Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
executing program
[ 54.864697] audit: type=1400 audit(1565794412.407:36): avc: denied { map } for pid=7807 comm="syz-executor072" path="/root/syz-executor072595684" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 59.875811] ------------[ cut here ]------------
[ 59.881772] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 59.891967] WARNING: CPU: 1 PID: 7810 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 59.900712] Kernel panic - not syncing: panic_on_warn set ...
[ 59.900712]
[ 59.908073] CPU: 1 PID: 7810 Comm: syz-executor072 Not tainted 4.19.66 #40
[ 59.915062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.924397] Call Trace:
[ 59.926986]  dump_stack+0x172/0x1f0
[ 59.930606]  panic+0x263/0x507
[ 59.933781]  ? __warn_printk+0xf3/0xf3
[ 59.937663]  ? debug_print_object+0x168/0x250
[ 59.942144]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 59.947676]  ? __warn.cold+0x5/0x4a
[ 59.951288]  ? __warn+0xe8/0x1d0
[ 59.954682]  ? debug_print_object+0x168/0x250
[ 59.959182]  __warn.cold+0x20/0x4a
[ 59.962716]  ? trace_hardirqs_off+0x62/0x220
[ 59.967109]  ? debug_print_object+0x168/0x250
[ 59.971589]  report_bug+0x263/0x2b0
[ 59.975218]  do_error_trap+0x204/0x360
[ 59.979097]  ? math_error+0x340/0x340
[ 59.982907]  ? wake_up_klogd+0x99/0xd0
[ 59.986780]  ? vprintk_emit+0x1ab/0x690
[ 59.990737]  ? error_entry+0x7c/0xe0
[ 59.994435]  ? trace_hardirqs_off_caller+0x65/0x220
[ 59.999439]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 60.004290]  do_invalid_op+0x1b/0x20
[ 60.007991]  invalid_op+0x14/0x20
[ 60.011431] RIP: 0010:debug_print_object+0x168/0x250
[ 60.016524] Code: dd a0 52 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd a0 52 82 87 48 c7 c7 e0 47 82 87 e8 a6 23 19 fe <0f> 0b 83 05 bb aa 17 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 60.035760] RSP: 0018:ffff8880810d78d8 EFLAGS: 00010086
[ 60.041122] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 60.048380] RDX: 0000000000000000 RSI: ffffffff8155d916 RDI: ffffed101021af0d
[ 60.055909] RBP: ffff8880810d7918 R08: ffff8880963f4540 R09: ffffed1015d23ee3
[ 60.063165] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
[ 60.070496] R13: ffffffff887ac4c0 R14: ffffffff815b4e70 R15: ffff88809ddf2368
[ 60.077769]  ? __internal_add_timer+0x1f0/0x1f0
[ 60.082432]  ? vprintk_func+0x86/0x189
[ 60.086315]  ? debug_print_object+0x168/0x250
[ 60.090801]  debug_check_no_obj_freed+0x29f/0x464
[ 60.095637]  kfree+0xbd/0x220
[ 60.098873]  rfcomm_dlc_free+0x20/0x30
[ 60.102747]  rfcomm_dev_ioctl+0x181f/0x1b60
[ 60.107056]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.111715]  ? lock_sock_nested+0xe2/0x120
[ 60.115950]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.120614]  ? rfcomm_dev_state_change+0x150/0x150
[ 60.125534]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.130195]  rfcomm_sock_ioctl+0x90/0xb0
[ 60.134250]  sock_do_ioctl+0xd8/0x2f0
[ 60.138152]  ? compat_ifr_data_ioctl+0x160/0x160
[ 60.142900]  ? __lock_acquire+0x6ee/0x49c0
[ 60.147131]  ? rcu_read_lock_sched_held+0x110/0x130
[ 60.152149]  ? kmem_cache_alloc+0x32a/0x700
[ 60.156461]  sock_ioctl+0x325/0x610
[ 60.160081]  ? dlci_ioctl_set+0x40/0x40
[ 60.164049]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.169587]  ? __might_sleep+0x95/0x190
[ 60.173566]  ? find_held_lock+0x35/0x130
[ 60.177690]  ? dlci_ioctl_set+0x40/0x40
[ 60.181661]  do_vfs_ioctl+0xd5f/0x1380
[ 60.185539]  ? selinux_file_ioctl+0x46f/0x5e0
[ 60.190080]  ? selinux_file_ioctl+0x125/0x5e0
[ 60.194565]  ? ioctl_preallocate+0x210/0x210
[ 60.198968]  ? selinux_file_mprotect+0x620/0x620
[ 60.203711]  ? __sanitizer_cov_trace_cmp1+0x1b/0x20
[ 60.208710]  ? __fd_install+0x200/0x640
[ 60.212668]  ? fd_install+0x4d/0x60
[ 60.216284]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.221857]  ? security_file_ioctl+0x8d/0xc0
[ 60.226259]  ksys_ioctl+0xab/0xd0
[ 60.229704]  __x64_sys_ioctl+0x73/0xb0
[ 60.233579]  do_syscall_64+0xfd/0x620
[ 60.237368]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.242541] RIP: 0033:0x441229
[ 60.245716] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.264603] RSP: 002b:00007fff2e8ce878 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 60.272297] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 60.279551] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 60.286814] RBP: 000000000000e9c2 R08: 00000000004002c8 R09: 00000000004002c8
[ 60.294194] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 60.301450] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 60.309037]
[ 60.309041] ======================================================
[ 60.309044] WARNING: possible circular locking dependency detected
[ 60.309046] 4.19.66 #40 Not tainted
[ 60.309049] ------------------------------------------------------
[ 60.309052] syz-executor072/7810 is trying to acquire lock:
[ 60.309054] 0000000019248e65 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 60.309063]
[ 60.309066] but task is already holding lock:
[ 60.309067] 00000000d215bddb (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 60.309076]
[ 60.309079] which lock already depends on the new lock.
[ 60.309080]
[ 60.309081]
[ 60.309084] the existing dependency chain (in reverse order) is:
[ 60.309086]
[ 60.309087] -> #3 (&obj_hash[i].lock){-.-.}:
[ 60.309095]        _raw_spin_lock_irqsave+0x95/0xcd
[ 60.309098]        __debug_object_init+0xc6/0xc30
[ 60.309100]        debug_object_init+0x16/0x20
[ 60.309102]        hrtimer_init+0x2a/0x300
[ 60.309105]        init_dl_task_timer+0x1b/0x50
[ 60.309107]        __sched_fork+0x22a/0x4b0
[ 60.309109]        init_idle+0x75/0x800
[ 60.309111]        sched_init+0x952/0x9f0
[ 60.309114]        start_kernel+0x402/0x8c5
[ 60.309116]        x86_64_start_reservations+0x29/0x2b
[ 60.309119]        x86_64_start_kernel+0x77/0x7b
[ 60.309121]        secondary_startup_64+0xa4/0xb0
[ 60.309122]
[ 60.309123] -> #2 (&rq->lock){-.-.}:
[ 60.309131]        _raw_spin_lock+0x2f/0x40
[ 60.309134]        task_fork_fair+0x6a/0x520
[ 60.309136]        sched_fork+0x3af/0x900
[ 60.309139]        copy_process.part.0+0x1859/0x7a30
[ 60.309142]        _do_fork+0x257/0xfd0
[ 60.309145]        kernel_thread+0x34/0x40
[ 60.309147]        rest_init+0x24/0x222
[ 60.309150]        start_kernel+0x88c/0x8c5
[ 60.309152]        x86_64_start_reservations+0x29/0x2b
[ 60.309155]        x86_64_start_kernel+0x77/0x7b
[ 60.309157]        secondary_startup_64+0xa4/0xb0
[ 60.309158]
[ 60.309160] -> #1 (&p->pi_lock){-.-.}:
[ 60.309168]        _raw_spin_lock_irqsave+0x95/0xcd
[ 60.309170]        try_to_wake_up+0x94/0xf50
[ 60.309172]        wake_up_process+0x10/0x20
[ 60.309175]        __up.isra.0+0x136/0x1a0
[ 60.309176]        up+0x9c/0xe0
[ 60.309179]        __up_console_sem+0xb7/0x1c0
[ 60.309181]        console_unlock+0x6c7/0x10b0
[ 60.309183]        vprintk_emit+0x238/0x690
[ 60.309186]        vprintk_default+0x28/0x30
[ 60.309188]        vprintk_func+0x7e/0x189
[ 60.309190]        printk+0xba/0xed
[ 60.309192]        kauditd_hold_skb.cold+0x3f/0x4e
[ 60.309195]        kauditd_send_queue+0x12b/0x170
[ 60.309197]        kauditd_thread+0x732/0xa60
[ 60.309199]        kthread+0x354/0x420
[ 60.309202]        ret_from_fork+0x24/0x30
[ 60.309203]
[ 60.309204] -> #0 ((console_sem).lock){-...}:
[ 60.309212]        lock_acquire+0x16f/0x3f0
[ 60.309215]        _raw_spin_lock_irqsave+0x95/0xcd
[ 60.309217]        down_trylock+0x13/0x70
[ 60.309220]        __down_trylock_console_sem+0xa8/0x210
[ 60.309222]        console_trylock+0x15/0xa0
[ 60.309224]        vprintk_emit+0x21d/0x690
[ 60.309227]        vprintk_default+0x28/0x30
[ 60.309229]        vprintk_func+0x7e/0x189
[ 60.309231]        printk+0xba/0xed
[ 60.309233]        __warn_printk+0x9b/0xf3
[ 60.309236]        debug_print_object+0x168/0x250
[ 60.309239]        debug_check_no_obj_freed+0x29f/0x464
[ 60.309243]        kfree+0xbd/0x220
[ 60.309246]        rfcomm_dlc_free+0x20/0x30
[ 60.309248]        rfcomm_dev_ioctl+0x181f/0x1b60
[ 60.309251]        rfcomm_sock_ioctl+0x90/0xb0
[ 60.309253]        sock_do_ioctl+0xd8/0x2f0
[ 60.309255]        sock_ioctl+0x325/0x610
[ 60.309257]        do_vfs_ioctl+0xd5f/0x1380
[ 60.309260]        ksys_ioctl+0xab/0xd0
[ 60.309262]        __x64_sys_ioctl+0x73/0xb0
[ 60.309264]        do_syscall_64+0xfd/0x620
[ 60.309267]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.309268]
[ 60.309271] other info that might help us debug this:
[ 60.309272]
[ 60.309274] Chain exists of:
[ 60.309275]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[ 60.309286]
[ 60.309288]  Possible unsafe locking scenario:
[ 60.309289]
[ 60.309292]        CPU0                    CPU1
[ 60.309294]        ----                    ----
[ 60.309295]   lock(&obj_hash[i].lock);
[ 60.309301]                                lock(&rq->lock);
[ 60.309306]                                lock(&obj_hash[i].lock);
[ 60.309311]   lock((console_sem).lock);
[ 60.309315]
[ 60.309317]  *** DEADLOCK ***
[ 60.309318]
[ 60.309321] 3 locks held by syz-executor072/7810:
[ 60.309322]  #0: 00000000f6428f51 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 60.309332]  #1: 00000000c2049cc0 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[ 60.309342]  #2: 00000000d215bddb (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 60.309352]
[ 60.309354] stack backtrace:
[ 60.309358] CPU: 1 PID: 7810 Comm: syz-executor072 Not tainted 4.19.66 #40
[ 60.309362] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.309364] Call Trace:
[ 60.309366]  dump_stack+0x172/0x1f0
[ 60.309369]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 60.309371]  __lock_acquire+0x2e19/0x49c0
[ 60.309373]  ? mark_held_locks+0x100/0x100
[ 60.309376]  ? kvm_clock_read+0x18/0x30
[ 60.309378]  ? kvm_sched_clock_read+0x9/0x20
[ 60.309380]  lock_acquire+0x16f/0x3f0
[ 60.309382]  ? down_trylock+0x13/0x70
[ 60.309385]  _raw_spin_lock_irqsave+0x95/0xcd
[ 60.309387]  ? down_trylock+0x13/0x70
[ 60.309389]  ? vprintk_emit+0x21d/0x690
[ 60.309391]  down_trylock+0x13/0x70
[ 60.309394]  ? vprintk_emit+0x21d/0x690
[ 60.309396]  __down_trylock_console_sem+0xa8/0x210
[ 60.309399]  console_trylock+0x15/0xa0
[ 60.309401]  vprintk_emit+0x21d/0x690
[ 60.309403]  ? __internal_add_timer+0x1f0/0x1f0
[ 60.309406]  vprintk_default+0x28/0x30
[ 60.309408]  vprintk_func+0x7e/0x189
[ 60.309410]  printk+0xba/0xed
[ 60.309412]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 60.309414]  ? __warn_printk+0x8f/0xf3
[ 60.309417]  ? rfcomm_session_add+0x300/0x300
[ 60.309419]  __warn_printk+0x9b/0xf3
[ 60.309421]  ? add_taint.cold+0x16/0x16
[ 60.309423]  ? skb_dequeue+0x12e/0x180
[ 60.309426]  ? rfcomm_session_add+0x300/0x300
[ 60.309428]  debug_print_object+0x168/0x250
[ 60.309431]  debug_check_no_obj_freed+0x29f/0x464
[ 60.309433]  kfree+0xbd/0x220
[ 60.309435]  rfcomm_dlc_free+0x20/0x30
[ 60.309438]  rfcomm_dev_ioctl+0x181f/0x1b60
[ 60.309440]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.309442]  ? lock_sock_nested+0xe2/0x120
[ 60.309445]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.309448]  ? rfcomm_dev_state_change+0x150/0x150
[ 60.309450]  ? __local_bh_enable_ip+0x15a/0x270
[ 60.309452]  rfcomm_sock_ioctl+0x90/0xb0
[ 60.309455]  sock_do_ioctl+0xd8/0x2f0
[ 60.309457]  ? compat_ifr_data_ioctl+0x160/0x160
[ 60.309460]  ? __lock_acquire+0x6ee/0x49c0
[ 60.309462]  ? rcu_read_lock_sched_held+0x110/0x130
[ 60.309465]  ? kmem_cache_alloc+0x32a/0x700
[ 60.309467]  sock_ioctl+0x325/0x610
[ 60.309469]  ? dlci_ioctl_set+0x40/0x40
[ 60.309472]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.309475]  ? __might_sleep+0x95/0x190
[ 60.309477]  ? find_held_lock+0x35/0x130
[ 60.309479]  ? dlci_ioctl_set+0x40/0x40
[ 60.309481]  do_vfs_ioctl+0xd5f/0x1380
[ 60.309484]  ? selinux_file_ioctl+0x46f/0x5e0
[ 60.309486]  ? selinux_file_ioctl+0x125/0x5e0
[ 60.309489]  ? ioctl_preallocate+0x210/0x210
[ 60.309491]  ? selinux_file_mprotect+0x620/0x620
[ 60.309494]  ? __sanitizer_cov_trace_cmp1+0x1b/0x20
[ 60.309496]  ? __fd_install+0x200/0x640
[ 60.309498]  ? fd_install+0x4d/0x60
[ 60.309501]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 60.309504]  ? security_file_ioctl+0x8d/0xc0
[ 60.309506]  ksys_ioctl+0xab/0xd0
[ 60.309508]  __x64_sys_ioctl+0x73/0xb0
[ 60.309510]  do_syscall_64+0xfd/0x620
[ 60.309513]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.309515] RIP: 0033:0x441229
[ 60.309523] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.309526] RSP: 002b:00007fff2e8ce878 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 60.309532] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 60.309535] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 60.309539] RBP: 000000000000e9c2 R08: 00000000004002c8 R09: 00000000004002c8
[ 60.309542] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 60.309546] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 60.310538] Kernel Offset: disabled
[ 61.141759] Rebooting in 86400 seconds..