[....] Starting OpenBSD Secure Shell server: sshd
[   25.481444] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   25.620260] random: sshd: uninitialized urandom read (32 bytes read)
[   25.915814] audit: type=1400 audit(1536332048.094:6): avc: denied { map } for pid=4769 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   25.956104] random: sshd: uninitialized urandom read (32 bytes read)
[   26.518580] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.002695] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
[   33.565657] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   33.672188] audit: type=1400 audit(1536332055.850:7): avc: denied { map } for pid=4784 comm="syz-executor444" path="/root/syz-executor444435411" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   33.675879] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[   33.724605] ==================================================================
[   33.734407] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0
[   33.740634] Read of size 8 at addr ffff8801cf6c0058 by task syz-executor444/4784
[   33.748156] 
[   33.749780] CPU: 1 PID: 4784 Comm: syz-executor444 Not tainted 4.19.0-rc2+ #5
[   33.757040] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.766386] Call Trace:
[   33.768978]  dump_stack+0x1c9/0x2b4
[   33.772610]  ? dump_stack_print_info.cold.2+0x52/0x52
[   33.777793]  ? printk+0xa7/0xcf
[   33.781073]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   33.785826]  ? __schedule+0xf54/0x1df0
[   33.789722]  print_address_description+0x6c/0x20b
[   33.794561]  ? __schedule+0xf54/0x1df0
[   33.798446]  kasan_report.cold.7+0x242/0x30d
[   33.802862]  __asan_report_load8_noabort+0x14/0x20
[   33.807787]  __schedule+0xf54/0x1df0
[   33.811496]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   33.816599]  ? __sched_text_start+0x8/0x8
[   33.820745]  ? __call_srcu+0x7e7/0x1040
[   33.824722]  ? check_same_owner+0x340/0x340
[   33.829039]  ? mark_held_locks+0x160/0x160
[   33.833270]  ? find_held_lock+0x36/0x1c0
[   33.837329]  preempt_schedule_common+0x22/0x60
[   33.841909]  _cond_resched+0x1d/0x30
[   33.845620]  wait_for_completion+0xa5/0x8d0
[   33.849939]  ? wait_for_completion_interruptible+0x950/0x950
[   33.855731]  ? __lockdep_init_map+0x105/0x590
[   33.860223]  ? __init_waitqueue_head+0x9e/0x150
[   33.864886]  ? init_wait_entry+0x1c0/0x1c0
[   33.869121]  __synchronize_srcu+0x189/0x240
[   33.873441]  ? call_srcu+0x10/0x10
[   33.876987]  ? rcu_unexpedite_gp+0x20/0x20
[   33.881222]  synchronize_srcu+0x335/0x56f
[   33.885372]  ? lock_downgrade+0x8f0/0x8f0
[   33.889517]  ? synchronize_srcu_expedited+0x20/0x20
[   33.894530]  ? kasan_check_read+0x11/0x20
[   33.898673]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   33.903252]  ? kasan_check_write+0x14/0x20
[   33.907480]  ? do_raw_spin_lock+0xc1/0x200
[   33.911715]  kvm_page_track_unregister_notifier+0x17d/0x250
[   33.917945]  ? kvm_slot_page_track_remove_page+0x70/0x70
[   33.923396]  ? kvfree+0x61/0x70
[   33.926673]  ? rcu_read_lock_sched_held+0x108/0x120
[   33.931690]  kvm_mmu_uninit_vm+0x1c/0x20
[   33.935745]  kvm_arch_destroy_vm+0x5f2/0x7c0
[   33.940153]  ? kvm_arch_sync_events+0x30/0x30
[   33.944651]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   33.950183]  ? mmu_notifier_unregister+0x474/0x600
[   33.955105]  ? trace_hardirqs_on+0x2c0/0x2c0
[   33.959509]  ? kfree+0x111/0x210
[   33.962881]  ? __mmu_notifier_register+0x30/0x30
[   33.967633]  ? __free_pages+0x10a/0x190
[   33.971603]  ? free_unref_page+0x930/0x930
[   33.975842]  kvm_put_kvm+0x73f/0x1060
[   33.979659]  ? kvm_write_guest_cached+0x40/0x40
[   33.984328]  ? _raw_spin_unlock_irq+0x27/0x70
[   33.988821]  ? _raw_spin_unlock_irq+0x27/0x70
[   33.993320]  ? lockdep_hardirqs_on+0x421/0x5c0
[   33.997903]  ? kasan_check_write+0x14/0x20
[   34.002131]  ? do_raw_spin_lock+0xc1/0x200
[   34.006365]  ? kvm_irqfd_release+0xdd/0x120
[   34.010685]  ? kvm_irqfd_release+0xdd/0x120
[   34.015004]  ? kvm_put_kvm+0x1060/0x1060
[   34.019063]  kvm_vm_release+0x42/0x50
[   34.022868]  __fput+0x38a/0xa40
[   34.026641]  ? __alloc_file+0x400/0x400
[   34.030618]  ? check_same_owner+0x340/0x340
[   34.034935]  ? kasan_check_write+0x14/0x20
[   34.039165]  ? do_raw_spin_lock+0xc1/0x200
[   34.043400]  ____fput+0x15/0x20
[   34.046676]  task_work_run+0x1e8/0x2a0
[   34.050557]  ? task_work_cancel+0x240/0x240
[   34.054886]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   34.060418]  ? switch_task_namespaces+0xa2/0xd0
[   34.065085]  do_exit+0x1ae4/0x26e0
[   34.068627]  ? mm_update_next_owner+0x9a0/0x9a0
[   34.073294]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[   34.077525]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.082536]  ? kfree+0x1d7/0x210
[   34.085902]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[   34.090133]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[   34.095842]  ? kasan_check_write+0x14/0x20
[   34.100105]  ? finish_task_switch+0x2ca/0x870
[   34.104597]  ? preempt_notifier_register+0x200/0x200
[   34.109694]  ? __switch_to_asm+0x34/0x70
[   34.113752]  ? __switch_to_asm+0x34/0x70
[   34.117808]  ? __switch_to_asm+0x40/0x70
[   34.121865]  ? __switch_to_asm+0x34/0x70
[   34.125918]  ? __switch_to_asm+0x40/0x70
[   34.129973]  ? __switch_to_asm+0x34/0x70
[   34.134026]  ? __switch_to_asm+0x40/0x70
[   34.138081]  ? __switch_to_asm+0x34/0x70
[   34.142133]  ? __switch_to_asm+0x34/0x70
[   34.146190]  ? __switch_to_asm+0x40/0x70
[   34.150244]  ? __switch_to_asm+0x34/0x70
[   34.154299]  ? __switch_to_asm+0x40/0x70
[   34.158355]  ? __switch_to_asm+0x34/0x70
[   34.162413]  ? __switch_to_asm+0x40/0x70
[   34.166476]  ? __sched_text_start+0x8/0x8
[   34.170630]  ? initcall_blacklisted+0x9a/0x1e0
[   34.175215]  ? rcu_note_context_switch+0x680/0x680
[   34.180143]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[   34.185857]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.191394]  ? do_vfs_ioctl+0x201/0x1720
[   34.195452]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   34.200641]  ? ioctl_preallocate+0x300/0x300
[   34.205046]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.210577]  ? selinux_capable+0x40/0x40
[   34.214632]  ? trace_hardirqs_off+0xb8/0x2c0
[   34.219037]  ? kmem_cache_free+0x246/0x280
[   34.223269]  ? trace_hardirqs_on+0x2c0/0x2c0
[   34.227675]  ? putname+0xf7/0x130
[   34.231130]  do_group_exit+0x177/0x440
[   34.235011]  ? trace_hardirqs_on+0xbd/0x2c0
[   34.239326]  ? __ia32_sys_exit+0x50/0x50
[   34.243385]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   34.248485]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   34.254016]  ? ksys_ioctl+0x81/0xd0
[   34.257643]  __x64_sys_exit_group+0x3e/0x50
[   34.261965]  do_syscall_64+0x1b9/0x820
[   34.265857]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   34.271218]  ? syscall_return_slowpath+0x5e0/0x5e0
[   34.276141]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.280980]  ? trace_hardirqs_on_caller+0x2c0/0x2c0
[   34.285993]  ? prepare_exit_to_usermode+0x291/0x3b0
[   34.291014]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   34.295862]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.301051] RIP: 0033:0x43f028
[   34.304256] Code: Bad RIP value.
[   34.307613] RSP: 002b:00007ffd02141ac8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   34.315316] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f028
[   34.322577] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   34.329838] RBP: 00000000004c08e8 R08: 00000000000000e7 R09: ffffffffffffffd0
[   34.337109] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   34.344378] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   34.351731] 
[   34.353359] Allocated by task 4784:
[   34.356993]  save_stack+0x43/0xd0
[   34.360443]  kasan_kmalloc+0xc4/0xe0
[   34.364153]  kasan_slab_alloc+0x12/0x20
[   34.368119]  kmem_cache_alloc+0x12e/0x710
[   34.372265]  vmx_create_vcpu+0xcf/0x2830
[   34.376320]  kvm_arch_vcpu_create+0xe5/0x220
[   34.380722]  kvm_vm_ioctl+0x488/0x1d80
[   34.384607]  do_vfs_ioctl+0x1de/0x1720
[   34.388486]  ksys_ioctl+0xa9/0xd0
[   34.391932]  __x64_sys_ioctl+0x73/0xb0
[   34.395824]  do_syscall_64+0x1b9/0x820
[   34.399712]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.404888] 
[   34.406503] Freed by task 4784:
[   34.409779]  save_stack+0x43/0xd0
[   34.413226]  __kasan_slab_free+0x11a/0x170
[   34.417454]  kasan_slab_free+0xe/0x10
[   34.421343]  kmem_cache_free+0x86/0x280
[   34.425315]  vmx_free_vcpu+0x26b/0x300
[   34.429195]  kvm_arch_destroy_vm+0x365/0x7c0
[   34.433601]  kvm_put_kvm+0x73f/0x1060
[   34.437398]  kvm_vm_release+0x42/0x50
[   34.441191]  __fput+0x38a/0xa40
[   34.444460]  ____fput+0x15/0x20
[   34.447732]  task_work_run+0x1e8/0x2a0
[   34.451613]  do_exit+0x1ae4/0x26e0
[   34.455149]  do_group_exit+0x177/0x440
[   34.459028]  __x64_sys_exit_group+0x3e/0x50
[   34.463342]  do_syscall_64+0x1b9/0x820
[   34.467227]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.472400] 
[   34.474024] The buggy address belongs to the object at ffff8801cf6c0040
[   34.474024]  which belongs to the cache kvm_vcpu of size 23872
[   34.486593] The buggy address is located 24 bytes inside of
[   34.486593]  23872-byte region [ffff8801cf6c0040, ffff8801cf6c5d80)
[   34.498545] The buggy address belongs to the page:
[   34.503471] page:ffffea00073db000 count:1 mapcount:0 mapping:ffff8801d4c14dc0 index:0x0 compound_mapcount: 0
[   34.513437] flags: 0x2fffc0000008100(slab|head)
[   34.518108] raw: 02fffc0000008100 ffff8801d4c0a648 ffff8801d4c0a648 ffff8801d4c14dc0
[   34.525987] raw: 0000000000000000 ffff8801cf6c0040 0000000100000001 0000000000000000
[   34.533859] page dumped because: kasan: bad access detected
[   34.539555] 
[   34.541168] Memory state around the buggy address:
[   34.546091]  ffff8801cf6bff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.553441]  ffff8801cf6bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   34.560795] >ffff8801cf6c0000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   34.568143]                                                     ^
[   34.574363]  ffff8801cf6c0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.581724]  ffff8801cf6c0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.589070] ==================================================================
[   34.596417] Kernel panic - not syncing: panic_on_warn set ...
[   34.596417] 
[   34.603781] CPU: 1 PID: 4784 Comm: syz-executor444 Tainted: G B 4.19.0-rc2+ #5
[   34.612429] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   34.621774] Call Trace:
[   34.624361]  dump_stack+0x1c9/0x2b4
[   34.627993]  ? dump_stack_print_info.cold.2+0x52/0x52
[   34.633183]  ? lock_downgrade+0x8f0/0x8f0
[   34.637326]  ? __schedule+0xf54/0x1df0
[   34.641210]  panic+0x238/0x4e7
[   34.644403]  ? add_taint.cold.5+0x16/0x16
[   34.648569]  ? print_shadow_for_address+0xba/0x116
[   34.653495]  ? trace_hardirqs_off+0xaf/0x2c0
[   34.657898]  ? trace_hardirqs_off+0x77/0x2c0
[   34.662305]  ? __schedule+0xf54/0x1df0
[   34.666187]  kasan_end_report+0x47/0x4f
[   34.670159]  kasan_report.cold.7+0x76/0x30d
[   34.674481]  __asan_report_load8_noabort+0x14/0x20
[   34.679424]  __schedule+0xf54/0x1df0
[   34.683134]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   34.688240]  ? __sched_text_start+0x8/0x8
[   34.692396]  ? __call_srcu+0x7e7/0x1040
[   34.696379]  ? check_same_owner+0x340/0x340
[   34.700699]  ? mark_held_locks+0x160/0x160
[   34.704930]  ? find_held_lock+0x36/0x1c0
[   34.708995]  preempt_schedule_common+0x22/0x60
[   34.713577]  _cond_resched+0x1d/0x30
[   34.717289]  wait_for_completion+0xa5/0x8d0
[   34.721609]  ? wait_for_completion_interruptible+0x950/0x950
[   34.727402]  ? __lockdep_init_map+0x105/0x590
[   34.731901]  ? __init_waitqueue_head+0x9e/0x150
[   34.736563]  ? init_wait_entry+0x1c0/0x1c0
[   34.740801]  __synchronize_srcu+0x189/0x240
[   34.745117]  ? call_srcu+0x10/0x10
[   34.748655]  ? rcu_unexpedite_gp+0x20/0x20
[   34.752894]  synchronize_srcu+0x335/0x56f
[   34.757042]  ? lock_downgrade+0x8f0/0x8f0
[   34.761193]  ? synchronize_srcu_expedited+0x20/0x20
[   34.766214]  ? kasan_check_read+0x11/0x20
[   34.770364]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   34.774973]  ? kasan_check_write+0x14/0x20
[   34.779208]  ? do_raw_spin_lock+0xc1/0x200
[   34.783446]  kvm_page_track_unregister_notifier+0x17d/0x250
[   34.789162]  ? kvm_slot_page_track_remove_page+0x70/0x70
[   34.794617]  ? kvfree+0x61/0x70
[   34.797900]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.802916]  kvm_mmu_uninit_vm+0x1c/0x20
[   34.806975]  kvm_arch_destroy_vm+0x5f2/0x7c0
[   34.811388]  ? kvm_arch_sync_events+0x30/0x30
[   34.815889]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   34.821426]  ? mmu_notifier_unregister+0x474/0x600
[   34.826350]  ? trace_hardirqs_on+0x2c0/0x2c0
[   34.830757]  ? kfree+0x111/0x210
[   34.834120]  ? __mmu_notifier_register+0x30/0x30
[   34.838892]  ? __free_pages+0x10a/0x190
[   34.842874]  ? free_unref_page+0x930/0x930
[   34.847119]  kvm_put_kvm+0x73f/0x1060
[   34.850923]  ? kvm_write_guest_cached+0x40/0x40
[   34.855593]  ? _raw_spin_unlock_irq+0x27/0x70
[   34.860081]  ? _raw_spin_unlock_irq+0x27/0x70
[   34.864570]  ? lockdep_hardirqs_on+0x421/0x5c0
[   34.869152]  ? kasan_check_write+0x14/0x20
[   34.873396]  ? do_raw_spin_lock+0xc1/0x200
[   34.877647]  ? kvm_irqfd_release+0xdd/0x120
[   34.881963]  ? kvm_irqfd_release+0xdd/0x120
[   34.886283]  ? kvm_put_kvm+0x1060/0x1060
[   34.890338]  kvm_vm_release+0x42/0x50
[   34.894358]  __fput+0x38a/0xa40
[   34.897643]  ? __alloc_file+0x400/0x400
[   34.901620]  ? check_same_owner+0x340/0x340
[   34.905939]  ? kasan_check_write+0x14/0x20
[   34.910169]  ? do_raw_spin_lock+0xc1/0x200
[   34.914398]  ____fput+0x15/0x20
[   34.917674]  task_work_run+0x1e8/0x2a0
[   34.921556]  ? task_work_cancel+0x240/0x240
[   34.925888]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   34.931424]  ? switch_task_namespaces+0xa2/0xd0
[   34.936093]  do_exit+0x1ae4/0x26e0
[   34.939631]  ? mm_update_next_owner+0x9a0/0x9a0
[   34.944301]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[   34.948536]  ? rcu_read_lock_sched_held+0x108/0x120
[   34.953547]  ? kfree+0x1d7/0x210
[   34.956915]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[   34.961147]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[   34.966867]  ? kasan_check_write+0x14/0x20
[   34.971101]  ? finish_task_switch+0x2ca/0x870
[   34.975594]  ? preempt_notifier_register+0x200/0x200
[   34.980692]  ? __switch_to_asm+0x34/0x70
[   34.984750]  ? __switch_to_asm+0x34/0x70
[   34.988805]  ? __switch_to_asm+0x40/0x70
[   34.992865]  ? __switch_to_asm+0x34/0x70
[   34.996924]  ? __switch_to_asm+0x40/0x70
[   35.001291]  ? __switch_to_asm+0x34/0x70
[   35.005345]  ? __switch_to_asm+0x40/0x70
[   35.009422]  ? __switch_to_asm+0x34/0x70
[   35.013492]  ? __switch_to_asm+0x34/0x70
[   35.017546]  ? __switch_to_asm+0x40/0x70
[   35.021599]  ? __switch_to_asm+0x34/0x70
[   35.026134]  ? __switch_to_asm+0x40/0x70
[   35.030191]  ? __switch_to_asm+0x34/0x70
[   35.034243]  ? __switch_to_asm+0x40/0x70
[   35.038309]  ? __sched_text_start+0x8/0x8
[   35.042462]  ? initcall_blacklisted+0x9a/0x1e0
[   35.047041]  ? rcu_note_context_switch+0x680/0x680
[   35.051977]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[   35.057685]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.063220]  ? do_vfs_ioctl+0x201/0x1720
[   35.067282]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   35.072470]  ? ioctl_preallocate+0x300/0x300
[   35.076881]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.082415]  ? selinux_capable+0x40/0x40
[   35.086477]  ? trace_hardirqs_off+0xb8/0x2c0
[   35.090883]  ? kmem_cache_free+0x246/0x280
[   35.095112]  ? trace_hardirqs_on+0x2c0/0x2c0
[   35.099518]  ? putname+0xf7/0x130
[   35.102972]  do_group_exit+0x177/0x440
[   35.106864]  ? trace_hardirqs_on+0xbd/0x2c0
[   35.111183]  ? __ia32_sys_exit+0x50/0x50
[   35.115241]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   35.120344]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.125885]  ? ksys_ioctl+0x81/0xd0
[   35.129517]  __x64_sys_exit_group+0x3e/0x50
[   35.133836]  do_syscall_64+0x1b9/0x820
[   35.137727]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   35.143610]  ? syscall_return_slowpath+0x5e0/0x5e0
[   35.148536]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.153380]  ? trace_hardirqs_on_caller+0x2c0/0x2c0
[   35.158398]  ? prepare_exit_to_usermode+0x291/0x3b0
[   35.163411]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   35.168252]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.173437] RIP: 0033:0x43f028
[   35.176626] Code: Bad RIP value.
[   35.179985] RSP: 002b:00007ffd02141ac8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   35.187689] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f028
[   35.194953] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   35.202214] RBP: 00000000004c08e8 R08: 00000000000000e7 R09: ffffffffffffffd0
[   35.209476] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   35.216737] R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000
[   35.224011] 
[   35.224016] ======================================================
[   35.224022] WARNING: possible circular locking dependency detected
[   35.224026] 4.19.0-rc2+ #5 Not tainted
[   35.224031] ------------------------------------------------------
[   35.224036] syz-executor444/4784 is trying to acquire lock:
[   35.224040] 000000007345a0a5 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[   35.224054] 
[   35.224058] but task is already holding lock:
[   35.224062] 0000000055414f49 (report_lock){....}, at: kasan_report+0x8e/0x110
[   35.224076] 
[   35.224080] which lock already depends on the new lock.
[   35.224083] 
[   35.224085] 
[   35.224090] the existing dependency chain (in reverse order) is:
[   35.224093] 
[   35.224095] -> #3 (report_lock){....}:
[   35.224109]        _raw_spin_lock_irqsave+0x96/0xc0
[   35.224113]        kasan_report+0x8e/0x110
[   35.224118]        __asan_report_load8_noabort+0x14/0x20
[   35.224122]        __schedule+0xf54/0x1df0
[   35.224126]        preempt_schedule_common+0x22/0x60
[   35.224130]        _cond_resched+0x1d/0x30
[   35.224134]        wait_for_completion+0xa5/0x8d0
[   35.224138]        __synchronize_srcu+0x189/0x240
[   35.224142]        synchronize_srcu+0x335/0x56f
[   35.224147]        kvm_page_track_unregister_notifier+0x17d/0x250
[   35.224152]        kvm_mmu_uninit_vm+0x1c/0x20
[   35.224156]        kvm_arch_destroy_vm+0x5f2/0x7c0
[   35.224160]        kvm_put_kvm+0x73f/0x1060
[   35.224164]        kvm_vm_release+0x42/0x50
[   35.224167]        __fput+0x38a/0xa40
[   35.224171]        ____fput+0x15/0x20
[   35.224175]        task_work_run+0x1e8/0x2a0
[   35.224178]        do_exit+0x1ae4/0x26e0
[   35.224182]        do_group_exit+0x177/0x440
[   35.224187]        __x64_sys_exit_group+0x3e/0x50
[   35.224191]        do_syscall_64+0x1b9/0x820
[   35.224196]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.224198] 
[   35.224200] -> #2 (&rq->lock){-.-.}:
[   35.224214]        _raw_spin_lock+0x2a/0x40
[   35.224218]        task_fork_fair+0x93/0x680
[   35.224222]        sched_fork+0x44b/0xbd0
[   35.224226]        copy_process+0x235e/0x7af0
[   35.224229]        _do_fork+0x1ca/0x1170
[   35.224233]        kernel_thread+0x34/0x40
[   35.224237]        rest_init+0x22/0xe4
[   35.224241]        start_kernel+0x913/0x94e
[   35.224245]        x86_64_start_reservations+0x29/0x2b
[   35.224249]        x86_64_start_kernel+0x76/0x79
[   35.224253]        secondary_startup_64+0xa4/0xb0
[   35.224255] 
[   35.224258] -> #1 (&p->pi_lock){-.-.}:
[   35.224272]        _raw_spin_lock_irqsave+0x96/0xc0
[   35.224276]        try_to_wake_up+0xd2/0x1250
[   35.224280]        wake_up_process+0x10/0x20
[   35.224284]        __up.isra.1+0x1c0/0x2a0
[   35.224287]        up+0x13c/0x1c0
[   35.224291]        __up_console_sem+0xbe/0x1b0
[   35.224295]        console_unlock+0x506/0x10e0
[   35.224299]        vprintk_emit+0x33a/0x910
[   35.224303]        vprintk_default+0x28/0x30
[   35.224307]        vprintk_func+0x7a/0x117
[   35.224310]        printk+0xa7/0xcf
[   35.224314]        regdb_fw_cb.cold.35+0x18/0x89
[   35.224319]        request_firmware_work_func+0x15c/0x2e0
[   35.224323]        process_one_work+0xc73/0x1aa0
[   35.224327]        worker_thread+0x189/0x13c0
[   35.224331]        kthread+0x35a/0x420
[   35.224335]        ret_from_fork+0x3a/0x50
[   35.224337] 
[   35.224339] -> #0 ((console_sem).lock){-...}:
[   35.224354]        lock_acquire+0x1e4/0x4f0
[   35.224358]        _raw_spin_lock_irqsave+0x96/0xc0
[   35.224362]        down_trylock+0x13/0x70
[   35.224366]        __down_trylock_console_sem+0xae/0x200
[   35.224376]        console_trylock+0x15/0xa0
[   35.224380]        vprintk_emit+0x31f/0x910
[   35.224384]        vprintk_default+0x28/0x30
[   35.224388]        vprintk_func+0x7a/0x117
[   35.224391]        printk+0xa7/0xcf
[   35.224395]        kasan_report+0x9e/0x110
[   35.224400]        __asan_report_load8_noabort+0x14/0x20
[   35.224404]        __schedule+0xf54/0x1df0
[   35.224408]        preempt_schedule_common+0x22/0x60
[   35.224412]        _cond_resched+0x1d/0x30
[   35.224416]        wait_for_completion+0xa5/0x8d0
[   35.224420]        __synchronize_srcu+0x189/0x240
[   35.224424]        synchronize_srcu+0x335/0x56f
[   35.224430]        kvm_page_track_unregister_notifier+0x17d/0x250
[   35.224434]        kvm_mmu_uninit_vm+0x1c/0x20
[   35.224438]        kvm_arch_destroy_vm+0x5f2/0x7c0
[   35.224442]        kvm_put_kvm+0x73f/0x1060
[   35.224446]        kvm_vm_release+0x42/0x50
[   35.224449]        __fput+0x38a/0xa40
[   35.224453]        ____fput+0x15/0x20
[   35.224457]        task_work_run+0x1e8/0x2a0
[   35.224461]        do_exit+0x1ae4/0x26e0
[   35.224465]        do_group_exit+0x177/0x440
[   35.224469]        __x64_sys_exit_group+0x3e/0x50
[   35.224473]        do_syscall_64+0x1b9/0x820
[   35.224478]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.224480] 
[   35.224485] other info that might help us debug this:
[   35.224487] 
[   35.224490] Chain exists of:
[   35.224492]   (console_sem).lock --> &rq->lock --> report_lock
[   35.224511] 
[   35.224515]  Possible unsafe locking scenario:
[   35.224517] 
[   35.224521]        CPU0                    CPU1
[   35.224526]        ----                    ----
[   35.224528]   lock(report_lock);
[   35.224537]                                lock(&rq->lock);
[   35.224547]                                lock(report_lock);
[   35.224555]   lock((console_sem).lock);
[   35.224563] 
[   35.224566]  *** DEADLOCK ***
[   35.224569] 
[   35.224573] 2 locks held by syz-executor444/4784:
[   35.224575]  #0: 000000007f22c938 (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0
[   35.224592]  #1: 0000000055414f49 (report_lock){....}, at: kasan_report+0x8e/0x110
[   35.224609] 
[   35.224613] stack backtrace:
[   35.224619] CPU: 1 PID: 4784 Comm: syz-executor444 Not tainted 4.19.0-rc2+ #5
[   35.224626] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.224629] Call Trace:
[   35.224633]  dump_stack+0x1c9/0x2b4
[   35.224638]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.224641]  ? vprintk_func+0x100/0x117
[   35.224647]  print_circular_bug.isra.34.cold.55+0x1bd/0x27d
[   35.224650]  ? save_trace+0xe0/0x290
[   35.224654]  __lock_acquire+0x3449/0x5020
[   35.224659]  ? mark_held_locks+0x160/0x160
[   35.224663]  ? mark_held_locks+0x160/0x160
[   35.224667]  ? rcu_cleanup_dead_rnp+0x200/0x200
[   35.224671]  ? is_bpf_text_address+0xd7/0x170
[   35.224675]  ? kernel_text_address+0x79/0xf0
[   35.224680]  ? __kernel_text_address+0xd/0x40
[   35.224684]  ? __save_stack_trace+0x8d/0xf0
[   35.224688]  ? add_lock_to_list.isra.27+0x1ec/0x4b0
[   35.224692]  ? save_trace+0x290/0x290
[   35.224696]  ? save_stack_trace+0x1a/0x20
[   35.224700]  ? save_trace+0xe0/0x290
[   35.224704]  ? graph_lock+0x170/0x170
[   35.224709]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.224713]  lock_acquire+0x1e4/0x4f0
[   35.224717]  ? down_trylock+0x13/0x70
[   35.224721]  ? lock_release+0x9f0/0x9f0
[   35.224725]  ? trace_hardirqs_off+0xb8/0x2c0
[   35.224729]  ? trace_hardirqs_on+0x2c0/0x2c0
[   35.224733]  ? trace_hardirqs_off+0xb8/0x2c0
[   35.224737]  ? log_store+0x34f/0x4c0
[   35.224741]  ? vprintk_emit+0x31f/0x910
[   35.224745]  _raw_spin_lock_irqsave+0x96/0xc0
[   35.224749]  ? down_trylock+0x13/0x70
[   35.224753]  down_trylock+0x13/0x70
[   35.224757]  __down_trylock_console_sem+0xae/0x200
[   35.224761]  console_trylock+0x15/0xa0
[   35.224765]  vprintk_emit+0x31f/0x910
[   35.224769]  ? wake_up_klogd+0x110/0x110
[   35.224774]  ? run_rebalance_domains+0x4c0/0x4c0
[   35.224778]  ? kasan_check_read+0x11/0x20
[   35.224782]  ? rcu_is_watching+0x8c/0x150
[   35.224786]  ? rcu_pm_notify+0xc0/0xc0
[   35.224790]  ? lock_acquire+0x1e4/0x4f0
[   35.224793]  ? kasan_report+0x8e/0x110
[   35.224797]  ? __schedule+0xf54/0x1df0
[   35.224801]  vprintk_default+0x28/0x30
[   35.224805]  vprintk_func+0x7a/0x117
[   35.224808]  printk+0xa7/0xcf
[   35.224813]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   35.224817]  ? kasan_check_write+0x14/0x20
[   35.224821]  ? do_raw_spin_lock+0xc1/0x200
[   35.224825]  ? do_raw_spin_lock+0xc1/0x200
[   35.224829]  kasan_report+0x9e/0x110
[   35.224834]  __asan_report_load8_noabort+0x14/0x20
[   35.224837]  __schedule+0xf54/0x1df0
[   35.224842]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[   35.224855]  ? __sched_text_start+0x8/0x8
[   35.224859]  ? __call_srcu+0x7e7/0x1040
[   35.224863]  ? check_same_owner+0x340/0x340
[   35.224868]  ? mark_held_locks+0x160/0x160
[   35.224871]  ? find_held_lock+0x36/0x1c0
[   35.224876]  preempt_schedule_common+0x22/0x60
[   35.224880]  _cond_resched+0x1d/0x30
[   35.224884]  wait_for_completion+0xa5/0x8d0
[   35.224889]  ? wait_for_completion_interruptible+0x950/0x950
[   35.224894]  ? __lockdep_init_map+0x105/0x590
[   35.224898]  ? __init_waitqueue_head+0x9e/0x150
[   35.224902]  ? init_wait_entry+0x1c0/0x1c0
[   35.224906]  __synchronize_srcu+0x189/0x240
[   35.224910]  ? call_srcu+0x10/0x10
[   35.224914]  ? rcu_unexpedite_gp+0x20/0x20
[   35.224918]  synchronize_srcu+0x335/0x56f
[   35.224922]  ? lock_downgrade+0x8f0/0x8f0
[   35.224927]  ? synchronize_srcu_expedited+0x20/0x20
[   35.224931]  ? kasan_check_read+0x11/0x20
[   35.224936]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   35.224940]  ? kasan_check_write+0x14/0x20
[   35.224944]  ? do_raw_spin_lock+0xc1/0x200
[   35.224949]  kvm_page_track_unregister_notifier+0x17d/0x250
[   35.224954]  ? kvm_slot_page_track_remove_page+0x70/0x70
[   35.224958]  ? kvfree+0x61/0x70
[   35.224962]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.224966]  kvm_mmu_uninit_vm+0x1c/0x20
[   35.224971]  kvm_arch_destroy_vm+0x5f2/0x7c0
[   35.224975]  ? kvm_arch_sync_events+0x30/0x30
[   35.224980]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.224985]  ? mmu_notifier_unregister+0x474/0x600
[   35.224989]  ? trace_hardirqs_on+0x2c0/0x2c0
[   35.224992]  ? kfree+0x111/0x210
[   35.224997]  ? __mmu_notifier_register+0x30/0x30
[   35.225001]  ? __free_pages+0x10a/0x190
[   35.225005]  ? free_unref_page+0x930/0x930
[   35.225009]  kvm_put_kvm+0x73f/0x1060
[   35.225013]  ? kvm_write_guest_cached+0x40/0x40
[   35.225018]  ? _raw_spin_unlock_irq+0x27/0x70
[   35.225022]  ? _raw_spin_unlock_irq+0x27/0x70
[   35.225026]  ? lockdep_hardirqs_on+0x421/0x5c0
[   35.225030]  ? kasan_check_write+0x14/0x20
[   35.225034]  ? do_raw_spin_lock+0xc1/0x200
[   35.225038]  ? kvm_irqfd_release+0xdd/0x120
[   35.225043]  ? kvm_irqfd_release+0xdd/0x120
[   35.225047]  ? kvm_put_kvm+0x1060/0x1060
[   35.225050]  kvm_vm_release+0x42/0x50
[   35.225054]  __fput+0x38a/0xa40
[   35.225058]  ? __alloc_file+0x400/0x400
[   35.225062]  ? check_same_owner+0x340/0x340
[   35.225066]  ? kasan_check_write+0x14/0x20
[   35.225070]  ? do_raw_spin_lock+0xc1/0x200
[   35.225074]  ____fput+0x15/0x20
[   35.225078]  task_work_run+0x1e8/0x2a0
[   35.225082]  ? task_work_cancel+0x240/0x240
[   35.225087]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.225091]  ? switch_task_namespaces+0xa2/0xd0
[   35.225095]  do_exit+0x1ae4/0x26e0
[   35.225099]  ? mm_update_next_owner+0x9a0/0x9a0
[   35.225103]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[   35.225108]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.225112]  ? kfree+0x1d7/0x210
[   35.225116]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[   35.225120]  ? kvm_uevent_notify_change.part.32+0x440/
[   35.225128] Lost 55 message(s)!
[   36.286480] Shutting down cpus with NMI
[   37.345143] Dumping ftrace buffer:
[   37.348661]    (ftrace buffer empty)
[   37.352349] Kernel Offset: disabled
[   37.355956] Rebooting in 86400 seconds..