Warning: Permanently added '10.128.0.172' (ECDSA) to the list of known hosts.
executing program
[ 53.309070] audit: type=1400 audit(1564264884.705:36): avc: denied { map } for pid=7926 comm="syz-executor851" path="/root/syz-executor851514735" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 58.320604] ------------[ cut here ]------------
[ 58.326330] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 58.336330] WARNING: CPU: 1 PID: 7929 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 58.345064] Kernel panic - not syncing: panic_on_warn set ...
[ 58.345064]
[ 58.352420] CPU: 1 PID: 7929 Comm: syz-executor851 Not tainted 4.19.61 #35
[ 58.359430] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.368796] Call Trace:
[ 58.371374] dump_stack+0x172/0x1f0
[ 58.374988] panic+0x263/0x507
[ 58.378210] ? __warn_printk+0xf3/0xf3
[ 58.382104] ? debug_print_object+0x168/0x250
[ 58.386588] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.392109] ? __warn.cold+0x5/0x4a
[ 58.395719] ? __warn+0xe8/0x1d0
[ 58.399070] ? debug_print_object+0x168/0x250
[ 58.403554] __warn.cold+0x20/0x4a
[ 58.407081] ? trace_hardirqs_off+0x62/0x220
[ 58.411476] ? debug_print_object+0x168/0x250
[ 58.415958] report_bug+0x263/0x2b0
[ 58.419588] do_error_trap+0x204/0x360
[ 58.423464] ? math_error+0x340/0x340
[ 58.427251] ? wake_up_klogd+0x99/0xd0
[ 58.431124] ? vprintk_emit+0x1ab/0x690
[ 58.435083] ? error_entry+0x76/0xd0
[ 58.438789] ? trace_hardirqs_off_caller+0x65/0x220
[ 58.443818] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.448650] do_invalid_op+0x1b/0x20
[ 58.452349] invalid_op+0x14/0x20
[ 58.455804] RIP: 0010:debug_print_object+0x168/0x250
[ 58.460906] Code: dd e0 4d 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd e0 4d 82 87 48 c7 c7 20 43 82 87 e8 c6 37 19 fe <0f> 0b 83 05 db c9 17 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 58.479806] RSP: 0018:ffff8880960878d8 EFLAGS: 00010086
[ 58.485155] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 58.492413] RDX: 0000000000000000 RSI: ffffffff8155d376 RDI: ffffed1012c10f0d
[ 58.499669] RBP: ffff888096087918 R08: ffff8880951c4180 R09: ffffed1015d23ee3
[ 58.506921] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
[ 58.514183] R13: ffffffff887ac380 R14: ffffffff815b48d0 R15: ffff88808adcdd28
[ 58.521449] ? __internal_add_timer+0x1f0/0x1f0
[ 58.526111] ? vprintk_func+0x86/0x189
[ 58.530007] ? debug_print_object+0x168/0x250
[ 58.534492] debug_check_no_obj_freed+0x29f/0x464
[ 58.539325] kfree+0xbd/0x220
[ 58.542419] rfcomm_dlc_free+0x20/0x30
[ 58.546295] rfcomm_dev_ioctl+0x181f/0x1b60
[ 58.550604] ? __local_bh_enable_ip+0x15a/0x270
[ 58.555261] ? lock_sock_nested+0xe2/0x120
[ 58.559502] ? __local_bh_enable_ip+0x15a/0x270
[ 58.564182] ? rfcomm_dev_state_change+0x150/0x150
[ 58.569119] ? __local_bh_enable_ip+0x15a/0x270
[ 58.573792] rfcomm_sock_ioctl+0x90/0xb0
[ 58.577866] sock_do_ioctl+0xd8/0x2f0
[ 58.581669] ? compat_ifr_data_ioctl+0x160/0x160
[ 58.586433] ? __lock_acquire+0x6ee/0x49c0
[ 58.590676] ? rcu_read_lock_sched_held+0x110/0x130
[ 58.595678] ? kmem_cache_alloc+0x32a/0x700
[ 58.599990] sock_ioctl+0x325/0x610
[ 58.603605] ? dlci_ioctl_set+0x40/0x40
[ 58.607565] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.613091] ? __might_sleep+0x95/0x190
[ 58.617065] ? find_held_lock+0x35/0x130
[ 58.621114] ? dlci_ioctl_set+0x40/0x40
[ 58.625074] do_vfs_ioctl+0xd5f/0x1380
[ 58.628948] ? selinux_file_ioctl+0x46f/0x5e0
[ 58.633438] ? selinux_file_ioctl+0x125/0x5e0
[ 58.637918] ? ioctl_preallocate+0x210/0x210
[ 58.642311] ? selinux_file_mprotect+0x620/0x620
[ 58.647054] ? __sanitizer_cov_trace_cmp8+0x1b/0x20
[ 58.652056] ? __fd_install+0x200/0x640
[ 58.656017] ? fd_install+0x4d/0x60
[ 58.659635] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.665160] ? security_file_ioctl+0x8d/0xc0
[ 58.669553] ksys_ioctl+0xab/0xd0
[ 58.672991] __x64_sys_ioctl+0x73/0xb0
[ 58.676865] do_syscall_64+0xfd/0x620
[ 58.680663] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.685834] RIP: 0033:0x441229
[ 58.689021] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.707909] RSP: 002b:00007ffc048c29c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.715621] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 58.722880] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 58.730227] RBP: 000000000000e3af R08: 00000000004002c8 R09: 00000000004002c8
[ 58.737483] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 58.744737] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 58.751999]
[ 58.752003] ======================================================
[ 58.752007] WARNING: possible circular locking dependency detected
[ 58.752009] 4.19.61 #35 Not tainted
[ 58.752012] ------------------------------------------------------
[ 58.752015] syz-executor851/7929 is trying to acquire lock:
[ 58.752017] 000000003b65dc97 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 58.752026]
[ 58.752028] but task is already holding lock:
[ 58.752030] 000000001e863e0c (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 58.752039]
[ 58.752042] which lock already depends on the new lock.
[ 58.752043]
[ 58.752045]
[ 58.752049] the existing dependency chain (in reverse order) is:
[ 58.752051]
[ 58.752053] -> #3 (&obj_hash[i].lock){-.-.}:
[ 58.752068] _raw_spin_lock_irqsave+0x95/0xcd
[ 58.752072] __debug_object_init+0xc6/0xc30
[ 58.752077] debug_object_init+0x16/0x20
[ 58.752081] hrtimer_init+0x2a/0x300
[ 58.752085] init_dl_task_timer+0x1b/0x50
[ 58.752089] __sched_fork+0x22a/0x4b0
[ 58.752093] init_idle+0x75/0x800
[ 58.752097] sched_init+0x952/0x9f0
[ 58.752102] start_kernel+0x402/0x8c5
[ 58.752106] x86_64_start_reservations+0x29/0x2b
[ 58.752111] x86_64_start_kernel+0x77/0x7b
[ 58.752115] secondary_startup_64+0xa4/0xb0
[ 58.752117]
[ 58.752118] -> #2 (&rq->lock){-.-.}:
[ 58.752126] _raw_spin_lock+0x2f/0x40
[ 58.752129] task_fork_fair+0x6a/0x520
[ 58.752131] sched_fork+0x3af/0x900
[ 58.752134] copy_process.part.0+0x1859/0x7a30
[ 58.752136] _do_fork+0x257/0xfd0
[ 58.752138] kernel_thread+0x34/0x40
[ 58.752140] rest_init+0x24/0x222
[ 58.752143] start_kernel+0x88c/0x8c5
[ 58.752145] x86_64_start_reservations+0x29/0x2b
[ 58.752148] x86_64_start_kernel+0x77/0x7b
[ 58.752150] secondary_startup_64+0xa4/0xb0
[ 58.752151]
[ 58.752153] -> #1 (&p->pi_lock){-.-.}:
[ 58.752161] _raw_spin_lock_irqsave+0x95/0xcd
[ 58.752164] try_to_wake_up+0x94/0xf50
[ 58.752166] wake_up_process+0x10/0x20
[ 58.752168] __up.isra.0+0x136/0x1a0
[ 58.752170] up+0x9c/0xe0
[ 58.752173] __up_console_sem+0xb7/0x1c0
[ 58.752175] console_unlock+0x6c7/0x10b0
[ 58.752178] do_con_write.part.0+0xeec/0x1eb0
[ 58.752180] con_write+0x46/0xd0
[ 58.752182] n_tty_write+0x3f9/0x10f0
[ 58.752184] tty_write+0x458/0x7a0
[ 58.752187] __vfs_write+0x114/0x810
[ 58.752189] vfs_write+0x20c/0x560
[ 58.752191] ksys_write+0x14f/0x2d0
[ 58.752193] __x64_sys_write+0x73/0xb0
[ 58.752196] do_syscall_64+0xfd/0x620
[ 58.752199] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.752200]
[ 58.752201] -> #0 ((console_sem).lock){-...}:
[ 58.752210] lock_acquire+0x16f/0x3f0
[ 58.752212] _raw_spin_lock_irqsave+0x95/0xcd
[ 58.752215] down_trylock+0x13/0x70
[ 58.752217] __down_trylock_console_sem+0xa8/0x210
[ 58.752220] console_trylock+0x15/0xa0
[ 58.752222] vprintk_emit+0x21d/0x690
[ 58.752225] vprintk_default+0x28/0x30
[ 58.752227] vprintk_func+0x7e/0x189
[ 58.752229] printk+0xba/0xed
[ 58.752231] __warn_printk+0x9b/0xf3
[ 58.752234] debug_print_object+0x168/0x250
[ 58.752237] debug_check_no_obj_freed+0x29f/0x464
[ 58.752239] kfree+0xbd/0x220
[ 58.752241] rfcomm_dlc_free+0x20/0x30
[ 58.752244] rfcomm_dev_ioctl+0x181f/0x1b60
[ 58.752246] rfcomm_sock_ioctl+0x90/0xb0
[ 58.752248] sock_do_ioctl+0xd8/0x2f0
[ 58.752250] sock_ioctl+0x325/0x610
[ 58.752253] do_vfs_ioctl+0xd5f/0x1380
[ 58.752255] ksys_ioctl+0xab/0xd0
[ 58.752257] __x64_sys_ioctl+0x73/0xb0
[ 58.752259] do_syscall_64+0xfd/0x620
[ 58.752262] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.752264]
[ 58.752266] other info that might help us debug this:
[ 58.752267]
[ 58.752269] Chain exists of:
[ 58.752271] (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[ 58.752283]
[ 58.752286] Possible unsafe locking scenario:
[ 58.752287]
[ 58.752289] CPU0 CPU1
[ 58.752292] ---- ----
[ 58.752293] lock(&obj_hash[i].lock);
[ 58.752299] lock(&rq->lock);
[ 58.752304] lock(&obj_hash[i].lock);
[ 58.752309] lock((console_sem).lock);
[ 58.752314]
[ 58.752315] *** DEADLOCK ***
[ 58.752317]
[ 58.752319] 3 locks held by syz-executor851/7929:
[ 58.752321] #0: 0000000072f25ef6 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 58.752331] #1: 00000000017dcfcb (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[ 58.752342] #2: 000000001e863e0c (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 58.752352]
[ 58.752354] stack backtrace:
[ 58.752358] CPU: 1 PID: 7929 Comm: syz-executor851 Not tainted 4.19.61 #35
[ 58.752362] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.752364] Call Trace:
[ 58.752366] dump_stack+0x172/0x1f0
[ 58.752369] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 58.752371] __lock_acquire+0x2e19/0x49c0
[ 58.752374] ? mark_held_locks+0x100/0x100
[ 58.752376] ? kvm_clock_read+0x18/0x30
[ 58.752379] ? kvm_sched_clock_read+0x9/0x20
[ 58.752381] lock_acquire+0x16f/0x3f0
[ 58.752383] ? down_trylock+0x13/0x70
[ 58.752386] _raw_spin_lock_irqsave+0x95/0xcd
[ 58.752388] ? down_trylock+0x13/0x70
[ 58.752390] ? vprintk_emit+0x21d/0x690
[ 58.752392] down_trylock+0x13/0x70
[ 58.752395] ? vprintk_emit+0x21d/0x690
[ 58.752397] __down_trylock_console_sem+0xa8/0x210
[ 58.752400] console_trylock+0x15/0xa0
[ 58.752402] vprintk_emit+0x21d/0x690
[ 58.752404] ? __internal_add_timer+0x1f0/0x1f0
[ 58.752407] vprintk_default+0x28/0x30
[ 58.752409] vprintk_func+0x7e/0x189
[ 58.752411] printk+0xba/0xed
[ 58.752413] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 58.752415] ? __warn_printk+0x8f/0xf3
[ 58.752418] ? rfcomm_session_add+0x300/0x300
[ 58.752420] __warn_printk+0x9b/0xf3
[ 58.752422] ? add_taint.cold+0x16/0x16
[ 58.752425] ? skb_dequeue+0x12e/0x180
[ 58.752427] ? rfcomm_session_add+0x300/0x300
[ 58.752430] debug_print_object+0x168/0x250
[ 58.752432] debug_check_no_obj_freed+0x29f/0x464
[ 58.752434] kfree+0xbd/0x220
[ 58.752436] rfcomm_dlc_free+0x20/0x30
[ 58.752439] rfcomm_dev_ioctl+0x181f/0x1b60
[ 58.752441] ? __local_bh_enable_ip+0x15a/0x270
[ 58.752444] ? lock_sock_nested+0xe2/0x120
[ 58.752446] ? __local_bh_enable_ip+0x15a/0x270
[ 58.752449] ? rfcomm_dev_state_change+0x150/0x150
[ 58.752452] ? __local_bh_enable_ip+0x15a/0x270
[ 58.752454] rfcomm_sock_ioctl+0x90/0xb0
[ 58.752456] sock_do_ioctl+0xd8/0x2f0
[ 58.752459] ? compat_ifr_data_ioctl+0x160/0x160
[ 58.752461] ? __lock_acquire+0x6ee/0x49c0
[ 58.752464] ? rcu_read_lock_sched_held+0x110/0x130
[ 58.752467] ? kmem_cache_alloc+0x32a/0x700
[ 58.752469] sock_ioctl+0x325/0x610
[ 58.752471] ? dlci_ioctl_set+0x40/0x40
[ 58.752474] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.752476] ? __might_sleep+0x95/0x190
[ 58.752479] ? find_held_lock+0x35/0x130
[ 58.752481] ? dlci_ioctl_set+0x40/0x40
[ 58.752483] do_vfs_ioctl+0xd5f/0x1380
[ 58.752486] ? selinux_file_ioctl+0x46f/0x5e0
[ 58.752488] ? selinux_file_ioctl+0x125/0x5e0
[ 58.752491] ? ioctl_preallocate+0x210/0x210
[ 58.752493] ? selinux_file_mprotect+0x620/0x620
[ 58.752496] ? __sanitizer_cov_trace_cmp8+0x1b/0x20
[ 58.752498] ? __fd_install+0x200/0x640
[ 58.752500] ? fd_install+0x4d/0x60
[ 58.752503] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.752506] ? security_file_ioctl+0x8d/0xc0
[ 58.752508] ksys_ioctl+0xab/0xd0
[ 58.752510] __x64_sys_ioctl+0x73/0xb0
[ 58.752512] do_syscall_64+0xfd/0x620
[ 58.752515] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.752517] RIP: 0033:0x441229
[ 58.752525] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.752528] RSP: 002b:00007ffc048c29c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.752534] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 58.752537] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 58.752541] RBP: 000000000000e3af R08: 00000000004002c8 R09: 00000000004002c8
[ 58.752544] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 58.752548] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 58.753480] Kernel Offset: disabled
[ 59.582707] Rebooting in 86400 seconds..