[ 34.843774] audit: type=1800 audit(1585744596.114:33): pid=7152 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.870580] audit: type=1800 audit(1585744596.114:34): pid=7152 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 37.267080] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.528444] audit: type=1400 audit(1585744598.794:35): avc: denied { map } for pid=7324 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.579308] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.305936] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.494457] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
[ 44.029177] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.146181] audit: type=1400 audit(1585744605.414:36): avc: denied { map } for pid=7336 comm="syz-executor144" path="/root/syz-executor144063263" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.391207] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 45.133012] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[ 45.142865] ------------[ cut here ]------------
[ 45.147617] WARNING: CPU: 0 PID: 7340 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 45.156753] Kernel panic - not syncing: panic_on_warn set ...
[ 45.156753]
[ 45.164185] CPU: 0 PID: 7340 Comm: syz-executor144 Not tainted 4.14.174-syzkaller #0
[ 45.172051] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.181590] Call Trace:
[ 45.184281] dump_stack+0x13e/0x194
[ 45.187897] panic+0x1f9/0x42d
[ 45.191082] ? add_taint.cold+0x16/0x16
[ 45.195044] ? debug_print_object.cold+0xa7/0xdb
[ 45.199791] ? debug_print_object.cold+0xa7/0xdb
[ 45.204539] __warn.cold+0x2f/0x30
[ 45.208156] ? ist_end_non_atomic+0x10/0x10
[ 45.212466] ? debug_print_object.cold+0xa7/0xdb
[ 45.217211] report_bug+0x20a/0x248
[ 45.220829] do_error_trap+0x195/0x2d0
[ 45.224842] ? math_error+0x2d0/0x2d0
[ 45.228629] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.233463] invalid_op+0x1b/0x40
[ 45.236906] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 45.242253] RSP: 0018:ffff88809f1cf430 EFLAGS: 00010082
[ 45.247602] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[ 45.254860] RDX: 0000000000000000 RSI: ffffffff86ac07e0 RDI: ffffed1013e39e7c
[ 45.262116] RBP: ffffffff86ab5ee0 R08: 0000000000000055 R09: 0000000000000000
[ 45.269379] R10: fffffbfff14a8cd8 R11: ffff88808b6fa280 R12: 0000000000000000
[ 45.276780] R13: 0000000000000001 R14: 1ffff11013e39e90 R15: ffffffff87d84240
[ 45.284061] debug_object_activate+0x307/0x450
[ 45.288637] ? debug_object_free+0x390/0x390
[ 45.293041] ? find_held_lock+0x2d/0x110
[ 45.297096] ? route4_walk+0x450/0x450
[ 45.300974] __call_rcu.constprop.0+0x31/0x7e0
[ 45.305670] route4_change+0xb27/0x1c4d
[ 45.309789] ? route4_delete+0x760/0x760
[ 45.313839] ? route4_delete+0x760/0x760
[ 45.317977] tc_ctl_tfilter+0xf13/0x18e6
[ 45.322081] ? tfilter_notify+0x240/0x240
[ 45.326225] ? mutex_trylock+0x1a0/0x1a0
[ 45.330275] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.334672] ? tfilter_notify+0x240/0x240
[ 45.338804] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.343092] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.347671] ? save_trace+0x290/0x290
[ 45.351463] ? save_trace+0x290/0x290
[ 45.355437] netlink_rcv_skb+0x127/0x370
[ 45.359532] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.364102] ? netlink_ack+0x980/0x980
[ 45.367977] netlink_unicast+0x437/0x620
[ 45.372029] ? netlink_attachskb+0x600/0x600
[ 45.376425] netlink_sendmsg+0x733/0xbe0
[ 45.380473] ? netlink_unicast+0x620/0x620
[ 45.384697] ? SYSC_sendto+0x2b0/0x2b0
[ 45.388707] ? security_socket_sendmsg+0x83/0xb0
[ 45.393467] ? netlink_unicast+0x620/0x620
[ 45.397686] sock_sendmsg+0xc5/0x100
[ 45.401390] ___sys_sendmsg+0x70a/0x840
[ 45.405416] ? trace_hardirqs_on+0x10/0x10
[ 45.409644] ? copy_msghdr_from_user+0x380/0x380
[ 45.414547] ? find_held_lock+0x2d/0x110
[ 45.418682] ? lock_downgrade+0x6e0/0x6e0
[ 45.422991] ? __fget+0x228/0x360
[ 45.426701] ? __fget_light+0x199/0x1f0
[ 45.430671] ? sockfd_lookup_light+0xb2/0x160
[ 45.435164] __sys_sendmsg+0xa3/0x120
[ 45.438957] ? SyS_shutdown+0x160/0x160
[ 45.442937] ? move_addr_to_kernel+0x60/0x60
[ 45.447335] SyS_sendmsg+0x27/0x40
[ 45.450863] ? __sys_sendmsg+0x120/0x120
[ 45.454920] do_syscall_64+0x1d5/0x640
[ 45.458884] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.464068] RIP: 0033:0x446e09
[ 45.467332] RSP: 002b:00007fafd9728d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.475031] RAX: ffffffffffffffda RBX: 00000000006dbc78 RCX: 0000000000446e09
[ 45.482291] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
[ 45.489662] RBP: 00000000006dbc70 R08: 0000000000000000 R09: 0000000000000000
[ 45.497032] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc7c
[ 45.504434] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 45.511705]
[ 45.511708] ======================================================
[ 45.511709] WARNING: possible circular locking dependency detected
[ 45.511751] 4.14.174-syzkaller #0 Not tainted
[ 45.511754] ------------------------------------------------------
[ 45.511755] syz-executor144/7340 is trying to acquire lock:
[ 45.511756] ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 45.511760]
[ 45.511762] but task is already holding lock:
[ 45.511762] (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 45.511766]
[ 45.511768] which lock already depends on the new lock.
[ 45.511769]
[ 45.511769]
[ 45.511771] the existing dependency chain (in reverse order) is:
[ 45.511772]
[ 45.511772] -> #5 (&obj_hash[i].lock){-.-.}:
[ 45.511776] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.511778] debug_object_activate+0x10b/0x450
[ 45.511779] enqueue_hrtimer+0x22/0x3b0
[ 45.511780] hrtimer_start_range_ns+0x4e6/0x1060
[ 45.511782] schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 45.511783] wait_task_inactive+0x478/0x530
[ 45.511785] __kthread_bind_mask+0x1f/0xb0
[ 45.511786] create_worker+0x313/0x530
[ 45.511787] workqueue_init+0x55f/0x66e
[ 45.511788] kernel_init_freeable+0x2ab/0x526
[ 45.511789] kernel_init+0xd/0x15b
[ 45.511791] ret_from_fork+0x24/0x30
[ 45.511791]
[ 45.511792] -> #4 (hrtimer_bases.lock){-.-.}:
[ 45.511796] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.511797] lock_hrtimer_base.isra.0+0x6d/0x120
[ 45.511799] hrtimer_start_range_ns+0x7b/0x1060
[ 45.511801] enqueue_task_rt+0x94d/0xdb0
[ 45.511802] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.511803] _sched_setscheduler+0xf9/0x150
[ 45.511804] watchdog_enable+0xff/0x150
[ 45.511806] smpboot_thread_fn+0x40d/0x920
[ 45.511807] kthread+0x30d/0x420
[ 45.511808] ret_from_fork+0x24/0x30
[ 45.511809]
[ 45.511809] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 45.511813] _raw_spin_lock+0x2a/0x40
[ 45.511815] enqueue_task_rt+0x508/0xdb0
[ 45.511816] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.511818] _sched_setscheduler+0xf9/0x150
[ 45.511819] watchdog_enable+0xff/0x150
[ 45.511820] smpboot_thread_fn+0x40d/0x920
[ 45.511821] kthread+0x30d/0x420
[ 45.511822] ret_from_fork+0x24/0x30
[ 45.511823]
[ 45.511824] -> #2 (&rq->lock){-.-.}:
[ 45.511828] _raw_spin_lock+0x2a/0x40
[ 45.511829] task_fork_fair+0x63/0x5b0
[ 45.511830] sched_fork+0x39a/0xbd0
[ 45.511831] copy_process.part.0+0x15b7/0x6a70
[ 45.511832] _do_fork+0x180/0xc80
[ 45.511834] kernel_thread+0x2f/0x40
[ 45.511835] rest_init+0x1f/0x1d2
[ 45.511836] start_kernel+0x659/0x676
[ 45.511837] secondary_startup_64+0xa5/0xb0
[ 45.511838]
[ 45.511839] -> #1 (&p->pi_lock){-.-.}:
[ 45.511843] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.511844] try_to_wake_up+0x6a/0xef0
[ 45.511845] up+0x92/0xe0
[ 45.511846] __up_console_sem+0xa9/0x1b0
[ 45.511847] console_unlock+0x596/0xec0
[ 45.511849] vprintk_emit+0x1f8/0x600
[ 45.511850] vprintk_func+0x58/0x152
[ 45.511851] printk+0x9e/0xbc
[ 45.511852] kauditd_hold_skb.cold+0x3e/0x4d
[ 45.511853] kauditd_send_queue+0xfb/0x140
[ 45.511855] kauditd_thread+0x625/0x840
[ 45.511856] kthread+0x30d/0x420
[ 45.511857] ret_from_fork+0x24/0x30
[ 45.511858]
[ 45.511858] -> #0 ((console_sem).lock){-...}:
[ 45.511862] lock_acquire+0x170/0x3f0
[ 45.511864] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.511865] down_trylock+0xe/0x60
[ 45.511866] __down_trylock_console_sem+0x97/0x1f0
[ 45.511867] console_trylock+0x14/0x70
[ 45.511869] vprintk_emit+0x1ea/0x600
[ 45.511870] vprintk_func+0x58/0x152
[ 45.511871] printk+0x9e/0xbc
[ 45.511872] debug_print_object.cold+0xa7/0xdb
[ 45.511874] debug_object_activate+0x307/0x450
[ 45.511875] __call_rcu.constprop.0+0x31/0x7e0
[ 45.511876] route4_change+0xb27/0x1c4d
[ 45.511878] tc_ctl_tfilter+0xf13/0x18e6
[ 45.511879] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.511880] netlink_rcv_skb+0x127/0x370
[ 45.511881] netlink_unicast+0x437/0x620
[ 45.511883] netlink_sendmsg+0x733/0xbe0
[ 45.511884] sock_sendmsg+0xc5/0x100
[ 45.511885] ___sys_sendmsg+0x70a/0x840
[ 45.511886] __sys_sendmsg+0xa3/0x120
[ 45.511887] SyS_sendmsg+0x27/0x40
[ 45.511889] do_syscall_64+0x1d5/0x640
[ 45.511890] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.511891]
[ 45.511892] other info that might help us debug this:
[ 45.511893]
[ 45.511894] Chain exists of:
[ 45.511894] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 45.511900]
[ 45.511901] Possible unsafe locking scenario:
[ 45.511901]
[ 45.511903]        CPU0                    CPU1
[ 45.511904]        ----                    ----
[ 45.511905]   lock(&obj_hash[i].lock);
[ 45.511907]                                lock(hrtimer_bases.lock);
[ 45.511910]                                lock(&obj_hash[i].lock);
[ 45.511913]   lock((console_sem).lock);
[ 45.511915]
[ 45.511916] *** DEADLOCK ***
[ 45.511916]
[ 45.511918] 2 locks held by syz-executor144/7340:
[ 45.511918] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 45.511923] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 45.511927]
[ 45.511928] stack backtrace:
[ 45.511930] CPU: 0 PID: 7340 Comm: syz-executor144 Not tainted 4.14.174-syzkaller #0
[ 45.511933] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.511933] Call Trace:
[ 45.511935] dump_stack+0x13e/0x194
[ 45.511936] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 45.511937] __lock_acquire+0x2cb3/0x4620
[ 45.511938] ? string+0x17e/0x1d0
[ 45.511940] ? trace_hardirqs_on+0x10/0x10
[ 45.511941] ? netdev_bits+0xa0/0xa0
[ 45.511942] ? kvm_clock_read+0x1f/0x30
[ 45.511943] ? kvm_sched_clock_read+0x5/0x10
[ 45.511944] lock_acquire+0x170/0x3f0
[ 45.511945] ? down_trylock+0xe/0x60
[ 45.511947] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.511948] ? down_trylock+0xe/0x60
[ 45.511949] down_trylock+0xe/0x60
[ 45.511950] ? vprintk_emit+0x1ea/0x600
[ 45.511952] __down_trylock_console_sem+0x97/0x1f0
[ 45.511953] console_trylock+0x14/0x70
[ 45.511954] vprintk_emit+0x1ea/0x600
[ 45.511955] vprintk_func+0x58/0x152
[ 45.511956] printk+0x9e/0xbc
[ 45.511957] ? show_regs_print_info+0x5b/0x5b
[ 45.511958] ? lock_acquire+0x170/0x3f0
[ 45.511960] ? debug_object_activate+0x10b/0x450
[ 45.511965] debug_print_object.cold+0xa7/0xdb
[ 45.511966] debug_object_activate+0x307/0x450
[ 45.511968] ? debug_object_free+0x390/0x390
[ 45.511969] ? find_held_lock+0x2d/0x110
[ 45.511970] ? route4_walk+0x450/0x450
[ 45.511971] __call_rcu.constprop.0+0x31/0x7e0
[ 45.511973] route4_change+0xb27/0x1c4d
[ 45.511974] ? route4_delete+0x760/0x760
[ 45.511975] ? route4_delete+0x760/0x760
[ 45.511976] tc_ctl_tfilter+0xf13/0x18e6
[ 45.511977] ? tfilter_notify+0x240/0x240
[ 45.511979] ? mutex_trylock+0x1a0/0x1a0
[ 45.511980] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.511981] ? tfilter_notify+0x240/0x240
[ 45.511982] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.511984] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.511985] ? save_trace+0x290/0x290
[ 45.511986] ? save_trace+0x290/0x290
[ 45.511987] netlink_rcv_skb+0x127/0x370
[ 45.511988] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.511989] ? netlink_ack+0x980/0x980
[ 45.511991] netlink_unicast+0x437/0x620
[ 45.511992] ? netlink_attachskb+0x600/0x600
[ 45.511993] netlink_sendmsg+0x733/0xbe0
[ 45.511994] ? netlink_unicast+0x620/0x620
[ 45.511995] ? SYSC_sendto+0x2b0/0x2b0
[ 45.511997] ? security_socket_sendmsg+0x83/0xb0
[ 45.511998] ? netlink_unicast+0x620/0x620
[ 45.511999] sock_sendmsg+0xc5/0x100
[ 45.512000] ___sys_sendmsg+0x70a/0x840
[ 45.512001] ? trace_hardirqs_on+0x10/0x10
[ 45.512003] ? copy_msghdr_from_user+0x380/0x380
[ 45.512004] ? find_held_lock+0x2d/0x110
[ 45.512005] ? lock_downgrade+0x6e0/0x6e0
[ 45.512006] ? __fget+0x228/0x360
[ 45.512007] ? __fget_light+0x199/0x1f0
[ 45.512008] ? sockfd_lookup_light+0xb2/0x160
[ 45.512010] __sys_sendmsg+0xa3/0x120
[ 45.512011] ? SyS_shutdown+0x160/0x160
[ 45.512012] ? move_addr_to_kernel+0x60/0x60
[ 45.512013] SyS_sendmsg+0x27/0x40
[ 45.512014] ? __sys_sendmsg+0x120/0x120
[ 45.512015] do_syscall_64+0x1d5/0x640
[ 45.512017] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.512018] RIP: 0033:0x446e09
[ 45.512019] RSP: 002b:00007fafd9728d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.512022] RAX: ffffffffffffffda RBX: 00000000006dbc78 RCX: 0000000000446e09
[ 45.512024] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
[ 45.512026] RBP: 00000000006dbc70 R08: 0000000000000000 R09: 0000000000000000
[ 45.512028] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc7c
[ 45.512030] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 45.513525] Kernel Offset: disabled
[ 46.400586] Rebooting in 86400 seconds..