[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 36.141187] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.342154] kauditd_printk_skb: 10 callbacks suppressed
[ 37.342162] audit: type=1400 audit(1566879052.279:35): avc: denied { map } for pid=6891 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.397610] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.038562] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.218419] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.230' (ECDSA) to the list of known hosts.
[ 43.839317] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 43.964447] audit: type=1400 audit(1566879058.899:36): avc: denied { map } for pid=6903 comm="syz-executor783" path="/root/syz-executor783333664" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 48.975080] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x60
[ 48.993632] ------------[ cut here ]------------
[ 49.007168] WARNING: CPU: 1 PID: 6906 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 49.016502] Kernel panic - not syncing: panic_on_warn set ...
[ 49.016502]
[ 49.024440] CPU: 1 PID: 6906 Comm: syz-executor783 Not tainted 4.14.140 #36
[ 49.031974] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.043057] Call Trace:
[ 49.046090]  dump_stack+0x138/0x197
[ 49.050918]  panic+0x1f2/0x426
[ 49.054406]  ? add_taint.cold+0x16/0x16
[ 49.058554]  ? debug_print_object.cold+0xa7/0xdb
[ 49.063619]  ? debug_print_object.cold+0xa7/0xdb
[ 49.068380]  __warn.cold+0x2f/0x36
[ 49.072074]  ? ist_end_non_atomic+0x10/0x10
[ 49.076938]  ? debug_print_object.cold+0xa7/0xdb
[ 49.082061]  report_bug+0x216/0x254
[ 49.086032]  do_error_trap+0x1bb/0x310
[ 49.089908]  ? math_error+0x360/0x360
[ 49.093977]  ? vprintk_emit+0x171/0x600
[ 49.098113]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.103622]  do_invalid_op+0x1b/0x20
[ 49.107514]  invalid_op+0x1b/0x40
[ 49.110960] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 49.116880] RSP: 0018:ffff8880a4827aa8 EFLAGS: 00010086
[ 49.122642] RAX: 000000000000005e RBX: 0000000000000003 RCX: 0000000000000000
[ 49.130696] RDX: 0000000000000000 RSI: ffffffff866d0ee0 RDI: ffffed1014904f4b
[ 49.138799] RBP: ffff8880a4827ad0 R08: 000000000000005e R09: 0000000000000000
[ 49.146339] R10: 0000000000000000 R11: ffff88809e0f0700 R12: ffffffff866cc0e0
[ 49.154748] R13: ffffffff858291f0 R14: 0000000000000000 R15: ffff88809b52c7e8
[ 49.162360]  ? rfcomm_session_add+0x340/0x340
[ 49.167126]  ? debug_print_object.cold+0xa7/0xdb
[ 49.172186]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 49.177379]  ? free_obj_work+0x6d0/0x6d0
[ 49.181718]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 49.187435]  kfree+0xbd/0x270
[ 49.190533]  rfcomm_dlc_free+0x20/0x30
[ 49.194747]  rfcomm_dev_ioctl+0x1590/0x18b0
[ 49.199782]  ? mark_held_locks+0xb1/0x100
[ 49.204370]  ? __local_bh_enable_ip+0x99/0x1a0
[ 49.208955]  ? rfcomm_dev_state_change+0x130/0x130
[ 49.214558]  ? __local_bh_enable_ip+0x99/0x1a0
[ 49.219316]  rfcomm_sock_ioctl+0x82/0xa0
[ 49.223390]  sock_do_ioctl+0x64/0xb0
[ 49.227985]  sock_ioctl+0x2a6/0x470
[ 49.231786]  ? dlci_ioctl_set+0x40/0x40
[ 49.235979]  do_vfs_ioctl+0x7ae/0x1060
[ 49.240121]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 49.244890]  ? ioctl_preallocate+0x1c0/0x1c0
[ 49.249838]  ? fd_install+0x4d/0x60
[ 49.253549]  ? security_file_ioctl+0x7d/0xb0
[ 49.258523]  ? security_file_ioctl+0x89/0xb0
[ 49.263014]  SyS_ioctl+0x8f/0xc0
[ 49.266597]  ? do_vfs_ioctl+0x1060/0x1060
[ 49.271217]  do_syscall_64+0x1e8/0x640
[ 49.275232]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.280605]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.286189] RIP: 0033:0x441229
[ 49.289893] RSP: 002b:00007ffe3cb3bed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 49.298318] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 49.306280] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 49.314229] RBP: 000000000000bf49 R08: 00000000004002c8 R09: 00000000004002c8
[ 49.322447] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 49.332199] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 49.339943]
[ 49.339946] ======================================================
[ 49.339948] WARNING: possible circular locking dependency detected
[ 49.339949] 4.14.140 #36 Not tainted
[ 49.339952] ------------------------------------------------------
[ 49.339953] syz-executor783/6906 is trying to acquire lock:
[ 49.339954]  ((console_sem).lock){-...}, at: [] down_trylock+0x13/0x70
[ 49.339959]
[ 49.339960] but task is already holding lock:
[ 49.339961]  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 49.339965]
[ 49.339967] which lock already depends on the new lock.
[ 49.339967]
[ 49.339968]
[ 49.339969] the existing dependency chain (in reverse order) is:
[ 49.339970]
[ 49.339971] -> #3 (&obj_hash[i].lock){-.-.}:
[ 49.339975]        lock_acquire+0x16f/0x430
[ 49.339976]        _raw_spin_lock_irqsave+0x95/0xcd
[ 49.339978]        __debug_object_init+0xa9/0x8e0
[ 49.339980]        debug_object_init+0x16/0x20
[ 49.339981]        hrtimer_init+0x2a/0x2e0
[ 49.339983]        init_dl_task_timer+0x1b/0x50
[ 49.339984]        __sched_fork+0x222/0xab0
[ 49.339985]        init_idle+0x75/0x800
[ 49.339986]        sched_init+0xaa1/0xbb3
[ 49.339988]        start_kernel+0x339/0x6fd
[ 49.339989]        x86_64_start_reservations+0x29/0x2b
[ 49.339990]        x86_64_start_kernel+0x77/0x7b
[ 49.339991]        secondary_startup_64+0xa5/0xb0
[ 49.339992]
[ 49.339993] -> #2 (&rq->lock){-.-.}:
[ 49.339997]        lock_acquire+0x16f/0x430
[ 49.339998]        _raw_spin_lock+0x2f/0x40
[ 49.339999]        task_fork_fair+0x63/0x5b0
[ 49.340000]        sched_fork+0x3a6/0xc10
[ 49.340001]        copy_process.part.0+0x15b7/0x6a00
[ 49.340003]        _do_fork+0x19e/0xce0
[ 49.340004]        kernel_thread+0x34/0x40
[ 49.340005]        rest_init+0x24/0x1e2
[ 49.340006]        start_kernel+0x6df/0x6fd
[ 49.340008]        x86_64_start_reservations+0x29/0x2b
[ 49.340009]        x86_64_start_kernel+0x77/0x7b
[ 49.340011]        secondary_startup_64+0xa5/0xb0
[ 49.340012]
[ 49.340012] -> #1 (&p->pi_lock){-.-.}:
[ 49.340016]        lock_acquire+0x16f/0x430
[ 49.340018]        _raw_spin_lock_irqsave+0x95/0xcd
[ 49.340019]        try_to_wake_up+0x79/0xf90
[ 49.340021]        wake_up_process+0x10/0x20
[ 49.340022]        __up.isra.0+0x136/0x1a0
[ 49.340023]        up+0x9c/0xe0
[ 49.340024]        __up_console_sem+0xad/0x1b0
[ 49.340026]        console_unlock+0x59d/0xed0
[ 49.340027]        do_con_write.part.0+0xbf1/0x1b50
[ 49.340028]        con_write+0x38/0xc0
[ 49.340029]        n_tty_write+0x38b/0xee0
[ 49.340030]        tty_write+0x3f6/0x700
[ 49.340031]        __vfs_write+0x105/0x6b0
[ 49.340033]        vfs_write+0x198/0x500
[ 49.340034]        SyS_write+0xfd/0x230
[ 49.340035]        do_syscall_64+0x1e8/0x640
[ 49.340036]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.340037]
[ 49.340038] -> #0 ((console_sem).lock){-...}:
[ 49.340042]        __lock_acquire+0x2cb3/0x4620
[ 49.340043]        lock_acquire+0x16f/0x430
[ 49.340045]        _raw_spin_lock_irqsave+0x95/0xcd
[ 49.340046]        down_trylock+0x13/0x70
[ 49.340047]        __down_trylock_console_sem+0x9c/0x200
[ 49.340048]        console_trylock+0x17/0x80
[ 49.340049]        vprintk_emit+0x1eb/0x600
[ 49.340050]        vprintk_default+0x28/0x30
[ 49.340052]        vprintk_func+0x5d/0x159
[ 49.340053]        printk+0x9e/0xbc
[ 49.340054]        debug_print_object.cold+0xa7/0xdb
[ 49.340055]        debug_check_no_obj_freed+0x3f5/0x7b7
[ 49.340056]        kfree+0xbd/0x270
[ 49.340058]        rfcomm_dlc_free+0x20/0x30
[ 49.340059]        rfcomm_dev_ioctl+0x1590/0x18b0
[ 49.340060]        rfcomm_sock_ioctl+0x82/0xa0
[ 49.340061]        sock_do_ioctl+0x64/0xb0
[ 49.340062]        sock_ioctl+0x2a6/0x470
[ 49.340064]        do_vfs_ioctl+0x7ae/0x1060
[ 49.340065]        SyS_ioctl+0x8f/0xc0
[ 49.340066]        do_syscall_64+0x1e8/0x640
[ 49.340068]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.340068]
[ 49.340075] other info that might help us debug this:
[ 49.340076]
[ 49.340076] Chain exists of:
[ 49.340077]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[ 49.340082]
[ 49.340084]  Possible unsafe locking scenario:
[ 49.340084]
[ 49.340086]        CPU0                    CPU1
[ 49.340087]        ----                    ----
[ 49.340088]   lock(&obj_hash[i].lock);
[ 49.340090]                                lock(&rq->lock);
[ 49.340093]                                lock(&obj_hash[i].lock);
[ 49.340096]   lock((console_sem).lock);
[ 49.340098]
[ 49.340099]  *** DEADLOCK ***
[ 49.340099]
[ 49.340101] 3 locks held by syz-executor783/6906:
[ 49.340101]  #0:  (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: [] rfcomm_sock_ioctl+0x74/0xa0
[ 49.340106]  #1:  (rfcomm_ioctl_mutex){+.+.}, at: [] rfcomm_dev_ioctl+0x442/0x18b0
[ 49.340110]  #2:  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 49.340115]
[ 49.340116] stack backtrace:
[ 49.340118] CPU: 1 PID: 6906 Comm: syz-executor783 Not tainted 4.14.140 #36
[ 49.340120] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.340121] Call Trace:
[ 49.340122]  dump_stack+0x138/0x197
[ 49.340123]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 49.340124]  __lock_acquire+0x2cb3/0x4620
[ 49.340126]  ? add_lock_to_list.isra.0+0x17c/0x330
[ 49.340127]  ? trace_hardirqs_on+0x10/0x10
[ 49.340128]  ? netdev_bits+0xb0/0xb0
[ 49.340129]  ? save_trace+0x290/0x290
[ 49.340130]  ? kvm_clock_read+0x23/0x40
[ 49.340132]  ? kvm_sched_clock_read+0x9/0x20
[ 49.340133]  lock_acquire+0x16f/0x430
[ 49.340134]  ? down_trylock+0x13/0x70
[ 49.340135]  ? vprintk_emit+0x109/0x600
[ 49.340136]  _raw_spin_lock_irqsave+0x95/0xcd
[ 49.340138]  ? down_trylock+0x13/0x70
[ 49.340139]  ? vprintk_emit+0x1eb/0x600
[ 49.340140]  down_trylock+0x13/0x70
[ 49.340141]  ? vprintk_emit+0x1eb/0x600
[ 49.340142]  __down_trylock_console_sem+0x9c/0x200
[ 49.340143]  console_trylock+0x17/0x80
[ 49.340144]  vprintk_emit+0x1eb/0x600
[ 49.340146]  vprintk_default+0x28/0x30
[ 49.340147]  vprintk_func+0x5d/0x159
[ 49.340148]  ? rfcomm_session_add+0x340/0x340
[ 49.340149]  printk+0x9e/0xbc
[ 49.340150]  ? show_regs_print_info+0x63/0x63
[ 49.340151]  ? lock_acquire+0x16f/0x430
[ 49.340153]  ? debug_check_no_obj_freed+0x12d/0x7b7
[ 49.340154]  ? rfcomm_session_add+0x340/0x340
[ 49.340155]  debug_print_object.cold+0xa7/0xdb
[ 49.340156]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 49.340158]  ? free_obj_work+0x6d0/0x6d0
[ 49.340159]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 49.340160]  kfree+0xbd/0x270
[ 49.340161]  rfcomm_dlc_free+0x20/0x30
[ 49.340162]  rfcomm_dev_ioctl+0x1590/0x18b0
[ 49.340164]  ? mark_held_locks+0xb1/0x100
[ 49.340165]  ? __local_bh_enable_ip+0x99/0x1a0
[ 49.340166]  ? rfcomm_dev_state_change+0x130/0x130
[ 49.340167]  ? __local_bh_enable_ip+0x99/0x1a0
[ 49.340169]  rfcomm_sock_ioctl+0x82/0xa0
[ 49.340170]  sock_do_ioctl+0x64/0xb0
[ 49.340171]  sock_ioctl+0x2a6/0x470
[ 49.340172]  ? dlci_ioctl_set+0x40/0x40
[ 49.340173]  do_vfs_ioctl+0x7ae/0x1060
[ 49.340174]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 49.340176]  ? ioctl_preallocate+0x1c0/0x1c0
[ 49.340177]  ? fd_install+0x4d/0x60
[ 49.340178]  ? security_file_ioctl+0x7d/0xb0
[ 49.340179]  ? security_file_ioctl+0x89/0xb0
[ 49.340180]  SyS_ioctl+0x8f/0xc0
[ 49.340181]  ? do_vfs_ioctl+0x1060/0x1060
[ 49.340182]  do_syscall_64+0x1e8/0x640
[ 49.340184]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.340185]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.340186] RIP: 0033:0x441229
[ 49.340187] RSP: 002b:00007ffe3cb3bed8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 49.340190] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 49.340192] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 49.340194] RBP: 000000000000bf49 R08: 00000000004002c8 R09: 00000000004002c8
[ 49.340196] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 49.340198] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 49.341707] Kernel Offset: disabled
[ 50.185746] Rebooting in 86400 seconds..