32.860674] ? kvm_vcpu_ioctl+0x2ba/0x1280 [ 32.860679] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 32.860683] ? is_bpf_text_address+0xd7/0x170 [ 32.860687] ? kernel_text_address+0x79/0xf0 [ 32.860690] ? __kern [ 32.860697] Lost 54 message(s)! [ 33.936737] Shutting down cpus with NMI [ 34.996191] Dumping ftrace buffer: [ 34.999715] (ftrace buffer empty) [ 35.003400] Kernel Offset: disabled [ 35.007005] Rebooting in 86400 seconds..