[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd
[ 24.452205] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.764209] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.183947] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.777478] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.726130] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.39' (ECDSA) to the list of known hosts.
[ 34.291066] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 34.394472] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 34.426445] ==================================================================
[ 34.436360] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0
[ 34.442605] Read of size 8 at addr ffff8801c0598058 by task syz-executor624/4668
[ 34.450125]
[ 34.451785] CPU: 0 PID: 4668 Comm: syz-executor624 Not tainted 4.19.0-rc1+ #215
[ 34.459222] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.468562] Call Trace:
[ 34.471152]  dump_stack+0x1c9/0x2b4
[ 34.474801]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.479989]  ? printk+0xa7/0xcf
[ 34.483262]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 34.488021]  ? __schedule+0xf54/0x1df0
[ 34.491907]  print_address_description+0x6c/0x20b
[ 34.496761]  ? __schedule+0xf54/0x1df0
[ 34.500652]  kasan_report.cold.7+0x242/0x30d
[ 34.505059]  __asan_report_load8_noabort+0x14/0x20
[ 34.509985]  __schedule+0xf54/0x1df0
[ 34.513700]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 34.518820]  ? __sched_text_start+0x8/0x8
[ 34.522975]  ? __call_srcu+0x7e7/0x1040
[ 34.526955]  ? check_same_owner+0x340/0x340
[ 34.531270]  ? mark_held_locks+0x160/0x160
[ 34.535510]  preempt_schedule_common+0x22/0x60
[ 34.540088]  _cond_resched+0x1d/0x30
[ 34.543802]  wait_for_completion+0xa5/0x8d0
[ 34.548211]  ? wait_for_completion_interruptible+0x950/0x950
[ 34.554004]  ? __lockdep_init_map+0x105/0x590
[ 34.558496]  ? __init_waitqueue_head+0x9e/0x150
[ 34.563158]  ? init_wait_entry+0x1c0/0x1c0
[ 34.567392]  __synchronize_srcu+0x189/0x240
[ 34.571706]  ? call_srcu+0x10/0x10
[ 34.575250]  ? rcu_unexpedite_gp+0x20/0x20
[ 34.579489]  synchronize_srcu+0x335/0x56f
[ 34.583632]  ? lock_downgrade+0x8f0/0x8f0
[ 34.587783]  ? synchronize_srcu_expedited+0x20/0x20
[ 34.592802]  ? kasan_check_read+0x11/0x20
[ 34.596950]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 34.601533]  ? kasan_check_write+0x14/0x20
[ 34.605776]  ? do_raw_spin_lock+0xc1/0x200
[ 34.610016]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 34.615723]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 34.621210]  ? kvfree+0x61/0x70
[ 34.624489]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.629513]  kvm_mmu_uninit_vm+0x1c/0x20
[ 34.633571]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 34.637977]  ? kvm_arch_sync_events+0x30/0x30
[ 34.642472]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.648011]  ? mmu_notifier_unregister+0x474/0x600
[ 34.652934]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.657337]  ? kfree+0x111/0x210
[ 34.660704]  ? __mmu_notifier_register+0x30/0x30
[ 34.665470]  ? __free_pages+0x10a/0x190
[ 34.669440]  ? free_unref_page+0x930/0x930
[ 34.673681]  kvm_put_kvm+0x73f/0x1060
[ 34.677482]  ? kvm_write_guest_cached+0x40/0x40
[ 34.682149]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.686637]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.691133]  ? kasan_check_write+0x14/0x20
[ 34.695364]  ? do_raw_spin_lock+0xc1/0x200
[ 34.699599]  ? kvm_irqfd_release+0xdd/0x120
[ 34.704005]  ? kvm_irqfd_release+0xdd/0x120
[ 34.708323]  ? kvm_put_kvm+0x1060/0x1060
[ 34.712382]  kvm_vm_release+0x42/0x50
[ 34.716178]  __fput+0x38a/0xa40
[ 34.719453]  ? __alloc_file+0x400/0x400
[ 34.723427]  ? check_same_owner+0x340/0x340
[ 34.727751]  ? kasan_check_write+0x14/0x20
[ 34.731987]  ? do_raw_spin_lock+0xc1/0x200
[ 34.736234]  ____fput+0x15/0x20
[ 34.739509]  task_work_run+0x1e8/0x2a0
[ 34.743394]  ? task_work_cancel+0x240/0x240
[ 34.747715]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.753259]  ? switch_task_namespaces+0xa2/0xd0
[ 34.757927]  do_exit+0x1ae4/0x26e0
[ 34.761466]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 34.766047]  ? mm_update_next_owner+0x9a0/0x9a0
[ 34.770715]  ? profiling_store+0xd0/0xd0
[ 34.774791]  ? kasan_check_write+0x14/0x20
[ 34.779024]  ? do_raw_spin_lock+0xc1/0x200
[ 34.783266]  ? do_coredump+0x477/0x3fff
[ 34.787244]  ? kasan_check_write+0x14/0x20
[ 34.791480]  ? do_raw_spin_lock+0xc1/0x200
[ 34.795716]  ? _raw_spin_unlock_irqrestore+0x40/0xc0
[ 34.801834]  ? dump_align+0xa0/0xa0
[ 34.805456]  ? save_stack+0xa9/0xd0
[ 34.809079]  ? save_stack+0x43/0xd0
[ 34.812699]  ? __kasan_slab_free+0x11a/0x170
[ 34.817103]  ? kasan_slab_free+0xe/0x10
[ 34.821070]  ? kmem_cache_free+0x86/0x280
[ 34.825215]  ? __sigqueue_free.part.29+0x7d/0xa0
[ 34.829961]  ? __dequeue_signal+0x530/0x7d0
[ 34.834304]  ? dequeue_signal+0xbc/0x620
[ 34.838358]  ? get_signal+0x3f0/0x18e0
[ 34.842240]  ? do_signal+0x9c/0x21c0
[ 34.845950]  ? exit_to_usermode_loop+0x2e5/0x380
[ 34.850700]  ? prepare_exit_to_usermode+0x342/0x3b0
[ 34.856147]  ? trace_hardirqs_off+0xb8/0x2b0
[ 34.860557]  ? kasan_check_read+0x11/0x20
[ 34.864699]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 34.869102]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.873509]  ? kasan_check_write+0x14/0x20
[ 34.877750]  ? graph_lock+0x170/0x170
[ 34.881549]  ? trace_hardirqs_off+0xb8/0x2b0
[ 34.885959]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 34.891066]  ? __lock_is_held+0xb5/0x140
[ 34.895130]  ? __sigqueue_free.part.29+0x7d/0xa0
[ 34.899882]  ? graph_lock+0x170/0x170
[ 34.903682]  ? __sigqueue_free.part.29+0x7d/0xa0
[ 34.908446]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.913456]  ? kmem_cache_free+0x246/0x280
[ 34.917687]  ? __sigqueue_free.part.29+0x7d/0xa0
[ 34.922437]  ? find_held_lock+0x36/0x1c0
[ 34.926500]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.932036]  ? proc_coredump_connector+0x4d0/0x610
[ 34.936984]  ? proc_comm_connector+0x500/0x500
[ 34.941565]  do_group_exit+0x177/0x440
[ 34.945449]  ? __ia32_sys_exit+0x50/0x50
[ 34.949523]  get_signal+0x851/0x18e0
[ 34.953234]  ? ptrace_notify+0x130/0x130
[ 34.957299]  ? lock_release+0x9f0/0x9f0
[ 34.961276]  ? __bad_area_nosemaphore+0x311/0x3f0
[ 34.966118]  do_signal+0x9c/0x21c0
[ 34.969653]  ? __bad_area+0x159/0x200
[ 34.973450]  ? bad_area_nosemaphore+0x40/0x40
[ 34.977943]  ? setup_sigcontext+0x7d0/0x7d0
[ 34.982264]  ? bad_area_access_error+0x1f2/0x2e0
[ 34.987020]  ? find_vma+0x34/0x190
[ 34.990556]  ? __do_page_fault+0x449/0xe50
[ 34.994795]  ? exit_to_usermode_loop+0x8c/0x380
[ 34.999464]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.003874]  exit_to_usermode_loop+0x2e5/0x380
[ 35.008453]  ? syscall_slow_exit_work+0x490/0x490
[ 35.013290]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[ 35.018303]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 35.023229]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.028065]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.032915]  prepare_exit_to_usermode+0x342/0x3b0
[ 35.037760]  ? perf_trace_sys_enter+0xb10/0xb10
[ 35.042433]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.047271]  ? page_fault+0x8/0x30
[ 35.050805]  retint_user+0x8/0x18
[ 35.054257] RIP: 0033:0x40119b
[ 35.057457] Code: Bad RIP value.
[ 35.060811] RSP: 002b:00007ffc25dc05a0 EFLAGS: 00010217
[ 35.066174] RAX: 0000000020011000 RBX: 7363762f7665642f RCX: 0000000000444529
[ 35.073436] RDX: 0000000000000001 RSI: 0000000000003000 RDI: 0000000020011000
[ 35.080705] RBP: 00000000006cf018 R08: 00000000ffffffff R09: 0000000000000000
[ 35.087967] R10: 0000000000000032 R11: 0000000000000286 R12: 0000000000402230
[ 35.095232] R13: 00000000004022c0 R14: 0000000000000000 R15: 0000000000000000
[ 35.102521]
[ 35.104142] Allocated by task 4668:
[ 35.107780]  save_stack+0x43/0xd0
[ 35.111226]  kasan_kmalloc+0xc4/0xe0
[ 35.114934]  kasan_slab_alloc+0x12/0x20
[ 35.118900]  kmem_cache_alloc+0x12e/0x710
[ 35.123043]  vmx_create_vcpu+0xcf/0x2830
[ 35.127096]  kvm_arch_vcpu_create+0xe5/0x220
[ 35.131503]  kvm_vm_ioctl+0x488/0x1d80
[ 35.135386]  do_vfs_ioctl+0x1de/0x1720
[ 35.139267]  ksys_ioctl+0xa9/0xd0
[ 35.142719]  __x64_sys_ioctl+0x73/0xb0
[ 35.146609]  do_syscall_64+0x1b9/0x820
[ 35.150494]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.155670]
[ 35.157292] Freed by task 4668:
[ 35.160568]  save_stack+0x43/0xd0
[ 35.164019]  __kasan_slab_free+0x11a/0x170
[ 35.168254]  kasan_slab_free+0xe/0x10
[ 35.172053]  kmem_cache_free+0x86/0x280
[ 35.176021]  vmx_free_vcpu+0x26b/0x300
[ 35.179927]  kvm_arch_destroy_vm+0x365/0x7c0
[ 35.184333]  kvm_put_kvm+0x73f/0x1060
[ 35.188129]  kvm_vm_release+0x42/0x50
[ 35.191922]  __fput+0x38a/0xa40
[ 35.195194]  ____fput+0x15/0x20
[ 35.198470]  task_work_run+0x1e8/0x2a0
[ 35.202353]  do_exit+0x1ae4/0x26e0
[ 35.205896]  do_group_exit+0x177/0x440
[ 35.209782]  get_signal+0x851/0x18e0
[ 35.213524]  do_signal+0x9c/0x21c0
[ 35.217073]  exit_to_usermode_loop+0x2e5/0x380
[ 35.221649]  prepare_exit_to_usermode+0x342/0x3b0
[ 35.226488]  retint_user+0x8/0x18
[ 35.229926]
[ 35.231546] The buggy address belongs to the object at ffff8801c0598040
[ 35.231546]  which belongs to the cache kvm_vcpu of size 23872
[ 35.244127] The buggy address is located 24 bytes inside of
[ 35.244127]  23872-byte region [ffff8801c0598040, ffff8801c059dd80)
[ 35.256090] The buggy address belongs to the page:
[ 35.261027] page:ffffea0007016600 count:1 mapcount:0 mapping:ffff8801d52a79c0 index:0x0 compound_mapcount: 0
[ 35.271025] flags: 0x2fffc0000008100(slab|head)
[ 35.275705] raw: 02fffc0000008100 ffff8801d52a4448 ffff8801d52a4448 ffff8801d52a79c0
[ 35.283606] raw: 0000000000000000 ffff8801c0598040 0000000100000001 0000000000000000
[ 35.291485] page dumped because: kasan: bad access detected
[ 35.297188]
[ 35.298803] Memory state around the buggy address:
[ 35.303724]  ffff8801c0597f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.311090]  ffff8801c0597f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.318442] >ffff8801c0598000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.325793]                                                     ^
[ 35.332023]  ffff8801c0598080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.339390]  ffff8801c0598100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.346758] ==================================================================
[ 35.354131] Kernel panic - not syncing: panic_on_warn set ...
[ 35.354131]
[ 35.361502] CPU: 0 PID: 4668 Comm: syz-executor624 Tainted: G B 4.19.0-rc1+ #215
[ 35.370331] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.379673] Call Trace:
[ 35.382262]  dump_stack+0x1c9/0x2b4
[ 35.385892]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.391078]  ? lock_downgrade+0x8f0/0x8f0
[ 35.395223]  ? __schedule+0xf54/0x1df0
[ 35.399105]  panic+0x238/0x4e7
[ 35.402291]  ? add_taint.cold.5+0x16/0x16
[ 35.406441]  ? print_shadow_for_address+0xba/0x116
[ 35.411369]  ? trace_hardirqs_off+0xaf/0x2b0
[ 35.415780]  ? trace_hardirqs_off+0x77/0x2b0
[ 35.420191]  ? __schedule+0xf54/0x1df0
[ 35.424094]  kasan_end_report+0x47/0x4f
[ 35.428067]  kasan_report.cold.7+0x76/0x30d
[ 35.432389]  __asan_report_load8_noabort+0x14/0x20
[ 35.437320]  __schedule+0xf54/0x1df0
[ 35.441031]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 35.446131]  ? __sched_text_start+0x8/0x8
[ 35.450279]  ? __call_srcu+0x7e7/0x1040
[ 35.454258]  ? check_same_owner+0x340/0x340
[ 35.458591]  ? mark_held_locks+0x160/0x160
[ 35.462833]  preempt_schedule_common+0x22/0x60
[ 35.467411]  _cond_resched+0x1d/0x30
[ 35.471131]  wait_for_completion+0xa5/0x8d0
[ 35.475455]  ? wait_for_completion_interruptible+0x950/0x950
[ 35.481247]  ? __lockdep_init_map+0x105/0x590
[ 35.485753]  ? __init_waitqueue_head+0x9e/0x150
[ 35.490424]  ? init_wait_entry+0x1c0/0x1c0
[ 35.494660]  __synchronize_srcu+0x189/0x240
[ 35.498977]  ? call_srcu+0x10/0x10
[ 35.502515]  ? rcu_unexpedite_gp+0x20/0x20
[ 35.506760]  synchronize_srcu+0x335/0x56f
[ 35.510917]  ? lock_downgrade+0x8f0/0x8f0
[ 35.515058]  ? synchronize_srcu_expedited+0x20/0x20
[ 35.520073]  ? kasan_check_read+0x11/0x20
[ 35.524222]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 35.528810]  ? kasan_check_write+0x14/0x20
[ 35.533043]  ? do_raw_spin_lock+0xc1/0x200
[ 35.537279]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 35.542994]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 35.548441]  ? kvfree+0x61/0x70
[ 35.551720]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.556751]  kvm_mmu_uninit_vm+0x1c/0x20
[ 35.560815]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 35.565220]  ? kvm_arch_sync_events+0x30/0x30
[ 35.569714]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.575277]  ? mmu_notifier_unregister+0x474/0x600
[ 35.580204]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.584608]  ? kfree+0x111/0x210
[ 35.587980]  ? __mmu_notifier_register+0x30/0x30
[ 35.592744]  ? __free_pages+0x10a/0x190
[ 35.596720]  ? free_unref_page+0x930/0x930
[ 35.600966]  kvm_put_kvm+0x73f/0x1060
[ 35.604781]  ? kvm_write_guest_cached+0x40/0x40
[ 35.609453]  ? _raw_spin_unlock_irq+0x27/0x70
[ 35.613942]  ? _raw_spin_unlock_irq+0x27/0x70
[ 35.618440]  ? kasan_check_write+0x14/0x20
[ 35.622674]  ? do_raw_spin_lock+0xc1/0x200
[ 35.626910]  ? kvm_irqfd_release+0xdd/0x120
[ 35.631228]  ? kvm_irqfd_release+0xdd/0x120
[ 35.635550]  ? kvm_put_kvm+0x1060/0x1060
[ 35.639605]  kvm_vm_release+0x42/0x50
[ 35.643404]  __fput+0x38a/0xa40
[ 35.646688]  ? __alloc_file+0x400/0x400
[ 35.650662]  ? check_same_owner+0x340/0x340
[ 35.654977]  ? kasan_check_write+0x14/0x20
[ 35.659210]  ? do_raw_spin_lock+0xc1/0x200
[ 35.663439]  ____fput+0x15/0x20
[ 35.666714]  task_work_run+0x1e8/0x2a0
[ 35.670625]  ? task_work_cancel+0x240/0x240
[ 35.674948]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.680479]  ? switch_task_namespaces+0xa2/0xd0
[ 35.685146]  do_exit+0x1ae4/0x26e0
[ 35.688679]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 35.693258]  ? mm_update_next_owner+0x9a0/0x9a0
[ 35.697925]  ? profiling_store+0xd0/0xd0
[ 35.701982]  ? kasan_check_write+0x14/0x20
[ 35.706223]  ? do_raw_spin_lock+0xc1/0x200
[ 35.710457]  ? do_coredump+0x477/0x3fff
[ 35.714430]  ? kasan_check_write+0x14/0x20
[ 35.718659]  ? do_raw_spin_lock+0xc1/0x200
[ 35.722891]  ? _raw_spin_unlock_irqrestore+0x40/0xc0
[ 35.727991]  ? dump_align+0xa0/0xa0
[ 35.731616]  ? save_stack+0xa9/0xd0
[ 35.735236]  ? save_stack+0x43/0xd0
[ 35.738857]  ? __kasan_slab_free+0x11a/0x170
[ 35.743272]  ? kasan_slab_free+0xe/0x10
[ 35.747243]  ? kmem_cache_free+0x86/0x280
[ 35.751388]  ? __sigqueue_free.part.29+0x7d/0xa0
[ 35.756140]  ? __dequeue_signal+0x530/0x7d0
[ 35.760454]  ? dequeue_signal+0xbc/0x620
[ 35.764507]  ? get_signal+0x3f0/0x18e0
[ 35.768387]  ? do_signal+0x9c/0x21c0
[ 35.772097]  ? exit_to_usermode_loop+0x2e5/0x380
[ 35.776834]  ? prepare_exit_to_usermode+0x342/0x3b0
[ 35.781831]  ? trace_hardirqs_off+0xb8/0x2b0
[ 35.786220]  ? kasan_check_read+0x11/0x20
[ 35.790347]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 35.794760]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.799173]  ? kasan_check_write+0x14/0x20
[ 35.803405]  ? graph_lock+0x170/0x170
[ 35.807207]  ? trace_hardirqs_off+0xb8/0x2b0
[ 35.811752]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 35.816902]  ? __lock_is_held+0xb5/0x140
[ 35.820968]  ? __sigqueue_free.part.29+0x7d/0xa0
[ 35.825717]  ? graph_lock+0x170/0x170
[ 35.829525]  ? __sigqueue_free.part.29+0x7d/0xa0
[ 35.834283]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.839296]  ? kmem_cache_free+0x246/0x280
[ 35.843526]  ? __sigqueue_free.part.29+0x7d/0xa0
[ 35.848281]  ? find_held_lock+0x36/0x1c0
[ 35.852344]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.857878]  ? proc_coredump_connector+0x4d0/0x610
[ 35.862808]  ? proc_comm_connector+0x500/0x500
[ 35.867391]  do_group_exit+0x177/0x440
[ 35.871283]  ? __ia32_sys_exit+0x50/0x50
[ 35.875347]  get_signal+0x851/0x18e0
[ 35.879059]  ? ptrace_notify+0x130/0x130
[ 35.883148]  ? lock_release+0x9f0/0x9f0
[ 35.887132]  ? __bad_area_nosemaphore+0x311/0x3f0
[ 35.891977]  do_signal+0x9c/0x21c0
[ 35.895515]  ? __bad_area+0x159/0x200
[ 35.899313]  ? bad_area_nosemaphore+0x40/0x40
[ 35.903807]  ? setup_sigcontext+0x7d0/0x7d0
[ 35.908126]  ? bad_area_access_error+0x1f2/0x2e0
[ 35.912877]  ? find_vma+0x34/0x190
[ 35.916425]  ? __do_page_fault+0x449/0xe50
[ 35.920668]  ? exit_to_usermode_loop+0x8c/0x380
[ 35.925335]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.929756]  exit_to_usermode_loop+0x2e5/0x380
[ 35.934343]  ? syscall_slow_exit_work+0x490/0x490
[ 35.939182]  ? trace_hardirqs_off_caller+0xbb/0x2b0
[ 35.944194]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 35.949120]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.953956]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.958795]  prepare_exit_to_usermode+0x342/0x3b0
[ 35.963620]  ? perf_trace_sys_enter+0xb10/0xb10
[ 35.968287]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.973132]  ? page_fault+0x8/0x30
[ 35.976671]  retint_user+0x8/0x18
[ 35.980115] RIP: 0033:0x40119b
[ 35.983307] Code: Bad RIP value.
[ 35.986669] RSP: 002b:00007ffc25dc05a0 EFLAGS: 00010217
[ 35.992028] RAX: 0000000020011000 RBX: 7363762f7665642f RCX: 0000000000444529
[ 35.999288] RDX: 0000000000000001 RSI: 0000000000003000 RDI: 0000000020011000
[ 36.006572] RBP: 00000000006cf018 R08: 00000000ffffffff R09: 0000000000000000
[ 36.013863] R10: 0000000000000032 R11: 0000000000000286 R12: 0000000000402230
[ 36.021130] R13: 00000000004022c0 R14: 0000000000000000 R15: 0000000000000000
[ 36.028403]
[ 36.028408] ======================================================
[ 36.028414] WARNING: possible circular locking dependency detected
[ 36.028417] 4.19.0-rc1+ #215 Not tainted
[ 36.028423] ------------------------------------------------------
[ 36.028427] syz-executor624/4668 is trying to acquire lock:
[ 36.028431] 00000000a189bafe ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 36.028445]
[ 36.028449] but task is already holding lock:
[ 36.028452] 00000000c833bb40 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 36.028466]
[ 36.028470] which lock already depends on the new lock.
[ 36.028472]
[ 36.028475]
[ 36.028480] the existing dependency chain (in reverse order) is:
[ 36.028482]
[ 36.028484] -> #3 (report_lock){....}:
[ 36.028498]        _raw_spin_lock_irqsave+0x96/0xc0
[ 36.028502]        kasan_report+0x8e/0x110
[ 36.028506]        __asan_report_load8_noabort+0x14/0x20
[ 36.028510]        __schedule+0xf54/0x1df0
[ 36.028514]        preempt_schedule_common+0x22/0x60
[ 36.028518]        _cond_resched+0x1d/0x30
[ 36.028522]        wait_for_completion+0xa5/0x8d0
[ 36.028526]        __synchronize_srcu+0x189/0x240
[ 36.028530]        synchronize_srcu+0x335/0x56f
[ 36.028535]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 36.028538]        kvm_mmu_uninit_vm+0x1c/0x20
[ 36.028542]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 36.028546]        kvm_put_kvm+0x73f/0x1060
[ 36.028550]        kvm_vm_release+0x42/0x50
[ 36.028553]        __fput+0x38a/0xa40
[ 36.028557]        ____fput+0x15/0x20
[ 36.028560]        task_work_run+0x1e8/0x2a0
[ 36.028564]        do_exit+0x1ae4/0x26e0
[ 36.028568]        do_group_exit+0x177/0x440
[ 36.028572]        get_signal+0x851/0x18e0
[ 36.028575]        do_signal+0x9c/0x21c0
[ 36.028579]        exit_to_usermode_loop+0x2e5/0x380
[ 36.028584]        prepare_exit_to_usermode+0x342/0x3b0
[ 36.028587]        retint_user+0x8/0x18
[ 36.028589]
[ 36.028592] -> #2 (&rq->lock){-.-.}:
[ 36.028605]        _raw_spin_lock+0x2a/0x40
[ 36.028609]        task_fork_fair+0x93/0x680
[ 36.028613]        sched_fork+0x44b/0xbd0
[ 36.028616]        copy_process+0x235e/0x7ad0
[ 36.028620]        _do_fork+0x1ca/0x1170
[ 36.028624]        kernel_thread+0x34/0x40
[ 36.028627]        rest_init+0x22/0xe4
[ 36.028631]        start_kernel+0x913/0x94e
[ 36.028635]        x86_64_start_reservations+0x29/0x2b
[ 36.028639]        x86_64_start_kernel+0x76/0x79
[ 36.028643]        secondary_startup_64+0xa4/0xb0
[ 36.028645]
[ 36.028648] -> #1 (&p->pi_lock){-.-.}:
[ 36.028662]        _raw_spin_lock_irqsave+0x96/0xc0
[ 36.028666]        try_to_wake_up+0xd2/0x1250
[ 36.028669]        wake_up_process+0x10/0x20
[ 36.028673]        __up.isra.1+0x1c0/0x2a0
[ 36.028676]        up+0x13c/0x1c0
[ 36.028680]        __up_console_sem+0xbe/0x1b0
[ 36.028684]        console_unlock+0x506/0x10d0
[ 36.028688]        vprintk_emit+0x33a/0x910
[ 36.028691]        vprintk_default+0x28/0x30
[ 36.028695]        vprintk_func+0x7a/0x117
[ 36.028698]        printk+0xa7/0xcf
[ 36.028702]        load_umh+0x51/0xbd
[ 36.028706]        do_one_initcall+0x127/0x838
[ 36.028710]        kernel_init_freeable+0x4bb/0x5ae
[ 36.028713]        kernel_init+0x11/0x1b3
[ 36.028717]        ret_from_fork+0x3a/0x50
[ 36.028719]
[ 36.028722] -> #0 ((console_sem).lock){-...}:
[ 36.028736]        lock_acquire+0x1e4/0x4f0
[ 36.028748]        _raw_spin_lock_irqsave+0x96/0xc0
[ 36.028752]        down_trylock+0x13/0x70
[ 36.028756]        __down_trylock_console_sem+0xae/0x200
[ 36.028760]        console_trylock+0x15/0xa0
[ 36.028764]        vprintk_emit+0x31f/0x910
[ 36.028767]        vprintk_default+0x28/0x30
[ 36.028771]        vprintk_func+0x7a/0x117
[ 36.028775]        printk+0xa7/0xcf
[ 36.028778]        kasan_report+0x9e/0x110
[ 36.028783]        __asan_report_load8_noabort+0x14/0x20
[ 36.028786]        __schedule+0xf54/0x1df0
[ 36.028791]        preempt_schedule_common+0x22/0x60
[ 36.028794]        _cond_resched+0x1d/0x30
[ 36.028798]        wait_for_completion+0xa5/0x8d0
[ 36.028802]        __synchronize_srcu+0x189/0x240
[ 36.028806]        synchronize_srcu+0x335/0x56f
[ 36.028811]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 36.028815]        kvm_mmu_uninit_vm+0x1c/0x20
[ 36.028824]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 36.028828]        kvm_put_kvm+0x73f/0x1060
[ 36.028832]        kvm_vm_release+0x42/0x50
[ 36.028835]        __fput+0x38a/0xa40
[ 36.028839]        ____fput+0x15/0x20
[ 36.028843]        task_work_run+0x1e8/0x2a0
[ 36.028847]        do_exit+0x1ae4/0x26e0
[ 36.028851]        do_group_exit+0x177/0x440
[ 36.028854]        get_signal+0x851/0x18e0
[ 36.028858]        do_signal+0x9c/0x21c0
[ 36.028862]        exit_to_usermode_loop+0x2e5/0x380
[ 36.028866]        prepare_exit_to_usermode+0x342/0x3b0
[ 36.028870]        retint_user+0x8/0x18
[ 36.028872]
[ 36.028876] other info that might help us debug this:
[ 36.028879]
[ 36.028882] Chain exists of:
[ 36.028884]   (console_sem).lock --> &rq->lock --> report_lock
[ 36.028902]
[ 36.028905]  Possible unsafe locking scenario:
[ 36.028908]
[ 36.028912]        CPU0                    CPU1
[ 36.028916]        ----                    ----
[ 36.028918]   lock(report_lock);
[ 36.028927]                                lock(&rq->lock);
[ 36.028936]                                lock(report_lock);
[ 36.028944]   lock((console_sem).lock);
[ 36.028952]
[ 36.028955]  *** DEADLOCK ***
[ 36.028957]
[ 36.028961] 2 locks held by syz-executor624/4668:
[ 36.028963]  #0: 00000000d28486b6 (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0
[ 36.028980]  #1: 00000000c833bb40 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 36.028996]
[ 36.028999] stack backtrace:
[ 36.029005] CPU: 0 PID: 4668 Comm: syz-executor624 Not tainted 4.19.0-rc1+ #215
[ 36.029012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.029015] Call Trace:
[ 36.029018]  dump_stack+0x1c9/0x2b4
[ 36.029023]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 36.029027]  ? vprintk_func+0x100/0x117
[ 36.029031]  print_circular_bug.isra.34.cold.55+0x1bd/0x27d
[ 36.029035]  ? save_trace+0xe0/0x290
[ 36.029039]  __lock_acquire+0x3449/0x5020
[ 36.029043]  ? mark_held_locks+0x160/0x160
[ 36.029047]  ? mark_held_locks+0x160/0x160
[ 36.029051]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 36.029055]  ? is_bpf_text_address+0xd7/0x170
[ 36.029059]  ? kernel_text_address+0x79/0xf0
[ 36.029063]  ? __kernel_text_address+0xd/0x40
[ 36.029067]  ? __save_stack_trace+0x8d/0xf0
[ 36.029071]  ? add_lock_to_list.isra.27+0x1ec/0x4b0
[ 36.029075]  ? save_trace+0x290/0x290
[ 36.029079]  ? save_stack_trace+0x1a/0x20
[ 36.029082]  ? save_trace+0xe0/0x290
[ 36.029086]  ? graph_lock+0x170/0x170
[ 36.029091]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 36.029094]  lock_acquire+0x1e4/0x4f0
[ 36.029098]  ? down_trylock+0x13/0x70
[ 36.029102]  ? lock_release+0x9f0/0x9f0
[ 36.029106]  ? trace_hardirqs_off+0xb8/0x2b0
[ 36.029110]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 36.029114]  ? trace_hardirqs_off+0xb8/0x2b0
[ 36.029117]  ? log_store+0x34f/0x4c0
[ 36.029121]  ? vprintk_emit+0x31f/0x910
[ 36.029125]  _raw_spin_lock_irqsave+0x96/0xc0
[ 36.029129]  ? down_trylock+0x13/0x70
[ 36.029133]  down_trylock+0x13/0x70
[ 36.029137]  __down_trylock_console_sem+0xae/0x200
[ 36.029140]  console_trylock+0x15/0xa0
[ 36.029144]  vprintk_emit+0x31f/0x910
[ 36.029148]  ? wake_up_klogd+0x110/0x110
[ 36.029152]  ? run_rebalance_domains+0x4c0/0x4c0
[ 36.029156]  ? kasan_check_read+0x11/0x20
[ 36.029160]  ? rcu_is_watching+0x8c/0x150
[ 36.029164]  ? rcu_pm_notify+0xc0/0xc0
[ 36.029167]  ? lock_acquire+0x1e4/0x4f0
[ 36.029171]  ? kasan_report+0x8e/0x110
[ 36.029175]  ? __schedule+0xf54/0x1df0
[ 36.029179]  vprintk_default+0x28/0x30
[ 36.029182]  vprintk_func+0x7a/0x117
[ 36.029186]  printk+0xa7/0xcf
[ 36.029190]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 36.029194]  ? kasan_check_write+0x14/0x20
[ 36.029198]  ? do_raw_spin_lock+0xc1/0x200
[ 36.029201]  ? do_raw_spin_lock+0xc1/0x200
[ 36.029205]  kasan_report+0x9e/0x110
[ 36.029209]  __asan_report_load8_noabort+0x14/0x20
[ 36.029213]  __schedule+0xf54/0x1df0
[ 36.029217]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 36.029221]  ? __sched_text_start+0x8/0x8
[ 36.029225]  ? __call_srcu+0x7e7/0x1040
[ 36.029229]  ? check_same_owner+0x340/0x340
[ 36.029233]  ? mark_held_locks+0x160/0x160
[ 36.029237]  preempt_schedule_common+0x22/0x60
[ 36.029241]  _cond_resched+0x1d/0x30
[ 36.029245]  wait_for_completion+0xa5/0x8d0
[ 36.029249]  ? wait_for_completion_interruptible+0x950/0x950
[ 36.029253]  ? __lockdep_init_map+0x105/0x590
[ 36.029257]  ? __init_waitqueue_head+0x9e/0x150
[ 36.029261]  ? init_wait_entry+0x1c0/0x1c0
[ 36.029265]  __synchronize_srcu+0x189/0x240
[ 36.029268]  ? call_srcu+0x10/0x10
[ 36.029272]  ? rcu_unexpedite_gp+0x20/0x20
[ 36.029276]  synchronize_srcu+0x335/0x56f
[ 36.029280]  ? lock_downgrade+0x8f0/0x8f0
[ 36.029284]  ? synchronize_srcu_expedited+0x20/0x20
[ 36.029288]  ? kasan_check_read+0x11/0x20
[ 36.029292]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 36.029296]  ? kasan_check_write+0x14/0x20
[ 36.029300]  ? do_raw_spin_lock+0xc1/0x200
[ 36.029305]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 36.029309]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 36.029313]  ? kvfree+0x61/0x70
[ 36.029317]  ? rcu_read_lock_sched_held+0x108/0x120
[ 36.029321]  kvm_mmu_uninit_vm+0x1c/0x20
[ 36.029325]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 36.029329]  ? kvm_arch_sync_events+0x30/0x30
[ 36.029340]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 36.029344]  ? mmu_notifier_unregister+0x474/0x600
[ 36.029348]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 36.029352]  ? kfree+0x111/0x210
[ 36.029356]  ? __mmu_notifier_register+0x30/0x30
[ 36.029360]  ? __free_pages+0x10a/0x190
[ 36.029364]  ? free_unref_page+0x930/0x930
[ 36.029367]  kvm_put_kvm+0x73f/0x1060
[ 36.029372]  ? kvm_write_guest_cached+0x40/0x40
[ 36.029376]  ? _raw_spin_unlock_irq+0x27/0x70
[ 36.029380]  ? _raw_spin_unlock_irq+0x27/0x70
[ 36.029384]  ? kasan_check_write+0x14/0x20
[ 36.029388]  ? do_raw_spin_lock+0xc1/0x200
[ 36.029392]  ? kvm_irqfd_release+0xdd/0x120
[ 36.029396]  ? kvm_irqfd_release+0xdd/0x120
[ 36.029400]  ? kvm_put_kvm+0x1060/0x1060
[ 36.029403]  kvm_vm_release+0x42/0x50
[ 36.029407]  __fput+0x38a/0xa40
[ 36.029410]  ? __alloc_file+0x400/0x400
[ 36.029414]  ? check_same_owner+0x340/0x340
[ 36.029418]  ? kasan_check_write+0x14/0x20
[ 36.029422]  ? do_raw_spin_lock+0xc1/0x200
[ 36.029426]  ____fput+0x15/0x20
[ 36.029429]  task_work_run+0x1e8/0x2a0
[ 36.029433]  ? task_work_cancel+0x240/0x240
[ 36.029438]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 36.029442]  ? switch_task_namespaces+0xa2/0xd0
[ 36.029446]  do_exit+0x1ae4/0x26e0
[ 36.029450]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 36.029454]  ? mm_update_next_owner+0x9a0/0x9a0
[ 36.029458]  ? profiling_store+0xd0/0xd0
[ 36.029462]  ? kasan_check_write+0x14/0x20
[ 36.029466]  ? do_raw_spin_lock+0xc1/0x200
[ 36.029469]  ? do_coredump+0x477/0x3fff
[ 36.029472]  ? kasan_check_
[ 36.029480] Lost 69 message(s)!
[ 37.110515] Shutting down cpus with NMI
[ 38.171783] Dumping ftrace buffer:
[ 38.175310]    (ftrace buffer empty)
[ 38.178996] Kernel Offset: disabled
[ 38.182602] Rebooting in 86400 seconds..