[....] Starting OpenBSD Secure Shell server: sshd
[ 30.164688] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 32.013681] random: sshd: uninitialized urandom read (32 bytes read)
[ 32.346074] audit: type=1400 audit(1537548618.260:6): avc: denied { map } for pid=5483 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 32.406353] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.048328] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.282205] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.68' (ECDSA) to the list of known hosts.
[ 38.898545] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 39.045071] audit: type=1400 audit(1537548624.960:7): avc: denied { map } for pid=5497 comm="syz-executor694" path="/root/syz-executor694427405" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 39.048752] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 39.096294] ==================================================================
[ 39.106373] BUG: KASAN: use-after-free in __schedule+0xfc3/0x1ed0
[ 39.112625] Read of size 8 at addr ffff8801bbd48058 by task syz-executor694/5497
[ 39.120156]
[ 39.121781] CPU: 0 PID: 5497 Comm: syz-executor694 Not tainted 4.19.0-rc4+ #27
[ 39.129132] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.138487] Call Trace:
[ 39.141069]  dump_stack+0x1c4/0x2b4
[ 39.144695]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 39.149908]  ? printk+0xa7/0xcf
[ 39.153204]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 39.157978]  print_address_description.cold.8+0x9/0x1ff
[ 39.163344]  kasan_report.cold.9+0x242/0x309
[ 39.167751]  ? __schedule+0xfc3/0x1ed0
[ 39.171635]  __asan_report_load8_noabort+0x14/0x20
[ 39.176567]  __schedule+0xfc3/0x1ed0
[ 39.180295]  ? __sched_text_start+0x8/0x8
[ 39.184449]  ? __lock_is_held+0xb5/0x140
[ 39.188520]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 39.193633]  ? find_held_lock+0x36/0x1c0
[ 39.197708]  ? __call_srcu+0x7f9/0x1070
[ 39.201677]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 39.206783]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 39.211900]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 39.216487]  ? preempt_schedule+0x4d/0x60
[ 39.220637]  preempt_schedule_common+0x1f/0xd0
[ 39.225382]  preempt_schedule+0x4d/0x60
[ 39.229354]  ___preempt_schedule+0x16/0x18
[ 39.233588]  _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 39.238522]  __call_srcu+0x7f9/0x1070
[ 39.242355]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 39.247483]  ? srcu_offline_cpu+0x120/0x120
[ 39.251826]  ? debug_object_free+0x690/0x690
[ 39.256231]  ? mark_held_locks+0x130/0x130
[ 39.260462]  ? kvm_arch_destroy_vm+0x414/0x7c0
[ 39.265156]  ? lock_release+0x970/0x970
[ 39.269143]  ? arch_local_save_flags+0x40/0x40
[ 39.273720]  ? depot_save_stack+0x292/0x470
[ 39.278056]  ? __lockdep_init_map+0x105/0x590
[ 39.282552]  ? __init_waitqueue_head+0x9e/0x150
[ 39.287236]  ? init_wait_entry+0x1c0/0x1c0
[ 39.291474]  __synchronize_srcu+0x17b/0x230
[ 39.295806]  ? call_srcu+0x10/0x10
[ 39.299363]  ? rcu_unexpedite_gp+0x20/0x20
[ 39.303607]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 39.309137]  ? check_preemption_disabled+0x48/0x200
[ 39.314174]  synchronize_srcu+0x356/0x5ab
[ 39.318322]  ? lock_downgrade+0x900/0x900
[ 39.322465]  ? synchronize_srcu_expedited+0x20/0x20
[ 39.327488]  ? kasan_check_read+0x11/0x20
[ 39.331692]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 39.336285]  ? kasan_check_write+0x14/0x20
[ 39.340520]  ? do_raw_spin_lock+0xc1/0x200
[ 39.344756]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 39.350461]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 39.356208]  ? kvfree+0x61/0x70
[ 39.359487]  ? rcu_read_lock_sched_held+0x108/0x120
[ 39.364519]  kvm_mmu_uninit_vm+0x1c/0x20
[ 39.368576]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 39.372998]  ? kvm_arch_sync_events+0x30/0x30
[ 39.377490]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 39.383017]  ? mmu_notifier_unregister+0x474/0x600
[ 39.387960]  ? kfree+0x107/0x230
[ 39.391328]  ? __mmu_notifier_register+0x30/0x30
[ 39.396082]  ? __free_pages+0x10a/0x190
[ 39.400053]  ? free_unref_page+0x960/0x960
[ 39.404291]  kvm_put_kvm+0x6c8/0xff0
[ 39.408055]  ? kvm_write_guest_cached+0x40/0x40
[ 39.412721]  ? kvm_irqfd_release+0xd1/0x120
[ 39.417055]  ? _raw_spin_unlock_irq+0x27/0x80
[ 39.421548]  ? _raw_spin_unlock_irq+0x27/0x80
[ 39.426045]  ? kasan_check_write+0x14/0x20
[ 39.430281]  ? do_raw_spin_lock+0xc1/0x200
[ 39.434516]  ? kvm_irqfd_release+0xdd/0x120
[ 39.438829]  ? kvm_irqfd_release+0xdd/0x120
[ 39.443143]  ? kvm_put_kvm+0xff0/0xff0
[ 39.447023]  kvm_vm_release+0x42/0x50
[ 39.450815]  __fput+0x385/0xa30
[ 39.454094]  ? get_max_files+0x20/0x20
[ 39.457980]  ? trace_hardirqs_on+0xbd/0x310
[ 39.462319]  ? ___might_sleep+0x1ed/0x300
[ 39.466477]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 39.471922]  ? arch_local_save_flags+0x40/0x40
[ 39.476513]  ? kasan_check_write+0x14/0x20
[ 39.480755]  ? do_raw_spin_lock+0xc1/0x200
[ 39.484978]  ____fput+0x15/0x20
[ 39.488269]  task_work_run+0x1e8/0x2a0
[ 39.492154]  ? task_work_cancel+0x240/0x240
[ 39.496494]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 39.502026]  ? switch_task_namespaces+0x9d/0xd0
[ 39.506691]  do_exit+0x1ad7/0x2610
[ 39.510230]  ? mm_update_next_owner+0x990/0x990
[ 39.514898]  ? kvm_vcpu_ioctl+0x29c/0x1150
[ 39.519141]  ? rcu_read_lock_sched_held+0x108/0x120
[ 39.524169]  ? kfree+0x1fa/0x230
[ 39.527532]  ? kvm_vcpu_ioctl+0x2a1/0x1150
[ 39.531765]  ? kvm_vcpu_block+0x1030/0x1030
[ 39.536085]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.541618]  ? avc_has_extended_perms+0xab2/0x15a0
[ 39.546563]  ? save_stack_address+0x4b/0x60
[ 39.550876]  ? avc_ss_reset+0x190/0x190
[ 39.554853]  ? save_stack+0xa9/0xd0
[ 39.558472]  ? save_stack+0x43/0xd0
[ 39.562097]  ? __kasan_slab_free+0x102/0x150
[ 39.566498]  ? kasan_slab_free+0xe/0x10
[ 39.570466]  ? putname+0xf2/0x130
[ 39.573931]  ? __x64_sys_openat+0x9d/0x100
[ 39.578163]  ? do_syscall_64+0x1b9/0x820
[ 39.582219]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.587584]  ? ___might_sleep+0x1ed/0x300
[ 39.591739]  ? __bpf_trace_initcall_finish+0x2a/0x30
[ 39.596843]  ? trace_hardirqs_off+0xb8/0x310
[ 39.601253]  ? kvm_vcpu_block+0x1030/0x1030
[ 39.605604]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.611166]  ? do_vfs_ioctl+0x201/0x1720
[ 39.615225]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 39.620428]  ? ioctl_preallocate+0x300/0x300
[ 39.624839]  ? selinux_file_mprotect+0x620/0x620
[ 39.629606]  ? path_mountpoint+0x51e/0x2190
[ 39.633955]  ? rcu_read_lock_sched_held+0x108/0x120
[ 39.638975]  ? kmem_cache_free+0x24f/0x290
[ 39.643222]  ? putname+0xf7/0x130
[ 39.646752]  do_group_exit+0x177/0x440
[ 39.650638]  ? trace_hardirqs_on+0xbd/0x310
[ 39.654969]  ? __ia32_sys_exit+0x50/0x50
[ 39.659030]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 39.664529]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 39.670064]  ? ksys_ioctl+0x81/0xd0
[ 39.673690]  __x64_sys_exit_group+0x3e/0x50
[ 39.678026]  do_syscall_64+0x1b9/0x820
[ 39.681938]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 39.687297]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 39.692229]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.697069]  ? trace_hardirqs_on_caller+0x310/0x310
[ 39.702101]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 39.707115]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 39.712132]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 39.717070]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.722256] RIP: 0033:0x43ef08
[ 39.725447] Code: Bad RIP value.
[ 39.728807] RSP: 002b:00007ffdb89c1eb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 39.736524] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08
[ 39.743784] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 39.751046] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 39.758307] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 39.765639] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 39.772910]
[ 39.774528] Allocated by task 5497:
[ 39.778149]  save_stack+0x43/0xd0
[ 39.781627]  kasan_kmalloc+0xc7/0xe0
[ 39.785350]  kasan_slab_alloc+0x12/0x20
[ 39.789329]  kmem_cache_alloc+0x12e/0x730
[ 39.793471]  vmx_create_vcpu+0xcf/0x25e0
[ 39.797568]  kvm_arch_vcpu_create+0xe5/0x220
[ 39.801970]  kvm_vm_ioctl+0x470/0x1d40
[ 39.805864]  do_vfs_ioctl+0x1de/0x1720
[ 39.809778]  ksys_ioctl+0xa9/0xd0
[ 39.813225]  __x64_sys_ioctl+0x73/0xb0
[ 39.817104]  do_syscall_64+0x1b9/0x820
[ 39.820983]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.826154]
[ 39.827768] Freed by task 5497:
[ 39.831037]  save_stack+0x43/0xd0
[ 39.834500]  __kasan_slab_free+0x102/0x150
[ 39.838725]  kasan_slab_free+0xe/0x10
[ 39.842532]  kmem_cache_free+0x83/0x290
[ 39.846502]  vmx_free_vcpu+0x26b/0x300
[ 39.850396]  kvm_arch_destroy_vm+0x365/0x7c0
[ 39.854800]  kvm_put_kvm+0x6c8/0xff0
[ 39.858509]  kvm_vm_release+0x42/0x50
[ 39.862299]  __fput+0x385/0xa30
[ 39.865575]  ____fput+0x15/0x20
[ 39.868861]  task_work_run+0x1e8/0x2a0
[ 39.872741]  do_exit+0x1ad7/0x2610
[ 39.876273]  do_group_exit+0x177/0x440
[ 39.880154]  __x64_sys_exit_group+0x3e/0x50
[ 39.884476]  do_syscall_64+0x1b9/0x820
[ 39.888371]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.893547]
[ 39.895170] The buggy address belongs to the object at ffff8801bbd48040
[ 39.895170]  which belongs to the cache kvm_vcpu of size 23872
[ 39.907733] The buggy address is located 24 bytes inside of
[ 39.907733]  23872-byte region [ffff8801bbd48040, ffff8801bbd4dd80)
[ 39.919698] The buggy address belongs to the page:
[ 39.924622] page:ffffea0006ef5200 count:1 mapcount:0 mapping:ffff8801d5f52600 index:0x0 compound_mapcount: 0
[ 39.934585] flags: 0x2fffc0000008100(slab|head)
[ 39.939263] raw: 02fffc0000008100 ffff8801d5f58c48 ffff8801d5f58c48 ffff8801d5f52600
[ 39.947139] raw: 0000000000000000 ffff8801bbd48040 0000000100000001 0000000000000000
[ 39.955009] page dumped because: kasan: bad access detected
[ 39.960706]
[ 39.962324] Memory state around the buggy address:
[ 39.967386]  ffff8801bbd47f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.974756]  ffff8801bbd47f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.982108] >ffff8801bbd48000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 39.989460]                                                     ^
[ 39.995703]  ffff8801bbd48080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.003063]  ffff8801bbd48100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.010451] ==================================================================
[ 40.017816] Kernel panic - not syncing: panic_on_warn set ...
[ 40.017816]
[ 40.025179] CPU: 0 PID: 5497 Comm: syz-executor694 Tainted: G    B             4.19.0-rc4+ #27
[ 40.033930] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.043270] Call Trace:
[ 40.045860]  dump_stack+0x1c4/0x2b4
[ 40.049484]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 40.054673]  ? lock_downgrade+0x900/0x900
[ 40.058832]  panic+0x238/0x4e7
[ 40.062021]  ? add_taint.cold.5+0x16/0x16
[ 40.066168]  ? print_shadow_for_address+0xb6/0x116
[ 40.071107]  ? trace_hardirqs_off+0xaf/0x310
[ 40.075513]  kasan_end_report+0x47/0x4f
[ 40.079494]  kasan_report.cold.9+0x76/0x309
[ 40.083815]  ? __schedule+0xfc3/0x1ed0
[ 40.087698]  __asan_report_load8_noabort+0x14/0x20
[ 40.092625]  __schedule+0xfc3/0x1ed0
[ 40.096344]  ? __sched_text_start+0x8/0x8
[ 40.100489]  ? __lock_is_held+0xb5/0x140
[ 40.104562]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 40.109659]  ? find_held_lock+0x36/0x1c0
[ 40.113736]  ? __call_srcu+0x7f9/0x1070
[ 40.117743]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 40.122847]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 40.127974]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 40.132576]  ? preempt_schedule+0x4d/0x60
[ 40.136729]  preempt_schedule_common+0x1f/0xd0
[ 40.141308]  preempt_schedule+0x4d/0x60
[ 40.145296]  ___preempt_schedule+0x16/0x18
[ 40.149547]  _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 40.154471]  __call_srcu+0x7f9/0x1070
[ 40.158266]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 40.163384]  ? srcu_offline_cpu+0x120/0x120
[ 40.167717]  ? debug_object_free+0x690/0x690
[ 40.172130]  ? mark_held_locks+0x130/0x130
[ 40.176371]  ? kvm_arch_destroy_vm+0x414/0x7c0
[ 40.180953]  ? lock_release+0x970/0x970
[ 40.184923]  ? arch_local_save_flags+0x40/0x40
[ 40.189502]  ? depot_save_stack+0x292/0x470
[ 40.193827]  ? __lockdep_init_map+0x105/0x590
[ 40.198328]  ? __init_waitqueue_head+0x9e/0x150
[ 40.203009]  ? init_wait_entry+0x1c0/0x1c0
[ 40.207289]  __synchronize_srcu+0x17b/0x230
[ 40.211616]  ? call_srcu+0x10/0x10
[ 40.215151]  ? rcu_unexpedite_gp+0x20/0x20
[ 40.219391]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 40.225415]  ? check_preemption_disabled+0x48/0x200
[ 40.230434]  synchronize_srcu+0x356/0x5ab
[ 40.234578]  ? lock_downgrade+0x900/0x900
[ 40.238760]  ? synchronize_srcu_expedited+0x20/0x20
[ 40.243776]  ? kasan_check_read+0x11/0x20
[ 40.247952]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 40.252533]  ? kasan_check_write+0x14/0x20
[ 40.256766]  ? do_raw_spin_lock+0xc1/0x200
[ 40.261013]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 40.266733]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 40.272197]  ? kvfree+0x61/0x70
[ 40.275477]  ? rcu_read_lock_sched_held+0x108/0x120
[ 40.280508]  kvm_mmu_uninit_vm+0x1c/0x20
[ 40.284576]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 40.289010]  ? kvm_arch_sync_events+0x30/0x30
[ 40.293524]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.299076]  ? mmu_notifier_unregister+0x474/0x600
[ 40.304028]  ? kfree+0x107/0x230
[ 40.307405]  ? __mmu_notifier_register+0x30/0x30
[ 40.312158]  ? __free_pages+0x10a/0x190
[ 40.316135]  ? free_unref_page+0x960/0x960
[ 40.320376]  kvm_put_kvm+0x6c8/0xff0
[ 40.324122]  ? kvm_write_guest_cached+0x40/0x40
[ 40.328805]  ? kvm_irqfd_release+0xd1/0x120
[ 40.333127]  ? _raw_spin_unlock_irq+0x27/0x80
[ 40.337619]  ? _raw_spin_unlock_irq+0x27/0x80
[ 40.342120]  ? kasan_check_write+0x14/0x20
[ 40.346351]  ? do_raw_spin_lock+0xc1/0x200
[ 40.350586]  ? kvm_irqfd_release+0xdd/0x120
[ 40.354898]  ? kvm_irqfd_release+0xdd/0x120
[ 40.359213]  ? kvm_put_kvm+0xff0/0xff0
[ 40.363098]  kvm_vm_release+0x42/0x50
[ 40.366895]  __fput+0x385/0xa30
[ 40.370174]  ? get_max_files+0x20/0x20
[ 40.374104]  ? trace_hardirqs_on+0xbd/0x310
[ 40.378467]  ? ___might_sleep+0x1ed/0x300
[ 40.382648]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 40.388091]  ? arch_local_save_flags+0x40/0x40
[ 40.392696]  ? kasan_check_write+0x14/0x20
[ 40.396929]  ? do_raw_spin_lock+0xc1/0x200
[ 40.401160]  ____fput+0x15/0x20
[ 40.404436]  task_work_run+0x1e8/0x2a0
[ 40.408325]  ? task_work_cancel+0x240/0x240
[ 40.412649]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.418180]  ? switch_task_namespaces+0x9d/0xd0
[ 40.422852]  do_exit+0x1ad7/0x2610
[ 40.426426]  ? mm_update_next_owner+0x990/0x990
[ 40.431096]  ? kvm_vcpu_ioctl+0x29c/0x1150
[ 40.435336]  ? rcu_read_lock_sched_held+0x108/0x120
[ 40.440409]  ? kfree+0x1fa/0x230
[ 40.443811]  ? kvm_vcpu_ioctl+0x2a1/0x1150
[ 40.448042]  ? kvm_vcpu_block+0x1030/0x1030
[ 40.452377]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.457915]  ? avc_has_extended_perms+0xab2/0x15a0
[ 40.462848]  ? save_stack_address+0x4b/0x60
[ 40.467165]  ? avc_ss_reset+0x190/0x190
[ 40.471139]  ? save_stack+0xa9/0xd0
[ 40.474766]  ? save_stack+0x43/0xd0
[ 40.478394]  ? __kasan_slab_free+0x102/0x150
[ 40.482808]  ? kasan_slab_free+0xe/0x10
[ 40.486802]  ? putname+0xf2/0x130
[ 40.490248]  ? __x64_sys_openat+0x9d/0x100
[ 40.494484]  ? do_syscall_64+0x1b9/0x820
[ 40.498541]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.503921]  ? ___might_sleep+0x1ed/0x300
[ 40.508112]  ? __bpf_trace_initcall_finish+0x2a/0x30
[ 40.513224]  ? trace_hardirqs_off+0xb8/0x310
[ 40.517631]  ? kvm_vcpu_block+0x1030/0x1030
[ 40.521953]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.527514]  ? do_vfs_ioctl+0x201/0x1720
[ 40.531584]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 40.536784]  ? ioctl_preallocate+0x300/0x300
[ 40.541209]  ? selinux_file_mprotect+0x620/0x620
[ 40.545962]  ? path_mountpoint+0x51e/0x2190
[ 40.550278]  ? rcu_read_lock_sched_held+0x108/0x120
[ 40.555289]  ? kmem_cache_free+0x24f/0x290
[ 40.559528]  ? putname+0xf7/0x130
[ 40.562987]  do_group_exit+0x177/0x440
[ 40.566875]  ? trace_hardirqs_on+0xbd/0x310
[ 40.571190]  ? __ia32_sys_exit+0x50/0x50
[ 40.575247]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 40.580700]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 40.586236]  ? ksys_ioctl+0x81/0xd0
[ 40.589909]  __x64_sys_exit_group+0x3e/0x50
[ 40.594244]  do_syscall_64+0x1b9/0x820
[ 40.598129]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 40.603488]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 40.608412]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.613267]  ? trace_hardirqs_on_caller+0x310/0x310
[ 40.618279]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 40.623292]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 40.628331]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 40.633174]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.638353] RIP: 0033:0x43ef08
[ 40.641543] Code: Bad RIP value.
[ 40.644902] RSP: 002b:00007ffdb89c1eb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 40.652611] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08
[ 40.659874] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 40.667136] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 40.674396] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 40.681660] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 40.688946]
[ 40.688951] ======================================================
[ 40.688957] WARNING: possible circular locking dependency detected
[ 40.688960] 4.19.0-rc4+ #27 Not tainted
[ 40.688966] ------------------------------------------------------
[ 40.688971] syz-executor694/5497 is trying to acquire lock:
[ 40.688974] 0000000005f6509f ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 40.688989]
[ 40.688993] but task is already holding lock:
[ 40.688996] 00000000ea18bafc (report_lock){....}, at: kasan_report+0x8b/0x110
[ 40.689011]
[ 40.689015] which lock already depends on the new lock.
[ 40.689018]
[ 40.689021]
[ 40.689025] the existing dependency chain (in reverse order) is:
[ 40.689028]
[ 40.689030] -> #3 (report_lock){....}:
[ 40.689045]        _raw_spin_lock_irqsave+0x99/0xd0
[ 40.689049]        kasan_report+0x8b/0x110
[ 40.689053]        __asan_report_load8_noabort+0x14/0x20
[ 40.689057]        __schedule+0xfc3/0x1ed0
[ 40.689061]        preempt_schedule_common+0x1f/0xd0
[ 40.689065]        preempt_schedule+0x4d/0x60
[ 40.689069]        ___preempt_schedule+0x16/0x18
[ 40.689074]        _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 40.689078]        __call_srcu+0x7f9/0x1070
[ 40.689082]        __synchronize_srcu+0x17b/0x230
[ 40.689086]        synchronize_srcu+0x356/0x5ab
[ 40.689091]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 40.689095]        kvm_mmu_uninit_vm+0x1c/0x20
[ 40.689098]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 40.689103]        kvm_put_kvm+0x6c8/0xff0
[ 40.689107]        kvm_vm_release+0x42/0x50
[ 40.689111]        __fput+0x385/0xa30
[ 40.689114]        ____fput+0x15/0x20
[ 40.689118]        task_work_run+0x1e8/0x2a0
[ 40.689122]        do_exit+0x1ad7/0x2610
[ 40.689125]        do_group_exit+0x177/0x440
[ 40.689130]        __x64_sys_exit_group+0x3e/0x50
[ 40.689133]        do_syscall_64+0x1b9/0x820
[ 40.689138]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.689140]
[ 40.689143] -> #2 (&rq->lock){-.-.}:
[ 40.689157]        _raw_spin_lock+0x2d/0x40
[ 40.689161]        task_fork_fair+0xb0/0x6d0
[ 40.689164]        sched_fork+0x443/0xba0
[ 40.689168]        copy_process+0x2586/0x8780
[ 40.689172]        _do_fork+0x1cb/0x11d0
[ 40.689176]        kernel_thread+0x34/0x40
[ 40.689179]        rest_init+0x22/0xe5
[ 40.689183]        start_kernel+0x8f4/0x92f
[ 40.689188]        x86_64_start_reservations+0x29/0x2b
[ 40.689192]        x86_64_start_kernel+0x76/0x79
[ 40.689196]        secondary_startup_64+0xa4/0xb0
[ 40.689198]
[ 40.689201] -> #1 (&p->pi_lock){-.-.}:
[ 40.689216]        _raw_spin_lock_irqsave+0x99/0xd0
[ 40.689220]        try_to_wake_up+0xd2/0x12f0
[ 40.689223]        wake_up_process+0x10/0x20
[ 40.689227]        __up.isra.1+0x1c0/0x2a0
[ 40.689231]        up+0x13c/0x1c0
[ 40.689235]        __up_console_sem+0xbe/0x1b0
[ 40.689239]        console_unlock+0x814/0x1160
[ 40.689243]        vprintk_emit+0x33d/0x930
[ 40.689247]        vprintk_default+0x28/0x30
[ 40.689251]        vprintk_func+0x7e/0x181
[ 40.689254]        printk+0xa7/0xcf
[ 40.689258]        load_umh+0x51/0xbd
[ 40.689262]        do_one_initcall+0x145/0x957
[ 40.689266]        kernel_init_freeable+0x4bb/0x5ae
[ 40.689270]        kernel_init+0x11/0x1b2
[ 40.689274]        ret_from_fork+0x3a/0x50
[ 40.689276]
[ 40.689278] -> #0 ((console_sem).lock){-...}:
[ 40.689293]        lock_acquire+0x1ed/0x520
[ 40.689297]        _raw_spin_lock_irqsave+0x99/0xd0
[ 40.689301]        down_trylock+0x13/0x70
[ 40.689305]        __down_trylock_console_sem+0xae/0x200
[ 40.689309]        console_trylock+0x15/0xa0
[ 40.689320]        vprintk_emit+0x322/0x930
[ 40.689324]        vprintk_default+0x28/0x30
[ 40.689328]        vprintk_func+0x7e/0x181
[ 40.689331]        printk+0xa7/0xcf
[ 40.689335]        kasan_report+0x9b/0x110
[ 40.689339]        __asan_report_load8_noabort+0x14/0x20
[ 40.689343]        __schedule+0xfc3/0x1ed0
[ 40.689347]        preempt_schedule_common+0x1f/0xd0
[ 40.689352]        preempt_schedule+0x4d/0x60
[ 40.689356]        ___preempt_schedule+0x16/0x18
[ 40.689360]        _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 40.689364]        __call_srcu+0x7f9/0x1070
[ 40.689368]        __synchronize_srcu+0x17b/0x230
[ 40.689372]        synchronize_srcu+0x356/0x5ab
[ 40.689377]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 40.689381]        kvm_mmu_uninit_vm+0x1c/0x20
[ 40.689385]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 40.689389]        kvm_put_kvm+0x6c8/0xff0
[ 40.689393]        kvm_vm_release+0x42/0x50
[ 40.689396]        __fput+0x385/0xa30
[ 40.689400]        ____fput+0x15/0x20
[ 40.689404]        task_work_run+0x1e8/0x2a0
[ 40.689408]        do_exit+0x1ad7/0x2610
[ 40.689411]        do_group_exit+0x177/0x440
[ 40.689416]        __x64_sys_exit_group+0x3e/0x50
[ 40.689419]        do_syscall_64+0x1b9/0x820
[ 40.689424]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.689426]
[ 40.689431] other info that might help us debug this:
[ 40.689433]
[ 40.689436] Chain exists of:
[ 40.689438]   (console_sem).lock --> &rq->lock --> report_lock
[ 40.689456]
[ 40.689460]  Possible unsafe locking scenario:
[ 40.689463]
[ 40.689467]        CPU0                    CPU1
[ 40.689471]        ----                    ----
[ 40.689473]   lock(report_lock);
[ 40.689482]                                lock(&rq->lock);
[ 40.689492]                                lock(report_lock);
[ 40.689500]   lock((console_sem).lock);
[ 40.689522]
[ 40.689525]  *** DEADLOCK ***
[ 40.689527]
[ 40.689531] 2 locks held by syz-executor694/5497:
[ 40.689533]  #0: 00000000501d6714 (&rq->lock){-.-.}, at: __schedule+0x236/0x1ed0
[ 40.689549]  #1: 00000000ea18bafc (report_lock){....}, at: kasan_report+0x8b/0x110
[ 40.689565]
[ 40.689568] stack backtrace:
[ 40.689574] CPU: 0 PID: 5497 Comm: syz-executor694 Not tainted 4.19.0-rc4+ #27
[ 40.689581] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.689584] Call Trace:
[ 40.689587]  dump_stack+0x1c4/0x2b4
[ 40.689592]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 40.689601]  ? vprintk_func+0x85/0x181
[ 40.689606]  print_circular_bug.isra.33.cold.54+0x1bd/0x27d
[ 40.689610]  ? save_trace+0xe0/0x290
[ 40.689613]  __lock_acquire+0x33e4/0x4ec0
[ 40.689617]  ? mark_held_locks+0x130/0x130
[ 40.689621]  ? mark_held_locks+0x130/0x130
[ 40.689625]  ? rcu_bh_qs+0xc0/0xc0
[ 40.689628]  ? unwind_dump+0x190/0x190
[ 40.689633]  ? is_bpf_text_address+0xd3/0x170
[ 40.689637]  ? kernel_text_address+0x79/0xf0
[ 40.689641]  ? __kernel_text_address+0xd/0x40
[ 40.689645]  ? __save_stack_trace+0x8d/0xf0
[ 40.689649]  ? add_lock_to_list.isra.26+0x1ec/0x4b0
[ 40.689653]  ? save_trace+0x290/0x290
[ 40.689657]  ? save_stack_trace+0x1a/0x20
[ 40.689661]  ? save_trace+0xe0/0x290
[ 40.689664]  ? kasan_check_read+0x11/0x20
[ 40.689668]  ? graph_lock+0x170/0x170
[ 40.689673]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.689677]  lock_acquire+0x1ed/0x520
[ 40.689680]  ? down_trylock+0x13/0x70
[ 40.689684]  ? find_held_lock+0x36/0x1c0
[ 40.689688]  ? lock_release+0x970/0x970
[ 40.689692]  ? trace_hardirqs_off+0xb8/0x310
[ 40.689696]  ? vprintk_emit+0x1d3/0x930
[ 40.689700]  ? trace_hardirqs_on+0x310/0x310
[ 40.689704]  ? trace_hardirqs_off+0xb8/0x310
[ 40.689708]  ? log_store+0x344/0x4c0
[ 40.689711]  ? vprintk_emit+0x322/0x930
[ 40.689715]  _raw_spin_lock_irqsave+0x99/0xd0
[ 40.689719]  ? down_trylock+0x13/0x70
[ 40.689723]  down_trylock+0x13/0x70
[ 40.689727]  __down_trylock_console_sem+0xae/0x200
[ 40.689731]  console_trylock+0x15/0xa0
[ 40.689734]  vprintk_emit+0x322/0x930
[ 40.689738]  ? wake_up_klogd+0x180/0x180
[ 40.689742]  ? run_rebalance_domains+0x500/0x500
[ 40.689761]  ? wake_up_worker+0x117/0x190
[ 40.689765]  ? find_held_lock+0x36/0x1c0
[ 40.689769]  ? __queue_work+0x6be/0x1440
[ 40.689788]  ? lock_acquire+0x1ed/0x520
[ 40.689792]  vprintk_default+0x28/0x30
[ 40.689796]  vprintk_func+0x7e/0x181
[ 40.689800]  printk+0xa7/0xcf
[ 40.689804]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 40.689808]  ? kasan_check_write+0x14/0x20
[ 40.689812]  ? do_raw_spin_lock+0xc1/0x200
[ 40.689817]  ? do_raw_spin_lock+0xc1/0x200
[ 40.689820]  kasan_report+0x9b/0x110
[ 40.689824]  ? __schedule+0xfc3/0x1ed0
[ 40.689829]  __asan_report_load8_noabort+0x14/0x20
[ 40.689833]  __schedule+0xfc3/0x1ed0
[ 40.689837]  ? __sched_text_start+0x8/0x8
[ 40.689841]  ? __lock_is_held+0xb5/0x140
[ 40.689846]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 40.689850]  ? find_held_lock+0x36/0x1c0
[ 40.689854]  ? __call_srcu+0x7f9/0x1070
[ 40.689859]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 40.689863]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 40.689868]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 40.689872]  ? preempt_schedule+0x4d/0x60
[ 40.689876]  preempt_schedule_common+0x1f/0xd0
[ 40.689880]  preempt_schedule+0x4d/0x60
[ 40.689884]  ___preempt_schedule+0x16/0x18
[ 40.689889]  _raw_spin_unlock_irqrestore+0xbb/0xd0
[ 40.689893]  __call_srcu+0x7f9/0x1070
[ 40.689897]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 40.689902]  ? srcu_offline_cpu+0x120/0x120
[ 40.689906]  ? debug_object_free+0x690/0x690
[ 40.689910]  ? mark_held_locks+0x130/0x130
[ 40.689915]  ? kvm_arch_destroy_vm+0x414/0x7c0
[ 40.689919]  ? lock_release+0x970/0x970
[ 40.689923]  ? arch_local_save_flags+0x40/0x40
[ 40.689942]  ? depot_save_stack+0x292/0x470
[ 40.689946]  ? __lockdep_init_map+0x105/0x590
[ 40.689951]  ? __init_waitqueue_head+0x9e/0x150
[ 40.689955]  ? init_wait_entry+0x1c0/0x1c0
[ 40.689959]  __synchronize_srcu+0x17b/0x230
[ 40.689978]  ? call_srcu+0x10/0x10
[ 40.689982]  ? rcu_unexpedite_gp+0x20/0x20
[ 40.689986]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 40.689990]  ? check_preemption_disabled+0x48/0x200
[ 40.689994]  synchronize_srcu+0x356/0x5ab
[ 40.689998]  ? lock_downgrade+0x900/0x900
[ 40.690002]  ? synchronize_srcu_expedited+0x20/0x20
[ 40.690006]  ? kasan_check_read+0x11/0x20
[ 40.690010]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 40.690014]  ? kasan_check_write+0x14/0x20
[ 40.690018]  ? do_raw_spin_lock+0xc1/0x200
[ 40.690023]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 40.690027]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 40.690031]  ? kvfree+0x61/0x70
[ 40.690035]  ? rcu_read_lock_sched_held+0x108/0x120
[ 40.690039]  kvm_mmu_uninit_vm+0x1c/0x20
[ 40.690043]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 40.690047]  ? kvm_arch_sync_events+0x30/0x30
[ 40.690052]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 40.690056]  ? mmu_notifier_unregister+0x474/0x600
[ 40.690060]  ? kfree+0x107/0x230
[ 40.690064]  ? __mmu_notifier_register+0x30/0x30
[ 40.690068]  ? __free_pages+0x10a/0x190
[ 40.690087]  ? free_unref_page+0x960/0x960
[ 40.690091]  kvm_put_kvm+0x6c8/0xff0
[ 40.690096]  ? kvm_write_guest_cached+0x40/0x40
[ 40.690116]  ? kvm_irqfd_release+0xd1/0x120
[ 40.690121]  ? _raw_spin_unlock_irq+0x27/0x80
[ 40.690125]  ? _raw_spin_unlock_irq+0x27/0x80
[ 40.690129]  ? kasan_check_write+0x14/0x20
[ 40.690133]  ? do_raw_spin_lock+0xc1/0x200
[ 40.690136]  ? kvm_irqfd_release+0xdd
[ 40.690143] Lost 73 message(s)!
[ 41.910546] Shutting down cpus with NMI
[ 42.968309] Kernel Offset: disabled
[ 42.971943] Rebooting in 86400 seconds..