[....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd[ 20.598572] random: sshd: uninitialized urandom read (32 bytes read) [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 23.134847] random: sshd: uninitialized urandom read (32 bytes read) [ 23.526190] random: sshd: uninitialized urandom read (32 bytes read) [ 24.069129] random: sshd: uninitialized urandom read (32 bytes read) [ 24.253519] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts. [ 30.005933] random: sshd: uninitialized urandom read (32 bytes read) executing program [ 30.105865] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 30.131312] ================================================================== [ 30.141260] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0 [ 30.147515] Read of size 8 at addr ffff8801cad88058 by task syz-executor221/4300 [ 30.155059] [ 30.156694] CPU: 1 PID: 4300 Comm: syz-executor221 Not tainted 4.19.0-rc2+ #226 [ 30.164135] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.173488] Call Trace: [ 30.176102] dump_stack+0x1c9/0x2b4 [ 30.179730] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.184921] ? printk+0xa7/0xcf [ 30.188203] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 30.192967] ? __schedule+0xf54/0x1df0 [ 30.196867] print_address_description+0x6c/0x20b [ 30.201725] ? __schedule+0xf54/0x1df0 [ 30.205613] kasan_report.cold.7+0x242/0x30d [ 30.210025] __asan_report_load8_noabort+0x14/0x20 [ 30.214969] __schedule+0xf54/0x1df0 [ 30.218689] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 30.223793] ? __sched_text_start+0x8/0x8 [ 30.227940] ? __call_srcu+0x7e7/0x1040 [ 30.231918] ? check_same_owner+0x340/0x340 [ 30.236240] ? mark_held_locks+0x160/0x160 [ 30.240472] ? 
find_held_lock+0x36/0x1c0 [ 30.244555] preempt_schedule_common+0x22/0x60 [ 30.249136] _cond_resched+0x1d/0x30 [ 30.252849] wait_for_completion+0xa5/0x8d0 [ 30.257169] ? wait_for_completion_interruptible+0x950/0x950 [ 30.263003] ? __lockdep_init_map+0x105/0x590 [ 30.267508] ? __init_waitqueue_head+0x9e/0x150 [ 30.272177] ? init_wait_entry+0x1c0/0x1c0 [ 30.276433] __synchronize_srcu+0x189/0x240 [ 30.280777] ? call_srcu+0x10/0x10 [ 30.284326] ? rcu_unexpedite_gp+0x20/0x20 [ 30.288568] synchronize_srcu+0x335/0x56f [ 30.292713] ? lock_downgrade+0x8f0/0x8f0 [ 30.296863] ? synchronize_srcu_expedited+0x20/0x20 [ 30.301879] ? kasan_check_read+0x11/0x20 [ 30.306026] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 30.310623] ? kasan_check_write+0x14/0x20 [ 30.314862] ? do_raw_spin_lock+0xc1/0x200 [ 30.319097] kvm_page_track_unregister_notifier+0x17d/0x250 [ 30.324812] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 30.330295] ? kvfree+0x61/0x70 [ 30.333596] ? rcu_read_lock_sched_held+0x108/0x120 [ 30.338623] kvm_mmu_uninit_vm+0x1c/0x20 [ 30.342691] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 30.347098] ? kvm_arch_sync_events+0x30/0x30 [ 30.351624] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.357179] ? mmu_notifier_unregister+0x474/0x600 [ 30.362109] ? trace_hardirqs_on+0x2c0/0x2c0 [ 30.366526] ? kfree+0x111/0x210 [ 30.369937] ? __mmu_notifier_register+0x30/0x30 [ 30.374710] ? __free_pages+0x10a/0x190 [ 30.378685] ? free_unref_page+0x930/0x930 [ 30.382933] kvm_put_kvm+0x73f/0x1060 [ 30.386740] ? kvm_write_guest_cached+0x40/0x40 [ 30.391417] ? _raw_spin_unlock_irq+0x27/0x70 [ 30.395911] ? _raw_spin_unlock_irq+0x27/0x70 [ 30.400409] ? lockdep_hardirqs_on+0x421/0x5c0 [ 30.404997] ? kasan_check_write+0x14/0x20 [ 30.409244] ? do_raw_spin_lock+0xc1/0x200 [ 30.413535] ? kvm_irqfd_release+0xdd/0x120 [ 30.417856] ? kvm_irqfd_release+0xdd/0x120 [ 30.422185] ? kvm_put_kvm+0x1060/0x1060 [ 30.426248] kvm_vm_release+0x42/0x50 [ 30.430049] __fput+0x38a/0xa40 [ 30.433329] ? 
__alloc_file+0x400/0x400 [ 30.437332] ? check_same_owner+0x340/0x340 [ 30.441696] ? kasan_check_write+0x14/0x20 [ 30.445946] ? do_raw_spin_lock+0xc1/0x200 [ 30.450187] ____fput+0x15/0x20 [ 30.453491] task_work_run+0x1e8/0x2a0 [ 30.457397] ? task_work_cancel+0x240/0x240 [ 30.461744] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.467298] ? switch_task_namespaces+0xa2/0xd0 [ 30.471976] do_exit+0x1ae4/0x26e0 [ 30.475529] ? mm_update_next_owner+0x9a0/0x9a0 [ 30.480199] ? rcu_pm_notify+0xc0/0xc0 [ 30.484089] ? mark_held_locks+0x160/0x160 [ 30.488321] ? kmem_cache_free+0x246/0x280 [ 30.492567] ? sock_destroy_inode+0x51/0x60 [ 30.497196] ? sockfs_dname+0x90/0x90 [ 30.500994] ? destroy_inode+0x15e/0x200 [ 30.505064] ? __destroy_inode+0x7f0/0x7f0 [ 30.509334] ? kasan_check_write+0x14/0x20 [ 30.513566] ? do_raw_spin_lock+0xc1/0x200 [ 30.517799] ? evict+0x5d5/0x990 [ 30.521166] ? destroy_inode+0x200/0x200 [ 30.525250] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 30.530793] ? kasan_check_read+0x11/0x20 [ 30.534942] ? do_raw_spin_unlock+0xa7/0x2f0 [ 30.539351] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 30.543932] ? find_held_lock+0x36/0x1c0 [ 30.547999] ? __fget_light+0x2f7/0x440 [ 30.551997] ? fget_raw+0x20/0x20 [ 30.555445] ? lock_downgrade+0x8f0/0x8f0 [ 30.559592] ? kasan_check_read+0x11/0x20 [ 30.563741] ? do_raw_spin_unlock+0xa7/0x2f0 [ 30.568152] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 30.572758] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 30.577774] ? __fget_light+0x2f7/0x440 [ 30.581764] ? fget_raw+0x20/0x20 [ 30.585215] ? sockfd_lookup_light+0xc5/0x160 [ 30.589736] ? __sys_setsockopt+0x257/0x3b0 [ 30.594073] do_group_exit+0x177/0x440 [ 30.597996] ? trace_hardirqs_on+0xbd/0x2c0 [ 30.602323] ? __ia32_sys_exit+0x50/0x50 [ 30.606890] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 30.612022] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 30.617585] ? ksys_ioctl+0x81/0xd0 [ 30.621218] __x64_sys_exit_group+0x3e/0x50 [ 30.625540] do_syscall_64+0x1b9/0x820 [ 30.629434] ? 
entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 30.634800] ? syscall_return_slowpath+0x5e0/0x5e0 [ 30.639727] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.644569] ? trace_hardirqs_on_caller+0x2c0/0x2c0 [ 30.649592] ? prepare_exit_to_usermode+0x291/0x3b0 [ 30.654611] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.659452] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.664636] RIP: 0033:0x43f308 [ 30.667835] Code: Bad RIP value. [ 30.671196] RSP: 002b:00007ffd4f475838 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 30.678903] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f308 [ 30.686172] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 30.693436] RBP: 00000000004bede8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 30.700713] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 30.707977] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 30.715249] [ 30.716874] Allocated by task 4300: [ 30.720511] save_stack+0x43/0xd0 [ 30.723977] kasan_kmalloc+0xc4/0xe0 [ 30.727729] kasan_slab_alloc+0x12/0x20 [ 30.731696] kmem_cache_alloc+0x12e/0x710 [ 30.735842] vmx_create_vcpu+0xcf/0x2830 [ 30.739901] kvm_arch_vcpu_create+0xe5/0x220 [ 30.744317] kvm_vm_ioctl+0x488/0x1d80 [ 30.748231] do_vfs_ioctl+0x1de/0x1720 [ 30.752211] ksys_ioctl+0xa9/0xd0 [ 30.755648] __x64_sys_ioctl+0x73/0xb0 [ 30.759531] do_syscall_64+0x1b9/0x820 [ 30.763428] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.768609] [ 30.770229] Freed by task 4300: [ 30.773507] save_stack+0x43/0xd0 [ 30.776973] __kasan_slab_free+0x11a/0x170 [ 30.781201] kasan_slab_free+0xe/0x10 [ 30.785018] kmem_cache_free+0x86/0x280 [ 30.789026] vmx_free_vcpu+0x26b/0x300 [ 30.792914] kvm_arch_destroy_vm+0x365/0x7c0 [ 30.797348] kvm_put_kvm+0x73f/0x1060 [ 30.801142] kvm_vm_release+0x42/0x50 [ 30.804966] __fput+0x38a/0xa40 [ 30.808247] ____fput+0x15/0x20 [ 30.811528] task_work_run+0x1e8/0x2a0 [ 30.815411] do_exit+0x1ae4/0x26e0 [ 30.818946] do_group_exit+0x177/0x440 [ 30.822829] 
__x64_sys_exit_group+0x3e/0x50 [ 30.827149] do_syscall_64+0x1b9/0x820 [ 30.831031] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 30.836212] [ 30.837839] The buggy address belongs to the object at ffff8801cad88040 [ 30.837839] which belongs to the cache kvm_vcpu of size 23872 [ 30.850408] The buggy address is located 24 bytes inside of [ 30.850408] 23872-byte region [ffff8801cad88040, ffff8801cad8dd80) [ 30.862359] The buggy address belongs to the page: [ 30.867285] page:ffffea00072b6200 count:1 mapcount:0 mapping:ffff8801d9f09240 index:0x0 compound_mapcount: 0 [ 30.877260] flags: 0x2fffc0000008100(slab|head) [ 30.881939] raw: 02fffc0000008100 ffff8801d6174a48 ffff8801d6174a48 ffff8801d9f09240 [ 30.889819] raw: 0000000000000000 ffff8801cad88040 0000000100000001 0000000000000000 [ 30.897688] page dumped because: kasan: bad access detected [ 30.903383] [ 30.905052] Memory state around the buggy address: [ 30.909990] ffff8801cad87f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.917339] ffff8801cad87f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.924701] >ffff8801cad88000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 30.932054] ^ [ 30.938276] ffff8801cad88080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.945629] ffff8801cad88100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.952994] ================================================================== [ 30.960342] Kernel panic - not syncing: panic_on_warn set ... [ 30.960342] [ 30.967709] CPU: 1 PID: 4300 Comm: syz-executor221 Tainted: G B 4.19.0-rc2+ #226 [ 30.976534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.985879] Call Trace: [ 30.988487] dump_stack+0x1c9/0x2b4 [ 30.992126] ? dump_stack_print_info.cold.2+0x52/0x52 [ 30.997322] ? lock_downgrade+0x8f0/0x8f0 [ 31.001477] ? __schedule+0xf54/0x1df0 [ 31.005375] panic+0x238/0x4e7 [ 31.008571] ? add_taint.cold.5+0x16/0x16 [ 31.012729] ? print_shadow_for_address+0xba/0x116 [ 31.017666] ? 
trace_hardirqs_off+0xaf/0x2c0 [ 31.022107] ? trace_hardirqs_off+0x77/0x2c0 [ 31.026532] ? __schedule+0xf54/0x1df0 [ 31.030447] kasan_end_report+0x47/0x4f [ 31.034429] kasan_report.cold.7+0x76/0x30d [ 31.038773] __asan_report_load8_noabort+0x14/0x20 [ 31.043709] __schedule+0xf54/0x1df0 [ 31.047434] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 31.052538] ? __sched_text_start+0x8/0x8 [ 31.056702] ? __call_srcu+0x7e7/0x1040 [ 31.060681] ? check_same_owner+0x340/0x340 [ 31.065001] ? mark_held_locks+0x160/0x160 [ 31.069232] ? find_held_lock+0x36/0x1c0 [ 31.073295] preempt_schedule_common+0x22/0x60 [ 31.077873] _cond_resched+0x1d/0x30 [ 31.081582] wait_for_completion+0xa5/0x8d0 [ 31.085914] ? wait_for_completion_interruptible+0x950/0x950 [ 31.091720] ? __lockdep_init_map+0x105/0x590 [ 31.096238] ? __init_waitqueue_head+0x9e/0x150 [ 31.100926] ? init_wait_entry+0x1c0/0x1c0 [ 31.105190] __synchronize_srcu+0x189/0x240 [ 31.109529] ? call_srcu+0x10/0x10 [ 31.113074] ? rcu_unexpedite_gp+0x20/0x20 [ 31.117317] synchronize_srcu+0x335/0x56f [ 31.121463] ? lock_downgrade+0x8f0/0x8f0 [ 31.125609] ? synchronize_srcu_expedited+0x20/0x20 [ 31.130624] ? kasan_check_read+0x11/0x20 [ 31.134767] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 31.139363] ? kasan_check_write+0x14/0x20 [ 31.143593] ? do_raw_spin_lock+0xc1/0x200 [ 31.147842] kvm_page_track_unregister_notifier+0x17d/0x250 [ 31.153564] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 31.159019] ? kvfree+0x61/0x70 [ 31.162302] ? rcu_read_lock_sched_held+0x108/0x120 [ 31.167318] kvm_mmu_uninit_vm+0x1c/0x20 [ 31.171374] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 31.175779] ? kvm_arch_sync_events+0x30/0x30 [ 31.180279] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.185818] ? mmu_notifier_unregister+0x474/0x600 [ 31.190742] ? trace_hardirqs_on+0x2c0/0x2c0 [ 31.195147] ? kfree+0x111/0x210 [ 31.198518] ? __mmu_notifier_register+0x30/0x30 [ 31.203289] ? __free_pages+0x10a/0x190 [ 31.207259] ? 
free_unref_page+0x930/0x930 [ 31.211510] kvm_put_kvm+0x73f/0x1060 [ 31.215316] ? kvm_write_guest_cached+0x40/0x40 [ 31.219997] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.224488] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.228987] ? lockdep_hardirqs_on+0x421/0x5c0 [ 31.233573] ? kasan_check_write+0x14/0x20 [ 31.237809] ? do_raw_spin_lock+0xc1/0x200 [ 31.242073] ? kvm_irqfd_release+0xdd/0x120 [ 31.246398] ? kvm_irqfd_release+0xdd/0x120 [ 31.250723] ? kvm_put_kvm+0x1060/0x1060 [ 31.254782] kvm_vm_release+0x42/0x50 [ 31.258581] __fput+0x38a/0xa40 [ 31.261867] ? __alloc_file+0x400/0x400 [ 31.265848] ? check_same_owner+0x340/0x340 [ 31.270173] ? kasan_check_write+0x14/0x20 [ 31.274406] ? do_raw_spin_lock+0xc1/0x200 [ 31.278647] ____fput+0x15/0x20 [ 31.281928] task_work_run+0x1e8/0x2a0 [ 31.285814] ? task_work_cancel+0x240/0x240 [ 31.290140] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.295693] ? switch_task_namespaces+0xa2/0xd0 [ 31.300368] do_exit+0x1ae4/0x26e0 [ 31.303919] ? mm_update_next_owner+0x9a0/0x9a0 [ 31.308601] ? rcu_pm_notify+0xc0/0xc0 [ 31.312492] ? mark_held_locks+0x160/0x160 [ 31.316755] ? kmem_cache_free+0x246/0x280 [ 31.320997] ? sock_destroy_inode+0x51/0x60 [ 31.325358] ? sockfs_dname+0x90/0x90 [ 31.329161] ? destroy_inode+0x15e/0x200 [ 31.333218] ? __destroy_inode+0x7f0/0x7f0 [ 31.337457] ? kasan_check_write+0x14/0x20 [ 31.341695] ? do_raw_spin_lock+0xc1/0x200 [ 31.345949] ? evict+0x5d5/0x990 [ 31.349325] ? destroy_inode+0x200/0x200 [ 31.353403] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.358960] ? kasan_check_read+0x11/0x20 [ 31.363124] ? do_raw_spin_unlock+0xa7/0x2f0 [ 31.367558] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 31.372163] ? find_held_lock+0x36/0x1c0 [ 31.376235] ? __fget_light+0x2f7/0x440 [ 31.380220] ? fget_raw+0x20/0x20 [ 31.383680] ? lock_downgrade+0x8f0/0x8f0 [ 31.387843] ? kasan_check_read+0x11/0x20 [ 31.391994] ? do_raw_spin_unlock+0xa7/0x2f0 [ 31.396399] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 31.400981] ? 
__sanitizer_cov_trace_cmp4+0x16/0x20 [ 31.406009] ? __fget_light+0x2f7/0x440 [ 31.409982] ? fget_raw+0x20/0x20 [ 31.413437] ? sockfd_lookup_light+0xc5/0x160 [ 31.417939] ? __sys_setsockopt+0x257/0x3b0 [ 31.422267] do_group_exit+0x177/0x440 [ 31.426157] ? trace_hardirqs_on+0xbd/0x2c0 [ 31.430514] ? __ia32_sys_exit+0x50/0x50 [ 31.434580] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 31.439689] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 31.445229] ? ksys_ioctl+0x81/0xd0 [ 31.448858] __x64_sys_exit_group+0x3e/0x50 [ 31.453195] do_syscall_64+0x1b9/0x820 [ 31.458298] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 31.463675] ? syscall_return_slowpath+0x5e0/0x5e0 [ 31.468590] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.473434] ? trace_hardirqs_on_caller+0x2c0/0x2c0 [ 31.478467] ? prepare_exit_to_usermode+0x291/0x3b0 [ 31.483514] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.488366] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.493557] RIP: 0033:0x43f308 [ 31.496752] Code: Bad RIP value. [ 31.500111] RSP: 002b:00007ffd4f475838 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 31.507821] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f308 [ 31.515099] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 31.522370] RBP: 00000000004bede8 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 31.529661] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001 [ 31.536941] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 31.544223] [ 31.544229] ====================================================== [ 31.544235] WARNING: possible circular locking dependency detected [ 31.544238] 4.19.0-rc2+ #226 Not tainted [ 31.544244] ------------------------------------------------------ [ 31.544248] syz-executor221/4300 is trying to acquire lock: [ 31.544252] 000000006257585c ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 [ 31.544267] [ 31.544271] but task is already holding lock: [ 31.544274] 00000000683c6bf3 (report_lock){....}, at: 
kasan_report+0x8e/0x110 [ 31.544288] [ 31.544292] which lock already depends on the new lock. [ 31.544294] [ 31.544297] [ 31.544302] the existing dependency chain (in reverse order) is: [ 31.544304] [ 31.544306] -> #3 (report_lock){....}: [ 31.544320] _raw_spin_lock_irqsave+0x96/0xc0 [ 31.544324] kasan_report+0x8e/0x110 [ 31.544329] __asan_report_load8_noabort+0x14/0x20 [ 31.544332] __schedule+0xf54/0x1df0 [ 31.544337] preempt_schedule_common+0x22/0x60 [ 31.544340] _cond_resched+0x1d/0x30 [ 31.544344] wait_for_completion+0xa5/0x8d0 [ 31.544348] __synchronize_srcu+0x189/0x240 [ 31.544352] synchronize_srcu+0x335/0x56f [ 31.544357] kvm_page_track_unregister_notifier+0x17d/0x250 [ 31.544361] kvm_mmu_uninit_vm+0x1c/0x20 [ 31.544365] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 31.544369] kvm_put_kvm+0x73f/0x1060 [ 31.544373] kvm_vm_release+0x42/0x50 [ 31.544376] __fput+0x38a/0xa40 [ 31.544380] ____fput+0x15/0x20 [ 31.544383] task_work_run+0x1e8/0x2a0 [ 31.544387] do_exit+0x1ae4/0x26e0 [ 31.544391] do_group_exit+0x177/0x440 [ 31.544395] __x64_sys_exit_group+0x3e/0x50 [ 31.544399] do_syscall_64+0x1b9/0x820 [ 31.544403] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.544406] [ 31.544408] -> #2 (&rq->lock){-.-.}: [ 31.544421] _raw_spin_lock+0x2a/0x40 [ 31.544425] task_fork_fair+0x93/0x680 [ 31.544429] sched_fork+0x44b/0xbd0 [ 31.544433] copy_process+0x235e/0x7af0 [ 31.544436] _do_fork+0x1ca/0x1170 [ 31.544440] kernel_thread+0x34/0x40 [ 31.544444] rest_init+0x22/0xe4 [ 31.544447] start_kernel+0x913/0x94e [ 31.544452] x86_64_start_reservations+0x29/0x2b [ 31.544456] x86_64_start_kernel+0x76/0x79 [ 31.544460] secondary_startup_64+0xa4/0xb0 [ 31.544462] [ 31.544464] -> #1 (&p->pi_lock){-.-.}: [ 31.544478] _raw_spin_lock_irqsave+0x96/0xc0 [ 31.544482] try_to_wake_up+0xd2/0x1250 [ 31.544486] wake_up_process+0x10/0x20 [ 31.544490] __up.isra.1+0x1c0/0x2a0 [ 31.544493] up+0x13c/0x1c0 [ 31.544497] __up_console_sem+0xbe/0x1b0 [ 31.544509] console_unlock+0x506/0x10e0 [ 31.544513] 
vprintk_emit+0x33a/0x910 [ 31.544517] vprintk_default+0x28/0x30 [ 31.544521] vprintk_func+0x7a/0x117 [ 31.544524] printk+0xa7/0xcf [ 31.544528] load_umh+0x51/0xbd [ 31.544531] do_one_initcall+0x127/0x838 [ 31.544536] kernel_init_freeable+0x4bb/0x5ae [ 31.544539] kernel_init+0x11/0x1b3 [ 31.544543] ret_from_fork+0x3a/0x50 [ 31.544545] [ 31.544547] -> #0 ((console_sem).lock){-...}: [ 31.544562] lock_acquire+0x1e4/0x4f0 [ 31.544566] _raw_spin_lock_irqsave+0x96/0xc0 [ 31.544570] down_trylock+0x13/0x70 [ 31.544574] __down_trylock_console_sem+0xae/0x200 [ 31.544578] console_trylock+0x15/0xa0 [ 31.544582] vprintk_emit+0x31f/0x910 [ 31.544586] vprintk_default+0x28/0x30 [ 31.544590] vprintk_func+0x7a/0x117 [ 31.544593] printk+0xa7/0xcf [ 31.544597] kasan_report+0x9e/0x110 [ 31.544601] __asan_report_load8_noabort+0x14/0x20 [ 31.544605] __schedule+0xf54/0x1df0 [ 31.544609] preempt_schedule_common+0x22/0x60 [ 31.544613] _cond_resched+0x1d/0x30 [ 31.544617] wait_for_completion+0xa5/0x8d0 [ 31.544622] __synchronize_srcu+0x189/0x240 [ 31.544626] synchronize_srcu+0x335/0x56f [ 31.544631] kvm_page_track_unregister_notifier+0x17d/0x250 [ 31.544634] kvm_mmu_uninit_vm+0x1c/0x20 [ 31.544652] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 31.544656] kvm_put_kvm+0x73f/0x1060 [ 31.544659] kvm_vm_release+0x42/0x50 [ 31.544663] __fput+0x38a/0xa40 [ 31.544666] ____fput+0x15/0x20 [ 31.544670] task_work_run+0x1e8/0x2a0 [ 31.544673] do_exit+0x1ae4/0x26e0 [ 31.544677] do_group_exit+0x177/0x440 [ 31.544694] __x64_sys_exit_group+0x3e/0x50 [ 31.544698] do_syscall_64+0x1b9/0x820 [ 31.544702] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 31.544705] [ 31.544709] other info that might help us debug this: [ 31.544711] [ 31.544714] Chain exists of: [ 31.544716] (console_sem).lock --> &rq->lock --> report_lock [ 31.544734] [ 31.544738] Possible unsafe locking scenario: [ 31.544740] [ 31.544744] CPU0 CPU1 [ 31.544748] ---- ---- [ 31.544751] lock(report_lock); [ 31.544760] lock(&rq->lock); [ 31.544782] lock(report_lock); [ 
31.544803] lock((console_sem).lock); [ 31.544811] [ 31.544813] *** DEADLOCK *** [ 31.544816] [ 31.544820] 2 locks held by syz-executor221/4300: [ 31.544822] #0: 000000003d9fb45e (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0 [ 31.544837] #1: 00000000683c6bf3 (report_lock){....}, at: kasan_report+0x8e/0x110 [ 31.544853] [ 31.544856] stack backtrace: [ 31.544861] CPU: 1 PID: 4300 Comm: syz-executor221 Not tainted 4.19.0-rc2+ #226 [ 31.544868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.544871] Call Trace: [ 31.544874] dump_stack+0x1c9/0x2b4 [ 31.544879] ? dump_stack_print_info.cold.2+0x52/0x52 [ 31.544882] ? vprintk_func+0x100/0x117 [ 31.544887] print_circular_bug.isra.34.cold.55+0x1bd/0x27d [ 31.544890] ? save_trace+0xe0/0x290 [ 31.544894] __lock_acquire+0x3449/0x5020 [ 31.544898] ? mark_held_locks+0x160/0x160 [ 31.544902] ? mark_held_locks+0x160/0x160 [ 31.544906] ? rcu_cleanup_dead_rnp+0x200/0x200 [ 31.544909] ? is_bpf_text_address+0xd7/0x170 [ 31.544913] ? kernel_text_address+0x79/0xf0 [ 31.544917] ? __kernel_text_address+0xd/0x40 [ 31.544921] ? __save_stack_trace+0x8d/0xf0 [ 31.544925] ? add_lock_to_list.isra.27+0x1ec/0x4b0 [ 31.544929] ? save_trace+0x290/0x290 [ 31.544932] ? save_stack_trace+0x1a/0x20 [ 31.544936] ? save_trace+0xe0/0x290 [ 31.544939] ? graph_lock+0x170/0x170 [ 31.544944] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.544947] lock_acquire+0x1e4/0x4f0 [ 31.544951] ? down_trylock+0x13/0x70 [ 31.544954] ? lock_release+0x9f0/0x9f0 [ 31.544958] ? trace_hardirqs_off+0xb8/0x2c0 [ 31.544962] ? trace_hardirqs_on+0x2c0/0x2c0 [ 31.544966] ? trace_hardirqs_off+0xb8/0x2c0 [ 31.544969] ? log_store+0x34f/0x4c0 [ 31.544973] ? vprintk_emit+0x31f/0x910 [ 31.544977] _raw_spin_lock_irqsave+0x96/0xc0 [ 31.544980] ? down_trylock+0x13/0x70 [ 31.544984] down_trylock+0x13/0x70 [ 31.544988] __down_trylock_console_sem+0xae/0x200 [ 31.544991] console_trylock+0x15/0xa0 [ 31.544995] vprintk_emit+0x31f/0x910 [ 31.544998] ? 
wake_up_klogd+0x110/0x110 [ 31.545002] ? run_rebalance_domains+0x4c0/0x4c0 [ 31.545006] ? kasan_check_read+0x11/0x20 [ 31.545010] ? rcu_is_watching+0x8c/0x150 [ 31.545013] ? rcu_pm_notify+0xc0/0xc0 [ 31.545017] ? lock_acquire+0x1e4/0x4f0 [ 31.545021] ? kasan_report+0x8e/0x110 [ 31.545024] ? __schedule+0xf54/0x1df0 [ 31.545028] vprintk_default+0x28/0x30 [ 31.545031] vprintk_func+0x7a/0x117 [ 31.545034] printk+0xa7/0xcf [ 31.545038] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 31.545047] ? kasan_check_write+0x14/0x20 [ 31.545051] ? do_raw_spin_lock+0xc1/0x200 [ 31.545055] ? do_raw_spin_lock+0xc1/0x200 [ 31.545059] kasan_report+0x9e/0x110 [ 31.545063] __asan_report_load8_noabort+0x14/0x20 [ 31.545066] __schedule+0xf54/0x1df0 [ 31.545070] ? trace_hardirqs_off_caller+0x2b0/0x2b0 [ 31.545074] ? __sched_text_start+0x8/0x8 [ 31.545078] ? __call_srcu+0x7e7/0x1040 [ 31.545082] ? check_same_owner+0x340/0x340 [ 31.545085] ? mark_held_locks+0x160/0x160 [ 31.545089] ? find_held_lock+0x36/0x1c0 [ 31.545093] preempt_schedule_common+0x22/0x60 [ 31.545096] _cond_resched+0x1d/0x30 [ 31.545100] wait_for_completion+0xa5/0x8d0 [ 31.545105] ? wait_for_completion_interruptible+0x950/0x950 [ 31.545109] ? __lockdep_init_map+0x105/0x590 [ 31.545113] ? __init_waitqueue_head+0x9e/0x150 [ 31.545116] ? init_wait_entry+0x1c0/0x1c0 [ 31.545120] __synchronize_srcu+0x189/0x240 [ 31.545123] ? call_srcu+0x10/0x10 [ 31.545127] ? rcu_unexpedite_gp+0x20/0x20 [ 31.545131] synchronize_srcu+0x335/0x56f [ 31.545135] ? lock_downgrade+0x8f0/0x8f0 [ 31.545151] ? synchronize_srcu_expedited+0x20/0x20 [ 31.545155] ? kasan_check_read+0x11/0x20 [ 31.545159] ? do_raw_spin_trylock+0x1c0/0x1c0 [ 31.545175] ? kasan_check_write+0x14/0x20 [ 31.545179] ? do_raw_spin_lock+0xc1/0x200 [ 31.545184] kvm_page_track_unregister_notifier+0x17d/0x250 [ 31.545189] ? kvm_slot_page_track_remove_page+0x70/0x70 [ 31.545192] ? kvfree+0x61/0x70 [ 31.545197] ? 
rcu_read_lock_sched_held+0x108/0x120 [ 31.545201] kvm_mmu_uninit_vm+0x1c/0x20 [ 31.545205] kvm_arch_destroy_vm+0x5f2/0x7c0 [ 31.545209] ? kvm_arch_sync_events+0x30/0x30 [ 31.545214] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.545218] ? mmu_notifier_unregister+0x474/0x600 [ 31.545223] ? trace_hardirqs_on+0x2c0/0x2c0 [ 31.545226] ? kfree+0x111/0x210 [ 31.545230] ? __mmu_notifier_register+0x30/0x30 [ 31.545234] ? __free_pages+0x10a/0x190 [ 31.545238] ? free_unref_page+0x930/0x930 [ 31.545242] kvm_put_kvm+0x73f/0x1060 [ 31.545246] ? kvm_write_guest_cached+0x40/0x40 [ 31.545251] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.545255] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.545259] ? lockdep_hardirqs_on+0x421/0x5c0 [ 31.545263] ? kasan_check_write+0x14/0x20 [ 31.545267] ? do_raw_spin_lock+0xc1/0x200 [ 31.545271] ? kvm_irqfd_release+0xdd/0x120 [ 31.545275] ? kvm_irqfd_release+0xdd/0x120 [ 31.545279] ? kvm_put_kvm+0x1060/0x1060 [ 31.545283] kvm_vm_release+0x42/0x50 [ 31.545286] __fput+0x38a/0xa40 [ 31.545290] ? __alloc_file+0x400/0x400 [ 31.545294] ? check_same_owner+0x340/0x340 [ 31.545298] ? kasan_check_write+0x14/0x20 [ 31.545302] ? do_raw_spin_lock+0xc1/0x200 [ 31.545305] ____fput+0x15/0x20 [ 31.545309] task_work_run+0x1e8/0x2a0 [ 31.545313] ? task_work_cancel+0x240/0x240 [ 31.545318] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 31.545322] ? switch_task_namespaces+0xa2/0xd0 [ 31.545326] do_exit+0x1ae4/0x26e0 [ 31.545330] ? mm_update_next_owner+0x9a0/0x9a0 [ 31.545334] ? rcu_pm_notify+0xc0/0xc0 [ 31.545338] ? mark_held_locks+0x160/0x160 [ 31.545342] ? kmem_cache_free+0x246/0x280 [ 31.545346] ? sock_destroy_inode+0x51/0x60 [ 31.545350] ? sockfs_dname+0x90/0x90 [ 31.545353] ? destroy_inode+0x15e/0x200 [ 31.545357] ? __destroy_inode+0x7f0/0x7f0 [ 31.545362] Lost 44 message(s)! [ 32.648167] Shutting down cpus with NMI [ 33.708009] Dumping ftrace buffer: [ 33.711539] (ftrace buffer empty) [ 33.715241] Kernel Offset: disabled [ 33.718863] Rebooting in 86400 seconds..