Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
executing program
[ 51.596184] audit: type=1400 audit(1578537634.339:36): avc: denied { map } for pid=7748 comm="syz-executor082" path="/root/syz-executor082066101" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 56.606870] ------------[ cut here ]------------
[ 56.612755] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 56.622864] WARNING: CPU: 1 PID: 7751 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 56.631639] Kernel panic - not syncing: panic_on_warn set ...
[ 56.631639]
[ 56.638988] CPU: 1 PID: 7751 Comm: syz-executor082 Not tainted 4.19.93-syzkaller #0
[ 56.646763] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.656096] Call Trace:
[ 56.658673] dump_stack+0x197/0x210
[ 56.662334] panic+0x26a/0x50e
[ 56.665508] ? __warn_printk+0xf3/0xf3
[ 56.669379] ? debug_print_object+0x168/0x250
[ 56.673866] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.679568] ? __warn.cold+0x5/0x53
[ 56.683180] ? __warn+0xe8/0x1d0
[ 56.686532] ? debug_print_object+0x168/0x250
[ 56.691022] __warn.cold+0x20/0x53
[ 56.694612] ? trace_hardirqs_off+0x62/0x220
[ 56.699088] ? debug_print_object+0x168/0x250
[ 56.703581] report_bug+0x263/0x2b0
[ 56.707217] do_error_trap+0x204/0x360
[ 56.711145] ? math_error+0x340/0x340
[ 56.714934] ? wake_up_klogd+0x99/0xd0
[ 56.718837] ? vprintk_emit+0x1ce/0x6d0
[ 56.722801] ? error_entry+0x7c/0xe0
[ 56.726593] ? trace_hardirqs_off_caller+0x65/0x220
[ 56.731596] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 56.736425] do_invalid_op+0x1b/0x20
[ 56.740127] invalid_op+0x14/0x20
[ 56.743569] RIP: 0010:debug_print_object+0x168/0x250
[ 56.748664] Code: dd 60 4c eb 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd 60 4c eb 87 48 c7 c7 a0 41 eb 87 e8 06 9a d4 fd <0f> 0b 83 05 4b 0f 64 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 56.767561] RSP: 0018:ffff8880947a78b8 EFLAGS: 00010082
[ 56.772920] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 56.780194] RDX: 0000000000000000 RSI: ffffffff8155bad6 RDI: ffffed10128f4f09
[ 56.787460] RBP: ffff8880947a78f8 R08: ffff888093fa22c0 R09: ffffed1015d23ee3
[ 56.794728] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
[ 56.801993] R13: ffffffff88fa4160 R14: ffffffff815b3090 R15: ffff88809abd93a8
[ 56.809258] ? __internal_add_timer+0x1f0/0x1f0
[ 56.813929] ? vprintk_func+0x86/0x189
[ 56.817803] ? debug_print_object+0x168/0x250
[ 56.822284] debug_check_no_obj_freed+0x29f/0x464
[ 56.827112] kfree+0xbd/0x220
[ 56.830206] rfcomm_dlc_free+0x20/0x30
[ 56.834100] rfcomm_dev_ioctl+0x1988/0x1c90
[ 56.838414] ? mark_held_locks+0xb1/0x100
[ 56.842553] ? lock_sock_nested+0xe2/0x120
[ 56.846788] ? rfcomm_tty_install+0x1a0/0x1a0
[ 56.851278] ? lock_sock_nested+0x9a/0x120
[ 56.855502] ? trace_hardirqs_on+0x67/0x220
[ 56.859809] ? __local_bh_enable_ip+0x15a/0x270
[ 56.864476] rfcomm_sock_ioctl+0x90/0xb0
[ 56.868522] sock_do_ioctl+0xd8/0x2f0
[ 56.872307] ? compat_ifr_data_ioctl+0x160/0x160
[ 56.877051] ? __lock_acquire+0x6ee/0x49c0
[ 56.881286] ? rcu_read_lock_sched_held+0x110/0x130
[ 56.886295] ? kmem_cache_alloc+0x32a/0x700
[ 56.890605] sock_ioctl+0x325/0x610
[ 56.894219] ? dlci_ioctl_set+0x40/0x40
[ 56.898179] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.903719] ? __might_sleep+0x95/0x190
[ 56.907690] ? find_held_lock+0x35/0x130
[ 56.911748] ? dlci_ioctl_set+0x40/0x40
[ 56.915723] do_vfs_ioctl+0xd5f/0x1380
[ 56.919605] ? selinux_file_ioctl+0x46f/0x5e0
[ 56.924130] ? selinux_file_ioctl+0x125/0x5e0
[ 56.928622] ? ioctl_preallocate+0x210/0x210
[ 56.933037] ? selinux_file_mprotect+0x620/0x620
[ 56.937793] ? __sanitizer_cov_trace_cmp8+0x1b/0x20
[ 56.942823] ? __fd_install+0x200/0x640
[ 56.946799] ? fd_install+0x4d/0x60
[ 56.950415] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.955946] ? security_file_ioctl+0x8d/0xc0
[ 56.960348] ksys_ioctl+0xab/0xd0
[ 56.963798] __x64_sys_ioctl+0x73/0xb0
[ 56.967676] do_syscall_64+0xfd/0x620
[ 56.971467] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.976642] RIP: 0033:0x4412b9
[ 56.979824] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 56.998714] RSP: 002b:00007ffcd6f6a3d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 57.006410] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 57.013664] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 57.020918] RBP: 000000000000dceb R08: 00000000004002c8 R09: 00000000004002c8
[ 57.028183] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 57.035456] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 57.042716]
[ 57.042720] ======================================================
[ 57.042723] WARNING: possible circular locking dependency detected
[ 57.042725] 4.19.93-syzkaller #0 Not tainted
[ 57.042729] ------------------------------------------------------
[ 57.042732] syz-executor082/7751 is trying to acquire lock:
[ 57.042734] 00000000d204fc00 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 57.042743]
[ 57.042745] but task is already holding lock:
[ 57.042747] 00000000bb815e09 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 57.042756]
[ 57.042758] which lock already depends on the new lock.
[ 57.042760]
[ 57.042761]
[ 57.042764] the existing dependency chain (in reverse order) is:
[ 57.042766]
[ 57.042767] -> #5 (&obj_hash[i].lock){-.-.}:
[ 57.042775] _raw_spin_lock_irqsave+0x95/0xcd
[ 57.042778] debug_object_activate+0x131/0x4e0
[ 57.042780] enqueue_hrtimer+0x2a/0x3f0
[ 57.042783] hrtimer_start_range_ns+0x5fb/0xc70
[ 57.042786] schedule_hrtimeout_range_clock+0x1a0/0x380
[ 57.042788] schedule_hrtimeout+0x25/0x30
[ 57.042791] wait_task_inactive+0x4a2/0x630
[ 57.042794] __kthread_bind_mask+0x24/0xb0
[ 57.042796] kthread_bind_mask+0x23/0x30
[ 57.042799] init_rescuer.part.0+0xfc/0x190
[ 57.042801] workqueue_init+0x51a/0x808
[ 57.042804] kernel_init_freeable+0x2c0/0x5c8
[ 57.042806] kernel_init+0x12/0x1c3
[ 57.042808] ret_from_fork+0x24/0x30
[ 57.042809]
[ 57.042811] -> #4 (hrtimer_bases.lock){-.-.}:
[ 57.042819] _raw_spin_lock_irqsave+0x95/0xcd
[ 57.042822] lock_hrtimer_base.isra.0+0x75/0x130
[ 57.042824] hrtimer_start_range_ns+0xff/0xc70
[ 57.042827] enqueue_task_rt+0x998/0xe70
[ 57.042830] __sched_setscheduler.constprop.0+0xd1a/0x22f0
[ 57.042832] _sched_setscheduler+0x105/0x1a0
[ 57.042835] sched_setscheduler+0xe/0x10
[ 57.042837] watchdog_dev_init+0xe0/0x1b2
[ 57.042840] watchdog_init+0x17/0x181
[ 57.042842] do_one_initcall+0x107/0x78c
[ 57.042845] kernel_init_freeable+0x4d4/0x5c8
[ 57.042847] kernel_init+0x12/0x1c3
[ 57.042849] ret_from_fork+0x24/0x30
[ 57.042850]
[ 57.042852] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 57.042860] _raw_spin_lock+0x2f/0x40
[ 57.042862] rq_online_rt+0xb4/0x390
[ 57.042865] set_rq_online.part.0+0xe4/0x140
[ 57.042867] sched_cpu_activate+0x17f/0x270
[ 57.042870] cpuhp_invoke_callback+0x201/0x1af0
[ 57.042873] cpuhp_thread_fun+0x453/0x850
[ 57.042875] smpboot_thread_fn+0x6a3/0xa30
[ 57.042877] kthread+0x354/0x420
[ 57.042879] ret_from_fork+0x24/0x30
[ 57.042881]
[ 57.042882] -> #2 (&rq->lock){-.-.}:
[ 57.042890] _raw_spin_lock+0x2f/0x40
[ 57.042892] task_fork_fair+0x6a/0x520
[ 57.042894] sched_fork+0x3af/0x900
[ 57.042897] copy_process.part.0+0x1859/0x7a30
[ 57.042899] _do_fork+0x257/0xfd0
[ 57.042902] kernel_thread+0x34/0x40
[ 57.042904] rest_init+0x24/0x222
[ 57.042906] start_kernel+0x88c/0x8c5
[ 57.042909] x86_64_start_reservations+0x29/0x2b
[ 57.042912] x86_64_start_kernel+0x77/0x7b
[ 57.042914] secondary_startup_64+0xa4/0xb0
[ 57.042916]
[ 57.042917] -> #1 (&p->pi_lock){-.-.}:
[ 57.042925] _raw_spin_lock_irqsave+0x95/0xcd
[ 57.042927] try_to_wake_up+0x94/0xf50
[ 57.042930] wake_up_process+0x10/0x20
[ 57.042932] __up.isra.0+0x136/0x1a0
[ 57.042934] up+0x9c/0xe0
[ 57.042937] __up_console_sem+0xb7/0x1c0
[ 57.042939] console_unlock+0x6c7/0x10d0
[ 57.042941] vprintk_emit+0x280/0x6d0
[ 57.042944] vprintk_default+0x28/0x30
[ 57.042946] vprintk_func+0x7e/0x189
[ 57.042948] printk+0xba/0xed
[ 57.042951] kauditd_hold_skb.cold+0x3f/0x4e
[ 57.042953] kauditd_send_queue+0x12d/0x170
[ 57.042956] kauditd_thread+0x71c/0xa50
[ 57.042958] kthread+0x354/0x420
[ 57.042960] ret_from_fork+0x24/0x30
[ 57.042962]
[ 57.042963] -> #0 ((console_sem).lock){-...}:
[ 57.042971] lock_acquire+0x16f/0x3f0
[ 57.042974] _raw_spin_lock_irqsave+0x95/0xcd
[ 57.042976] down_trylock+0x13/0x70
[ 57.042979] __down_trylock_console_sem+0xa8/0x210
[ 57.042981] console_trylock+0x15/0xa0
[ 57.042983] vprintk_emit+0x267/0x6d0
[ 57.042986] vprintk_default+0x28/0x30
[ 57.042988] vprintk_func+0x7e/0x189
[ 57.042990] printk+0xba/0xed
[ 57.042992] __warn_printk+0x9b/0xf3
[ 57.042995] debug_print_object+0x168/0x250
[ 57.042998] debug_check_no_obj_freed+0x29f/0x464
[ 57.043000] kfree+0xbd/0x220
[ 57.043002] rfcomm_dlc_free+0x20/0x30
[ 57.043005] rfcomm_dev_ioctl+0x1988/0x1c90
[ 57.043007] rfcomm_sock_ioctl+0x90/0xb0
[ 57.043009] sock_do_ioctl+0xd8/0x2f0
[ 57.043011] sock_ioctl+0x325/0x610
[ 57.043014] do_vfs_ioctl+0xd5f/0x1380
[ 57.043016] ksys_ioctl+0xab/0xd0
[ 57.043018] __x64_sys_ioctl+0x73/0xb0
[ 57.043021] do_syscall_64+0xfd/0x620
[ 57.043024] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.043025]
[ 57.043028] other info that might help us debug this:
[ 57.043029]
[ 57.043031] Chain exists of:
[ 57.043032] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 57.043042]
[ 57.043045] Possible unsafe locking scenario:
[ 57.043046]
[ 57.043049] CPU0 CPU1
[ 57.043051] ---- ----
[ 57.043052] lock(&obj_hash[i].lock);
[ 57.043058] lock(hrtimer_bases.lock);
[ 57.043064] lock(&obj_hash[i].lock);
[ 57.043068] lock((console_sem).lock);
[ 57.043073]
[ 57.043074] *** DEADLOCK ***
[ 57.043076]
[ 57.043078] 3 locks held by syz-executor082/7751:
[ 57.043080] #0: 0000000069eb0978 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 57.043090] #1: 000000000b072ec4 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x923/0x1c90
[ 57.043100] #2: 00000000bb815e09 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 57.043110]
[ 57.043112] stack backtrace:
[ 57.043116] CPU: 1 PID: 7751 Comm: syz-executor082 Not tainted 4.19.93-syzkaller #0
[ 57.043120] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.043122] Call Trace:
[ 57.043125] dump_stack+0x197/0x210
[ 57.043128] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 57.043130] __lock_acquire+0x2e19/0x49c0
[ 57.043132] ? mark_held_locks+0x100/0x100
[ 57.043135] ? kvm_clock_read+0x18/0x30
[ 57.043137] ? kvm_sched_clock_read+0x9/0x20
[ 57.043140] lock_acquire+0x16f/0x3f0
[ 57.043142] ? down_trylock+0x13/0x70
[ 57.043144] _raw_spin_lock_irqsave+0x95/0xcd
[ 57.043147] ? down_trylock+0x13/0x70
[ 57.043149] ? vprintk_emit+0x267/0x6d0
[ 57.043151] down_trylock+0x13/0x70
[ 57.043153] ? vprintk_emit+0x267/0x6d0
[ 57.043156] __down_trylock_console_sem+0xa8/0x210
[ 57.043158] console_trylock+0x15/0xa0
[ 57.043161] vprintk_emit+0x267/0x6d0
[ 57.043163] ? __internal_add_timer+0x1f0/0x1f0
[ 57.043166] vprintk_default+0x28/0x30
[ 57.043168] vprintk_func+0x7e/0x189
[ 57.043170] printk+0xba/0xed
[ 57.043172] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 57.043175] ? __warn_printk+0x8f/0xf3
[ 57.043177] ? rfcomm_dlc_link+0x170/0x170
[ 57.043179] __warn_printk+0x9b/0xf3
[ 57.043182] ? add_taint.cold+0x16/0x16
[ 57.043184] ? skb_dequeue+0x12e/0x180
[ 57.043186] ? rfcomm_dlc_link+0x170/0x170
[ 57.043189] debug_print_object+0x168/0x250
[ 57.043192] debug_check_no_obj_freed+0x29f/0x464
[ 57.043194] kfree+0xbd/0x220
[ 57.043196] rfcomm_dlc_free+0x20/0x30
[ 57.043198] rfcomm_dev_ioctl+0x1988/0x1c90
[ 57.043201] ? mark_held_locks+0xb1/0x100
[ 57.043203] ? lock_sock_nested+0xe2/0x120
[ 57.043206] ? rfcomm_tty_install+0x1a0/0x1a0
[ 57.043208] ? lock_sock_nested+0x9a/0x120
[ 57.043211] ? trace_hardirqs_on+0x67/0x220
[ 57.043213] ? __local_bh_enable_ip+0x15a/0x270
[ 57.043216] rfcomm_sock_ioctl+0x90/0xb0
[ 57.043218] sock_do_ioctl+0xd8/0x2f0
[ 57.043220] ? compat_ifr_data_ioctl+0x160/0x160
[ 57.043223] ? __lock_acquire+0x6ee/0x49c0
[ 57.043226] ? rcu_read_lock_sched_held+0x110/0x130
[ 57.043228] ? kmem_cache_alloc+0x32a/0x700
[ 57.043230] sock_ioctl+0x325/0x610
[ 57.043233] ? dlci_ioctl_set+0x40/0x40
[ 57.043236] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 57.043238] ? __might_sleep+0x95/0x190
[ 57.043241] ? find_held_lock+0x35/0x130
[ 57.043243] ? dlci_ioctl_set+0x40/0x40
[ 57.043245] do_vfs_ioctl+0xd5f/0x1380
[ 57.043248] ? selinux_file_ioctl+0x46f/0x5e0
[ 57.043250] ? selinux_file_ioctl+0x125/0x5e0
[ 57.043253] ? ioctl_preallocate+0x210/0x210
[ 57.043255] ? selinux_file_mprotect+0x620/0x620
[ 57.043258] ? __sanitizer_cov_trace_cmp8+0x1b/0x20
[ 57.043261] ? __fd_install+0x200/0x640
[ 57.043263] ? fd_install+0x4d/0x60
[ 57.043266] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 57.043268] ? security_file_ioctl+0x8d/0xc0
[ 57.043270] ksys_ioctl+0xab/0xd0
[ 57.043273] __x64_sys_ioctl+0x73/0xb0
[ 57.043275] do_syscall_64+0xfd/0x620
[ 57.043278] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.043280] RIP: 0033:0x4412b9
[ 57.043288] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 57.043291] RSP: 002b:00007ffcd6f6a3d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 57.043297] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 57.043301] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 57.043304] RBP: 000000000000dceb R08: 00000000004002c8 R09: 00000000004002c8
[ 57.043308] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 57.043312] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 57.044625] Kernel Offset: disabled
[ 57.998576] Rebooting in 86400 seconds..