[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 22.943346] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.497601] random: sshd: uninitialized urandom read (32 bytes read)
[ 26.821267] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.373039] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.544213] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
[ 33.213589] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 33.308284] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 33.332430] ==================================================================
[ 33.342253] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0
[ 33.348486] Read of size 8 at addr ffff8801acad8058 by task syz-executor929/4456
[ 33.356005]
[ 33.357628] CPU: 1 PID: 4456 Comm: syz-executor929 Not tainted 4.18.0+ #209
[ 33.364717] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.374061] Call Trace:
[ 33.376648]  dump_stack+0x1c9/0x2b4
[ 33.380278]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.385469]  ? printk+0xa7/0xcf
[ 33.388750]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.393511]  ? __schedule+0xf54/0x1df0
[ 33.397399]  print_address_description+0x6c/0x20b
[ 33.402259]  ? __schedule+0xf54/0x1df0
[ 33.406144]  kasan_report.cold.7+0x242/0x30d
[ 33.410551]  __asan_report_load8_noabort+0x14/0x20
[ 33.415497]  __schedule+0xf54/0x1df0
[ 33.419210]  ? __sched_text_start+0x8/0x8
[ 33.423356]  ? _raw_spin_unlock_irqrestore+0xa1/0xc0
[ 33.428464]  ? __call_srcu+0x7e7/0x1040
[ 33.432446]  ? check_same_owner+0x340/0x340
[ 33.436770]  ? mark_held_locks+0x160/0x160
[ 33.441000]  ? find_held_lock+0x36/0x1c0
[ 33.445063]  preempt_schedule_common+0x22/0x60
[ 33.449642]  _cond_resched+0x1d/0x30
[ 33.453356]  wait_for_completion+0xa5/0x8d0
[ 33.458144]  ? wait_for_completion_interruptible+0x950/0x950
[ 33.463938]  ? __lockdep_init_map+0x105/0x590
[ 33.468443]  ? __init_waitqueue_head+0x9e/0x150
[ 33.473114]  ? init_wait_entry+0x1c0/0x1c0
[ 33.477351]  __synchronize_srcu+0x189/0x240
[ 33.481667]  ? call_srcu+0x10/0x10
[ 33.485207]  ? rcu_unexpedite_gp+0x20/0x20
[ 33.489449]  synchronize_srcu+0x335/0x56f
[ 33.493599]  ? lock_downgrade+0x8f0/0x8f0
[ 33.497744]  ? synchronize_srcu_expedited+0x20/0x20
[ 33.502758]  ? kasan_check_read+0x11/0x20
[ 33.506906]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 33.511490]  ? kasan_check_write+0x14/0x20
[ 33.515721]  ? do_raw_spin_lock+0xc1/0x200
[ 33.519966]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 33.525680]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 33.531128]  ? kvfree+0x61/0x70
[ 33.534410]  ? rcu_read_lock_sched_held+0x108/0x120
[ 33.539427]  kvm_mmu_uninit_vm+0x1c/0x20
[ 33.543500]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 33.547906]  ? kvm_arch_sync_events+0x30/0x30
[ 33.552406]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.557943]  ? mmu_notifier_unregister+0x474/0x600
[ 33.562878]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 33.567379]  ? kfree+0x111/0x210
[ 33.570773]  ? __mmu_notifier_register+0x30/0x30
[ 33.575532]  ? __free_pages+0x10a/0x190
[ 33.579504]  ? free_unref_page+0x930/0x930
[ 33.583753]  kvm_put_kvm+0x73f/0x1060
[ 33.587555]  ? kvm_write_guest_cached+0x40/0x40
[ 33.592229]  ? _raw_spin_unlock_irq+0x27/0x70
[ 33.596723]  ? _raw_spin_unlock_irq+0x27/0x70
[ 33.601212]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 33.605793]  ? kasan_check_write+0x14/0x20
[ 33.610026]  ? do_raw_spin_lock+0xc1/0x200
[ 33.614262]  ? kvm_irqfd_release+0xdd/0x120
[ 33.618577]  ? kvm_irqfd_release+0xdd/0x120
[ 33.622899]  ? kvm_put_kvm+0x1060/0x1060
[ 33.626964]  kvm_vm_release+0x42/0x50
[ 33.630763]  __fput+0x36e/0x8c0
[ 33.634041]  ? __alloc_file+0x400/0x400
[ 33.638013]  ? check_same_owner+0x340/0x340
[ 33.642330]  ? kasan_check_write+0x14/0x20
[ 33.646559]  ? do_raw_spin_lock+0xc1/0x200
[ 33.650789]  ____fput+0x15/0x20
[ 33.654063]  task_work_run+0x1e8/0x2a0
[ 33.657960]  ? task_work_cancel+0x240/0x240
[ 33.662285]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.667822]  ? switch_task_namespaces+0xa2/0xd0
[ 33.672491]  do_exit+0x1ae4/0x26e0
[ 33.676032]  ? mm_update_next_owner+0x9a0/0x9a0
[ 33.680700]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 33.684933]  ? rcu_read_lock_sched_held+0x108/0x120
[ 33.689960]  ? kfree+0x1d7/0x210
[ 33.693325]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 33.697560]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 33.703269]  ? is_bpf_text_address+0xd7/0x170
[ 33.707761]  ? kernel_text_address+0x79/0xf0
[ 33.712172]  ? __kernel_text_address+0xd/0x40
[ 33.716666]  ? unwind_get_return_address+0x61/0xa0
[ 33.721597]  ? __save_stack_trace+0x8d/0xf0
[ 33.725920]  ? save_stack+0xa9/0xd0
[ 33.729551]  ? save_stack+0x43/0xd0
[ 33.733173]  ? __kasan_slab_free+0x11a/0x170
[ 33.737578]  ? kasan_slab_free+0xe/0x10
[ 33.741553]  ? putname+0xf2/0x130
[ 33.745004]  ? __x64_sys_openat+0x9d/0x100
[ 33.749239]  ? do_syscall_64+0x1b9/0x820
[ 33.753299]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.758663]  ? trace_hardirqs_off+0xb8/0x2b0
[ 33.763067]  ? kasan_check_read+0x11/0x20
[ 33.767211]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 33.771615]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 33.776022]  ? initcall_blacklisted+0x9a/0x1e0
[ 33.780607]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 33.785710]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 33.791425]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.796969]  ? do_vfs_ioctl+0x201/0x1720
[ 33.801036]  ? rcu_is_watching+0x8c/0x150
[ 33.805178]  ? trace_hardirqs_on+0xbd/0x2c0
[ 33.809498]  ? ioctl_preallocate+0x300/0x300
[ 33.813904]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.819441]  ? __fget_light+0x2f7/0x440
[ 33.823416]  ? fget_raw+0x20/0x20
[ 33.826864]  ? putname+0xf2/0x130
[ 33.830319]  ? rcu_read_lock_sched_held+0x108/0x120
[ 33.835331]  ? kmem_cache_free+0x246/0x280
[ 33.839565]  ? putname+0xf7/0x130
[ 33.843022]  do_group_exit+0x177/0x440
[ 33.846908]  ? trace_hardirqs_on+0xbd/0x2c0
[ 33.851230]  ? __ia32_sys_exit+0x50/0x50
[ 33.855306]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 33.860412]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 33.865959]  ? ksys_ioctl+0x81/0xd0
[ 33.869610]  __x64_sys_exit_group+0x3e/0x50
[ 33.873936]  do_syscall_64+0x1b9/0x820
[ 33.877922]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 33.883303]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 33.888230]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.893068]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 33.898088]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 33.903114]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.907971]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.913162] RIP: 0033:0x43ecc8
[ 33.916355] Code: Bad RIP value.
[ 33.919711] RSP: 002b:00007fffe766a3d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 33.927419] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecc8
[ 33.934682] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 33.941973] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 33.949242] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 33.956506] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 33.963787]
[ 33.965411] Allocated by task 4456:
[ 33.969043]  save_stack+0x43/0xd0
[ 33.972491]  kasan_kmalloc+0xc4/0xe0
[ 33.976210]  kasan_slab_alloc+0x12/0x20
[ 33.980177]  kmem_cache_alloc+0x12e/0x710
[ 33.984320]  vmx_create_vcpu+0xcf/0x2830
[ 33.988393]  kvm_arch_vcpu_create+0xe5/0x220
[ 33.992799]  kvm_vm_ioctl+0x488/0x1d80
[ 33.996685]  do_vfs_ioctl+0x1de/0x1720
[ 34.000566]  ksys_ioctl+0xa9/0xd0
[ 34.004128]  __x64_sys_ioctl+0x73/0xb0
[ 34.008014]  do_syscall_64+0x1b9/0x820
[ 34.011898]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.017072]
[ 34.018714] Freed by task 4456:
[ 34.021990]  save_stack+0x43/0xd0
[ 34.025439]  __kasan_slab_free+0x11a/0x170
[ 34.029670]  kasan_slab_free+0xe/0x10
[ 34.033470]  kmem_cache_free+0x86/0x280
[ 34.037439]  vmx_free_vcpu+0x26b/0x300
[ 34.041326]  kvm_arch_destroy_vm+0x365/0x7c0
[ 34.045734]  kvm_put_kvm+0x73f/0x1060
[ 34.049530]  kvm_vm_release+0x42/0x50
[ 34.053430]  __fput+0x36e/0x8c0
[ 34.056705]  ____fput+0x15/0x20
[ 34.059980]  task_work_run+0x1e8/0x2a0
[ 34.063860]  do_exit+0x1ae4/0x26e0
[ 34.067393]  do_group_exit+0x177/0x440
[ 34.071276]  __x64_sys_exit_group+0x3e/0x50
[ 34.075596]  do_syscall_64+0x1b9/0x820
[ 34.079494]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.084668]
[ 34.086291] The buggy address belongs to the object at ffff8801acad8040
[ 34.086291]  which belongs to the cache kvm_vcpu of size 23872
[ 34.098858] The buggy address is located 24 bytes inside of
[ 34.098858]  23872-byte region [ffff8801acad8040, ffff8801acaddd80)
[ 34.110811] The buggy address belongs to the page:
[ 34.115735] page:ffffea0006b2b600 count:1 mapcount:0 mapping:ffff8801d9ff03c0 index:0x0 compound_mapcount: 0
[ 34.125699] flags: 0x2fffc0000008100(slab|head)
[ 34.130382] raw: 02fffc0000008100 ffff8801d5707c48 ffff8801d5707c48 ffff8801d9ff03c0
[ 34.138260] raw: 0000000000000000 ffff8801acad8040 0000000100000001 0000000000000000
[ 34.146127] page dumped because: kasan: bad access detected
[ 34.151826]
[ 34.153442] Memory state around the buggy address:
[ 34.158367]  ffff8801acad7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.165720]  ffff8801acad7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.173072] >ffff8801acad8000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.180419]                                                     ^
[ 34.186641]  ffff8801acad8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.193995]  ffff8801acad8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.201345] ==================================================================
[ 34.208698] Kernel panic - not syncing: panic_on_warn set ...
[ 34.208698]
[ 34.216064] CPU: 1 PID: 4456 Comm: syz-executor929 Tainted: G    B 4.18.0+ #209
[ 34.224541] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.233891] Call Trace:
[ 34.236487]  dump_stack+0x1c9/0x2b4
[ 34.240114]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.245305]  ? lock_downgrade+0x8f0/0x8f0
[ 34.249447]  ? __schedule+0xf54/0x1df0
[ 34.253344]  panic+0x238/0x4e7
[ 34.256532]  ? add_taint.cold.5+0x16/0x16
[ 34.260682]  ? print_shadow_for_address+0xba/0x116
[ 34.265607]  ? trace_hardirqs_off+0xaf/0x2b0
[ 34.270010]  ? trace_hardirqs_off+0x77/0x2b0
[ 34.274419]  ? __schedule+0xf54/0x1df0
[ 34.278304]  kasan_end_report+0x47/0x4f
[ 34.282278]  kasan_report.cold.7+0x76/0x30d
[ 34.286602]  __asan_report_load8_noabort+0x14/0x20
[ 34.291535]  __schedule+0xf54/0x1df0
[ 34.295250]  ? __sched_text_start+0x8/0x8
[ 34.299395]  ? _raw_spin_unlock_irqrestore+0xa1/0xc0
[ 34.304507]  ? __call_srcu+0x7e7/0x1040
[ 34.308489]  ? check_same_owner+0x340/0x340
[ 34.312822]  ? mark_held_locks+0x160/0x160
[ 34.317053]  ? find_held_lock+0x36/0x1c0
[ 34.321114]  preempt_schedule_common+0x22/0x60
[ 34.325910]  _cond_resched+0x1d/0x30
[ 34.329613]  wait_for_completion+0xa5/0x8d0
[ 34.333935]  ? wait_for_completion_interruptible+0x950/0x950
[ 34.339739]  ? __lockdep_init_map+0x105/0x590
[ 34.344234]  ? __init_waitqueue_head+0x9e/0x150
[ 34.348898]  ? init_wait_entry+0x1c0/0x1c0
[ 34.353136]  __synchronize_srcu+0x189/0x240
[ 34.357465]  ? call_srcu+0x10/0x10
[ 34.361005]  ? rcu_unexpedite_gp+0x20/0x20
[ 34.365243]  synchronize_srcu+0x335/0x56f
[ 34.369388]  ? lock_downgrade+0x8f0/0x8f0
[ 34.373531]  ? synchronize_srcu_expedited+0x20/0x20
[ 34.378545]  ? kasan_check_read+0x11/0x20
[ 34.382709]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 34.387295]  ? kasan_check_write+0x14/0x20
[ 34.391529]  ? do_raw_spin_lock+0xc1/0x200
[ 34.395767]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 34.401480]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 34.407106]  ? kvfree+0x61/0x70
[ 34.410383]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.415409]  kvm_mmu_uninit_vm+0x1c/0x20
[ 34.419479]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 34.423887]  ? kvm_arch_sync_events+0x30/0x30
[ 34.428387]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.433924]  ? mmu_notifier_unregister+0x474/0x600
[ 34.438860]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.443263]  ? kfree+0x111/0x210
[ 34.446627]  ? __mmu_notifier_register+0x30/0x30
[ 34.451385]  ? __free_pages+0x10a/0x190
[ 34.455357]  ? free_unref_page+0x930/0x930
[ 34.460066]  kvm_put_kvm+0x73f/0x1060
[ 34.463872]  ? kvm_write_guest_cached+0x40/0x40
[ 34.468545]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.473039]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.477537]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 34.482118]  ? kasan_check_write+0x14/0x20
[ 34.486358]  ? do_raw_spin_lock+0xc1/0x200
[ 34.490592]  ? kvm_irqfd_release+0xdd/0x120
[ 34.494907]  ? kvm_irqfd_release+0xdd/0x120
[ 34.499231]  ? kvm_put_kvm+0x1060/0x1060
[ 34.503288]  kvm_vm_release+0x42/0x50
[ 34.507084]  __fput+0x36e/0x8c0
[ 34.510360]  ? __alloc_file+0x400/0x400
[ 34.514334]  ? check_same_owner+0x340/0x340
[ 34.518652]  ? kasan_check_write+0x14/0x20
[ 34.522882]  ? do_raw_spin_lock+0xc1/0x200
[ 34.527112]  ____fput+0x15/0x20
[ 34.530389]  task_work_run+0x1e8/0x2a0
[ 34.534278]  ? task_work_cancel+0x240/0x240
[ 34.538603]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.544137]  ? switch_task_namespaces+0xa2/0xd0
[ 34.548807]  do_exit+0x1ae4/0x26e0
[ 34.552347]  ? mm_update_next_owner+0x9a0/0x9a0
[ 34.557018]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 34.561252]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.566263]  ? kfree+0x1d7/0x210
[ 34.569627]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 34.573870]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 34.579583]  ? is_bpf_text_address+0xd7/0x170
[ 34.584075]  ? kernel_text_address+0x79/0xf0
[ 34.588482]  ? __kernel_text_address+0xd/0x40
[ 34.592983]  ? unwind_get_return_address+0x61/0xa0
[ 34.597911]  ? __save_stack_trace+0x8d/0xf0
[ 34.602238]  ? save_stack+0xa9/0xd0
[ 34.605865]  ? save_stack+0x43/0xd0
[ 34.609489]  ? __kasan_slab_free+0x11a/0x170
[ 34.613896]  ? kasan_slab_free+0xe/0x10
[ 34.617865]  ? putname+0xf2/0x130
[ 34.621314]  ? __x64_sys_openat+0x9d/0x100
[ 34.625546]  ? do_syscall_64+0x1b9/0x820
[ 34.629608]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.634975]  ? trace_hardirqs_off+0xb8/0x2b0
[ 34.639387]  ? kasan_check_read+0x11/0x20
[ 34.643537]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 34.647941]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.652359]  ? initcall_blacklisted+0x9a/0x1e0
[ 34.656943]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 34.662061]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 34.667782]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.673321]  ? do_vfs_ioctl+0x201/0x1720
[ 34.677379]  ? rcu_is_watching+0x8c/0x150
[ 34.681523]  ? trace_hardirqs_on+0xbd/0x2c0
[ 34.685842]  ? ioctl_preallocate+0x300/0x300
[ 34.690251]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.695794]  ? __fget_light+0x2f7/0x440
[ 34.699765]  ? fget_raw+0x20/0x20
[ 34.703213]  ? putname+0xf2/0x130
[ 34.706665]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.711679]  ? kmem_cache_free+0x246/0x280
[ 34.715908]  ? putname+0xf7/0x130
[ 34.719360]  do_group_exit+0x177/0x440
[ 34.723245]  ? trace_hardirqs_on+0xbd/0x2c0
[ 34.727562]  ? __ia32_sys_exit+0x50/0x50
[ 34.731622]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 34.736728]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.742265]  ? ksys_ioctl+0x81/0xd0
[ 34.745893]  __x64_sys_exit_group+0x3e/0x50
[ 34.750214]  do_syscall_64+0x1b9/0x820
[ 34.754105]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.759474]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 34.764401]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.769241]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 34.774255]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 34.779271]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.784123]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.789332] RIP: 0033:0x43ecc8
[ 34.792526] Code: Bad RIP value.
[ 34.795884] RSP: 002b:00007fffe766a3d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 34.803647] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecc8
[ 34.810909] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 34.818170] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 34.825435] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 34.832701] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 34.839992]
[ 34.839998] ======================================================
[ 34.840003] WARNING: possible circular locking dependency detected
[ 34.840007] 4.18.0+ #209 Not tainted
[ 34.840012] ------------------------------------------------------
[ 34.840017] syz-executor929/4456 is trying to acquire lock:
[ 34.840020] 000000000faa2c65 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 34.840035]
[ 34.840039] but task is already holding lock:
[ 34.840042] 00000000977ae910 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 34.840056]
[ 34.840061] which lock already depends on the new lock.
[ 34.840063]
[ 34.840065]
[ 34.840070] the existing dependency chain (in reverse order) is:
[ 34.840073]
[ 34.840075] -> #3 (report_lock){....}:
[ 34.840089]        _raw_spin_lock_irqsave+0x96/0xc0
[ 34.840093]        kasan_report+0x8e/0x110
[ 34.840098]        __asan_report_load8_noabort+0x14/0x20
[ 34.840101]        __schedule+0xf54/0x1df0
[ 34.840106]        preempt_schedule_common+0x22/0x60
[ 34.840110]        _cond_resched+0x1d/0x30
[ 34.840114]        wait_for_completion+0xa5/0x8d0
[ 34.840118]        __synchronize_srcu+0x189/0x240
[ 34.840122]        synchronize_srcu+0x335/0x56f
[ 34.840127]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 34.840131]        kvm_mmu_uninit_vm+0x1c/0x20
[ 34.840135]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 34.840139]        kvm_put_kvm+0x73f/0x1060
[ 34.840142]        kvm_vm_release+0x42/0x50
[ 34.840146]        __fput+0x36e/0x8c0
[ 34.840149]        ____fput+0x15/0x20
[ 34.840153]        task_work_run+0x1e8/0x2a0
[ 34.840157]        do_exit+0x1ae4/0x26e0
[ 34.840161]        do_group_exit+0x177/0x440
[ 34.840165]        __x64_sys_exit_group+0x3e/0x50
[ 34.840169]        do_syscall_64+0x1b9/0x820
[ 34.840173]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.840175]
[ 34.840178] -> #2 (&rq->lock){-.-.}:
[ 34.840191]        _raw_spin_lock+0x2a/0x40
[ 34.840195]        task_fork_fair+0x93/0x680
[ 34.840199]        sched_fork+0x44b/0xbd0
[ 34.840203]        copy_process+0x235e/0x7ad0
[ 34.840206]        _do_fork+0x1ca/0x1170
[ 34.840210]        kernel_thread+0x34/0x40
[ 34.840214]        rest_init+0x22/0xe4
[ 34.840217]        start_kernel+0x913/0x94e
[ 34.840222]        x86_64_start_reservations+0x29/0x2b
[ 34.840226]        x86_64_start_kernel+0x76/0x79
[ 34.840230]        secondary_startup_64+0xa4/0xb0
[ 34.840232]
[ 34.840234] -> #1 (&p->pi_lock){-.-.}:
[ 34.840248]        _raw_spin_lock_irqsave+0x96/0xc0
[ 34.840252]        try_to_wake_up+0xd2/0x1250
[ 34.840256]        wake_up_process+0x10/0x20
[ 34.840260]        __up.isra.1+0x1c0/0x2a0
[ 34.840263]        up+0x13c/0x1c0
[ 34.840267]        __up_console_sem+0xbe/0x1b0
[ 34.840271]        console_unlock+0x506/0x10d0
[ 34.840275]        vprintk_emit+0x33a/0x910
[ 34.840279]        vprintk_default+0x28/0x30
[ 34.840283]        vprintk_func+0x7a/0x117
[ 34.840286]        printk+0xa7/0xcf
[ 34.840289]        load_umh+0x51/0xbd
[ 34.840293]        do_one_initcall+0x127/0x838
[ 34.840297]        kernel_init_freeable+0x4bb/0x5ae
[ 34.840301]        kernel_init+0x11/0x1b3
[ 34.840305]        ret_from_fork+0x3a/0x50
[ 34.840307]
[ 34.840309] -> #0 ((console_sem).lock){-...}:
[ 34.840324]        lock_acquire+0x1e4/0x4f0
[ 34.840328]        _raw_spin_lock_irqsave+0x96/0xc0
[ 34.840331]        down_trylock+0x13/0x70
[ 34.840336]        __down_trylock_console_sem+0xae/0x200
[ 34.840340]        console_trylock+0x15/0xa0
[ 34.840343]        vprintk_emit+0x31f/0x910
[ 34.840347]        vprintk_default+0x28/0x30
[ 34.840351]        vprintk_func+0x7a/0x117
[ 34.840354]        printk+0xa7/0xcf
[ 34.840358]        kasan_report+0x9e/0x110
[ 34.840363]        __asan_report_load8_noabort+0x14/0x20
[ 34.840366]        __schedule+0xf54/0x1df0
[ 34.840371]        preempt_schedule_common+0x22/0x60
[ 34.840374]        _cond_resched+0x1d/0x30
[ 34.840378]        wait_for_completion+0xa5/0x8d0
[ 34.840383]        __synchronize_srcu+0x189/0x240
[ 34.840387]        synchronize_srcu+0x335/0x56f
[ 34.840392]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 34.840395]        kvm_mmu_uninit_vm+0x1c/0x20
[ 34.840400]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 34.840403]        kvm_put_kvm+0x73f/0x1060
[ 34.840407]        kvm_vm_release+0x42/0x50
[ 34.840411]        __fput+0x36e/0x8c0
[ 34.840414]        ____fput+0x15/0x20
[ 34.840418]        task_work_run+0x1e8/0x2a0
[ 34.840422]        do_exit+0x1ae4/0x26e0
[ 34.840426]        do_group_exit+0x177/0x440
[ 34.840430]        __x64_sys_exit_group+0x3e/0x50
[ 34.840434]        do_syscall_64+0x1b9/0x820
[ 34.840438]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.840441]
[ 34.840445] other info that might help us debug this:
[ 34.840447]
[ 34.840450] Chain exists of:
[ 34.840452]   (console_sem).lock --> &rq->lock --> report_lock
[ 34.840477]
[ 34.840481]  Possible unsafe locking scenario:
[ 34.840483]
[ 34.840487]        CPU0                    CPU1
[ 34.840491]        ----                    ----
[ 34.840493]   lock(report_lock);
[ 34.840503]                                lock(&rq->lock);
[ 34.840512]                                lock(report_lock);
[ 34.840520]   lock((console_sem).lock);
[ 34.840528]
[ 34.840531]  *** DEADLOCK ***
[ 34.840533]
[ 34.840537] 2 locks held by syz-executor929/4456:
[ 34.840539]  #0: 0000000051e381b2 (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0
[ 34.840556]  #1: 00000000977ae910 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 34.840573]
[ 34.840576] stack backtrace:
[ 34.840582] CPU: 1 PID: 4456 Comm: syz-executor929 Not tainted 4.18.0+ #209
[ 34.840589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.840592] Call Trace:
[ 34.840595]  dump_stack+0x1c9/0x2b4
[ 34.840600]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.840604]  ? vprintk_func+0x100/0x117
[ 34.840608]  print_circular_bug.isra.34.cold.55+0x1bd/0x27d
[ 34.840612]  ? save_trace+0xe0/0x290
[ 34.840616]  __lock_acquire+0x3449/0x5020
[ 34.840620]  ? mark_held_locks+0x160/0x160
[ 34.840624]  ? mark_held_locks+0x160/0x160
[ 34.840628]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 34.840633]  ? is_bpf_text_address+0xd7/0x170
[ 34.840637]  ? kernel_text_address+0x79/0xf0
[ 34.840641]  ? __kernel_text_address+0xd/0x40
[ 34.840645]  ? __save_stack_trace+0x8d/0xf0
[ 34.840649]  ? add_lock_to_list.isra.27+0x1ec/0x4b0
[ 34.840653]  ? save_trace+0x290/0x290
[ 34.840657]  ? save_stack_trace+0x1a/0x20
[ 34.840661]  ? save_trace+0xe0/0x290
[ 34.840664]  ? graph_lock+0x170/0x170
[ 34.840669]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.840673]  lock_acquire+0x1e4/0x4f0
[ 34.840677]  ? down_trylock+0x13/0x70
[ 34.840680]  ? lock_release+0x9f0/0x9f0
[ 34.840685]  ? trace_hardirqs_off+0xb8/0x2b0
[ 34.840689]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.840693]  ? trace_hardirqs_off+0xb8/0x2b0
[ 34.840696]  ? log_store+0x34f/0x4c0
[ 34.840700]  ? vprintk_emit+0x31f/0x910
[ 34.840704]  _raw_spin_lock_irqsave+0x96/0xc0
[ 34.840708]  ? down_trylock+0x13/0x70
[ 34.840712]  down_trylock+0x13/0x70
[ 34.840716]  __down_trylock_console_sem+0xae/0x200
[ 34.840720]  console_trylock+0x15/0xa0
[ 34.840723]  vprintk_emit+0x31f/0x910
[ 34.840727]  ? wake_up_klogd+0x110/0x110
[ 34.840732]  ? run_rebalance_domains+0x4c0/0x4c0
[ 34.840736]  ? kasan_check_read+0x11/0x20
[ 34.840739]  ? rcu_is_watching+0x8c/0x150
[ 34.840743]  ? rcu_pm_notify+0xc0/0xc0
[ 34.840747]  ? lock_acquire+0x1e4/0x4f0
[ 34.840751]  ? kasan_report+0x8e/0x110
[ 34.840755]  ? __schedule+0xf54/0x1df0
[ 34.840758]  vprintk_default+0x28/0x30
[ 34.840762]  vprintk_func+0x7a/0x117
[ 34.840765]  printk+0xa7/0xcf
[ 34.840770]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 34.840774]  ? kasan_check_write+0x14/0x20
[ 34.840778]  ? do_raw_spin_lock+0xc1/0x200
[ 34.840782]  ? do_raw_spin_lock+0xc1/0x200
[ 34.840785]  kasan_report+0x9e/0x110
[ 34.840790]  __asan_report_load8_noabort+0x14/0x20
[ 34.840793]  __schedule+0xf54/0x1df0
[ 34.840797]  ? __sched_text_start+0x8/0x8
[ 34.840802]  ? _raw_spin_unlock_irqrestore+0xa1/0xc0
[ 34.840806]  ? __call_srcu+0x7e7/0x1040
[ 34.840810]  ? check_same_owner+0x340/0x340
[ 34.840814]  ? mark_held_locks+0x160/0x160
[ 34.840818]  ? find_held_lock+0x36/0x1c0
[ 34.840822]  preempt_schedule_common+0x22/0x60
[ 34.840826]  _cond_resched+0x1d/0x30
[ 34.840830]  wait_for_completion+0xa5/0x8d0
[ 34.840835]  ? wait_for_completion_interruptible+0x950/0x950
[ 34.840839]  ? __lockdep_init_map+0x105/0x590
[ 34.840843]  ? __init_waitqueue_head+0x9e/0x150
[ 34.840847]  ? init_wait_entry+0x1c0/0x1c0
[ 34.840851]  __synchronize_srcu+0x189/0x240
[ 34.840855]  ? call_srcu+0x10/0x10
[ 34.840859]  ? rcu_unexpedite_gp+0x20/0x20
[ 34.840863]  synchronize_srcu+0x335/0x56f
[ 34.840867]  ? lock_downgrade+0x8f0/0x8f0
[ 34.840871]  ? synchronize_srcu_expedited+0x20/0x20
[ 34.840875]  ? kasan_check_read+0x11/0x20
[ 34.840879]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 34.840883]  ? kasan_check_write+0x14/0x20
[ 34.840887]  ? do_raw_spin_lock+0xc1/0x200
[ 34.840892]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 34.840897]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 34.840900]  ? kvfree+0x61/0x70
[ 34.840905]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.840909]  kvm_mmu_uninit_vm+0x1c/0x20
[ 34.840913]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 34.840917]  ? kvm_arch_sync_events+0x30/0x30
[ 34.840922]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.840926]  ? mmu_notifier_unregister+0x474/0x600
[ 34.840930]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.840934]  ? kfree+0x111/0x210
[ 34.840938]  ? __mmu_notifier_register+0x30/0x30
[ 34.840942]  ? __free_pages+0x10a/0x190
[ 34.840946]  ? free_unref_page+0x930/0x930
[ 34.840958]  kvm_put_kvm+0x73f/0x1060
[ 34.840962]  ? kvm_write_guest_cached+0x40/0x40
[ 34.840965]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.840969]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.840972]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 34.840977]  ? kasan_check_write+0x14/0x20
[ 34.840981]  ? do_raw_spin_lock+0xc1/0x200
[ 34.840985]  ? kvm_irqfd_release+0xdd/0x120
[ 34.840989]  ? kvm_irqfd_release+0xdd/0x120
[ 34.840993]  ? kvm_put_kvm+0x1060/0x1060
[ 34.840996]  kvm_vm_release+0x42/0x50
[ 34.841000]  __fput+0x36e/0x8c0
[ 34.841004]  ? __alloc_file+0x400/0x400
[ 34.841008]  ? check_same_owner+0x340/0x340
[ 34.841012]  ? kasan_check_write+0x14/0x20
[ 34.841016]  ? do_raw_spin_lock+0xc1/0x200
[ 34.841019]  ____fput+0x15/0x20
[ 34.841023]  task_work_run+0x1e8/0x2a0
[ 34.841027]  ? task_work_cancel+0x240/0x240
[ 34.841032]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.841036]  ? switch_task_namespaces+0xa2/0xd0
[ 34.841040]  do_exit+0x1ae4/0x26e0
[ 34.841044]  ? mm_update_next_owner+0x9a0/0x9a0
[ 34.841048]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 34.841052]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.841056]  ? kfree+0x1d7/0x210
[ 34.841060]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 34.841064]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 34.841069]  ? is_bpf_text_address+0xd7/0x170
[ 34.841071]  ? kernel_
[ 34.841079] Lost 54 message(s)!
[ 35.910850] Shutting down cpus with NMI
[ 36.971616] Dumping ftrace buffer:
[ 36.975147]    (ftrace buffer empty)
[ 36.978884] Kernel Offset: disabled
[ 36.982584] Rebooting in 86400 seconds..