[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 22.337742] random: sshd: uninitialized urandom read (32 bytes read) [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 27.458388] random: sshd: uninitialized urandom read (32 bytes read) [ 27.676468] random: sshd: uninitialized urandom read (32 bytes read) [ 28.146395] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.10.16' (ECDSA) to the list of known hosts. [ 33.858117] urandom_read: 1 callbacks suppressed [ 33.858124] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 33.964412] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 33.989543] ================================================================== [ 33.998367] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0 [ 34.004585] Read of size 8 at addr ffff8801b2f90058 by task syz-executor878/4463 [ 34.012101] [ 34.013718] CPU: 1 PID: 4463 Comm: syz-executor878 Not tainted 4.18.0+ #208 [ 34.020799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.030160] Call Trace: [ 34.032743] dump_stack+0x1c9/0x2b4 [ 34.036358] ? dump_stack_print_info.cold.2+0x52/0x52 [ 34.041539] ? printk+0xa7/0xcf [ 34.044807] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 34.049555] ? __schedule+0xf54/0x1df0 [ 34.053439] print_address_description+0x6c/0x20b [ 34.058273] ? __schedule+0xf54/0x1df0 [ 34.062152] kasan_report.cold.7+0x242/0x30d [ 34.066576] __asan_report_load8_noabort+0x14/0x20 [ 34.071502] __schedule+0xf54/0x1df0 [ 34.075214] ? __sched_text_start+0x8/0x8 [ 34.079355] ? _raw_spin_unlock_irqrestore+0xa1/0xc0 [ 34.084450] ? __call_srcu+0x7e7/0x1040 [ 34.088420] ? check_same_owner+0x340/0x340 [ 34.092735] ? mark_held_locks+0x160/0x160 [ 34.096957] ? find_held_lock+0x36/0x1c0 [ 34.101023] preempt_schedule_common+0x22/0x60 [ 34.105595] _cond_resched+0x1d/0x30 [ 34.109297] wait_for_completion+0xa5/0x8d0 [ 34.113615] ? wait_for_completion_interruptible+0x950/0x950 [ 34.119579] ? __lockdep_init_map+0x105/0x590 [ 34.124069] ? __init_waitqueue_head+0x9e/0x150 [ 34.128744] ? init_wait_entry+0x1c0/0x1c0 [ 34.132976] __synchronize_srcu+0x189/0x240 [ 34.137295] ? call_srcu+0x10/0x10 [ 34.140833] ? rcu_unexpedite_gp+0x20/0x20 [ 34.145067] synchronize_srcu+0x335/0x56f [ 34.149207] ? lock_downgrade+0x8f0/0x8f0 [ 34.153347] ? synchronize_srcu_expedited+0x20/0x20 [ 34.158362] ? kasan_check_read+0x11/0x20 [ 34.162507] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 34.167080] ? kasan_check_write+0x14/0x20 [ 34.171302] ? do_raw_spin_lock+0xc1/0x200 [ 34.175531] kvm_page_track_unregister_notifier+0x17d/0x250 [ 34.181246] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 34.186713] ? kvfree+0x61/0x70 [ 34.189984] ? rcu_read_lock_sched_held+0x108/0x120 [ 34.195030] kvm_mmu_uninit_vm+0x1c/0x20 [ 34.199087] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 34.203489] ? kvm_arch_sync_events+0x30/0x30 [ 34.207990] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 34.213524] ? mmu_notifier_unregister+0x474/0x600 [ 34.218442] ? trace_hardirqs_on+0x2c0/0x2c0 [ 34.222844] ? kfree+0x111/0x210 [ 34.226203] ? __mmu_notifier_register+0x30/0x30 [ 34.230953] ? __free_pages+0x10a/0x190 [ 34.234918] ? free_unref_page+0x930/0x930 [ 34.239157] kvm_put_kvm+0x73f/0x1060 [ 34.242959] ? kvm_write_guest_cached+0x40/0x40 [ 34.247626] ? _raw_spin_unlock_irq+0x27/0x70 [ 34.252127] ? _raw_spin_unlock_irq+0x27/0x70 [ 34.256614] ? lockdep_hardirqs_on+0x421/0x5c0 [ 34.261191] ? kasan_check_write+0x14/0x20 [ 34.265417] ? do_raw_spin_lock+0xc1/0x200 [ 34.269640] ? kvm_irqfd_release+0xdd/0x120 [ 34.273947] ? kvm_irqfd_release+0xdd/0x120 [ 34.278258] ? kvm_put_kvm+0x1060/0x1060 [ 34.282312] kvm_vm_release+0x42/0x50 [ 34.286111] __fput+0x36e/0x8c0 [ 34.289382] ? __alloc_file+0x400/0x400 [ 34.293348] ? check_same_owner+0x340/0x340 [ 34.297661] ? kasan_check_write+0x14/0x20 [ 34.301888] ? do_raw_spin_lock+0xc1/0x200 [ 34.306114] ____fput+0x15/0x20 [ 34.309382] task_work_run+0x1e8/0x2a0 [ 34.313257] ? task_work_cancel+0x240/0x240 [ 34.317577] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 34.323106] ? switch_task_namespaces+0xa2/0xd0 [ 34.327763] do_exit+0x1ae4/0x26e0 [ 34.331292] ? mm_update_next_owner+0x9a0/0x9a0 [ 34.335954] ? kvm_vcpu_ioctl+0x2b5/0x1280 [ 34.340189] ? rcu_read_lock_sched_held+0x108/0x120 [ 34.345194] ? kfree+0x1d7/0x210 [ 34.348551] ? kvm_vcpu_ioctl+0x2ba/0x1280 [ 34.352775] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 34.358498] ? is_bpf_text_address+0xd7/0x170 [ 34.362989] ? kernel_text_address+0x79/0xf0 [ 34.367393] ? __kernel_text_address+0xd/0x40 [ 34.371875] ? unwind_get_return_address+0x61/0xa0 [ 34.376792] ? __save_stack_trace+0x8d/0xf0 [ 34.381105] ? save_stack+0xa9/0xd0 [ 34.384720] ? save_stack+0x43/0xd0 [ 34.388337] ? __kasan_slab_free+0x11a/0x170 [ 34.392735] ? kasan_slab_free+0xe/0x10 [ 34.396708] ? putname+0xf2/0x130 [ 34.400151] ? __x64_sys_openat+0x9d/0x100 [ 34.404376] ? do_syscall_64+0x1b9/0x820 [ 34.408431] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 34.413788] ? trace_hardirqs_off+0xb8/0x2b0 [ 34.418185] ? kasan_check_read+0x11/0x20 [ 34.422325] ? do_raw_spin_unlock+0xa7/0x2f0 [ 34.426724] ? trace_hardirqs_on+0x2c0/0x2c0 [ 34.431142] ? initcall_blacklisted+0x9a/0x1e0 [ 34.435717] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 34.440830] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 34.446529] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 34.452060] ? do_vfs_ioctl+0x201/0x1720 [ 34.456111] ? rcu_is_watching+0x8c/0x150 [ 34.460245] ? trace_hardirqs_on+0xbd/0x2c0 [ 34.464574] ? ioctl_preallocate+0x300/0x300 [ 34.468978] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 34.474512] ? __fget_light+0x2f7/0x440 [ 34.478486] ? fget_raw+0x20/0x20 [ 34.481928] ? putname+0xf2/0x130 [ 34.485389] ? rcu_read_lock_sched_held+0x108/0x120 [ 34.490426] ? kmem_cache_free+0x246/0x280 [ 34.494655] ? putname+0xf7/0x130 [ 34.498102] do_group_exit+0x177/0x440 [ 34.501988] ? trace_hardirqs_on+0xbd/0x2c0 [ 34.506298] ? __ia32_sys_exit+0x50/0x50 [ 34.510349] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 34.515445] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 34.520985] ? ksys_ioctl+0x81/0xd0 [ 34.524601] __x64_sys_exit_group+0x3e/0x50 [ 34.528917] do_syscall_64+0x1b9/0x820 [ 34.532797] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 34.538168] ? syscall_return_slowpath+0x5e0/0x5e0 [ 34.543090] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 34.547920] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 34.552927] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 34.557932] ? prepare_exit_to_usermode+0x291/0x3b0 [ 34.562942] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 34.567782] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 34.572959] RIP: 0033:0x43ecf8 [ 34.576153] Code: Bad RIP value. [ 34.579518] RSP: 002b:00007ffc76c57978 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 34.587231] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecf8 [ 34.594500] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 34.601758] RBP: 00000000004be5a8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 34.609013] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 34.616285] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 34.623545] [ 34.625155] Allocated by task 4463: [ 34.628770] save_stack+0x43/0xd0 [ 34.632207] kasan_kmalloc+0xc4/0xe0 [ 34.635906] kasan_slab_alloc+0x12/0x20 [ 34.639864] kmem_cache_alloc+0x12e/0x710 [ 34.644003] vmx_create_vcpu+0xcf/0x2830 [ 34.648050] kvm_arch_vcpu_create+0xe5/0x220 [ 34.652445] kvm_vm_ioctl+0x488/0x1d80 [ 34.656325] do_vfs_ioctl+0x1de/0x1720 [ 34.660199] ksys_ioctl+0xa9/0xd0 [ 34.663637] __x64_sys_ioctl+0x73/0xb0 [ 34.667512] do_syscall_64+0x1b9/0x820 [ 34.671387] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 34.676555] [ 34.678165] Freed by task 4463: [ 34.681454] save_stack+0x43/0xd0 [ 34.684894] __kasan_slab_free+0x11a/0x170 [ 34.689115] kasan_slab_free+0xe/0x10 [ 34.692899] kmem_cache_free+0x86/0x280 [ 34.696858] vmx_free_vcpu+0x26b/0x300 [ 34.700730] kvm_arch_destroy_vm+0x365/0x7c0 [ 34.705130] kvm_put_kvm+0x73f/0x1060 [ 34.708916] kvm_vm_release+0x42/0x50 [ 34.712698] __fput+0x36e/0x8c0 [ 34.715970] ____fput+0x15/0x20 [ 34.719252] task_work_run+0x1e8/0x2a0 [ 34.723126] do_exit+0x1ae4/0x26e0 [ 34.726651] do_group_exit+0x177/0x440 [ 34.730522] __x64_sys_exit_group+0x3e/0x50 [ 34.734831] do_syscall_64+0x1b9/0x820 [ 34.738707] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 34.743878] [ 34.745494] The buggy address belongs to the object at ffff8801b2f90040 [ 34.745494] which belongs to the cache kvm_vcpu of size 23872 [ 34.758052] The buggy address is located 24 bytes inside of [ 34.758052] 23872-byte region [ffff8801b2f90040, ffff8801b2f95d80) [ 34.769997] The buggy address belongs to the page: [ 34.774927] page:ffffea0006cbe400 count:1 mapcount:0 mapping:ffff8801d4b54600 index:0x0 compound_mapcount: 0 [ 34.784887] flags: 0x2fffc0000008100(slab|head) [ 34.789545] raw: 02fffc0000008100 ffff8801d4b55348 ffff8801d4b55348 ffff8801d4b54600 [ 34.797413] raw: 0000000000000000 ffff8801b2f90040 0000000100000001 0000000000000000 [ 34.805364] page dumped because: kasan: bad access detected [ 34.811053] [ 34.812679] Memory state around the buggy address: [ 34.817592] ffff8801b2f8ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.824935] ffff8801b2f8ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 34.832443] >ffff8801b2f90000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 34.839855] ^ [ 34.846104] ffff8801b2f90080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.853460] ffff8801b2f90100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 34.860799] ================================================================== [ 34.868140] Kernel panic - not syncing: panic_on_warn set ... [ 34.868140] [ 34.875493] CPU: 1 PID: 4463 Comm: syz-executor878 Tainted: G B 4.18.0+ #208 [ 34.883969] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 34.893304] Call Trace: [ 34.895883] dump_stack+0x1c9/0x2b4 [ 34.899500] ? dump_stack_print_info.cold.2+0x52/0x52 [ 34.904678] ? lock_downgrade+0x8f0/0x8f0 [ 34.908813] ? __schedule+0xf54/0x1df0 [ 34.912687] panic+0x238/0x4e7 [ 34.915866] ? add_taint.cold.5+0x16/0x16 [ 34.920004] ? print_shadow_for_address+0xba/0x116 [ 34.924919] ? trace_hardirqs_off+0xaf/0x2b0 [ 34.929317] ? trace_hardirqs_off+0x77/0x2b0 [ 34.933711] ? __schedule+0xf54/0x1df0 [ 34.937602] kasan_end_report+0x47/0x4f [ 34.941579] kasan_report.cold.7+0x76/0x30d [ 34.945890] __asan_report_load8_noabort+0x14/0x20 [ 34.950805] __schedule+0xf54/0x1df0 [ 34.954506] ? __sched_text_start+0x8/0x8 [ 34.958639] ? _raw_spin_unlock_irqrestore+0xa1/0xc0 [ 34.963728] ? __call_srcu+0x7e7/0x1040 [ 34.967696] ? check_same_owner+0x340/0x340 [ 34.972002] ? mark_held_locks+0x160/0x160 [ 34.976220] ? find_held_lock+0x36/0x1c0 [ 34.980271] preempt_schedule_common+0x22/0x60 [ 34.984858] _cond_resched+0x1d/0x30 [ 34.988557] wait_for_completion+0xa5/0x8d0 [ 34.992866] ? wait_for_completion_interruptible+0x950/0x950 [ 34.998668] ? __lockdep_init_map+0x105/0x590 [ 35.003155] ? __init_waitqueue_head+0x9e/0x150 [ 35.007810] ? init_wait_entry+0x1c0/0x1c0 [ 35.012034] __synchronize_srcu+0x189/0x240 [ 35.016338] ? call_srcu+0x10/0x10 [ 35.019865] ? rcu_unexpedite_gp+0x20/0x20 [ 35.024091] synchronize_srcu+0x335/0x56f [ 35.028241] ? lock_downgrade+0x8f0/0x8f0 [ 35.032374] ? synchronize_srcu_expedited+0x20/0x20 [ 35.037377] ? kasan_check_read+0x11/0x20 [ 35.041512] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 35.046081] ? kasan_check_write+0x14/0x20 [ 35.050302] ? do_raw_spin_lock+0xc1/0x200 [ 35.054529] kvm_page_track_unregister_notifier+0x17d/0x250 [ 35.060229] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 35.065664] ? kvfree+0x61/0x70 [ 35.068938] ? rcu_read_lock_sched_held+0x108/0x120 [ 35.073950] kvm_mmu_uninit_vm+0x1c/0x20 [ 35.078000] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 35.082393] ? kvm_arch_sync_events+0x30/0x30 [ 35.086881] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 35.092408] ? mmu_notifier_unregister+0x474/0x600 [ 35.097328] ? trace_hardirqs_on+0x2c0/0x2c0 [ 35.101719] ? kfree+0x111/0x210 [ 35.105098] ? __mmu_notifier_register+0x30/0x30 [ 35.109859] ? __free_pages+0x10a/0x190 [ 35.113817] ? free_unref_page+0x930/0x930 [ 35.118044] kvm_put_kvm+0x73f/0x1060 [ 35.121853] ? kvm_write_guest_cached+0x40/0x40 [ 35.126539] ? _raw_spin_unlock_irq+0x27/0x70 [ 35.131030] ? _raw_spin_unlock_irq+0x27/0x70 [ 35.135509] ? lockdep_hardirqs_on+0x421/0x5c0 [ 35.140079] ? kasan_check_write+0x14/0x20 [ 35.144301] ? do_raw_spin_lock+0xc1/0x200 [ 35.148523] ? kvm_irqfd_release+0xdd/0x120 [ 35.152829] ? kvm_irqfd_release+0xdd/0x120 [ 35.157157] ? kvm_put_kvm+0x1060/0x1060 [ 35.161204] kvm_vm_release+0x42/0x50 [ 35.164989] __fput+0x36e/0x8c0 [ 35.168258] ? __alloc_file+0x400/0x400 [ 35.172216] ? check_same_owner+0x340/0x340 [ 35.176523] ? kasan_check_write+0x14/0x20 [ 35.180745] ? do_raw_spin_lock+0xc1/0x200 [ 35.184967] ____fput+0x15/0x20 [ 35.188235] task_work_run+0x1e8/0x2a0 [ 35.192111] ? task_work_cancel+0x240/0x240 [ 35.196443] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 35.201970] ? switch_task_namespaces+0xa2/0xd0 [ 35.206634] do_exit+0x1ae4/0x26e0 [ 35.210163] ? mm_update_next_owner+0x9a0/0x9a0 [ 35.214821] ? kvm_vcpu_ioctl+0x2b5/0x1280 [ 35.219045] ? rcu_read_lock_sched_held+0x108/0x120 [ 35.224046] ? kfree+0x1d7/0x210 [ 35.227400] ? kvm_vcpu_ioctl+0x2ba/0x1280 [ 35.231625] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 35.237323] ? is_bpf_text_address+0xd7/0x170 [ 35.241801] ? kernel_text_address+0x79/0xf0 [ 35.246194] ? __kernel_text_address+0xd/0x40 [ 35.250676] ? unwind_get_return_address+0x61/0xa0 [ 35.255593] ? __save_stack_trace+0x8d/0xf0 [ 35.259904] ? save_stack+0xa9/0xd0 [ 35.263523] ? save_stack+0x43/0xd0 [ 35.267134] ? __kasan_slab_free+0x11a/0x170 [ 35.271525] ? kasan_slab_free+0xe/0x10 [ 35.275484] ? putname+0xf2/0x130 [ 35.278932] ? __x64_sys_openat+0x9d/0x100 [ 35.283152] ? do_syscall_64+0x1b9/0x820 [ 35.287201] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.292552] ? trace_hardirqs_off+0xb8/0x2b0 [ 35.296948] ? kasan_check_read+0x11/0x20 [ 35.301084] ? do_raw_spin_unlock+0xa7/0x2f0 [ 35.305480] ? trace_hardirqs_on+0x2c0/0x2c0 [ 35.309887] ? initcall_blacklisted+0x9a/0x1e0 [ 35.314655] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 35.319761] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 35.325478] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.331137] ? do_vfs_ioctl+0x201/0x1720 [ 35.335194] ? rcu_is_watching+0x8c/0x150 [ 35.339341] ? trace_hardirqs_on+0xbd/0x2c0 [ 35.343664] ? ioctl_preallocate+0x300/0x300 [ 35.348075] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.353609] ? __fget_light+0x2f7/0x440 [ 35.357577] ? fget_raw+0x20/0x20 [ 35.361018] ? putname+0xf2/0x130 [ 35.364462] ? rcu_read_lock_sched_held+0x108/0x120 [ 35.369465] ? kmem_cache_free+0x246/0x280 [ 35.373691] ? putname+0xf7/0x130 [ 35.377159] do_group_exit+0x177/0x440 [ 35.381041] ? trace_hardirqs_on+0xbd/0x2c0 [ 35.385349] ? __ia32_sys_exit+0x50/0x50 [ 35.389394] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 35.394487] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 35.400009] ? ksys_ioctl+0x81/0xd0 [ 35.403623] __x64_sys_exit_group+0x3e/0x50 [ 35.407938] do_syscall_64+0x1b9/0x820 [ 35.411818] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 35.417171] ? syscall_return_slowpath+0x5e0/0x5e0 [ 35.422086] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 35.426921] ? trace_hardirqs_on_caller+0x2b0/0x2b0 [ 35.431929] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 35.436935] ? prepare_exit_to_usermode+0x291/0x3b0 [ 35.441940] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 35.446776] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.451952] RIP: 0033:0x43ecf8 [ 35.455138] Code: Bad RIP value. [ 35.458504] RSP: 002b:00007ffc76c57978 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 35.466216] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecf8 [ 35.473473] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 35.480731] RBP: 00000000004be5a8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 35.487985] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 35.495239] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000 [ 35.502505] [ 35.502509] ====================================================== [ 35.502513] WARNING: possible circular locking dependency detected [ 35.502516] 4.18.0+ #208 Not tainted [ 35.502520] ------------------------------------------------------ [ 35.502524] syz-executor878/4463 is trying to acquire lock: [ 35.502527] 000000009e3fdba4 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 [ 35.502538] [ 35.502541] but task is already holding lock: [ 35.502543] 0000000064eb3ffc (report_lock){....}, at: kasan_report+0x8e/0x110 [ 35.502553] [ 35.502557] which lock already depends on the new lock. [ 35.502558] [ 35.502560] [ 35.502564] the existing dependency chain (in reverse order) is: [ 35.502566] [ 35.502567] -> #3 (report_lock){....}: [ 35.502578] _raw_spin_lock_irqsave+0x96/0xc0 [ 35.502581] kasan_report+0x8e/0x110 [ 35.502584] __asan_report_load8_noabort+0x14/0x20 [ 35.502587] __schedule+0xf54/0x1df0 [ 35.502591] preempt_schedule_common+0x22/0x60 [ 35.502594] _cond_resched+0x1d/0x30 [ 35.502597] wait_for_completion+0xa5/0x8d0 [ 35.502600] __synchronize_srcu+0x189/0x240 [ 35.502603] synchronize_srcu+0x335/0x56f [ 35.502607] kvm_page_track_unregister_notifier+0x17d/0x250 [ 35.502610] kvm_mmu_uninit_vm+0x1c/0x20 [ 35.502614] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 35.502617] kvm_put_kvm+0x73f/0x1060 [ 35.502619] kvm_vm_release+0x42/0x50 [ 35.502622] __fput+0x36e/0x8c0 [ 35.502625] ____fput+0x15/0x20 [ 35.502628] task_work_run+0x1e8/0x2a0 [ 35.502631] do_exit+0x1ae4/0x26e0 [ 35.502634] do_group_exit+0x177/0x440 [ 35.502637] __x64_sys_exit_group+0x3e/0x50 [ 35.502640] do_syscall_64+0x1b9/0x820 [ 35.502644] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.502645] [ 35.502647] -> #2 (&rq->lock){-.-.}: [ 35.502657] _raw_spin_lock+0x2a/0x40 [ 35.502660] task_fork_fair+0x93/0x680 [ 35.502667] sched_fork+0x44b/0xbd0 [ 35.502671] copy_process+0x235e/0x7ad0 [ 35.502673] _do_fork+0x1ca/0x1170 [ 35.502676] kernel_thread+0x34/0x40 [ 35.502679] rest_init+0x22/0xe4 [ 35.502682] start_kernel+0x913/0x94e [ 35.502685] x86_64_start_reservations+0x29/0x2b [ 35.502689] x86_64_start_kernel+0x76/0x79 [ 35.502692] secondary_startup_64+0xa4/0xb0 [ 35.502693] [ 35.502695] -> #1 (&p->pi_lock){-.-.}: [ 35.502706] _raw_spin_lock_irqsave+0x96/0xc0 [ 35.502709] try_to_wake_up+0xd2/0x1250 [ 35.502712] wake_up_process+0x10/0x20 [ 35.502715] __up.isra.1+0x1c0/0x2a0 [ 35.502717] up+0x13c/0x1c0 [ 35.502720] __up_console_sem+0xbe/0x1b0 [ 35.502723] console_unlock+0x506/0x10d0 [ 35.502726] vprintk_emit+0x33a/0x910 [ 35.502729] vprintk_default+0x28/0x30 [ 35.502732] vprintk_func+0x7a/0x117 [ 35.502735] printk+0xa7/0xcf [ 35.502737] load_umh+0x51/0xbd [ 35.502741] do_one_initcall+0x127/0x838 [ 35.502744] kernel_init_freeable+0x4bb/0x5ae [ 35.502747] kernel_init+0x11/0x1b3 [ 35.502750] ret_from_fork+0x3a/0x50 [ 35.502751] [ 35.502753] -> #0 ((console_sem).lock){-...}: [ 35.502763] lock_acquire+0x1e4/0x4f0 [ 35.502767] _raw_spin_lock_irqsave+0x96/0xc0 [ 35.502770] down_trylock+0x13/0x70 [ 35.502773] __down_trylock_console_sem+0xae/0x200 [ 35.502776] console_trylock+0x15/0xa0 [ 35.502779] vprintk_emit+0x31f/0x910 [ 35.502782] vprintk_default+0x28/0x30 [ 35.502785] vprintk_func+0x7a/0x117 [ 35.502788] printk+0xa7/0xcf [ 35.502791] kasan_report+0x9e/0x110 [ 35.502794] __asan_report_load8_noabort+0x14/0x20 [ 35.502797] __schedule+0xf54/0x1df0 [ 35.502801] preempt_schedule_common+0x22/0x60 [ 35.502804] _cond_resched+0x1d/0x30 [ 35.502807] wait_for_completion+0xa5/0x8d0 [ 35.502810] __synchronize_srcu+0x189/0x240 [ 35.502813] synchronize_srcu+0x335/0x56f [ 35.502817] kvm_page_track_unregister_notifier+0x17d/0x250 [ 35.502820] kvm_mmu_uninit_vm+0x1c/0x20 [ 35.502824] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 35.502827] kvm_put_kvm+0x73f/0x1060 [ 35.502830] kvm_vm_release+0x42/0x50 [ 35.502832] __fput+0x36e/0x8c0 [ 35.502835] ____fput+0x15/0x20 [ 35.502838] task_work_run+0x1e8/0x2a0 [ 35.502841] do_exit+0x1ae4/0x26e0 [ 35.502844] do_group_exit+0x177/0x440 [ 35.502847] __x64_sys_exit_group+0x3e/0x50 [ 35.502850] do_syscall_64+0x1b9/0x820 [ 35.502854] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 35.502855] [ 35.502858] other info that might help us debug this: [ 35.502860] [ 35.502862] Chain exists of: [ 35.502864] (console_sem).lock --> &rq->lock --> report_lock [ 35.502877] [ 35.502880] Possible unsafe locking scenario: [ 35.502882] [ 35.502885] CPU0 CPU1 [ 35.502888] ---- ---- [ 35.502890] lock(report_lock); [ 35.502904] lock(&rq->lock); [ 35.502911] lock(report_lock); [ 35.502917] lock((console_sem).lock); [ 35.502923] [ 35.502925] *** DEADLOCK *** [ 35.502927] [ 35.502930] 2 locks held by syz-executor878/4463: [ 35.502932] #0: 00000000af44ec18 (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0 [ 35.502944] #1: 0000000064eb3ffc (report_lock){....}, at: kasan_report+0x8e/0x110 [ 35.502957] [ 35.502959] stack backtrace: [ 35.502964] CPU: 1 PID: 4463 Comm: syz-executor878 Not tainted 4.18.0+ #208 [ 35.502970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 35.502972] Call Trace: [ 35.502975] dump_stack+0x1c9/0x2b4 [ 35.502979] ? dump_stack_print_info.cold.2+0x52/0x52 [ 35.502982] ? vprintk_func+0x100/0x117 [ 35.502986] print_circular_bug.isra.34.cold.55+0x1bd/0x27d [ 35.502989] ? save_trace+0xe0/0x290 [ 35.502992] __lock_acquire+0x3449/0x5020 [ 35.502995] ? mark_held_locks+0x160/0x160 [ 35.502999] ? mark_held_locks+0x160/0x160 [ 35.503002] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 35.503005] ? is_bpf_text_address+0xd7/0x170 [ 35.503009] ? kernel_text_address+0x79/0xf0 [ 35.503012] ? __kernel_text_address+0xd/0x40 [ 35.503015] ? __save_stack_trace+0x8d/0xf0 [ 35.503019] ? add_lock_to_list.isra.27+0x1ec/0x4b0 [ 35.503022] ? save_trace+0x290/0x290 [ 35.503025] ? save_stack_trace+0x1a/0x20 [ 35.503028] ? save_trace+0xe0/0x290 [ 35.503031] ? graph_lock+0x170/0x170 [ 35.503035] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 35.503038] lock_acquire+0x1e4/0x4f0 [ 35.503041] ? down_trylock+0x13/0x70 [ 35.503044] ? lock_release+0x9f0/0x9f0 [ 35.503047] ? trace_hardirqs_off+0xb8/0x2b0 [ 35.503051] ? trace_hardirqs_on+0x2c0/0x2c0 [ 35.503054] ? trace_hardirqs_off+0xb8/0x2b0 [ 35.503057] ? log_store+0x34f/0x4c0 [ 35.503060] ? vprintk_emit+0x31f/0x910 [ 35.503063] _raw_spin_lock_irqsave+0x96/0xc0 [ 35.503066] ? down_trylock+0x13/0x70 [ 35.503069] down_trylock+0x13/0x70 [ 35.503073] __down_trylock_console_sem+0xae/0x200 [ 35.503076] console_trylock+0x15/0xa0 [ 35.503079] vprintk_emit+0x31f/0x910 [ 35.503082] ? wake_up_klogd+0x110/0x110 [ 35.503085] ? run_rebalance_domains+0x4c0/0x4c0 [ 35.503089] ? kasan_check_read+0x11/0x20 [ 35.503092] ? rcu_is_watching+0x8c/0x150 [ 35.503095] ? rcu_pm_notify+0xc0/0xc0 [ 35.503098] ? lock_acquire+0x1e4/0x4f0 [ 35.503101] ? kasan_report+0x8e/0x110 [ 35.503104] ? __schedule+0xf54/0x1df0 [ 35.503107] vprintk_default+0x28/0x30 [ 35.503110] vprintk_func+0x7a/0x117 [ 35.503112] printk+0xa7/0xcf [ 35.503116] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 35.503119] ? kasan_check_write+0x14/0x20 [ 35.503122] ? do_raw_spin_lock+0xc1/0x200 [ 35.503125] ? do_raw_spin_lock+0xc1/0x200 [ 35.503128] kasan_report+0x9e/0x110 [ 35.503132] __asan_report_load8_noabort+0x14/0x20 [ 35.503135] __schedule+0xf54/0x1df0 [ 35.503138] ? __sched_text_start+0x8/0x8 [ 35.503142] ? _raw_spin_unlock_irqrestore+0xa1/0xc0 [ 35.503145] ? __call_srcu+0x7e7/0x1040 [ 35.503148] ? check_same_owner+0x340/0x340 [ 35.503152] ? mark_held_locks+0x160/0x160 [ 35.503155] ? find_held_lock+0x36/0x1c0 [ 35.503158] preempt_schedule_common+0x22/0x60 [ 35.503161] _cond_resched+0x1d/0x30 [ 35.503165] wait_for_completion+0xa5/0x8d0 [ 35.503170] ? wait_for_completion_interruptible+0x950/0x950 [ 35.503173] ? __lockdep_init_map+0x105/0x590 [ 35.503177] ? __init_waitqueue_head+0x9e/0x150 [ 35.503180] ? init_wait_entry+0x1c0/0x1c0 [ 35.503183] __synchronize_srcu+0x189/0x240 [ 35.503186] ? call_srcu+0x10/0x10 [ 35.503189] ? rcu_unexpedite_gp+0x20/0x20 [ 35.503192] synchronize_srcu+0x335/0x56f [ 35.503195] ? lock_downgrade+0x8f0/0x8f0 [ 35.503199] ? synchronize_srcu_expedited+0x20/0x20 [ 35.503202] ? kasan_check_read+0x11/0x20 [ 35.503206] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 35.503209] ? kasan_check_write+0x14/0x20 [ 35.503212] ? do_raw_spin_lock+0xc1/0x200 [ 35.503216] kvm_page_track_unregister_notifier+0x17d/0x250 [ 35.503220] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 35.503222] ? kvfree+0x61/0x70 [ 35.503226] ? rcu_read_lock_sched_held+0x108/0x120 [ 35.503229] kvm_mmu_uninit_vm+0x1c/0x20 [ 35.503233] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 35.503236] ? kvm_arch_sync_events+0x30/0x30 [ 35.503240] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 35.503243] ? mmu_notifier_unregister+0x474/0x600 [ 35.503247] ? trace_hardirqs_on+0x2c0/0x2c0 [ 35.503250] ? kfree+0x111/0x210 [ 35.503253] ? __mmu_notifier_register+0x30/0x30 [ 35.503256] ? __free_pages+0x10a/0x190 [ 35.503259] ? free_unref_page+0x930/0x930 [ 35.503262] kvm_put_kvm+0x73f/0x1060 [ 35.503266] ? kvm_write_guest_cached+0x40/0x40 [ 35.503269] ? _raw_spin_unlock_irq+0x27/0x70 [ 35.503272] ? _raw_spin_unlock_irq+0x27/0x70 [ 35.503276] ? lockdep_hardirqs_on+0x421/0x5c0 [ 35.503279] ? kasan_check_write+0x14/0x20 [ 35.503282] ? do_raw_spin_lock+0xc1/0x200 [ 35.503285] ? kvm_irqfd_release+0xdd/0x120 [ 35.503289] ? kvm_irqfd_release+0xdd/0x120 [ 35.503292] ? kvm_put_kvm+0x1060/0x1060 [ 35.503295] kvm_vm_release+0x42/0x50 [ 35.503298] __fput+0x36e/0x8c0 [ 35.503301] ? __alloc_file+0x400/0x400 [ 35.503304] ? check_same_owner+0x340/0x340 [ 35.503307] ? kasan_check_write+0x14/0x20 [ 35.503310] ? do_raw_spin_lock+0xc1/0x200 [ 35.503313] ____fput+0x15/0x20 [ 35.503316] task_work_run+0x1e8/0x2a0 [ 35.503319] ? task_work_cancel+0x240/0x240 [ 35.503323] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 35.503326] ? switch_task_namespaces+0xa2/0xd0 [ 35.503329] do_exit+0x1ae4/0x26e0 [ 35.503333] ? mm_update_next_owner+0x9a0/0x9a0 [ 35.503336] ? kvm_vcpu_ioctl+0x2b5/0x1280 [ 35.503340] ? rcu_read_lock_sched_held+0x108/0x120 [ 35.503342] ? kfree+0x1d7/0x210 [ 35.503346] ? kvm_vcpu_ioctl+0x2ba/0x1280 [ 35.503350] ? kvm_uevent_notify_change.part.32+0x440/0x440 [ 35.503353] ? is_bpf_text_address+0xd7/0x170 [ 35.503355] ? kernel_ [ 35.503361] Lost 55 message(s)! [ 36.572150] Shutting down cpus with NMI [ 37.632592] Dumping ftrace buffer: [ 37.636114] (ftrace buffer empty) [ 37.639804] Kernel Offset: disabled [ 37.643452] Rebooting in 86400 seconds..