[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.114184] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.545292] kauditd_printk_skb: 10 callbacks suppressed
[ 38.545301] audit: type=1400 audit(1578312930.798:35): avc: denied { map } for pid=7143 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.588748] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.206881] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.383054] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.48' (ECDSA) to the list of known hosts.
[ 44.903369] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 45.018633] audit: type=1400 audit(1578312937.268:36): avc: denied { map } for pid=7155 comm="syz-executor972" path="/root/syz-executor972059612" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 50.027598] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x60
[ 50.038013] ------------[ cut here ]------------
[ 50.042762] WARNING: CPU: 0 PID: 7158 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 50.051752] Kernel panic - not syncing: panic_on_warn set ...
[ 50.051752]
[ 50.059100] CPU: 0 PID: 7158 Comm: syz-executor972 Not tainted 4.14.162-syzkaller #0
[ 50.066965] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.076305] Call Trace:
[ 50.078882]  dump_stack+0x142/0x197
[ 50.082488]  panic+0x1f9/0x42d
[ 50.085676]  ? add_taint.cold+0x16/0x16
[ 50.089644]  ? debug_print_object.cold+0xa7/0xdb
[ 50.094384]  ? debug_print_object.cold+0xa7/0xdb
[ 50.099128]  __warn.cold+0x2f/0x2f
[ 50.102660]  ? ist_end_non_atomic+0x10/0x10
[ 50.106970]  ? debug_print_object.cold+0xa7/0xdb
[ 50.111719]  report_bug+0x216/0x254
[ 50.115335]  do_error_trap+0x1bb/0x310
[ 50.119211]  ? math_error+0x360/0x360
[ 50.123006]  ? vprintk_emit+0x171/0x600
[ 50.126967]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.131791]  do_invalid_op+0x1b/0x20
[ 50.135493]  invalid_op+0x1b/0x40
[ 50.138934] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 50.144278] RSP: 0018:ffff888091e6faa8 EFLAGS: 00010086
[ 50.149625] RAX: 000000000000005e RBX: 0000000000000003 RCX: 0000000000000000
[ 50.156920] RDX: 0000000000000000 RSI: ffffffff86cc44e0 RDI: ffffed10123cdf4b
[ 50.164206] RBP: ffff888091e6fad0 R08: 000000000000005e R09: 0000000000000000
[ 50.171455] R10: 0000000000000000 R11: ffff88807b7b62c0 R12: ffffffff86cbf760
[ 50.178747] R13: ffffffff85ce2990 R14: 0000000000000000 R15: ffff8880a9f90068
[ 50.186136]  ? rfcomm_dlc_link+0x160/0x160
[ 50.190374]  ? debug_print_object.cold+0xa7/0xdb
[ 50.195116]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 50.199961]  ? free_obj_work+0x6d0/0x6d0
[ 50.204003]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 50.209432]  kfree+0xbd/0x270
[ 50.212518]  rfcomm_dlc_free+0x20/0x30
[ 50.216384]  rfcomm_dev_ioctl+0x1637/0x1920
[ 50.220694]  ? mark_held_locks+0xb1/0x100
[ 50.224834]  ? rfcomm_tty_install+0x180/0x180
[ 50.229322]  ? __local_bh_enable_ip+0x99/0x1a0
[ 50.233891]  rfcomm_sock_ioctl+0x82/0xa0
[ 50.237932]  sock_do_ioctl+0x64/0xb0
[ 50.241625]  sock_ioctl+0x2a6/0x470
[ 50.245233]  ? dlci_ioctl_set+0x40/0x40
[ 50.249189]  do_vfs_ioctl+0x7ae/0x1060
[ 50.253056]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 50.257789]  ? ioctl_preallocate+0x1c0/0x1c0
[ 50.262175]  ? fd_install+0x4d/0x60
[ 50.265782]  ? security_file_ioctl+0x7d/0xb0
[ 50.270169]  ? security_file_ioctl+0x89/0xb0
[ 50.274555]  SyS_ioctl+0x8f/0xc0
[ 50.277900]  ? do_vfs_ioctl+0x1060/0x1060
[ 50.282026]  do_syscall_64+0x1e8/0x640
[ 50.285890]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.290714]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.295877] RIP: 0033:0x4412b9
[ 50.299042] RSP: 002b:00007ffe37d4a9f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 50.306724] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 50.313972] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 50.321229] RBP: 000000000000c366 R08: 00000000004002c8 R09: 00000000004002c8
[ 50.328475] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 50.335738] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 50.342995]
[ 50.342997] ======================================================
[ 50.342998] WARNING: possible circular locking dependency detected
[ 50.343000] 4.14.162-syzkaller #0 Not tainted
[ 50.343001] ------------------------------------------------------
[ 50.343003] syz-executor972/7158 is trying to acquire lock:
[ 50.343004]  ((console_sem).lock){-...}, at: [] down_trylock+0x13/0x70
[ 50.343008]
[ 50.343009] but task is already holding lock:
[ 50.343010]  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 50.343014]
[ 50.343015] which lock already depends on the new lock.
[ 50.343016]
[ 50.343016]
[ 50.343018] the existing dependency chain (in reverse order) is:
[ 50.343019]
[ 50.343019] -> #5 (&obj_hash[i].lock){-.-.}:
[ 50.343023]        lock_acquire+0x16f/0x430
[ 50.343025]        _raw_spin_lock_irqsave+0x95/0xcd
[ 50.343026]        debug_object_activate+0x10b/0x450
[ 50.343027]        enqueue_hrtimer+0x27/0x3b0
[ 50.343029]        hrtimer_start_range_ns+0x50a/0x10d0
[ 50.343030]        schedule_hrtimeout_range_clock+0x17c/0x340
[ 50.343031]        schedule_hrtimeout+0x25/0x30
[ 50.343033]        wait_task_inactive+0x4ac/0x580
[ 50.343034]        __kthread_bind_mask+0x24/0xc0
[ 50.343035]        kthread_bind_mask+0x23/0x30
[ 50.343036]        create_worker+0x31b/0x530
[ 50.343037]        workqueue_init+0x57b/0x68a
[ 50.343039]        kernel_init_freeable+0x2af/0x532
[ 50.343040]        kernel_init+0x12/0x162
[ 50.343041]        ret_from_fork+0x24/0x30
[ 50.343042]
[ 50.343042] -> #4 (hrtimer_bases.lock){-.-.}:
[ 50.343046]        lock_acquire+0x16f/0x430
[ 50.343048]        _raw_spin_lock_irqsave+0x95/0xcd
[ 50.343049]        lock_hrtimer_base.isra.0+0x75/0x130
[ 50.343050]        hrtimer_start_range_ns+0x7a/0x10d0
[ 50.343051]        enqueue_task_rt+0x972/0xe40
[ 50.343053]        __sched_setscheduler+0xd2a/0x2540
[ 50.343054]        _sched_setscheduler+0x113/0x180
[ 50.343055]        sched_setscheduler+0xe/0x10
[ 50.343056]        watchdog_enable+0x10b/0x160
[ 50.343058]        smpboot_thread_fn+0x444/0x960
[ 50.343059]        kthread+0x319/0x430
[ 50.343060]        ret_from_fork+0x24/0x30
[ 50.343061]
[ 50.343061] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 50.343065]        lock_acquire+0x16f/0x430
[ 50.343066]        _raw_spin_lock+0x2f/0x40
[ 50.343068]        enqueue_task_rt+0x524/0xe40
[ 50.343069]        __sched_setscheduler+0xd2a/0x2540
[ 50.343070]        _sched_setscheduler+0x113/0x180
[ 50.343071]        sched_setscheduler+0xe/0x10
[ 50.343073]        watchdog_enable+0x10b/0x160
[ 50.343074]        smpboot_thread_fn+0x444/0x960
[ 50.343075]        kthread+0x319/0x430
[ 50.343076]        ret_from_fork+0x24/0x30
[ 50.343077]
[ 50.343078] -> #2 (&rq->lock){-.-.}:
[ 50.343081]        lock_acquire+0x16f/0x430
[ 50.343083]        _raw_spin_lock+0x2f/0x40
[ 50.343084]        task_fork_fair+0x63/0x5b0
[ 50.343085]        sched_fork+0x3a6/0xc10
[ 50.343086]        copy_process.part.0+0x15b7/0x6a70
[ 50.343087]        _do_fork+0x19e/0xce0
[ 50.343088]        kernel_thread+0x34/0x40
[ 50.343089]        rest_init+0x24/0x1e2
[ 50.343091]        start_kernel+0x6df/0x6fd
[ 50.343092]        x86_64_start_reservations+0x29/0x2b
[ 50.343093]        x86_64_start_kernel+0x77/0x7b
[ 50.343094]        secondary_startup_64+0xa5/0xb0
[ 50.343095]
[ 50.343096] -> #1 (&p->pi_lock){-.-.}:
[ 50.343100]        lock_acquire+0x16f/0x430
[ 50.343101]        _raw_spin_lock_irqsave+0x95/0xcd
[ 50.343102]        try_to_wake_up+0x79/0xf90
[ 50.343103]        wake_up_process+0x10/0x20
[ 50.343104]        __up.isra.0+0x136/0x1a0
[ 50.343105]        up+0x9c/0xe0
[ 50.343106]        __up_console_sem+0xad/0x1b0
[ 50.343108]        console_unlock+0x59d/0xed0
[ 50.343109]        vprintk_emit+0x1f9/0x600
[ 50.343110]        vprintk_default+0x28/0x30
[ 50.343111]        vprintk_func+0x5d/0x159
[ 50.343112]        printk+0x9e/0xbc
[ 50.343113]        kauditd_hold_skb.cold+0x3e/0x4d
[ 50.343115]        kauditd_send_queue+0xfe/0x140
[ 50.343116]        kauditd_thread+0x644/0x860
[ 50.343117]        kthread+0x319/0x430
[ 50.343118]        ret_from_fork+0x24/0x30
[ 50.343119]
[ 50.343119] -> #0 ((console_sem).lock){-...}:
[ 50.343123]        __lock_acquire+0x2cb3/0x4620
[ 50.343125]        lock_acquire+0x16f/0x430
[ 50.343126]        _raw_spin_lock_irqsave+0x95/0xcd
[ 50.343127]        down_trylock+0x13/0x70
[ 50.343128]        __down_trylock_console_sem+0x9c/0x200
[ 50.343130]        console_trylock+0x17/0x80
[ 50.343131]        vprintk_emit+0x1eb/0x600
[ 50.343132]        vprintk_default+0x28/0x30
[ 50.343133]        vprintk_func+0x5d/0x159
[ 50.343134]        printk+0x9e/0xbc
[ 50.343135]        debug_print_object.cold+0xa7/0xdb
[ 50.343137]        debug_check_no_obj_freed+0x3f5/0x7b7
[ 50.343138]        kfree+0xbd/0x270
[ 50.343139]        rfcomm_dlc_free+0x20/0x30
[ 50.343140]        rfcomm_dev_ioctl+0x1637/0x1920
[ 50.343141]        rfcomm_sock_ioctl+0x82/0xa0
[ 50.343143]        sock_do_ioctl+0x64/0xb0
[ 50.343144]        sock_ioctl+0x2a6/0x470
[ 50.343145]        do_vfs_ioctl+0x7ae/0x1060
[ 50.343146]        SyS_ioctl+0x8f/0xc0
[ 50.343147]        do_syscall_64+0x1e8/0x640
[ 50.343148]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.343149]
[ 50.343150] other info that might help us debug this:
[ 50.343151]
[ 50.343152] Chain exists of:
[ 50.343153]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 50.343158]
[ 50.343159]  Possible unsafe locking scenario:
[ 50.343160]
[ 50.343161]        CPU0                    CPU1
[ 50.343162]        ----                    ----
[ 50.343163]   lock(&obj_hash[i].lock);
[ 50.343166]                                lock(hrtimer_bases.lock);
[ 50.343168]                                lock(&obj_hash[i].lock);
[ 50.343171]   lock((console_sem).lock);
[ 50.343173]
[ 50.343174]  *** DEADLOCK ***
[ 50.343175]
[ 50.343176] 3 locks held by syz-executor972/7158:
[ 50.343177]  #0:  (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: [] rfcomm_sock_ioctl+0x74/0xa0
[ 50.343181]  #1:  (rfcomm_ioctl_mutex){+.+.}, at: [] rfcomm_dev_ioctl+0x452/0x1920
[ 50.343186]  #2:  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 50.343190]
[ 50.343191] stack backtrace:
[ 50.343193] CPU: 0 PID: 7158 Comm: syz-executor972 Not tainted 4.14.162-syzkaller #0
[ 50.343195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.343196] Call Trace:
[ 50.343197]  dump_stack+0x142/0x197
[ 50.343199]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 50.343200]  __lock_acquire+0x2cb3/0x4620
[ 50.343201]  ? add_lock_to_list.isra.0+0x17c/0x330
[ 50.343202]  ? trace_hardirqs_on+0x10/0x10
[ 50.343203]  ? netdev_bits+0xb0/0xb0
[ 50.343205]  ? save_trace+0x290/0x290
[ 50.343206]  ? kvm_clock_read+0x23/0x40
[ 50.343207]  ? kvm_sched_clock_read+0x9/0x20
[ 50.343208]  lock_acquire+0x16f/0x430
[ 50.343209]  ? down_trylock+0x13/0x70
[ 50.343210]  ? vprintk_emit+0x109/0x600
[ 50.343211]  _raw_spin_lock_irqsave+0x95/0xcd
[ 50.343213]  ? down_trylock+0x13/0x70
[ 50.343214]  ? vprintk_emit+0x1eb/0x600
[ 50.343215]  down_trylock+0x13/0x70
[ 50.343216]  ? vprintk_emit+0x1eb/0x600
[ 50.343217]  __down_trylock_console_sem+0x9c/0x200
[ 50.343218]  console_trylock+0x17/0x80
[ 50.343219]  vprintk_emit+0x1eb/0x600
[ 50.343220]  vprintk_default+0x28/0x30
[ 50.343222]  vprintk_func+0x5d/0x159
[ 50.343223]  ? rfcomm_dlc_link+0x160/0x160
[ 50.343224]  printk+0x9e/0xbc
[ 50.343225]  ? show_regs_print_info+0x63/0x63
[ 50.343226]  ? lock_acquire+0x16f/0x430
[ 50.343228]  ? debug_check_no_obj_freed+0x12d/0x7b7
[ 50.343229]  ? rfcomm_dlc_link+0x160/0x160
[ 50.343230]  debug_print_object.cold+0xa7/0xdb
[ 50.343231]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 50.343232]  ? free_obj_work+0x6d0/0x6d0
[ 50.343234]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 50.343235]  kfree+0xbd/0x270
[ 50.343236]  rfcomm_dlc_free+0x20/0x30
[ 50.343237]  rfcomm_dev_ioctl+0x1637/0x1920
[ 50.343238]  ? mark_held_locks+0xb1/0x100
[ 50.343240]  ? rfcomm_tty_install+0x180/0x180
[ 50.343241]  ? __local_bh_enable_ip+0x99/0x1a0
[ 50.343242]  rfcomm_sock_ioctl+0x82/0xa0
[ 50.343243]  sock_do_ioctl+0x64/0xb0
[ 50.343244]  sock_ioctl+0x2a6/0x470
[ 50.343245]  ? dlci_ioctl_set+0x40/0x40
[ 50.343246]  do_vfs_ioctl+0x7ae/0x1060
[ 50.343248]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 50.343249]  ? ioctl_preallocate+0x1c0/0x1c0
[ 50.343250]  ? fd_install+0x4d/0x60
[ 50.343251]  ? security_file_ioctl+0x7d/0xb0
[ 50.343253]  ? security_file_ioctl+0x89/0xb0
[ 50.343254]  SyS_ioctl+0x8f/0xc0
[ 50.343255]  ? do_vfs_ioctl+0x1060/0x1060
[ 50.343256]  do_syscall_64+0x1e8/0x640
[ 50.343257]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.343259]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.343260] RIP: 0033:0x4412b9
[ 50.343261] RSP: 002b:00007ffe37d4a9f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 50.343264] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 50.343266] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 50.343268] RBP: 000000000000c366 R08: 00000000004002c8 R09: 00000000004002c8
[ 50.343270] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 50.343272] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 50.344410] Kernel Offset: disabled
[ 51.240113] Rebooting in 86400 seconds..
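The console log above stacks two kernel reports produced by a single ioctl(2) from syz-executor972. The primary one is from CONFIG_DEBUG_OBJECTS: rfcomm_dev_ioctl -> rfcomm_dlc_free -> kfree() releases a struct rfcomm_dlc whose timer_list (callback rfcomm_dlc_timeout) is still armed, so a later timer expiry would touch freed memory; panic_on_warn turns the WARN at lib/debugobjects.c:287 into a panic. The second report, the lockdep "possible circular locking dependency", is a side effect of the first: printk() called from debug_print_object() while &obj_hash[i].lock is held tries to take (console_sem).lock, and lockdep already knows a chain from console_sem back to obj_hash via hrtimer_bases.lock. Triage therefore starts from the user-space frame at the bottom of the trace (RIP: 0033:), which records the system call that entered the kernel: ORIG_RAX=0x10 with RDI=4, RSI=0x400452c8, RDX=0x20000100. The program below, added here as an illustration and not part of the report or of the kernel tree, decodes those registers. The ioctl number layout and the RFCOMM ioctl definitions are reproduced from the kernel's uapi headers; the register values are copied from the report; the system-call name table is a hand-picked subset and the arguments-in-rdi/rsi/rdx rule is the x86_64 syscall ABI.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Linux ioctl request-number layout on x86_64
 * (include/uapi/asm-generic/ioctl.h):
 *   bits  0..7   nr    (command number within the type)
 *   bits  8..15  type  (the "magic" character, 'R' for RFCOMM)
 *   bits 16..29  size  (sizeof the argument type named in the macro)
 *   bits 30..31  dir   (0 none, 1 write, 2 read, 3 read|write)
 */
#define IOC_NRSHIFT    0
#define IOC_TYPESHIFT  8
#define IOC_SIZESHIFT  16
#define IOC_DIRSHIFT   30
#define IOC_NONE   0U
#define IOC_WRITE  1U
#define IOC_READ   2U

#define IOC(dir, type, nr, size)                                         \
    (((uint32_t)(dir) << IOC_DIRSHIFT) | ((uint32_t)(size) << IOC_SIZESHIFT) | \
     ((uint32_t)(type) << IOC_TYPESHIFT) | ((uint32_t)(nr) << IOC_NRSHIFT))
#define IOW(type, nr, argtype) IOC(IOC_WRITE, type, nr, sizeof(argtype))
#define IOR(type, nr, argtype) IOC(IOC_READ,  type, nr, sizeof(argtype))

/* RFCOMM socket ioctls as defined in include/net/bluetooth/rfcomm.h.
 * The macros name "int" as the argument, so the encoded size is 4 even
 * though RFCOMMCREATEDEV actually copies a struct rfcomm_dev_req. */
#define RFCOMMCREATEDEV   IOW('R', 200, int)
#define RFCOMMRELEASEDEV  IOW('R', 201, int)
#define RFCOMMGETDEVLIST  IOR('R', 210, int)
#define RFCOMMGETDEVINFO  IOR('R', 211, int)
#define RFCOMMSTEALDLC    IOW('R', 220, int)

struct ioc_fields {
    unsigned dir, type, nr, size;
};

/* Split a raw ioctl request number into its four fields. */
struct ioc_fields decode_ioc(uint32_t cmd)
{
    struct ioc_fields f;
    f.dir  = (cmd >> IOC_DIRSHIFT)  & 0x3;
    f.size = (cmd >> IOC_SIZESHIFT) & 0x3fff;
    f.type = (cmd >> IOC_TYPESHIFT) & 0xff;
    f.nr   = (cmd >> IOC_NRSHIFT)   & 0xff;
    return f;
}

/* Name an RFCOMM ioctl, or return NULL if the request is not one of them. */
const char *rfcomm_ioctl_name(uint32_t cmd)
{
    switch (cmd) {
    case RFCOMMCREATEDEV:  return "RFCOMMCREATEDEV";
    case RFCOMMRELEASEDEV: return "RFCOMMRELEASEDEV";
    case RFCOMMGETDEVLIST: return "RFCOMMGETDEVLIST";
    case RFCOMMGETDEVINFO: return "RFCOMMGETDEVINFO";
    case RFCOMMSTEALDLC:   return "RFCOMMSTEALDLC";
    default:               return NULL;
    }
}

/* ORIG_RAX holds the x86_64 system call number at kernel entry.  Only the
 * numbers a socket/ioctl reproducer is likely to hit are listed (a subset
 * chosen for this example, not the full table). */
const char *x86_64_syscall_name(uint64_t orig_rax)
{
    switch (orig_rax) {
    case 0:  return "read";
    case 1:  return "write";
    case 3:  return "close";
    case 16: return "ioctl";
    case 41: return "socket";
    case 42: return "connect";
    case 49: return "bind";
    case 54: return "setsockopt";
    default: return "unknown";
    }
}

int main(void)
{
    /* Register values copied from the "RIP: 0033:" user-space frame in the
     * report.  x86_64 ABI: rdi, rsi, rdx carry the first three syscall
     * arguments, so for ioctl they are fd, request, argp. */
    uint64_t orig_rax = 0x10;
    uint64_t rdi = 0x4, rsi = 0x400452c8, rdx = 0x20000100;

    struct ioc_fields f = decode_ioc((uint32_t)rsi);
    const char *name = rfcomm_ioctl_name((uint32_t)rsi);

    printf("syscall %s(fd=%llu, request=0x%llx, argp=0x%llx)\n",
           x86_64_syscall_name(orig_rax),
           (unsigned long long)rdi, (unsigned long long)rsi,
           (unsigned long long)rdx);
    printf("  dir=%u type='%c' nr=%u size=%u -> %s\n",
           f.dir, f.type, f.nr, f.size,
           name ? name : "(not an RFCOMM ioctl)");
    return 0;
}
```

Run stand-alone, the program resolves the faulting call to ioctl(4, RFCOMMCREATEDEV, 0x20000100): fd 4 is the RFCOMM socket (the held-locks list shows sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM taken in rfcomm_sock_ioctl), and 0x20000100 is inside the fixed data mapping syzkaller gives its executor. That narrows the bug to the device-creation path in rfcomm_dev_ioctl freeing a DLC before its timer has been stopped; the lockdep splat needs no separate fix, since it disappears once the ODEBUG warning no longer fires.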