Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 38.781954] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.022951] kauditd_printk_skb: 9 callbacks suppressed
[ 39.022959] audit: type=1400 audit(1569067130.618:35): avc: denied { map } for pid=6909 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 39.084682] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.637302] random: sshd: uninitialized urandom read (32 bytes read)
[ 59.785070] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.199' (ECDSA) to the list of known hosts.
[ 65.301708] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 65.432377] audit: type=1400 audit(1569067157.028:36): avc: denied { map } for pid=6922 comm="syz-executor908" path="/root/syz-executor908506408" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 70.442207] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x60
[ 70.452902] ------------[ cut here ]------------
[ 70.457834] WARNING: CPU: 1 PID: 6925 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 70.466843] Kernel panic - not syncing: panic_on_warn set ...
[ 70.466843]
[ 70.475248] CPU: 1 PID: 6925 Comm: syz-executor908 Not tainted 4.14.146 #0
[ 70.482250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.493685] Call Trace:
[ 70.496263]  dump_stack+0x138/0x197
[ 70.499872]  panic+0x1f2/0x426
[ 70.503055]  ? add_taint.cold+0x16/0x16
[ 70.507012]  ? debug_print_object.cold+0xa7/0xdb
[ 70.511754]  ? debug_print_object.cold+0xa7/0xdb
[ 70.516504]  __warn.cold+0x2f/0x36
[ 70.520034]  ? ist_end_non_atomic+0x10/0x10
[ 70.524353]  ? debug_print_object.cold+0xa7/0xdb
[ 70.529090]  report_bug+0x216/0x254
[ 70.532699]  do_error_trap+0x1bb/0x310
[ 70.536578]  ? math_error+0x360/0x360
[ 70.540376]  ? vprintk_emit+0x171/0x600
[ 70.544344]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 70.549363]  do_invalid_op+0x1b/0x20
[ 70.553074]  invalid_op+0x1b/0x40
[ 70.556618] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 70.561960] RSP: 0018:ffff8880a5cc7aa8 EFLAGS: 00010086
[ 70.567404] RAX: 000000000000005e RBX: 0000000000000003 RCX: 0000000000000000
[ 70.574759] RDX: 0000000000000000 RSI: ffffffff866d10e0 RDI: ffffed1014b98f4b
[ 70.582018] RBP: ffff8880a5cc7ad0 R08: 000000000000005e R09: 0000000000000000
[ 70.589284] R10: 0000000000000000 R11: ffff8880892e43c0 R12: ffffffff866cc2e0
[ 70.596623] R13: ffffffff8582cb20 R14: 0000000000000000 R15: ffff8880917d90e8
[ 70.604064]  ? rfcomm_session_add+0x340/0x340
[ 70.608559]  ? debug_print_object.cold+0xa7/0xdb
[ 70.613303]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 70.618140]  ? free_obj_work+0x6d0/0x6d0
[ 70.622194]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 70.627634]  kfree+0xbd/0x270
[ 70.630743]  rfcomm_dlc_free+0x20/0x30
[ 70.634614]  rfcomm_dev_ioctl+0x1590/0x18b0
[ 70.638930]  ? mark_held_locks+0xb1/0x100
[ 70.643069]  ? __local_bh_enable_ip+0x99/0x1a0
[ 70.647702]  ? rfcomm_dev_state_change+0x130/0x130
[ 70.652626]  ? __local_bh_enable_ip+0x99/0x1a0
[ 70.657539]  rfcomm_sock_ioctl+0x82/0xa0
[ 70.661607]  sock_do_ioctl+0x64/0xb0
[ 70.665303]  sock_ioctl+0x2a6/0x470
[ 70.668926]  ? dlci_ioctl_set+0x40/0x40
[ 70.672903]  do_vfs_ioctl+0x7ae/0x1060
[ 70.676786]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 70.681613]  ? ioctl_preallocate+0x1c0/0x1c0
[ 70.686091]  ? lock_downgrade+0x6e0/0x6e0
[ 70.690230]  ? security_file_ioctl+0x7d/0xb0
[ 70.695990]  ? security_file_ioctl+0x89/0xb0
[ 70.700390]  SyS_ioctl+0x8f/0xc0
[ 70.704268]  ? do_vfs_ioctl+0x1060/0x1060
[ 70.709106]  do_syscall_64+0x1e8/0x640
[ 70.712972]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 70.717801]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 70.722970] RIP: 0033:0x441229
[ 70.726148] RSP: 002b:00007ffc3764d6d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.733852] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 70.741117] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000003
[ 70.748375] RBP: 0000000000011325 R08: 00000000004002c8 R09: 00000000004002c8
[ 70.755646] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 70.762999] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 70.770270]
[ 70.770272] ======================================================
[ 70.770273] WARNING: possible circular locking dependency detected
[ 70.770274] 4.14.146 #0 Not tainted
[ 70.770276] ------------------------------------------------------
[ 70.770277] syz-executor908/6925 is trying to acquire lock:
[ 70.770279]  ((console_sem).lock){-...}, at: [] down_trylock+0x13/0x70
[ 70.770283]
[ 70.770284] but task is already holding lock:
[ 70.770285]  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 70.770289]
[ 70.770290] which lock already depends on the new lock.
[ 70.770291]
[ 70.770292]
[ 70.770293] the existing dependency chain (in reverse order) is:
[ 70.770294]
[ 70.770295] -> #3 (&obj_hash[i].lock){-.-.}:
[ 70.770299]        lock_acquire+0x16f/0x430
[ 70.770300]        _raw_spin_lock_irqsave+0x95/0xcd
[ 70.770301]        __debug_object_init+0xa9/0x8e0
[ 70.770303]        debug_object_init+0x16/0x20
[ 70.770304]        hrtimer_init+0x2a/0x2e0
[ 70.770305]        init_dl_task_timer+0x1b/0x50
[ 70.770306]        __sched_fork+0x222/0xab0
[ 70.770307]        init_idle+0x75/0x800
[ 70.770308]        sched_init+0xaa1/0xbb3
[ 70.770309]        start_kernel+0x339/0x6fd
[ 70.770311]        x86_64_start_reservations+0x29/0x2b
[ 70.770312]        x86_64_start_kernel+0x77/0x7b
[ 70.770313]        secondary_startup_64+0xa5/0xb0
[ 70.770314]
[ 70.770315] -> #2 (&rq->lock){-.-.}:
[ 70.770319]        lock_acquire+0x16f/0x430
[ 70.770320]        _raw_spin_lock+0x2f/0x40
[ 70.770321]        task_fork_fair+0x63/0x5b0
[ 70.770322]        sched_fork+0x3a6/0xc10
[ 70.770323]        copy_process.part.0+0x15b7/0x6a00
[ 70.770324]        _do_fork+0x19e/0xce0
[ 70.770326]        kernel_thread+0x34/0x40
[ 70.770327]        rest_init+0x24/0x1e2
[ 70.770328]        start_kernel+0x6df/0x6fd
[ 70.770329]        x86_64_start_reservations+0x29/0x2b
[ 70.770330]        x86_64_start_kernel+0x77/0x7b
[ 70.770332]        secondary_startup_64+0xa5/0xb0
[ 70.770332]
[ 70.770333] -> #1 (&p->pi_lock){-.-.}:
[ 70.770337]        lock_acquire+0x16f/0x430
[ 70.770338]        _raw_spin_lock_irqsave+0x95/0xcd
[ 70.770339]        try_to_wake_up+0x79/0xf90
[ 70.770341]        wake_up_process+0x10/0x20
[ 70.770342]        __up.isra.0+0x136/0x1a0
[ 70.770343]        up+0x9c/0xe0
[ 70.770344]        __up_console_sem+0xad/0x1b0
[ 70.770345]        console_unlock+0x59d/0xed0
[ 70.770346]        vprintk_emit+0x1f9/0x600
[ 70.770347]        vprintk_default+0x28/0x30
[ 70.770348]        vprintk_func+0x5d/0x159
[ 70.770349]        printk+0x9e/0xbc
[ 70.770351]        kauditd_hold_skb.cold+0x3e/0x4d
[ 70.770352]        kauditd_send_queue+0xfc/0x140
[ 70.770353]        kauditd_thread+0x644/0x860
[ 70.770354]        kthread+0x319/0x430
[ 70.770355]        ret_from_fork+0x24/0x30
[ 70.770356]
[ 70.770357] -> #0 ((console_sem).lock){-...}:
[ 70.770361]        __lock_acquire+0x2cb3/0x4620
[ 70.770362]        lock_acquire+0x16f/0x430
[ 70.770363]        _raw_spin_lock_irqsave+0x95/0xcd
[ 70.770364]        down_trylock+0x13/0x70
[ 70.770366]        __down_trylock_console_sem+0x9c/0x200
[ 70.770367]        console_trylock+0x17/0x80
[ 70.770368]        vprintk_emit+0x1eb/0x600
[ 70.770369]        vprintk_default+0x28/0x30
[ 70.770371]        vprintk_func+0x5d/0x159
[ 70.770372]        printk+0x9e/0xbc
[ 70.770373]        debug_print_object.cold+0xa7/0xdb
[ 70.770374]        debug_check_no_obj_freed+0x3f5/0x7b7
[ 70.770376]        kfree+0xbd/0x270
[ 70.770377]        rfcomm_dlc_free+0x20/0x30
[ 70.770378]        rfcomm_dev_ioctl+0x1590/0x18b0
[ 70.770379]        rfcomm_sock_ioctl+0x82/0xa0
[ 70.770380]        sock_do_ioctl+0x64/0xb0
[ 70.770382]        sock_ioctl+0x2a6/0x470
[ 70.770383]        do_vfs_ioctl+0x7ae/0x1060
[ 70.770384]        SyS_ioctl+0x8f/0xc0
[ 70.770385]        do_syscall_64+0x1e8/0x640
[ 70.770386]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 70.770387]
[ 70.770388] other info that might help us debug this:
[ 70.770389]
[ 70.770390] Chain exists of:
[ 70.770391]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[ 70.770396]
[ 70.770397]  Possible unsafe locking scenario:
[ 70.770398]
[ 70.770399]        CPU0                    CPU1
[ 70.770400]        ----                    ----
[ 70.770401]   lock(&obj_hash[i].lock);
[ 70.770403]                                lock(&rq->lock);
[ 70.770406]                                lock(&obj_hash[i].lock);
[ 70.770409]   lock((console_sem).lock);
[ 70.770411]
[ 70.770412]  *** DEADLOCK ***
[ 70.770413]
[ 70.770414] 3 locks held by syz-executor908/6925:
[ 70.770415]  #0:  (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: [] rfcomm_sock_ioctl+0x74/0xa0
[ 70.770419]  #1:  (rfcomm_ioctl_mutex){+.+.}, at: [] rfcomm_dev_ioctl+0x442/0x18b0
[ 70.770424]  #2:  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 70.770428]
[ 70.770429] stack backtrace:
[ 70.770431] CPU: 1 PID: 6925 Comm: syz-executor908 Not tainted 4.14.146 #0
[ 70.770433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.770434] Call Trace:
[ 70.770435]  dump_stack+0x138/0x197
[ 70.770436]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 70.770437]  __lock_acquire+0x2cb3/0x4620
[ 70.770439]  ? add_lock_to_list.isra.0+0x17c/0x330
[ 70.770440]  ? trace_hardirqs_on+0x10/0x10
[ 70.770441]  ? netdev_bits+0xb0/0xb0
[ 70.770442]  ? save_trace+0x290/0x290
[ 70.770443]  ? kvm_clock_read+0x23/0x40
[ 70.770445]  ? kvm_sched_clock_read+0x9/0x20
[ 70.770446]  lock_acquire+0x16f/0x430
[ 70.770447]  ? down_trylock+0x13/0x70
[ 70.770448]  ? vprintk_emit+0x109/0x600
[ 70.770449]  _raw_spin_lock_irqsave+0x95/0xcd
[ 70.770450]  ? down_trylock+0x13/0x70
[ 70.770451]  ? vprintk_emit+0x1eb/0x600
[ 70.770452]  down_trylock+0x13/0x70
[ 70.770453]  ? vprintk_emit+0x1eb/0x600
[ 70.770455]  __down_trylock_console_sem+0x9c/0x200
[ 70.770456]  console_trylock+0x17/0x80
[ 70.770457]  vprintk_emit+0x1eb/0x600
[ 70.770458]  vprintk_default+0x28/0x30
[ 70.770459]  vprintk_func+0x5d/0x159
[ 70.770460]  ? rfcomm_session_add+0x340/0x340
[ 70.770461]  printk+0x9e/0xbc
[ 70.770463]  ? show_regs_print_info+0x63/0x63
[ 70.770464]  ? lock_acquire+0x16f/0x430
[ 70.770465]  ? debug_check_no_obj_freed+0x12d/0x7b7
[ 70.770466]  ? rfcomm_session_add+0x340/0x340
[ 70.770467]  debug_print_object.cold+0xa7/0xdb
[ 70.770469]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 70.770470]  ? free_obj_work+0x6d0/0x6d0
[ 70.770471]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 70.770472]  kfree+0xbd/0x270
[ 70.770473]  rfcomm_dlc_free+0x20/0x30
[ 70.770475]  rfcomm_dev_ioctl+0x1590/0x18b0
[ 70.770476]  ? mark_held_locks+0xb1/0x100
[ 70.770477]  ? __local_bh_enable_ip+0x99/0x1a0
[ 70.770478]  ? rfcomm_dev_state_change+0x130/0x130
[ 70.770480]  ? __local_bh_enable_ip+0x99/0x1a0
[ 70.770481]  rfcomm_sock_ioctl+0x82/0xa0
[ 70.770482]  sock_do_ioctl+0x64/0xb0
[ 70.770483]  sock_ioctl+0x2a6/0x470
[ 70.770485]  ? dlci_ioctl_set+0x40/0x40
[ 70.770486]  do_vfs_ioctl+0x7ae/0x1060
[ 70.770487]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 70.770488]  ? ioctl_preallocate+0x1c0/0x1c0
[ 70.770490]  ? lock_downgrade+0x6e0/0x6e0
[ 70.770491]  ? security_file_ioctl+0x7d/0xb0
[ 70.770492]  ? security_file_ioctl+0x89/0xb0
[ 70.770493]  SyS_ioctl+0x8f/0xc0
[ 70.770495]  ? do_vfs_ioctl+0x1060/0x1060
[ 70.770496]  do_syscall_64+0x1e8/0x640
[ 70.770497]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 70.770498]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 70.770499] RIP: 0033:0x441229
[ 70.770501] RSP: 002b:00007ffc3764d6d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.770504] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 70.770505] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000003
[ 70.770507] RBP: 0000000000011325 R08: 00000000004002c8 R09: 00000000004002c8
[ 70.770509] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 70.770541] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 70.772170] Kernel Offset: disabled
[ 71.551763] Rebooting in 86400 seconds..