Warning: Permanently added '10.128.0.188' (ECDSA) to the list of known hosts.
[ 42.679289] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 42.796599] audit: type=1400 audit(1584990865.292:36): avc: denied { map } for pid=7401 comm="syz-executor812" path="/root/syz-executor812287922" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 47.806502] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x60
[ 47.817119] ------------[ cut here ]------------
[ 47.821946] WARNING: CPU: 0 PID: 7404 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 47.831222] Kernel panic - not syncing: panic_on_warn set ...
[ 47.831222]
[ 47.839062] CPU: 0 PID: 7404 Comm: syz-executor812 Not tainted 4.14.174-syzkaller #0
[ 47.846939] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.856278] Call Trace:
[ 47.858855]  dump_stack+0x13e/0x194
[ 47.862466]  panic+0x1f9/0x42d
[ 47.865655]  ? add_taint.cold+0x16/0x16
[ 47.869623]  ? debug_print_object.cold+0xa7/0xdb
[ 47.874370]  ? debug_print_object.cold+0xa7/0xdb
[ 47.879120]  __warn.cold+0x2f/0x30
[ 47.882652]  ? ist_end_non_atomic+0x10/0x10
[ 47.887158]  ? debug_print_object.cold+0xa7/0xdb
[ 47.891917]  report_bug+0x20a/0x248
[ 47.895697]  do_error_trap+0x195/0x2d0
[ 47.899661]  ? math_error+0x2d0/0x2d0
[ 47.903465]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 47.909679]  invalid_op+0x1b/0x40
[ 47.913118] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 47.918473] RSP: 0018:ffff88809157fb10 EFLAGS: 00010086
[ 47.923816] RAX: 000000000000005e RBX: 0000000000000003 RCX: 0000000000000000
[ 47.931064] RDX: 0000000000000000 RSI: ffffffff86ac07e0 RDI: ffffed10122aff58
[ 47.938322] RBP: ffffffff86abba60 R08: 000000000000005e R09: 0000000000000000
[ 47.945571] R10: fffffbfff14a8cd9 R11: ffff8880827e4600 R12: ffffffff85a89100
[ 47.952819] R13: 0000000000000000 R14: ffffffff8a72d088 R15: ffff88808fad9c40
[ 47.960226]  ? rfcomm_dlc_link+0x150/0x150
[ 47.964544]  debug_check_no_obj_freed+0x3cd/0x6e4
[ 47.969392]  ? __lock_is_held+0xad/0x140
[ 47.973446]  ? free_obj_work+0x600/0x600
[ 47.977494]  kfree+0xbb/0x260
[ 47.980587]  rfcomm_dev_ioctl+0x151f/0x1810
[ 47.985007]  ? rfcomm_tty_install+0x180/0x180
[ 47.989621]  ? __local_bh_enable_ip+0x94/0x190
[ 47.994213]  rfcomm_sock_ioctl+0x7d/0xa0
[ 47.998272]  sock_do_ioctl+0x5f/0xa0
[ 48.001972]  sock_ioctl+0x28d/0x450
[ 48.005728]  ? selinux_file_ioctl+0x3f7/0x560
[ 48.010212]  ? dlci_ioctl_set+0x30/0x30
[ 48.014181]  do_vfs_ioctl+0x75a/0xfe0
[ 48.017972]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 48.022733]  ? get_unused_fd_flags+0xc0/0xc0
[ 48.027214]  ? ioctl_preallocate+0x1a0/0x1a0
[ 48.031624]  ? __sock_create+0x6d/0x620
[ 48.035712]  ? security_file_ioctl+0x76/0xb0
[ 48.040129]  ? security_file_ioctl+0x83/0xb0
[ 48.044731]  SyS_ioctl+0x7f/0xb0
[ 48.048170]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 48.052192]  do_syscall_64+0x1d5/0x640
[ 48.056142]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.061327] RIP: 0033:0x441309
[ 48.064506] RSP: 002b:00007ffff0f7aa08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 48.072438] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441309
[ 48.079779] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000005
[ 48.087350] RBP: 000000000000bab9 R08: 00000000004002c8 R09: 00000000004002c8
[ 48.094615] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402130
[ 48.101952] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 48.109212]
[ 48.109214] ======================================================
[ 48.109215] WARNING: possible circular locking dependency detected
[ 48.109217] 4.14.174-syzkaller #0 Not tainted
[ 48.109218] ------------------------------------------------------
[ 48.109220] syz-executor812/7404 is trying to acquire lock:
[ 48.109221]  ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 48.109225]
[ 48.109226] but task is already holding lock:
[ 48.109227]  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x125/0x6e4
[ 48.109231]
[ 48.109232] which lock already depends on the new lock.
[ 48.109233]
[ 48.109234]
[ 48.109235] the existing dependency chain (in reverse order) is:
[ 48.109236]
[ 48.109236] -> #5 (&obj_hash[i].lock){-.-.}:
[ 48.109241]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 48.109242]        debug_object_activate+0x10b/0x450
[ 48.109243]        enqueue_hrtimer+0x22/0x3b0
[ 48.109245]        hrtimer_start_range_ns+0x4e6/0x1060
[ 48.109246]        schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 48.109247]        wait_task_inactive+0x478/0x530
[ 48.109249]        __kthread_bind_mask+0x1f/0xb0
[ 48.109250]        create_worker+0x313/0x530
[ 48.109251]        workqueue_init+0x55f/0x66e
[ 48.109253]        kernel_init_freeable+0x2ab/0x526
[ 48.109254]        kernel_init+0xd/0x15b
[ 48.109255]        ret_from_fork+0x24/0x30
[ 48.109255]
[ 48.109256] -> #4 (hrtimer_bases.lock){-.-.}:
[ 48.109260]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 48.109262]        lock_hrtimer_base.isra.0+0x6d/0x120
[ 48.109263]        hrtimer_start_range_ns+0x7b/0x1060
[ 48.109264]        enqueue_task_rt+0x94d/0xdb0
[ 48.109266]        __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 48.109267]        _sched_setscheduler+0xf9/0x150
[ 48.109268]        watchdog_enable+0xff/0x150
[ 48.109270]        smpboot_thread_fn+0x40d/0x920
[ 48.109271]        kthread+0x30d/0x420
[ 48.109272]        ret_from_fork+0x24/0x30
[ 48.109273]
[ 48.109273] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 48.109277]        _raw_spin_lock+0x2a/0x40
[ 48.109279]        enqueue_task_rt+0x508/0xdb0
[ 48.109280]        __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 48.109281]        _sched_setscheduler+0xf9/0x150
[ 48.109283]        watchdog_enable+0xff/0x150
[ 48.109284]        smpboot_thread_fn+0x40d/0x920
[ 48.109285]        kthread+0x30d/0x420
[ 48.109286]        ret_from_fork+0x24/0x30
[ 48.109287]
[ 48.109287] -> #2 (&rq->lock){-.-.}:
[ 48.109291]        _raw_spin_lock+0x2a/0x40
[ 48.109293]        task_fork_fair+0x63/0x5b0
[ 48.109294]        sched_fork+0x39a/0xbd0
[ 48.109295]        copy_process.part.0+0x15b7/0x6a70
[ 48.109296]        _do_fork+0x180/0xc80
[ 48.109297]        kernel_thread+0x2f/0x40
[ 48.109298]        rest_init+0x1f/0x1d2
[ 48.109300]        start_kernel+0x659/0x676
[ 48.109301]        secondary_startup_64+0xa5/0xb0
[ 48.109302]
[ 48.109302] -> #1 (&p->pi_lock){-.-.}:
[ 48.109306]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 48.109308]        try_to_wake_up+0x6a/0xef0
[ 48.109308]        up+0x92/0xe0
[ 48.109310]        __up_console_sem+0xa9/0x1b0
[ 48.109311]        console_unlock+0x596/0xec0
[ 48.109312]        vprintk_emit+0x1f8/0x600
[ 48.109313]        vprintk_func+0x58/0x152
[ 48.109314]        printk+0x9e/0xbc
[ 48.109316]        kauditd_hold_skb.cold+0x3e/0x4d
[ 48.109317]        kauditd_send_queue+0xfb/0x140
[ 48.109318]        kauditd_thread+0x625/0x840
[ 48.109319]        kthread+0x30d/0x420
[ 48.109320]        ret_from_fork+0x24/0x30
[ 48.109321]
[ 48.109322] -> #0 ((console_sem).lock){-...}:
[ 48.109326]        lock_acquire+0x170/0x3f0
[ 48.109327]        _raw_spin_lock_irqsave+0x8c/0xbf
[ 48.109328]        down_trylock+0xe/0x60
[ 48.109330]        __down_trylock_console_sem+0x97/0x1f0
[ 48.109331]        console_trylock+0x14/0x70
[ 48.109332]        vprintk_emit+0x1ea/0x600
[ 48.109334]        vprintk_func+0x58/0x152
[ 48.109335]        printk+0x9e/0xbc
[ 48.109336]        debug_print_object.cold+0xa7/0xdb
[ 48.109338]        debug_check_no_obj_freed+0x3cd/0x6e4
[ 48.109339]        kfree+0xbb/0x260
[ 48.109340]        rfcomm_dev_ioctl+0x151f/0x1810
[ 48.109341]        rfcomm_sock_ioctl+0x7d/0xa0
[ 48.109342]        sock_do_ioctl+0x5f/0xa0
[ 48.109343]        sock_ioctl+0x28d/0x450
[ 48.109345]        do_vfs_ioctl+0x75a/0xfe0
[ 48.109346]        SyS_ioctl+0x7f/0xb0
[ 48.109347]        do_syscall_64+0x1d5/0x640
[ 48.109349]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.109349]
[ 48.109351] other info that might help us debug this:
[ 48.109351]
[ 48.109352] Chain exists of:
[ 48.109353]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 48.109358]
[ 48.109359]  Possible unsafe locking scenario:
[ 48.109360]
[ 48.109361]        CPU0                    CPU1
[ 48.109362]        ----                    ----
[ 48.109363]   lock(&obj_hash[i].lock);
[ 48.109366]                                lock(hrtimer_bases.lock);
[ 48.109368]                                lock(&obj_hash[i].lock);
[ 48.109371]   lock((console_sem).lock);
[ 48.109373]
[ 48.109374]  *** DEADLOCK ***
[ 48.109375]
[ 48.109376] 3 locks held by syz-executor812/7404:
[ 48.109377]  #0:  (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: [] rfcomm_sock_ioctl+0x6f/0xa0
[ 48.109381]  #1:  (rfcomm_ioctl_mutex){+.+.}, at: [] rfcomm_dev_ioctl+0x450/0x1810
[ 48.109386]  #2:  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x125/0x6e4
[ 48.109390]
[ 48.109391] stack backtrace:
[ 48.109393] CPU: 0 PID: 7404 Comm: syz-executor812 Not tainted 4.14.174-syzkaller #0
[ 48.109396] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.109396] Call Trace:
[ 48.109398]  dump_stack+0x13e/0x194
[ 48.109399]  print_circular_bug.isra.0.cold+0x1c4/0x282
[ 48.109400]  __lock_acquire+0x2cb3/0x4620
[ 48.109402]  ? add_lock_to_list.isra.0+0x179/0x330
[ 48.109403]  ? save_trace+0xd6/0x290
[ 48.109404]  ? trace_hardirqs_on+0x10/0x10
[ 48.109405]  ? netdev_bits+0xa0/0xa0
[ 48.109406]  ? __bfs+0x220/0x5b0
[ 48.109407]  ? kvm_clock_read+0x1f/0x30
[ 48.109409]  ? kvm_sched_clock_read+0x5/0x10
[ 48.109410]  lock_acquire+0x170/0x3f0
[ 48.109411]  ? down_trylock+0xe/0x60
[ 48.109412]  _raw_spin_lock_irqsave+0x8c/0xbf
[ 48.109414]  ? down_trylock+0xe/0x60
[ 48.109415]  down_trylock+0xe/0x60
[ 48.109416]  ? vprintk_emit+0x1ea/0x600
[ 48.109417]  __down_trylock_console_sem+0x97/0x1f0
[ 48.109418]  console_trylock+0x14/0x70
[ 48.109419]  vprintk_emit+0x1ea/0x600
[ 48.109421]  vprintk_func+0x58/0x152
[ 48.109422]  printk+0x9e/0xbc
[ 48.109423]  ? show_regs_print_info+0x5b/0x5b
[ 48.109424]  ? lock_acquire+0x170/0x3f0
[ 48.109425]  ? debug_check_no_obj_freed+0x125/0x6e4
[ 48.109427]  ? rfcomm_dlc_link+0x150/0x150
[ 48.109428]  ? rfcomm_dlc_link+0x150/0x150
[ 48.109429]  debug_print_object.cold+0xa7/0xdb
[ 48.109431]  debug_check_no_obj_freed+0x3cd/0x6e4
[ 48.109432]  ? __lock_is_held+0xad/0x140
[ 48.109433]  ? free_obj_work+0x600/0x600
[ 48.109434]  kfree+0xbb/0x260
[ 48.109435]  rfcomm_dev_ioctl+0x151f/0x1810
[ 48.109436]  ? rfcomm_tty_install+0x180/0x180
[ 48.109438]  ? __local_bh_enable_ip+0x94/0x190
[ 48.109439]  rfcomm_sock_ioctl+0x7d/0xa0
[ 48.109440]  sock_do_ioctl+0x5f/0xa0
[ 48.109441]  sock_ioctl+0x28d/0x450
[ 48.109442]  ? selinux_file_ioctl+0x3f7/0x560
[ 48.109444]  ? dlci_ioctl_set+0x30/0x30
[ 48.109445]  do_vfs_ioctl+0x75a/0xfe0
[ 48.109446]  ? selinux_file_mprotect+0x5c0/0x5c0
[ 48.109447]  ? get_unused_fd_flags+0xc0/0xc0
[ 48.109449]  ? ioctl_preallocate+0x1a0/0x1a0
[ 48.109450]  ? __sock_create+0x6d/0x620
[ 48.109451]  ? security_file_ioctl+0x76/0xb0
[ 48.109452]  ? security_file_ioctl+0x83/0xb0
[ 48.109453]  SyS_ioctl+0x7f/0xb0
[ 48.109455]  ? do_vfs_ioctl+0xfe0/0xfe0
[ 48.109456]  do_syscall_64+0x1d5/0x640
[ 48.109457]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.109458] RIP: 0033:0x441309
[ 48.109459] RSP: 002b:00007ffff0f7aa08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 48.109462] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441309
[ 48.109465] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000005
[ 48.109467] RBP: 000000000000bab9 R08: 00000000004002c8 R09: 00000000004002c8
[ 48.109470] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402130
[ 48.109472] R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000
[ 48.110725] Kernel Offset: disabled
[ 48.930230] Rebooting in 86400 seconds..
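Added example, not part of the report above and not kernel code: a user-space C model of the check that produced the "ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout" line. debugobjects keeps a table of every initialised timer_list keyed by address; when memory is freed, debug_check_no_obj_freed() scans the freed range and reports any tracked object that is still ACTIVE (armed). The model shows why freeing a heap object while its embedded timer is armed trips that check (and, with panic_on_warn set, panics the box) and why cancelling the timer first does not. The struct name my_dlc, the registry, and the simplified timer_setup/mod_timer/del_timer_sync/kfree stand-ins carry the kernel's names but are this example's own assumptions, not the rfcomm or debugobjects code.

```c
/* Model of the debugobjects "free active" check. All names and the
 * registry are this example's own; they only mimic the kernel API shape. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum obj_state { ODEBUG_STATE_NONE, ODEBUG_STATE_INIT, ODEBUG_STATE_ACTIVE };

struct timer_list {
	void (*function)(struct timer_list *);
	unsigned long expires;
};

/* Stand-in for debugobjects' obj_hash: tracked address -> state. */
#define MAX_TRACKED 16
static struct { const void *addr; enum obj_state state; } obj_registry[MAX_TRACKED];

static int registry_slot(const void *addr)
{
	int spare = -1;
	for (int i = 0; i < MAX_TRACKED; i++) {
		if (obj_registry[i].addr == addr)
			return i;
		if (!obj_registry[i].addr && spare < 0)
			spare = i;
	}
	return spare; /* -1 when the registry is full */
}

static void dbg_set_state(const void *addr, enum obj_state st)
{
	int i = registry_slot(addr);
	if (i < 0) {
		fputs("model registry full\n", stderr);
		abort();
	}
	obj_registry[i].addr = addr;
	obj_registry[i].state = st;
}

/* timer_setup(): tracked as INIT.  mod_timer(): armed, so ACTIVE.
 * del_timer_sync(): disarmed (and callback finished), back to INIT. */
static void timer_setup(struct timer_list *t, void (*fn)(struct timer_list *))
{
	t->function = fn;
	t->expires = 0;
	dbg_set_state(t, ODEBUG_STATE_INIT);
}
static void mod_timer(struct timer_list *t, unsigned long expires)
{
	t->expires = expires;
	dbg_set_state(t, ODEBUG_STATE_ACTIVE);
}
static void del_timer_sync(struct timer_list *t)
{
	dbg_set_state(t, ODEBUG_STATE_INIT);
}

/* Model of debug_check_no_obj_freed(): report every tracked object inside
 * [addr, addr+size) that is still ACTIVE, then forget all objects in the
 * range. Returns the number of reports; the kernel WARNs once per report. */
static int debug_check_no_obj_freed(const void *addr, size_t size)
{
	uintptr_t lo = (uintptr_t)addr, hi = lo + size;
	int reports = 0;
	for (int i = 0; i < MAX_TRACKED; i++) {
		uintptr_t o = (uintptr_t)obj_registry[i].addr;
		if (!obj_registry[i].addr || o < lo || o >= hi)
			continue;
		if (obj_registry[i].state == ODEBUG_STATE_ACTIVE) {
			fprintf(stderr, "ODEBUG: free active object type: timer_list at %p\n",
				obj_registry[i].addr);
			reports++;
		}
		obj_registry[i].addr = NULL; /* the memory is gone either way */
		obj_registry[i].state = ODEBUG_STATE_NONE;
	}
	return reports;
}

/* kfree() stand-in: run the check, then release. Returns the report count. */
static int kfree(void *p, size_t size)
{
	int reports = debug_check_no_obj_freed(p, size);
	free(p);
	return reports;
}

/* Hypothetical object with an embedded timer, like a DLC with a timeout. */
struct my_dlc { int refcnt; struct timer_list timer; };
static void my_dlc_timeout(struct timer_list *t) { (void)t; }

/* Buggy release order: the object is freed while its timer is still armed.
 * An armed timer fires regardless of what happened to its storage, so the
 * callback would later run on freed memory. Returns 1 (one report). */
int release_without_cancel(void)
{
	struct my_dlc *d = calloc(1, sizeof *d);
	timer_setup(&d->timer, my_dlc_timeout);
	mod_timer(&d->timer, 1000);
	return kfree(d, sizeof *d);
}

/* Correct order: disarm and wait for the timer, then free. Returns 0. */
int release_with_cancel(void)
{
	struct my_dlc *d = calloc(1, sizeof *d);
	timer_setup(&d->timer, my_dlc_timeout);
	mod_timer(&d->timer, 1000);
	del_timer_sync(&d->timer);
	return kfree(d, sizeof *d);
}

int main(void)
{
	printf("free while armed: %d report(s)\n", release_without_cancel());
	printf("cancel then free: %d report(s)\n", release_with_cancel());
	return 0;
}
```

The real check lives in lib/debugobjects.c (the WARNING line above cites debug_print_object at line 287); the model keeps only the part that matters for reading this report: objects are tracked by address, and a free covering an ACTIVE object is reported. That is also why the second splat appears: the report is printed with printk() while the obj_hash lock is held, which is what lockdep's circular-dependency warning is about, and that splat is a consequence of the first one rather than a separate bug.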