[ 37.740907] audit: type=1800 audit(1585746958.034:33): pid=7412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 37.771398] audit: type=1800 audit(1585746958.034:34): pid=7412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 42.242844] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.716569] audit: type=1400 audit(1585746963.004:35): avc: denied { map } for pid=7583 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 42.767612] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.533027] random: sshd: uninitialized urandom read (32 bytes read)
[ 76.444598] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.47' (ECDSA) to the list of known hosts.
[ 82.050392] random: sshd: uninitialized urandom read (32 bytes read)
[ 82.176234] audit: type=1400 audit(1585747002.464:36): avc: denied { map } for pid=7595 comm="syz-executor044" path="/root/syz-executor044535495" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 82.431206] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 83.226735] audit: type=1400 audit(1585747003.514:37): avc: denied { create } for pid=7596 comm="syz-executor044" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 83.248603] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[ 83.250864] audit: type=1400 audit(1585747003.514:38): avc: denied { write } for pid=7596 comm="syz-executor044" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 83.259893] ------------[ cut here ]------------
[ 83.284023] audit: type=1400 audit(1585747003.514:39): avc: denied { read } for pid=7596 comm="syz-executor044" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 83.288335] WARNING: CPU: 1 PID: 7598 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 83.288339] Kernel panic - not syncing: panic_on_warn set ...
[ 83.288339]
[ 83.288346] CPU: 1 PID: 7598 Comm: syz-executor044 Not tainted 4.14.174-syzkaller #0
[ 83.288350] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 83.288352] Call Trace:
[ 83.288364] dump_stack+0x13e/0x194
[ 83.288372] panic+0x1f9/0x42d
[ 83.288378] ? add_taint.cold+0x16/0x16
[ 83.288386] ? debug_print_object.cold+0xa7/0xdb
[ 83.288394] ? debug_print_object.cold+0xa7/0xdb
[ 83.288398] __warn.cold+0x2f/0x30
[ 83.288406] ? ist_end_non_atomic+0x10/0x10
[ 83.288412] ? debug_print_object.cold+0xa7/0xdb
[ 83.288417] report_bug+0x20a/0x248
[ 83.288425] do_error_trap+0x195/0x2d0
[ 83.288431] ? math_error+0x2d0/0x2d0
[ 83.288442] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 83.288451] invalid_op+0x1b/0x40
[ 83.288458] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 83.288462] RSP: 0018:ffff8880894e7430 EFLAGS: 00010082
[ 83.288472] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[ 83.418492] RDX: 0000000000000000 RSI: ffffffff86ac07e0 RDI: ffffed101129ce7c
[ 83.425762] RBP: ffffffff86ab5ee0 R08: 0000000000000055 R09: 0000000000000000
[ 83.433019] R10: fffffbfff14a8cd8 R11: ffff88807cf3a280 R12: 0000000000000000
[ 83.440283] R13: 0000000000000001 R14: 1ffff1101129ce90 R15: ffffffff87d84240
[ 83.447550] debug_object_activate+0x307/0x450
[ 83.452118] ? debug_object_free+0x390/0x390
[ 83.456526] ? find_held_lock+0x2d/0x110
[ 83.460567] ? route4_walk+0x450/0x450
[ 83.464435] __call_rcu.constprop.0+0x31/0x7e0
[ 83.468998] route4_change+0xb27/0x1c4d
[ 83.472955] ? route4_delete+0x760/0x760
[ 83.476994] ? route4_delete+0x760/0x760
[ 83.481048] tc_ctl_tfilter+0xf13/0x18e6
[ 83.485091] ? tfilter_notify+0x240/0x240
[ 83.489218] ? mutex_trylock+0x1a0/0x1a0
[ 83.493261] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 83.497665] ? tfilter_notify+0x240/0x240
[ 83.501795] rtnetlink_rcv_msg+0x3be/0xb10
[ 83.506013] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 83.510606] ? save_trace+0x290/0x290
[ 83.514417] ? save_trace+0x290/0x290
[ 83.518204] netlink_rcv_skb+0x127/0x370
[ 83.522256] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 83.526817] ? netlink_ack+0x980/0x980
[ 83.530686] netlink_unicast+0x437/0x620
[ 83.535163] ? netlink_attachskb+0x600/0x600
[ 83.539550] netlink_sendmsg+0x733/0xbe0
[ 83.543591] ? netlink_unicast+0x620/0x620
[ 83.547819] ? SYSC_sendto+0x2b0/0x2b0
[ 83.551699] ? security_socket_sendmsg+0x83/0xb0
[ 83.556433] ? netlink_unicast+0x620/0x620
[ 83.560742] sock_sendmsg+0xc5/0x100
[ 83.564468] ___sys_sendmsg+0x70a/0x840
[ 83.568510] ? trace_hardirqs_on+0x10/0x10
[ 83.572726] ? copy_msghdr_from_user+0x380/0x380
[ 83.577465] ? find_held_lock+0x2d/0x110
[ 83.581510] ? lock_downgrade+0x6e0/0x6e0
[ 83.585652] ? __fget+0x228/0x360
[ 83.589083] ? __fget_light+0x199/0x1f0
[ 83.593049] ? sockfd_lookup_light+0xb2/0x160
[ 83.597542] __sys_sendmsg+0xa3/0x120
[ 83.601361] ? SyS_shutdown+0x160/0x160
[ 83.605350] ? move_addr_to_kernel+0x60/0x60
[ 83.609770] SyS_sendmsg+0x27/0x40
[ 83.613290] ? __sys_sendmsg+0x120/0x120
[ 83.617329] do_syscall_64+0x1d5/0x640
[ 83.621198] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 83.626414] RIP: 0033:0x4473d9
[ 83.629592] RSP: 002b:00007f81f752bd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 83.637282] RAX: ffffffffffffffda RBX: 00000000006ddc78 RCX: 00000000004473d9
[ 83.644531] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
[ 83.651794] RBP: 00000000006ddc70 R08: 0000000000000000 R09: 0000000000000000
[ 83.659041] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc7c
[ 83.666303] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 83.673608]
[ 83.673610] ======================================================
[ 83.673612] WARNING: possible circular locking dependency detected
[ 83.673613] 4.14.174-syzkaller #0 Not tainted
[ 83.673615] ------------------------------------------------------
[ 83.673617] syz-executor044/7598 is trying to acquire lock:
[ 83.673618] ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 83.673622]
[ 83.673623] but task is already holding lock:
[ 83.673624] (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 83.673628]
[ 83.673629] which lock already depends on the new lock.
[ 83.673630]
[ 83.673631]
[ 83.673632] the existing dependency chain (in reverse order) is:
[ 83.673633]
[ 83.673634] -> #5 (&obj_hash[i].lock){-.-.}:
[ 83.673638] _raw_spin_lock_irqsave+0x8c/0xbf
[ 83.673639] debug_object_activate+0x10b/0x450
[ 83.673640] enqueue_hrtimer+0x22/0x3b0
[ 83.673642] hrtimer_start_range_ns+0x4e6/0x1060
[ 83.673643] schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 83.673644] wait_task_inactive+0x478/0x530
[ 83.673645] __kthread_bind_mask+0x1f/0xb0
[ 83.673646] create_worker+0x313/0x530
[ 83.673648] workqueue_init+0x55f/0x66e
[ 83.673649] kernel_init_freeable+0x2ab/0x526
[ 83.673650] kernel_init+0xd/0x15b
[ 83.673651] ret_from_fork+0x24/0x30
[ 83.673652]
[ 83.673652] -> #4 (hrtimer_bases.lock){-.-.}:
[ 83.673656] _raw_spin_lock_irqsave+0x8c/0xbf
[ 83.673658] lock_hrtimer_base.isra.0+0x6d/0x120
[ 83.673659] hrtimer_start_range_ns+0x7b/0x1060
[ 83.673660] enqueue_task_rt+0x94d/0xdb0
[ 83.673662] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 83.673663] _sched_setscheduler+0xf9/0x150
[ 83.673664] watchdog_enable+0xff/0x150
[ 83.673665] smpboot_thread_fn+0x40d/0x920
[ 83.673666] kthread+0x30d/0x420
[ 83.673667] ret_from_fork+0x24/0x30
[ 83.673668]
[ 83.673669] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 83.673673] _raw_spin_lock+0x2a/0x40
[ 83.673674] enqueue_task_rt+0x508/0xdb0
[ 83.673675] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 83.673677] _sched_setscheduler+0xf9/0x150
[ 83.673678] watchdog_enable+0xff/0x150
[ 83.673679] smpboot_thread_fn+0x40d/0x920
[ 83.673680] kthread+0x30d/0x420
[ 83.673681] ret_from_fork+0x24/0x30
[ 83.673682]
[ 83.673683] -> #2 (&rq->lock){-.-.}:
[ 83.673687] _raw_spin_lock+0x2a/0x40
[ 83.673688] task_fork_fair+0x63/0x5b0
[ 83.673689] sched_fork+0x39a/0xbd0
[ 83.673690] copy_process.part.0+0x15b7/0x6a70
[ 83.673691] _do_fork+0x180/0xc80
[ 83.673692] kernel_thread+0x2f/0x40
[ 83.673693] rest_init+0x1f/0x1d2
[ 83.673694] start_kernel+0x659/0x676
[ 83.673695] secondary_startup_64+0xa5/0xb0
[ 83.673696]
[ 83.673697] -> #1 (&p->pi_lock){-.-.}:
[ 83.673701] _raw_spin_lock_irqsave+0x8c/0xbf
[ 83.673702] try_to_wake_up+0x6a/0xef0
[ 83.673703] up+0x92/0xe0
[ 83.673704] __up_console_sem+0xa9/0x1b0
[ 83.673705] console_unlock+0x596/0xec0
[ 83.673706] vprintk_emit+0x1f8/0x600
[ 83.673708] vprintk_func+0x58/0x152
[ 83.673709] printk+0x9e/0xbc
[ 83.673710] kauditd_hold_skb.cold+0x3e/0x4d
[ 83.673711] kauditd_send_queue+0xfb/0x140
[ 83.673712] kauditd_thread+0x625/0x840
[ 83.673713] kthread+0x30d/0x420
[ 83.673714] ret_from_fork+0x24/0x30
[ 83.673715]
[ 83.673716] -> #0 ((console_sem).lock){-...}:
[ 83.673720] lock_acquire+0x170/0x3f0
[ 83.673721] _raw_spin_lock_irqsave+0x8c/0xbf
[ 83.673722] down_trylock+0xe/0x60
[ 83.673723] __down_trylock_console_sem+0x97/0x1f0
[ 83.673724] console_trylock+0x14/0x70
[ 83.673726] vprintk_emit+0x1ea/0x600
[ 83.673727] vprintk_func+0x58/0x152
[ 83.673728] printk+0x9e/0xbc
[ 83.673729] debug_print_object.cold+0xa7/0xdb
[ 83.673730] debug_object_activate+0x307/0x450
[ 83.673732] __call_rcu.constprop.0+0x31/0x7e0
[ 83.673733] route4_change+0xb27/0x1c4d
[ 83.673734] tc_ctl_tfilter+0xf13/0x18e6
[ 83.673735] rtnetlink_rcv_msg+0x3be/0xb10
[ 83.673736] netlink_rcv_skb+0x127/0x370
[ 83.673737] netlink_unicast+0x437/0x620
[ 83.673738] netlink_sendmsg+0x733/0xbe0
[ 83.673740] sock_sendmsg+0xc5/0x100
[ 83.673741] ___sys_sendmsg+0x70a/0x840
[ 83.673742] __sys_sendmsg+0xa3/0x120
[ 83.673743] SyS_sendmsg+0x27/0x40
[ 83.673744] do_syscall_64+0x1d5/0x640
[ 83.673745] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 83.673746]
[ 83.673747] other info that might help us debug this:
[ 83.673748]
[ 83.673749] Chain exists of:
[ 83.673749]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 83.673755]
[ 83.673756] Possible unsafe locking scenario:
[ 83.673757]
[ 83.673758]        CPU0                    CPU1
[ 83.673759]        ----                    ----
[ 83.673760]   lock(&obj_hash[i].lock);
[ 83.673762]                                lock(hrtimer_bases.lock);
[ 83.673765]                                lock(&obj_hash[i].lock);
[ 83.673767]   lock((console_sem).lock);
[ 83.673770]
[ 83.673771] *** DEADLOCK ***
[ 83.673771]
[ 83.673773] 2 locks held by syz-executor044/7598:
[ 83.673773] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 83.673777] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 83.673782]
[ 83.673783] stack backtrace:
[ 83.673785] CPU: 1 PID: 7598 Comm: syz-executor044 Not tainted 4.14.174-syzkaller #0
[ 83.673787] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 83.673788] Call Trace:
[ 83.673789] dump_stack+0x13e/0x194
[ 83.673790] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 83.673791] __lock_acquire+0x2cb3/0x4620
[ 83.673792] ? string+0x17e/0x1d0
[ 83.673794] ? trace_hardirqs_on+0x10/0x10
[ 83.673795] ? netdev_bits+0xa0/0xa0
[ 83.673796] ? kvm_clock_read+0x1f/0x30
[ 83.673797] ? kvm_sched_clock_read+0x5/0x10
[ 83.673798] lock_acquire+0x170/0x3f0
[ 83.673799] ? down_trylock+0xe/0x60
[ 83.673801] _raw_spin_lock_irqsave+0x8c/0xbf
[ 83.673802] ? down_trylock+0xe/0x60
[ 83.673803] down_trylock+0xe/0x60
[ 83.673804] ? vprintk_emit+0x1ea/0x600
[ 83.673805] __down_trylock_console_sem+0x97/0x1f0
[ 83.673806] console_trylock+0x14/0x70
[ 83.673807] vprintk_emit+0x1ea/0x600
[ 83.673808] vprintk_func+0x58/0x152
[ 83.673809] printk+0x9e/0xbc
[ 83.673810] ? show_regs_print_info+0x5b/0x5b
[ 83.673812] ? lock_acquire+0x170/0x3f0
[ 83.673813] ? debug_object_activate+0x10b/0x450
[ 83.673814] debug_print_object.cold+0xa7/0xdb
[ 83.673815] debug_object_activate+0x307/0x450
[ 83.673816] ? debug_object_free+0x390/0x390
[ 83.673817] ? find_held_lock+0x2d/0x110
[ 83.673819] ? route4_walk+0x450/0x450
[ 83.673820] __call_rcu.constprop.0+0x31/0x7e0
[ 83.673821] route4_change+0xb27/0x1c4d
[ 83.673822] ? route4_delete+0x760/0x760
[ 83.673823] ? route4_delete+0x760/0x760
[ 83.673824] tc_ctl_tfilter+0xf13/0x18e6
[ 83.673825] ? tfilter_notify+0x240/0x240
[ 83.673827] ? mutex_trylock+0x1a0/0x1a0
[ 83.673828] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 83.673829] ? tfilter_notify+0x240/0x240
[ 83.673830] rtnetlink_rcv_msg+0x3be/0xb10
[ 83.673831] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 83.673832] ? save_trace+0x290/0x290
[ 83.673833] ? save_trace+0x290/0x290
[ 83.673834] netlink_rcv_skb+0x127/0x370
[ 83.673836] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 83.673837] ? netlink_ack+0x980/0x980
[ 83.673838] netlink_unicast+0x437/0x620
[ 83.673839] ? netlink_attachskb+0x600/0x600
[ 83.673840] netlink_sendmsg+0x733/0xbe0
[ 83.673841] ? netlink_unicast+0x620/0x620
[ 83.673842] ? SYSC_sendto+0x2b0/0x2b0
[ 83.673844] ? security_socket_sendmsg+0x83/0xb0
[ 83.673845] ? netlink_unicast+0x620/0x620
[ 83.673846] sock_sendmsg+0xc5/0x100
[ 83.673847] ___sys_sendmsg+0x70a/0x840
[ 83.673848] ? trace_hardirqs_on+0x10/0x10
[ 83.673849] ? copy_msghdr_from_user+0x380/0x380
[ 83.673850] ? find_held_lock+0x2d/0x110
[ 83.673852] ? lock_downgrade+0x6e0/0x6e0
[ 83.673853] ? __fget+0x228/0x360
[ 83.673854] ? __fget_light+0x199/0x1f0
[ 83.673855] ? sockfd_lookup_light+0xb2/0x160
[ 83.673856] __sys_sendmsg+0xa3/0x120
[ 83.673857] ? SyS_shutdown+0x160/0x160
[ 83.673858] ? move_addr_to_kernel+0x60/0x60
[ 83.673859] SyS_sendmsg+0x27/0x40
[ 83.673861] ? __sys_sendmsg+0x120/0x120
[ 83.673862] do_syscall_64+0x1d5/0x640
[ 83.673863] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 83.673864] RIP: 0033:0x4473d9
[ 83.673865] RSP: 002b:00007f81f752bd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 83.673868] RAX: ffffffffffffffda RBX: 00000000006ddc78 RCX: 00000000004473d9
[ 83.673870] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
[ 83.673871] RBP: 00000000006ddc70 R08: 0000000000000000 R09: 0000000000000000
[ 83.673873] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc7c
[ 83.673875] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 83.675052] Kernel Offset: disabled
[ 84.555210] Rebooting in 86400 seconds..