[ 51.891193] audit: type=1800 audit(1585388674.952:29): pid=8059 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0
[ 51.923195] audit: type=1800 audit(1585388674.952:30): pid=8059 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.72' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 63.828965] kauditd_printk_skb: 5 callbacks suppressed
[ 63.828981] audit: type=1400 audit(1585388686.892:36): avc: denied { map } for pid=8244 comm="syz-executor838" path="/root/syz-executor838454775" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 68.842702] ------------[ cut here ]------------
[ 68.848651] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x70
[ 68.858637] WARNING: CPU: 1 PID: 8247 at lib/debugobjects.c:325 debug_print_object+0x160/0x250
[ 68.867374] Kernel panic - not syncing: panic_on_warn set ...
[ 68.867374]
[ 68.874729] CPU: 1 PID: 8247 Comm: syz-executor838 Not tainted 4.19.113-syzkaller #0
[ 68.882614] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.891958] Call Trace:
[ 68.894541] dump_stack+0x188/0x20d
[ 68.898156] panic+0x26a/0x50e
[ 68.901336] ? __warn_printk+0xf3/0xf3
[ 68.905223] ? debug_print_object+0x160/0x250
[ 68.909712] ? __probe_kernel_read+0x16c/0x1b0
[ 68.914279] ? __warn.cold+0x5/0x46
[ 68.917890] ? __warn+0xe4/0x1c0
[ 68.921245] ? debug_print_object+0x160/0x250
[ 68.925727] __warn.cold+0x20/0x46
[ 68.929257] ? debug_print_object+0x160/0x250
[ 68.933753] report_bug+0x262/0x2a0
[ 68.937372] do_error_trap+0x1d7/0x310
[ 68.941245] ? math_error+0x310/0x310
[ 68.945036] ? irq_work_queue+0x2b/0x80
[ 68.949000] ? wake_up_klogd+0x8c/0xc0
[ 68.952876] ? vprintk_emit+0x1d0/0x6e0
[ 68.956842] ? trace_hardirqs_off_caller+0x55/0x210
[ 68.961889] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 68.967536] invalid_op+0x14/0x20
[ 68.970990] RIP: 0010:debug_print_object+0x160/0x250
[ 68.976078] Code: dd 60 0b ab 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 bf 00 00 00 48 8b 14 dd 60 0b ab 87 48 c7 c7 a0 00 ab 87 e8 0b 65 e6 fd <0f> 0b 83 05 13 11 37 06 01 48 83 c4 20 5b 5d 41 5c 41 5d c3 48 89
[ 68.994977] RSP: 0018:ffff88809f757920 EFLAGS: 00010086
[ 69.000459] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 69.007725] RDX: 0000000000000000 RSI: ffffffff8152d3a1 RDI: ffffed1013eeaf16
[ 69.015054] RBP: 0000000000000001 R08: ffff888090af2540 R09: ffffed1015ce3ee3
[ 69.022326] R10: ffffed1015ce3ee2 R11: ffff8880ae71f717 R12: ffffffff88b9faa0
[ 69.029588] R13: ffffffff81581ee0 R14: ffffffff8b8c98c8 R15: ffff88808b5bd3a8
[ 69.036863] ? __internal_add_timer+0x1d0/0x1d0
[ 69.041544] ? vprintk_func+0x81/0x17e
[ 69.045440] debug_check_no_obj_freed+0x2a3/0x42e
[ 69.050384] kfree+0xbb/0x220
[ 69.053481] rfcomm_dev_ioctl+0x1827/0x1b20
[ 69.057815] ? rfcomm_tty_install+0x1a0/0x1a0
[ 69.062320] ? lock_acquire+0x170/0x400
[ 69.066293] ? mark_held_locks+0xa6/0xf0
[ 69.070345] ? __local_bh_enable_ip+0x159/0x270
[ 69.075028] rfcomm_sock_ioctl+0x86/0xb0
[ 69.079088] sock_do_ioctl+0xd8/0x2f0
[ 69.082886] ? compat_ifr_data_ioctl+0x160/0x160
[ 69.087637] ? __lock_acquire+0x6ee/0x49c0
[ 69.091867] ? selinux_file_alloc_security+0xaf/0x190
[ 69.097050] ? rcu_read_lock_sched_held+0x10a/0x130
[ 69.102215] sock_ioctl+0x325/0x610
[ 69.105852] ? dlci_ioctl_set+0x30/0x30
[ 69.109827] ? dlci_ioctl_set+0x30/0x30
[ 69.113819] do_vfs_ioctl+0xcda/0x12e0
[ 69.117706] ? selinux_file_ioctl+0x46c/0x5d0
[ 69.122192] ? selinux_file_ioctl+0x125/0x5d0
[ 69.126677] ? ioctl_preallocate+0x200/0x200
[ 69.131095] ? selinux_file_mprotect+0x600/0x600
[ 69.135851] ? lock_downgrade+0x740/0x740
[ 69.140127] ? check_preemption_disabled+0x41/0x280
[ 69.145495] ? __fd_install+0x1eb/0x610
[ 69.149481] ? security_file_ioctl+0x6c/0xb0
[ 69.153887] ksys_ioctl+0x9b/0xc0
[ 69.157332] __x64_sys_ioctl+0x6f/0xb0
[ 69.161212] ? lockdep_hardirqs_on+0x40b/0x5d0
[ 69.165905] do_syscall_64+0xf9/0x620
[ 69.169703] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.175015] RIP: 0033:0x441309
[ 69.178316] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 69.197218] RSP: 002b:00007fff89399938 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.204917] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441309
[ 69.212176] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000005
[ 69.219463] RBP: 0000000000010cb7 R08: 00000000004002c8 R09: 00000000004002c8
[ 69.226741] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402130
[ 69.234134] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 69.242428]
[ 69.242433] ======================================================
[ 69.242438] WARNING: possible circular locking dependency detected
[ 69.242442] 4.19.113-syzkaller #0 Not tainted
[ 69.242447] ------------------------------------------------------
[ 69.242452] syz-executor838/8247 is trying to acquire lock:
[ 69.242455] 0000000043b89a9d ((console_sem).lock){-...}, at: down_trylock+0xe/0x60
[ 69.242468]
[ 69.242472] but task is already holding lock:
[ 69.242474] 0000000066f85a7e (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xc4/0x42e
[ 69.242482]
[ 69.242485] which lock already depends on the new lock.
[ 69.242486]
[ 69.242488]
[ 69.242490] the existing dependency chain (in reverse order) is:
[ 69.242492]
[ 69.242493] -> #5 (&obj_hash[i].lock){-.-.}:
[ 69.242501] debug_object_activate+0x131/0x4e0
[ 69.242503] enqueue_hrtimer+0x27/0x3f0
[ 69.242506] hrtimer_start_range_ns+0x580/0xbe0
[ 69.242509] schedule_hrtimeout_range_clock+0x17a/0x360
[ 69.242511] wait_task_inactive+0x443/0x550
[ 69.242513] __kthread_bind_mask+0x1f/0xb0
[ 69.242516] init_rescuer.part.0+0xf2/0x190
[ 69.242518] workqueue_init+0x504/0x7e9
[ 69.242521] kernel_init_freeable+0x2bd/0x5bb
[ 69.242523] kernel_init+0xd/0x1c2
[ 69.242525] ret_from_fork+0x24/0x30
[ 69.242526]
[ 69.242527] -> #4 (hrtimer_bases.lock){-.-.}:
[ 69.242554] lock_hrtimer_base.isra.0+0x6d/0x120
[ 69.242556] hrtimer_start_range_ns+0xf5/0xbe0
[ 69.242559] enqueue_task_rt+0x97f/0xdf0
[ 69.242562] __sched_setscheduler.constprop.0+0xc79/0x1df0
[ 69.242564] _sched_setscheduler+0xee/0x180
[ 69.242566] watchdog_dev_init+0xdd/0x1ae
[ 69.242568] watchdog_init+0x14/0x17e
[ 69.242570] do_one_initcall+0xf1/0x734
[ 69.242573] kernel_init_freeable+0x4c9/0x5bb
[ 69.242593] kernel_init+0xd/0x1c2
[ 69.242596] ret_from_fork+0x24/0x30
[ 69.242597]
[ 69.242598] -> #3 (&rt_b->rt_runtime_lock){-...}:
[ 69.242605] rq_online_rt+0xaf/0x390
[ 69.242608] set_rq_online.part.0+0xe3/0x140
[ 69.242610] sched_cpu_activate+0x17f/0x270
[ 69.242613] cpuhp_invoke_callback+0x213/0x1bb0
[ 69.242615] cpuhp_thread_fun+0x440/0x840
[ 69.242617] smpboot_thread_fn+0x653/0x9d0
[ 69.242619] kthread+0x34a/0x420
[ 69.242621] ret_from_fork+0x24/0x30
[ 69.242622]
[ 69.242623] -> #2 (&rq->lock){-.-.}:
[ 69.242631] task_fork_fair+0x6a/0x520
[ 69.242633] sched_fork+0x3a7/0x8b0
[ 69.242635] copy_process.part.0+0x187d/0x7a60
[ 69.242637] _do_fork+0x22f/0xf40
[ 69.242639] kernel_thread+0x2f/0x40
[ 69.242641] rest_init+0x1f/0x212
[ 69.242643] start_kernel+0x7e4/0x81c
[ 69.242646] secondary_startup_64+0xa4/0xb0
[ 69.242647]
[ 69.242648] -> #1 (&p->pi_lock){-.-.}:
[ 69.242655] try_to_wake_up+0x80/0xe90
[ 69.242657] up+0x92/0xe0
[ 69.242659] __up_console_sem+0xb3/0x1c0
[ 69.242661] console_unlock+0x64d/0xfe0
[ 69.242664] vprintk_emit+0x282/0x6e0
[ 69.242666] vprintk_func+0x79/0x17e
[ 69.242667] printk+0xba/0xed
[ 69.242670] kauditd_hold_skb.cold+0x41/0x50
[ 69.242672] kauditd_send_queue+0x12d/0x170
[ 69.242674] kauditd_thread+0x6f4/0xa20
[ 69.242676] kthread+0x34a/0x420
[ 69.242678] ret_from_fork+0x24/0x30
[ 69.242679]
[ 69.242681] -> #0 ((console_sem).lock){-...}:
[ 69.242688] _raw_spin_lock_irqsave+0x8c/0xbf
[ 69.242690] down_trylock+0xe/0x60
[ 69.242693] __down_trylock_console_sem+0xa3/0x210
[ 69.242695] console_trylock+0x12/0x90
[ 69.242697] vprintk_emit+0x269/0x6e0
[ 69.242699] vprintk_func+0x79/0x17e
[ 69.242701] printk+0xba/0xed
[ 69.242703] __warn_printk+0x9b/0xf3
[ 69.242706] debug_print_object+0x160/0x250
[ 69.242708] debug_check_no_obj_freed+0x2a3/0x42e
[ 69.242710] kfree+0xbb/0x220
[ 69.242713] rfcomm_dev_ioctl+0x1827/0x1b20
[ 69.242715] rfcomm_sock_ioctl+0x86/0xb0
[ 69.242717] sock_do_ioctl+0xd8/0x2f0
[ 69.242719] sock_ioctl+0x325/0x610
[ 69.242721] do_vfs_ioctl+0xcda/0x12e0
[ 69.242723] ksys_ioctl+0x9b/0xc0
[ 69.242725] __x64_sys_ioctl+0x6f/0xb0
[ 69.242727] do_syscall_64+0xf9/0x620
[ 69.242730] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.242731]
[ 69.242734] other info that might help us debug this:
[ 69.242735]
[ 69.242736] Chain exists of:
[ 69.242737] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 69.242747]
[ 69.242749] Possible unsafe locking scenario:
[ 69.242750]
[ 69.242753] CPU0 CPU1
[ 69.242755] ---- ----
[ 69.242756] lock(&obj_hash[i].lock);
[ 69.242761] lock(hrtimer_bases.lock);
[ 69.242767] lock(&obj_hash[i].lock);
[ 69.242771] lock((console_sem).lock);
[ 69.242775]
[ 69.242777] *** DEADLOCK ***
[ 69.242778]
[ 69.242780] 3 locks held by syz-executor838/8247:
[ 69.242781] #0: 00000000ba914ac6 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x79/0xb0
[ 69.242791] #1: 00000000b10df6d0 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x8d4/0x1b20
[ 69.242800] #2: 0000000066f85a7e (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xc4/0x42e
[ 69.242809]
[ 69.242811] stack backtrace:
[ 69.242814] CPU: 1 PID: 8247 Comm: syz-executor838 Not tainted 4.19.113-syzkaller #0
[ 69.242819] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.242820] Call Trace:
[ 69.242822] dump_stack+0x188/0x20d
[ 69.242825] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 69.242827] __lock_acquire+0x2e19/0x49c0
[ 69.242830] ? add_lock_to_list.isra.0+0x179/0x330
[ 69.242832] ? mark_held_locks+0xf0/0xf0
[ 69.242834] ? memcpy+0x35/0x50
[ 69.242836] ? kvm_sched_clock_read+0x5/0x10
[ 69.242838] lock_acquire+0x170/0x400
[ 69.242840] ? down_trylock+0xe/0x60
[ 69.242843] _raw_spin_lock_irqsave+0x8c/0xbf
[ 69.242845] ? down_trylock+0xe/0x60
[ 69.242847] down_trylock+0xe/0x60
[ 69.242849] ? vprintk_emit+0x269/0x6e0
[ 69.242851] __down_trylock_console_sem+0xa3/0x210
[ 69.242853] console_trylock+0x12/0x90
[ 69.242855] vprintk_emit+0x269/0x6e0
[ 69.242858] ? __internal_add_timer+0x1d0/0x1d0
[ 69.242860] vprintk_func+0x79/0x17e
[ 69.242862] printk+0xba/0xed
[ 69.242864] ? kmsg_dump_rewind_nolock+0xd9/0xd9
[ 69.242866] ? mark_held_locks+0xf0/0xf0
[ 69.242868] ? __warn_printk+0x8f/0xf3
[ 69.242870] ? rfcomm_dlc_link+0x170/0x170
[ 69.242872] __warn_printk+0x9b/0xf3
[ 69.242875] ? add_taint.cold+0x16/0x16
[ 69.242877] ? rfcomm_dlc_link+0x170/0x170
[ 69.242879] debug_print_object+0x160/0x250
[ 69.242882] debug_check_no_obj_freed+0x2a3/0x42e
[ 69.242883] kfree+0xbb/0x220
[ 69.242886] rfcomm_dev_ioctl+0x1827/0x1b20
[ 69.242888] ? rfcomm_tty_install+0x1a0/0x1a0
[ 69.242890] ? lock_acquire+0x170/0x400
[ 69.242893] ? mark_held_locks+0xa6/0xf0
[ 69.242895] ? __local_bh_enable_ip+0x159/0x270
[ 69.242897] rfcomm_sock_ioctl+0x86/0xb0
[ 69.242899] sock_do_ioctl+0xd8/0x2f0
[ 69.242902] ? compat_ifr_data_ioctl+0x160/0x160
[ 69.242904] ? __lock_acquire+0x6ee/0x49c0
[ 69.242906] ? selinux_file_alloc_security+0xaf/0x190
[ 69.242909] ? rcu_read_lock_sched_held+0x10a/0x130
[ 69.242911] sock_ioctl+0x325/0x610
[ 69.242913] ? dlci_ioctl_set+0x30/0x30
[ 69.242915] ? dlci_ioctl_set+0x30/0x30
[ 69.242917] do_vfs_ioctl+0xcda/0x12e0
[ 69.242920] ? selinux_file_ioctl+0x46c/0x5d0
[ 69.242922] ? selinux_file_ioctl+0x125/0x5d0
[ 69.242924] ? ioctl_preallocate+0x200/0x200
[ 69.242927] ? selinux_file_mprotect+0x600/0x600
[ 69.242929] ? lock_downgrade+0x740/0x740
[ 69.242932] ? check_preemption_disabled+0x41/0x280
[ 69.242934] ? __fd_install+0x1eb/0x610
[ 69.242936] ? security_file_ioctl+0x6c/0xb0
[ 69.242938] ksys_ioctl+0x9b/0xc0
[ 69.242940] __x64_sys_ioctl+0x6f/0xb0
[ 69.242943] ? lockdep_hardirqs_on+0x40b/0x5d0
[ 69.242945] do_syscall_64+0xf9/0x620
[ 69.242947] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 69.242949] RIP: 0033:0x441309
[ 69.242957] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 69.242960] RSP: 002b:00007fff89399938 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.242965] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441309
[ 69.242969] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000005
[ 69.242972] RBP: 0000000000010cb7 R08: 00000000004002c8 R09: 00000000004002c8
[ 69.242976] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402130
[ 69.242979] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 69.244608] Kernel Offset: disabled
[ 70.097877] Rebooting in 86400 seconds..