[ 40.790270] audit: type=1800 audit(1578261396.776:30): pid=7781 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd: 
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 46.360756] kauditd_printk_skb: 4 callbacks suppressed
[ 46.360772] audit: type=1400 audit(1578261402.366:35): avc: denied { map } for pid=7958 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.1.29' (ECDSA) to the list of known hosts.
executing program
[ 53.216262] audit: type=1400 audit(1578261409.226:36): avc: denied { map } for pid=7970 comm="syz-executor128" path="/root/syz-executor128820036" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 58.226860] ------------[ cut here ]------------
[ 58.232774] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 58.242795] WARNING: CPU: 0 PID: 7973 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 58.251537] Kernel panic - not syncing: panic_on_warn set ...
[ 58.251537] 
[ 58.258884] CPU: 0 PID: 7973 Comm: syz-executor128 Not tainted 4.19.93-syzkaller #0
[ 58.266664] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.275998] Call Trace:
[ 58.278575]  dump_stack+0x197/0x210
[ 58.282194]  panic+0x26a/0x50e
[ 58.285379]  ? __warn_printk+0xf3/0xf3
[ 58.289264]  ? debug_print_object+0x168/0x250
[ 58.293741]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.299281]  ? __warn.cold+0x5/0x53
[ 58.302896]  ? __warn+0xe8/0x1d0
[ 58.306243]  ? debug_print_object+0x168/0x250
[ 58.310737]  __warn.cold+0x20/0x53
[ 58.314267]  ? trace_hardirqs_off+0x62/0x220
[ 58.318669]  ? debug_print_object+0x168/0x250
[ 58.323152]  report_bug+0x263/0x2b0
[ 58.326858]  do_error_trap+0x204/0x360
[ 58.330746]  ? math_error+0x340/0x340
[ 58.334530]  ? wake_up_klogd+0x99/0xd0
[ 58.338451]  ? vprintk_emit+0x1ce/0x6d0
[ 58.342506]  ? error_entry+0x7c/0xe0
[ 58.346221]  ? trace_hardirqs_off_caller+0x65/0x220
[ 58.351227]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.356059]  do_invalid_op+0x1b/0x20
[ 58.359804]  invalid_op+0x14/0x20
[ 58.363255] RIP: 0010:debug_print_object+0x168/0x250
[ 58.368340] Code: dd 60 4d eb 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd 60 4d eb 87 48 c7 c7 a0 42 eb 87 e8 a6 98 d4 fd <0f> 0b 83 05 2b 3a 64 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 58.387223] RSP: 0018:ffff8880810e78b8 EFLAGS: 00010082
[ 58.392566] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 58.399829] RDX: 0000000000000000 RSI: ffffffff8155bc26 RDI: ffffed101021cf09
[ 58.407080] RBP: ffff8880810e78f8 R08: ffff8880935dc540 R09: ffffed1015d03ee3
[ 58.414946] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: 0000000000000001
[ 58.422204] R13: ffffffff88fa4420 R14: ffffffff815b31e0 R15: ffff88808e746d68
[ 58.429469]  ? __internal_add_timer+0x1f0/0x1f0
[ 58.434132]  ? vprintk_func+0x86/0x189
[ 58.438064]  ? debug_print_object+0x168/0x250
[ 58.442584]  debug_check_no_obj_freed+0x29f/0x464
[ 58.447417]  kfree+0xbd/0x220
[ 58.450509]  rfcomm_dlc_free+0x20/0x30
[ 58.454435]  rfcomm_dev_ioctl+0x1988/0x1c90
[ 58.458750]  ? mark_held_locks+0xb1/0x100
[ 58.462908]  ? lock_sock_nested+0xe2/0x120
[ 58.467128]  ? rfcomm_tty_install+0x1a0/0x1a0
[ 58.471607]  ? lock_sock_nested+0x9a/0x120
[ 58.475828]  ? trace_hardirqs_on+0x67/0x220
[ 58.480140]  ? __local_bh_enable_ip+0x15a/0x270
[ 58.484811]  rfcomm_sock_ioctl+0x90/0xb0
[ 58.489210]  sock_do_ioctl+0xd8/0x2f0
[ 58.493001]  ? compat_ifr_data_ioctl+0x160/0x160
[ 58.497756]  ? __lock_acquire+0x6ee/0x49c0
[ 58.501998]  ? rcu_read_lock_sched_held+0x110/0x130
[ 58.507027]  ? kmem_cache_alloc+0x32a/0x700
[ 58.511355]  sock_ioctl+0x325/0x610
[ 58.514976]  ? dlci_ioctl_set+0x40/0x40
[ 58.518948]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.524480]  ? __might_sleep+0x95/0x190
[ 58.528497]  ? find_held_lock+0x35/0x130
[ 58.532548]  ? dlci_ioctl_set+0x40/0x40
[ 58.536561]  do_vfs_ioctl+0xd5f/0x1380
[ 58.540432]  ? selinux_file_ioctl+0x46f/0x5e0
[ 58.544909]  ? selinux_file_ioctl+0x125/0x5e0
[ 58.549394]  ? ioctl_preallocate+0x210/0x210
[ 58.553784]  ? selinux_file_mprotect+0x620/0x620
[ 58.558527]  ? __sanitizer_cov_trace_cmp2+0xb/0x20
[ 58.563447]  ? __fd_install+0x200/0x640
[ 58.567409]  ? fd_install+0x4d/0x60
[ 58.571075]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.576692]  ? security_file_ioctl+0x8d/0xc0
[ 58.581089]  ksys_ioctl+0xab/0xd0
[ 58.584527]  __x64_sys_ioctl+0x73/0xb0
[ 58.588403]  do_syscall_64+0xfd/0x620
[ 58.592192]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.597365] RIP: 0033:0x4412b9
[ 58.600540] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.619519] RSP: 002b:00007ffd8eded2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.627213] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 58.634468] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 58.641722] RBP: 000000000000e350 R08: 00000000004002c8 R09: 00000000004002c8
[ 58.648972] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 58.656222] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 58.663486] 
[ 58.663490] ======================================================
[ 58.663494] WARNING: possible circular locking dependency detected
[ 58.663496] 4.19.93-syzkaller #0 Not tainted
[ 58.663499] ------------------------------------------------------
[ 58.663503] syz-executor128/7973 is trying to acquire lock:
[ 58.663505] 000000004d671aaf ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70
[ 58.663513] 
[ 58.663516] but task is already holding lock:
[ 58.663517] 00000000adc8678e (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 58.663526] 
[ 58.663529] which lock already depends on the new lock.
[ 58.663530] 
[ 58.663532] 
[ 58.663535] the existing dependency chain (in reverse order) is:
[ 58.663536] 
[ 58.663537] -> #5 (&obj_hash[i].lock){-.-.}:
[ 58.663546]  _raw_spin_lock_irqsave+0x95/0xcd
[ 58.663548]  debug_object_activate+0x131/0x4e0
[ 58.663551]  enqueue_hrtimer+0x2a/0x3f0
[ 58.663553]  hrtimer_start_range_ns+0x5fb/0xc70
[ 58.663556]  schedule_hrtimeout_range_clock+0x1a0/0x380
[ 58.663559]  schedule_hrtimeout+0x25/0x30
[ 58.663561]  wait_task_inactive+0x4a2/0x630
[ 58.663564]  __kthread_bind_mask+0x24/0xb0
[ 58.663566]  kthread_bind_mask+0x23/0x30
[ 58.663569]  init_rescuer.part.0+0xfc/0x190
[ 58.663571]  workqueue_init+0x51a/0x808
[ 58.663574]  kernel_init_freeable+0x2c0/0x5c8
[ 58.663576]  kernel_init+0x12/0x1c3
[ 58.663578]  ret_from_fork+0x24/0x30
[ 58.663580] 
[ 58.663581] -> #4 (hrtimer_bases.lock){-.-.}:
[ 58.663589]  _raw_spin_lock_irqsave+0x95/0xcd
[ 58.663592]  lock_hrtimer_base.isra.0+0x75/0x130
[ 58.663594]  hrtimer_start_range_ns+0xff/0xc70
[ 58.663597]  enqueue_task_rt+0x998/0xe70
[ 58.663599]  __sched_setscheduler+0xd93/0x1ed0
[ 58.663602]  _sched_setscheduler+0x10a/0x1b0
[ 58.663605]  sched_setscheduler+0xe/0x10
[ 58.663607]  watchdog_dev_init+0xe0/0x1b2
[ 58.663610]  watchdog_init+0x17/0x181
[ 58.663612]  do_one_initcall+0x107/0x78c
[ 58.663615]  kernel_init_freeable+0x4d4/0x5c8
[ 58.663617]  kernel_init+0x12/0x1c3
[ 58.663619]  ret_from_fork+0x24/0x30
[ 58.663621] 
[ 58.663622] -> #3 (&rt_b->rt_runtime_lock){-...}:
[ 58.663630]  _raw_spin_lock+0x2f/0x40
[ 58.663632]  rq_online_rt+0xb4/0x390
[ 58.663635]  set_rq_online.part.0+0xe4/0x140
[ 58.663638]  sched_cpu_activate+0x17f/0x270
[ 58.663640]  cpuhp_invoke_callback+0x201/0x1af0
[ 58.663643]  cpuhp_thread_fun+0x453/0x850
[ 58.663645]  smpboot_thread_fn+0x6a3/0xa30
[ 58.663647]  kthread+0x354/0x420
[ 58.663650]  ret_from_fork+0x24/0x30
[ 58.663651] 
[ 58.663652] -> #2 (&rq->lock){-.-.}:
[ 58.663660]  _raw_spin_lock+0x2f/0x40
[ 58.663662]  task_fork_fair+0x6a/0x520
[ 58.663664]  sched_fork+0x3af/0x900
[ 58.663667]  copy_process.part.0+0x1859/0x7a30
[ 58.663669]  _do_fork+0x257/0xfd0
[ 58.663672]  kernel_thread+0x34/0x40
[ 58.663674]  rest_init+0x24/0x222
[ 58.663676]  start_kernel+0x88c/0x8c5
[ 58.663679]  x86_64_start_reservations+0x29/0x2b
[ 58.663681]  x86_64_start_kernel+0x77/0x7b
[ 58.663684]  secondary_startup_64+0xa4/0xb0
[ 58.663685] 
[ 58.663687] -> #1 (&p->pi_lock){-.-.}:
[ 58.663695]  _raw_spin_lock_irqsave+0x95/0xcd
[ 58.663697]  try_to_wake_up+0x94/0xf50
[ 58.663699]  wake_up_process+0x10/0x20
[ 58.663702]  __up.isra.0+0x136/0x1a0
[ 58.663704]  up+0x9c/0xe0
[ 58.663706]  __up_console_sem+0xb7/0x1c0
[ 58.663709]  console_unlock+0x6c7/0x10d0
[ 58.663711]  vprintk_emit+0x280/0x6d0
[ 58.663713]  vprintk_default+0x28/0x30
[ 58.663715]  vprintk_func+0x7e/0x189
[ 58.663717]  printk+0xba/0xed
[ 58.663720]  kauditd_hold_skb.cold+0x3f/0x4e
[ 58.663723]  kauditd_send_queue+0x12d/0x170
[ 58.663725]  kauditd_thread+0x71c/0xa50
[ 58.663727]  kthread+0x354/0x420
[ 58.663729]  ret_from_fork+0x24/0x30
[ 58.663730] 
[ 58.663732] -> #0 ((console_sem).lock){-.-.}:
[ 58.663740]  lock_acquire+0x16f/0x3f0
[ 58.663742]  _raw_spin_lock_irqsave+0x95/0xcd
[ 58.663745]  down_trylock+0x13/0x70
[ 58.663747]  __down_trylock_console_sem+0xa8/0x210
[ 58.663750]  console_trylock+0x15/0xa0
[ 58.663752]  vprintk_emit+0x267/0x6d0
[ 58.663754]  vprintk_default+0x28/0x30
[ 58.663757]  vprintk_func+0x7e/0x189
[ 58.663759]  printk+0xba/0xed
[ 58.663761]  __warn_printk+0x9b/0xf3
[ 58.663764]  debug_print_object+0x168/0x250
[ 58.663766]  debug_check_no_obj_freed+0x29f/0x464
[ 58.663768]  kfree+0xbd/0x220
[ 58.663771]  rfcomm_dlc_free+0x20/0x30
[ 58.663773]  rfcomm_dev_ioctl+0x1988/0x1c90
[ 58.663776]  rfcomm_sock_ioctl+0x90/0xb0
[ 58.663778]  sock_do_ioctl+0xd8/0x2f0
[ 58.663780]  sock_ioctl+0x325/0x610
[ 58.663782]  do_vfs_ioctl+0xd5f/0x1380
[ 58.663785]  ksys_ioctl+0xab/0xd0
[ 58.663787]  __x64_sys_ioctl+0x73/0xb0
[ 58.663789]  do_syscall_64+0xfd/0x620
[ 58.663792]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.663793] 
[ 58.663796] other info that might help us debug this:
[ 58.663797] 
[ 58.663799] Chain exists of:
[ 58.663800]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 58.663811] 
[ 58.663813]  Possible unsafe locking scenario:
[ 58.663814] 
[ 58.663817]        CPU0                    CPU1
[ 58.663819]        ----                    ----
[ 58.663821]   lock(&obj_hash[i].lock);
[ 58.663826]                                lock(hrtimer_bases.lock);
[ 58.663831]                                lock(&obj_hash[i].lock);
[ 58.663836]   lock((console_sem).lock);
[ 58.663840] 
[ 58.663842]  *** DEADLOCK ***
[ 58.663843] 
[ 58.663846] 3 locks held by syz-executor128/7973:
[ 58.663847]  #0: 00000000f3e1e990 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 58.663858]  #1: 000000003a25ca5a (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x923/0x1c90
[ 58.663868]  #2: 00000000adc8678e (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 58.663877] 
[ 58.663879] stack backtrace:
[ 58.663883] CPU: 0 PID: 7973 Comm: syz-executor128 Not tainted 4.19.93-syzkaller #0
[ 58.663888] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.663890] Call Trace:
[ 58.663892]  dump_stack+0x197/0x210
[ 58.663895]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 58.663897]  __lock_acquire+0x2e19/0x49c0
[ 58.663899]  ? mark_held_locks+0x100/0x100
[ 58.663902]  ? kvm_clock_read+0x18/0x30
[ 58.663904]  ? kvm_sched_clock_read+0x9/0x20
[ 58.663907]  lock_acquire+0x16f/0x3f0
[ 58.663909]  ? down_trylock+0x13/0x70
[ 58.663911]  _raw_spin_lock_irqsave+0x95/0xcd
[ 58.663914]  ? down_trylock+0x13/0x70
[ 58.663916]  ? vprintk_emit+0x267/0x6d0
[ 58.663918]  down_trylock+0x13/0x70
[ 58.663920]  ? vprintk_emit+0x267/0x6d0
[ 58.663923]  __down_trylock_console_sem+0xa8/0x210
[ 58.663925]  console_trylock+0x15/0xa0
[ 58.663928]  vprintk_emit+0x267/0x6d0
[ 58.663930]  ? __internal_add_timer+0x1f0/0x1f0
[ 58.663932]  vprintk_default+0x28/0x30
[ 58.663935]  vprintk_func+0x7e/0x189
[ 58.663937]  printk+0xba/0xed
[ 58.663939]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 58.663941]  ? __warn_printk+0x8f/0xf3
[ 58.663944]  ? rfcomm_dlc_link+0x170/0x170
[ 58.663946]  __warn_printk+0x9b/0xf3
[ 58.663948]  ? add_taint.cold+0x16/0x16
[ 58.663951]  ? skb_dequeue+0x12e/0x180
[ 58.663953]  ? rfcomm_dlc_link+0x170/0x170
[ 58.663955]  debug_print_object+0x168/0x250
[ 58.663958]  debug_check_no_obj_freed+0x29f/0x464
[ 58.663960]  kfree+0xbd/0x220
[ 58.663962]  rfcomm_dlc_free+0x20/0x30
[ 58.663965]  rfcomm_dev_ioctl+0x1988/0x1c90
[ 58.663967]  ? mark_held_locks+0xb1/0x100
[ 58.663970]  ? lock_sock_nested+0xe2/0x120
[ 58.663972]  ? rfcomm_tty_install+0x1a0/0x1a0
[ 58.663975]  ? lock_sock_nested+0x9a/0x120
[ 58.663977]  ? trace_hardirqs_on+0x67/0x220
[ 58.663980]  ? __local_bh_enable_ip+0x15a/0x270
[ 58.663982]  rfcomm_sock_ioctl+0x90/0xb0
[ 58.663984]  sock_do_ioctl+0xd8/0x2f0
[ 58.663987]  ? compat_ifr_data_ioctl+0x160/0x160
[ 58.663989]  ? __lock_acquire+0x6ee/0x49c0
[ 58.663992]  ? rcu_read_lock_sched_held+0x110/0x130
[ 58.663994]  ? kmem_cache_alloc+0x32a/0x700
[ 58.663997]  sock_ioctl+0x325/0x610
[ 58.663999]  ? dlci_ioctl_set+0x40/0x40
[ 58.664002]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.664004]  ? __might_sleep+0x95/0x190
[ 58.664007]  ? find_held_lock+0x35/0x130
[ 58.664009]  ? dlci_ioctl_set+0x40/0x40
[ 58.664011]  do_vfs_ioctl+0xd5f/0x1380
[ 58.664014]  ? selinux_file_ioctl+0x46f/0x5e0
[ 58.664016]  ? selinux_file_ioctl+0x125/0x5e0
[ 58.664019]  ? ioctl_preallocate+0x210/0x210
[ 58.664022]  ? selinux_file_mprotect+0x620/0x620
[ 58.664024]  ? __sanitizer_cov_trace_cmp2+0xb/0x20
[ 58.664027]  ? __fd_install+0x200/0x640
[ 58.664029]  ? fd_install+0x4d/0x60
[ 58.664032]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.664034]  ? security_file_ioctl+0x8d/0xc0
[ 58.664036]  ksys_ioctl+0xab/0xd0
[ 58.664039]  __x64_sys_ioctl+0x73/0xb0
[ 58.664041]  do_syscall_64+0xfd/0x620
[ 58.664054]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.664057] RIP: 0033:0x4412b9
[ 58.664071] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.664076] RSP: 002b:00007ffd8eded2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.664086] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 58.664092] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 58.664099] RBP: 000000000000e350 R08: 00000000004002c8 R09: 00000000004002c8
[ 58.664105] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 58.664111] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 58.665341] Kernel Offset: disabled
[ 59.623043] Rebooting in 86400 seconds..
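Triage note and example (added here; not part of the syzkaller report above). What the log records: debug_check_no_obj_freed, called from kfree, found a timer_list whose callback is rfcomm_dlc_timeout still in the active state inside the memory rfcomm_dlc_free was releasing, so the timer would later have fired against freed memory; panic_on_warn turned the WARN into a panic. The lockdep splat that follows is a side effect of the WARN itself: printk took (console_sem).lock while debug_check_no_obj_freed still held &obj_hash[i].lock, closing the chain (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock. The user-space register dump names the trigger: on x86_64 ORIG_RAX 0x10 is ioctl, RDI 4 is the socket fd, and RSI 0x400452c8 is the request number. The Python below is an example triage helper written for this page, not syzkaller's or the kernel's code. It pulls those facts out of console output of this shape and decodes the ioctl number; the frame-skipping heuristic for the crash title is modelled on how syzkaller names ODEBUG crashes but is an approximation, the two RFCOMM ioctl names are the _IOW('R', 200/201, int) values from include/net/bluetooth/rfcomm.h, and the embedded sample is an abridged copy of the log above.

```python
"""Triage a syzkaller console log: ODEBUG hint, culprit frame, lockdep chain,
and the user-space syscall (with ioctl decoding) that triggered the WARN."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")                      # "[   58.232774] "
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REG = re.compile(r"\b([A-Z][A-Z0-9_]*): ([0-9a-f]{16})\b")  # "RDI: 0000000000000004"
HELD = re.compile(r"^#\d+: [0-9a-f]+ \((.+)\)\{[^}]*\}, at: ([\w.]+)\+0x")
# Frames the warning/alloc/printk machinery contributes itself. The culprit
# is the first reliable (non-"?") frame below them. Heuristic modelled on
# syzkaller's title derivation; not syzkaller's code.
INFRA = re.compile(r"^(dump_stack|panic|__warn|report_bug|do_error_trap|"
                   r"do_invalid_op|invalid_op|debug_|kfree|kmem_cache_free|"
                   r"__sanitizer_cov|print_circular_bug|__lock_acquire|"
                   r"lock_acquire|_raw_spin|printk|vprintk|console_|down_trylock)")
X86_64_SYSCALLS = {16: "ioctl"}                   # only the number this log uses
RFCOMM_IOCTLS = {("R", 200): "RFCOMMCREATEDEV",   # _IOW('R', 200, int), rfcomm.h
                 ("R", 201): "RFCOMMRELEASEDEV"}  # _IOW('R', 201, int), rfcomm.h


@dataclass
class Triage:
    odebug_hint: str | None = None    # timer callback still armed at kfree time
    warning_at: str | None = None     # file:line of the WARN
    culprit: str | None = None        # first non-infrastructure frame
    lock_chain: list[str] = field(default_factory=list)
    held_locks: list[tuple[str, str]] = field(default_factory=list)
    deadlock: bool = False
    user_regs: dict[str, int] = field(default_factory=dict)


def decode_ioctl(cmd: int) -> tuple[str, str, int, int]:
    """Split an ioctl request into (dir, type, nr, size) per asm-generic/ioctl.h."""
    direction = {0: "NONE", 1: "W", 2: "R", 3: "RW"}[(cmd >> 30) & 3]
    return direction, chr((cmd >> 8) & 0xFF), cmd & 0xFF, (cmd >> 16) & 0x3FFF


def parse(log: str) -> Triage:
    t = Triage()
    in_trace = in_regs = False
    for raw in log.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"ODEBUG: .*hint: ([\w.]+)\+0x", line):
            t.odebug_hint = m.group(1)
        elif m := re.match(r"WARNING: CPU: \d+ PID: \d+ at (\S+) ", line):
            t.warning_at = t.warning_at or m.group(1)
        elif line == "Call Trace:":
            in_trace = t.culprit is None           # only the first trace names the culprit
        elif in_trace and (m := FRAME.match(line)):
            if m.group(1) is None and not INFRA.match(m.group(2)):
                t.culprit, in_trace = m.group(2), False
        elif line.startswith("RIP: 0033:"):         # user-space (CPL 3) register dump follows
            in_regs = not t.user_regs
        elif in_regs and (pairs := REG.findall(line)):
            t.user_regs.update({k: int(v, 16) for k, v in pairs})
        elif in_regs and not line.startswith("Code:"):
            in_regs = False
        elif "-->" in line:                         # lockdep "Chain exists of:" line
            t.lock_chain = [s.strip() for s in line.split("-->")]
        elif m := HELD.match(line):
            t.held_locks.append((m.group(1), m.group(2)))
        elif line == "*** DEADLOCK ***":
            t.deadlock = True
    return t


def title(t: Triage) -> str:
    """Crash title in the style syzkaller uses for ODEBUG warnings."""
    if t.odebug_hint and t.culprit:
        return f"WARNING: ODEBUG bug in {t.culprit}"
    return f"WARNING in {t.culprit or 'unknown'}"


def triggering_syscall(t: Triage) -> str:
    nr = t.user_regs.get("ORIG_RAX")
    name = X86_64_SYSCALLS.get(nr, f"nr {nr}")
    if name == "ioctl":                             # ioctl(fd=RDI, cmd=RSI, arg=RDX)
        fd, cmd = t.user_regs["RDI"], t.user_regs["RSI"]
        d, typ, n, size = decode_ioctl(cmd)
        known = RFCOMM_IOCTLS.get((typ, n), "")
        return (f"ioctl(fd={fd}, cmd=0x{cmd:x} [_IO{d}('{typ}', {n}, size {size})"
                f"{' = ' + known if known else ''}])")
    return name


# Abridged from the console log above (same values, fewer frames).
SAMPLE_LOG = """\
[   58.232774] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[   58.242795] WARNING: CPU: 0 PID: 7973 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[   58.275998] Call Trace:
[   58.278575]  dump_stack+0x197/0x210
[   58.289264]  ? debug_print_object+0x168/0x250
[   58.310737]  __warn.cold+0x20/0x53
[   58.363255] RIP: 0010:debug_print_object+0x168/0x250
[   58.442584]  debug_check_no_obj_freed+0x29f/0x464
[   58.447417]  kfree+0xbd/0x220
[   58.450509]  rfcomm_dlc_free+0x20/0x30
[   58.454435]  rfcomm_dev_ioctl+0x1988/0x1c90
[   58.597365] RIP: 0033:0x4412b9
[   58.600540] Code: e8 fc ab 02 00 48 83 c4 18 c3
[   58.619519] RSP: 002b:00007ffd8eded2c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   58.627213] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[   58.634468] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[   58.663494] WARNING: possible circular locking dependency detected
[   58.663800]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[   58.663842]  *** DEADLOCK ***
[   58.663847]  #0: 00000000f3e1e990 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[   58.663858]  #1: 000000003a25ca5a (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x923/0x1c90
[   58.663868]  #2: 00000000adc8678e (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
"""

if __name__ == "__main__":
    t = parse(SAMPLE_LOG)
    print(title(t), "at", t.warning_at)
    print("timer still armed:", t.odebug_hint)
    print("trigger:", triggering_syscall(t))
    print("lockdep chain:", " --> ".join(t.lock_chain), "deadlock" if t.deadlock else "")
```

Run it against the full log (or any syzkaller console log) by passing the text to parse(). The decode of RSI is what ties the splat back to a concrete entry point: 0x400452c8 is a 4-byte write-direction request in the 'R' group with number 200, which is how the kernel lays out RFCOMMCREATEDEV, so the object lifetime problem sits in the device-creation path of rfcomm_dev_ioctl rather than in the timer code the ODEBUG line names.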