[ 33.712114] audit: type=1800 audit(1582740290.842:33): pid=7177 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.741191] audit: type=1800 audit(1582740290.842:34): pid=7177 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.418744] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.769205] audit: type=1400 audit(1582740295.892:35): avc: denied { map } for pid=7348 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.813926] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.579621] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.781965] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.34' (ECDSA) to the list of known hosts.
[ 45.367342] random: sshd: uninitialized urandom read (32 bytes read)
[ 45.483332] audit: type=1400 audit(1582740302.612:36): avc: denied { map } for pid=7360 comm="syz-executor124" path="/root/syz-executor124392399" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 45.486524] ODEBUG: free active (active state 1) object type: rcu_head hint: (null)
[ 45.518332] ------------[ cut here ]------------
[ 45.523082] WARNING: CPU: 0 PID: 7360 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 45.532069] Kernel panic - not syncing: panic_on_warn set ...
[ 45.532069]
[ 45.539453] CPU: 0 PID: 7360 Comm: syz-executor124 Not tainted 4.14.171-syzkaller #0
[ 45.547311] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.556647] Call Trace:
[ 45.559215] dump_stack+0x13e/0x194
[ 45.562819] panic+0x1f9/0x42d
[ 45.565988] ? add_taint.cold+0x16/0x16
[ 45.569947] ? debug_print_object.cold+0xa7/0xdb
[ 45.574680] ? debug_print_object.cold+0xa7/0xdb
[ 45.579408] __warn.cold+0x2f/0x30
[ 45.582925] ? ist_end_non_atomic+0x10/0x10
[ 45.587257] ? debug_print_object.cold+0xa7/0xdb
[ 45.591991] report_bug+0x20a/0x248
[ 45.595604] do_error_trap+0x195/0x2d0
[ 45.599468] ? math_error+0x2d0/0x2d0
[ 45.603247] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.608064] invalid_op+0x1b/0x40
[ 45.611496] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 45.616986] RSP: 0018:ffff888088fef1e8 EFLAGS: 00010082
[ 45.622336] RAX: 0000000000000051 RBX: 0000000000000003 RCX: 0000000000000000
[ 45.629585] RDX: 0000000000000000 RSI: ffffffff86ac07e0 RDI: ffffed10111fde33
[ 45.636839] RBP: ffffffff86ab5ee0 R08: 0000000000000051 R09: 0000000000000000
[ 45.644088] R10: fffffbfff14a8cdf R11: ffff88809e90c240 R12: 0000000000000000
[ 45.651336] R13: 0000000000000001 R14: ffffffff8a736488 R15: ffff88808e3d5a10
[ 45.658593] ? debug_print_object.cold+0xa7/0xdb
[ 45.663326] debug_check_no_obj_freed+0x3cd/0x6e4
[ 45.668144] ? __lock_is_held+0xad/0x140
[ 45.672207] ? free_obj_work+0x600/0x600
[ 45.676244] kfree+0xbb/0x260
[ 45.679329] __tcf_idr_release+0x202/0x260
[ 45.683537] tcf_sample_init+0x788/0x8c0
[ 45.687574] ? tcf_sample_act+0x9e0/0x9e0
[ 45.691705] tcf_action_init_1+0x51a/0x9f0
[ 45.695917] ? tcf_action_dump_old+0x80/0x80
[ 45.700355] ? find_held_lock+0x2d/0x110
[ 45.704393] ? avc_has_perm_noaudit+0x270/0x400
[ 45.709041] ? nla_parse+0x183/0x240
[ 45.712733] tcf_action_init+0x26d/0x400
[ 45.716770] ? tcf_action_init_1+0x9f0/0x9f0
[ 45.721156] ? lock_downgrade+0x6e0/0x6e0
[ 45.725283] ? memset+0x20/0x40
[ 45.728543] ? nla_parse+0x183/0x240
[ 45.732247] tc_ctl_action+0x2e3/0x513
[ 45.736109] ? tca_action_gd+0x7b0/0x7b0
[ 45.740157] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.744559] ? tca_action_gd+0x7b0/0x7b0
[ 45.748599] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.752877] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.757443] ? save_trace+0x290/0x290
[ 45.761224] ? save_trace+0x290/0x290
[ 45.765006] netlink_rcv_skb+0x127/0x370
[ 45.769048] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.773606] ? netlink_ack+0x960/0x960
[ 45.777471] netlink_unicast+0x437/0x620
[ 45.781510] ? netlink_attachskb+0x600/0x600
[ 45.785896] netlink_sendmsg+0x733/0xbe0
[ 45.789935] ? netlink_unicast+0x620/0x620
[ 45.794221] ? SYSC_sendto+0x2b0/0x2b0
[ 45.798112] ? security_socket_sendmsg+0x83/0xb0
[ 45.802854] ? netlink_unicast+0x620/0x620
[ 45.807080] sock_sendmsg+0xc5/0x100
[ 45.810774] ___sys_sendmsg+0x70a/0x840
[ 45.814724] ? do_huge_pmd_anonymous_page+0xc63/0x11e0
[ 45.819985] ? copy_msghdr_from_user+0x380/0x380
[ 45.824724] ? lock_downgrade+0x6e0/0x6e0
[ 45.828857] ? __lru_cache_add+0x17b/0x250
[ 45.833071] ? do_raw_spin_unlock+0x164/0x250
[ 45.837540] ? _raw_spin_unlock+0x29/0x40
[ 45.841674] ? prep_transhuge_page+0xa0/0xa0
[ 45.846091] ? pud_val+0x6c/0xd0
[ 45.849433] ? pmd_val+0xd0/0xd0
[ 45.852774] ? trace_hardirqs_on+0x10/0x10
[ 45.856999] ? __handle_mm_fault+0x644/0x3280
[ 45.861481] ? save_trace+0x290/0x290
[ 45.865269] ? copy_page_range+0x1d70/0x1d70
[ 45.869658] ? __fget_light+0x16a/0x1f0
[ 45.873613] ? sockfd_lookup_light+0xb2/0x160
[ 45.878126] __sys_sendmsg+0xa3/0x120
[ 45.881908] ? SyS_shutdown+0x160/0x160
[ 45.885885] ? up_read+0x17/0x30
[ 45.889229] ? __do_page_fault+0x35b/0xb40
[ 45.893441] SyS_sendmsg+0x27/0x40
[ 45.896959] ? __sys_sendmsg+0x120/0x120
[ 45.900999] do_syscall_64+0x1d5/0x640
[ 45.904863] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.910030] RIP: 0033:0x440369
[ 45.913202] RSP: 002b:00007ffd16ac0808 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.920924] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440369
[ 45.928179] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 45.935471] RBP: 00000000006ca018 R08: 000000000000000b R09: 00000000004002c8
[ 45.942726] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000401bf0
[ 45.949982] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000
[ 45.957244]
[ 45.957246] ======================================================
[ 45.957248] WARNING: possible circular locking dependency detected
[ 45.957249] 4.14.171-syzkaller #0 Not tainted
[ 45.957251] ------------------------------------------------------
[ 45.957252] syz-executor124/7360 is trying to acquire lock:
[ 45.957253] ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 45.957257]
[ 45.957259] but task is already holding lock:
[ 45.957259] (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x125/0x6e4
[ 45.957263]
[ 45.957265] which lock already depends on the new lock.
[ 45.957265]
[ 45.957266]
[ 45.957268] the existing dependency chain (in reverse order) is:
[ 45.957268]
[ 45.957269] -> #5 (&obj_hash[i].lock){-.-.}:
[ 45.957273] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957274] debug_object_activate+0x10b/0x450
[ 45.957276] enqueue_hrtimer+0x22/0x3b0
[ 45.957277] hrtimer_start_range_ns+0x4e6/0x1060
[ 45.957279] schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 45.957280] wait_task_inactive+0x478/0x530
[ 45.957281] __kthread_bind_mask+0x1f/0xb0
[ 45.957282] create_worker+0x313/0x530
[ 45.957283] workqueue_init+0x55f/0x66e
[ 45.957285] kernel_init_freeable+0x2ab/0x526
[ 45.957286] kernel_init+0xd/0x15b
[ 45.957287] ret_from_fork+0x24/0x30
[ 45.957288]
[ 45.957288] -> #4 (hrtimer_bases.lock){-.-.}:
[ 45.957292] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957294] lock_hrtimer_base.isra.0+0x6d/0x120
[ 45.957295] hrtimer_start_range_ns+0x7b/0x1060
[ 45.957297] enqueue_task_rt+0x94d/0xdb0
[ 45.957298] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.957299] _sched_setscheduler+0xf9/0x150
[ 45.957303] watchdog_enable+0xff/0x150
[ 45.957304] smpboot_thread_fn+0x40d/0x920
[ 45.957305] kthread+0x30d/0x420
[ 45.957306] ret_from_fork+0x24/0x30
[ 45.957307]
[ 45.957308] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 45.957312] _raw_spin_lock+0x2a/0x40
[ 45.957313] enqueue_task_rt+0x508/0xdb0
[ 45.957314] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.957316] _sched_setscheduler+0xf9/0x150
[ 45.957317] watchdog_enable+0xff/0x150
[ 45.957318] smpboot_thread_fn+0x40d/0x920
[ 45.957319] kthread+0x30d/0x420
[ 45.957320] ret_from_fork+0x24/0x30
[ 45.957321]
[ 45.957322] -> #2 (&rq->lock){-.-.}:
[ 45.957325] _raw_spin_lock+0x2a/0x40
[ 45.957327] task_fork_fair+0x63/0x5b0
[ 45.957328] sched_fork+0x39a/0xbd0
[ 45.957329] copy_process.part.0+0x15b7/0x6a70
[ 45.957330] _do_fork+0x180/0xc80
[ 45.957331] kernel_thread+0x2f/0x40
[ 45.957332] rest_init+0x1f/0x1d2
[ 45.957333] start_kernel+0x659/0x676
[ 45.957335] secondary_startup_64+0xa5/0xb0
[ 45.957335]
[ 45.957336] -> #1 (&p->pi_lock){-.-.}:
[ 45.957340] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957341] try_to_wake_up+0x6a/0xef0
[ 45.957342] up+0x92/0xe0
[ 45.957343] __up_console_sem+0xa9/0x1b0
[ 45.957345] console_unlock+0x596/0xec0
[ 45.957346] vprintk_emit+0x1f8/0x600
[ 45.957347] vprintk_func+0x58/0x152
[ 45.957348] printk+0x9e/0xbc
[ 45.957349] kauditd_hold_skb.cold+0x3e/0x4d
[ 45.957351] kauditd_send_queue+0xfb/0x140
[ 45.957352] kauditd_thread+0x625/0x840
[ 45.957353] kthread+0x30d/0x420
[ 45.957354] ret_from_fork+0x24/0x30
[ 45.957355]
[ 45.957355] -> #0 ((console_sem).lock){-...}:
[ 45.957359] lock_acquire+0x170/0x3f0
[ 45.957361] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957362] down_trylock+0xe/0x60
[ 45.957363] __down_trylock_console_sem+0x97/0x1f0
[ 45.957364] console_trylock+0x14/0x70
[ 45.957366] vprintk_emit+0x1ea/0x600
[ 45.957367] vprintk_func+0x58/0x152
[ 45.957368] printk+0x9e/0xbc
[ 45.957369] debug_print_object.cold+0xa7/0xdb
[ 45.957370] debug_check_no_obj_freed+0x3cd/0x6e4
[ 45.957372] kfree+0xbb/0x260
[ 45.957373] __tcf_idr_release+0x202/0x260
[ 45.957374] tcf_sample_init+0x788/0x8c0
[ 45.957375] tcf_action_init_1+0x51a/0x9f0
[ 45.957376] tcf_action_init+0x26d/0x400
[ 45.957378] tc_ctl_action+0x2e3/0x513
[ 45.957379] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.957380] netlink_rcv_skb+0x127/0x370
[ 45.957381] netlink_unicast+0x437/0x620
[ 45.957383] netlink_sendmsg+0x733/0xbe0
[ 45.957384] sock_sendmsg+0xc5/0x100
[ 45.957385] ___sys_sendmsg+0x70a/0x840
[ 45.957386] __sys_sendmsg+0xa3/0x120
[ 45.957387] SyS_sendmsg+0x27/0x40
[ 45.957388] do_syscall_64+0x1d5/0x640
[ 45.957390] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.957390]
[ 45.957392] other info that might help us debug this:
[ 45.957392]
[ 45.957393] Chain exists of:
[ 45.957394] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 45.957399]
[ 45.957400] Possible unsafe locking scenario:
[ 45.957401]
[ 45.957402]        CPU0                    CPU1
[ 45.957403]        ----                    ----
[ 45.957404]   lock(&obj_hash[i].lock);
[ 45.957407]                                lock(hrtimer_bases.lock);
[ 45.957410]                                lock(&obj_hash[i].lock);
[ 45.957412]   lock((console_sem).lock);
[ 45.957414]
[ 45.957415] *** DEADLOCK ***
[ 45.957416]
[ 45.957417] 2 locks held by syz-executor124/7360:
[ 45.957418] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 45.957422] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x125/0x6e4
[ 45.957426]
[ 45.957427] stack backtrace:
[ 45.957429] CPU: 0 PID: 7360 Comm: syz-executor124 Not tainted 4.14.171-syzkaller #0
[ 45.957432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.957432] Call Trace:
[ 45.957434] dump_stack+0x13e/0x194
[ 45.957435] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 45.957436] __lock_acquire+0x2cb3/0x4620
[ 45.957437] ? string+0x17e/0x1d0
[ 45.957438] ? trace_hardirqs_on+0x10/0x10
[ 45.957439] ? format_decode+0x1cb/0x8c0
[ 45.957441] ? mark_held_locks+0xa6/0xf0
[ 45.957442] ? save_trace+0x290/0x290
[ 45.957443] ? kvm_clock_read+0x1f/0x30
[ 45.957444] ? kvm_sched_clock_read+0x5/0x10
[ 45.957445] lock_acquire+0x170/0x3f0
[ 45.957446] ? down_trylock+0xe/0x60
[ 45.957448] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957449] ? down_trylock+0xe/0x60
[ 45.957450] down_trylock+0xe/0x60
[ 45.957451] ? vprintk_emit+0x1ea/0x600
[ 45.957452] __down_trylock_console_sem+0x97/0x1f0
[ 45.957453] console_trylock+0x14/0x70
[ 45.957454] vprintk_emit+0x1ea/0x600
[ 45.957455] vprintk_func+0x58/0x152
[ 45.957457] ? trace_hardirqs_on+0x10/0x10
[ 45.957458] printk+0x9e/0xbc
[ 45.957459] ? show_regs_print_info+0x5b/0x5b
[ 45.957460] ? lock_acquire+0x170/0x3f0
[ 45.957461] ? debug_check_no_obj_freed+0x125/0x6e4
[ 45.957463] debug_print_object.cold+0xa7/0xdb
[ 45.957464] debug_check_no_obj_freed+0x3cd/0x6e4
[ 45.957465] ? __lock_is_held+0xad/0x140
[ 45.957466] ? free_obj_work+0x600/0x600
[ 45.957467] kfree+0xbb/0x260
[ 45.957468] __tcf_idr_release+0x202/0x260
[ 45.957469] tcf_sample_init+0x788/0x8c0
[ 45.957471] ? tcf_sample_act+0x9e0/0x9e0
[ 45.957472] tcf_action_init_1+0x51a/0x9f0
[ 45.957473] ? tcf_action_dump_old+0x80/0x80
[ 45.957474] ? find_held_lock+0x2d/0x110
[ 45.957475] ? avc_has_perm_noaudit+0x270/0x400
[ 45.957477] ? nla_parse+0x183/0x240
[ 45.957478] tcf_action_init+0x26d/0x400
[ 45.957479] ? tcf_action_init_1+0x9f0/0x9f0
[ 45.957480] ? lock_downgrade+0x6e0/0x6e0
[ 45.957481] ? memset+0x20/0x40
[ 45.957482] ? nla_parse+0x183/0x240
[ 45.957483] tc_ctl_action+0x2e3/0x513
[ 45.957484] ? tca_action_gd+0x7b0/0x7b0
[ 45.957486] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.957487] ? tca_action_gd+0x7b0/0x7b0
[ 45.957488] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.957489] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.957490] ? save_trace+0x290/0x290
[ 45.957492] ? save_trace+0x290/0x290
[ 45.957493] netlink_rcv_skb+0x127/0x370
[ 45.957494] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.957495] ? netlink_ack+0x960/0x960
[ 45.957496] netlink_unicast+0x437/0x620
[ 45.957497] ? netlink_attachskb+0x600/0x600
[ 45.957499] netlink_sendmsg+0x733/0xbe0
[ 45.957500] ? netlink_unicast+0x620/0x620
[ 45.957501] ? SYSC_sendto+0x2b0/0x2b0
[ 45.957502] ? security_socket_sendmsg+0x83/0xb0
[ 45.957503] ? netlink_unicast+0x620/0x620
[ 45.957504] sock_sendmsg+0xc5/0x100
[ 45.957506] ___sys_sendmsg+0x70a/0x840
[ 45.957507] ? do_huge_pmd_anonymous_page+0xc63/0x11e0
[ 45.957508] ? copy_msghdr_from_user+0x380/0x380
[ 45.957510] ? lock_downgrade+0x6e0/0x6e0
[ 45.957511] ? __lru_cache_add+0x17b/0x250
[ 45.957512] ? do_raw_spin_unlock+0x164/0x250
[ 45.957513] ? _raw_spin_unlock+0x29/0x40
[ 45.957514] ? prep_transhuge_page+0xa0/0xa0
[ 45.957515] ? pud_val+0x6c/0xd0
[ 45.957516] ? pmd_val+0xd0/0xd0
[ 45.957518] ? trace_hardirqs_on+0x10/0x10
[ 45.957519] ? __handle_mm_fault+0x644/0x3280
[ 45.957520] ? save_trace+0x290/0x290
[ 45.957522] ? copy_page_range+0x1d70/0x1d70
[ 45.957523] ? __fget_light+0x16a/0x1f0
[ 45.957524] ? sockfd_lookup_light+0xb2/0x160
[ 45.957525] __sys_sendmsg+0xa3/0x120
[ 45.957526] ? SyS_shutdown+0x160/0x160
[ 45.957527] ? up_read+0x17/0x30
[ 45.957528] ? __do_page_fault+0x35b/0xb40
[ 45.957529] SyS_sendmsg+0x27/0x40
[ 45.957531] ? __sys_sendmsg+0x120/0x120
[ 45.957532] do_syscall_64+0x1d5/0x640
[ 45.957533] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.957534] RIP: 0033:0x440369
[ 45.957535] RSP: 002b:00007ffd16ac0808 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.957538] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440369
[ 45.957540] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 45.957542] RBP: 00000000006ca018 R08: 000000000000000b R09: 00000000004002c8
[ 45.957544] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000401bf0
[ 45.957545] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000
[ 45.958704] Kernel Offset: disabled
[ 46.932521] Rebooting in 86400 seconds..