[ 33.979490] audit: type=1800 audit(1585379285.241:33): pid=7189 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0 [ 34.007895] audit: type=1800 audit(1585379285.241:34): pid=7189 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 36.925325] random: sshd: uninitialized urandom read (32 bytes read) [ 37.172565] audit: type=1400 audit(1585379288.441:35): avc: denied { map } for pid=7360 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 [ 37.222567] random: sshd: uninitialized urandom read (32 bytes read) [ 37.944306] random: sshd: uninitialized urandom read (32 bytes read) [ 38.128852] random: sshd: uninitialized urandom read (32 bytes read) Warning: Permanently added '10.128.0.165' (ECDSA) to the list of known hosts. [ 43.611890] random: sshd: uninitialized urandom read (32 bytes read) [ 43.736361] audit: type=1400 audit(1585379295.001:36): avc: denied { map } for pid=7372 comm="syz-executor969" path="/root/syz-executor969544536" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 43.981069] IPVS: ftp: loaded support on port[0] = 21 executing program [ 44.832634] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null) [ 44.842357] ------------[ cut here ]------------ [ 44.847099] WARNING: CPU: 1 PID: 7376 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb [ 44.856086] Kernel panic - not syncing: panic_on_warn set ... [ 44.856086] [ 44.863425] CPU: 1 PID: 7376 Comm: syz-executor969 Not tainted 4.14.174-syzkaller #0 [ 44.871282] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.880648] Call Trace: [ 44.883224] dump_stack+0x13e/0x194 [ 44.886867] panic+0x1f9/0x42d [ 44.890042] ? add_taint.cold+0x16/0x16 [ 44.894071] ? debug_print_object.cold+0xa7/0xdb [ 44.898806] ? debug_print_object.cold+0xa7/0xdb [ 44.903545] __warn.cold+0x2f/0x30 [ 44.907064] ? ist_end_non_atomic+0x10/0x10 [ 44.911374] ? debug_print_object.cold+0xa7/0xdb [ 44.916141] report_bug+0x20a/0x248 [ 44.919758] do_error_trap+0x195/0x2d0 [ 44.923656] ? math_error+0x2d0/0x2d0 [ 44.927441] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 44.932270] invalid_op+0x1b/0x40 [ 44.935715] RIP: 0010:debug_print_object.cold+0xa7/0xdb [ 44.941088] RSP: 0018:ffff8880920af430 EFLAGS: 00010082 [ 44.946435] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000 [ 44.953689] RDX: 0000000000000000 RSI: ffffffff86ac07e0 RDI: ffffed1012415e7c [ 44.960946] RBP: ffffffff86ab5ee0 R08: 0000000000000055 R09: 0000000000000000 [ 44.968197] R10: fffffbfff14a8cd8 R11: ffff8880947800c0 R12: 0000000000000000 [ 44.975450] R13: 0000000000000001 R14: 1ffff11012415e90 R15: ffffffff87d84240 [ 44.982891] debug_object_activate+0x307/0x450 [ 44.987509] ? debug_object_free+0x390/0x390 [ 44.991897] ? find_held_lock+0x2d/0x110 [ 44.996113] ? route4_walk+0x450/0x450 [ 44.999978] __call_rcu.constprop.0+0x31/0x7e0 [ 45.004539] route4_change+0xb27/0x1c4d [ 45.008501] ? route4_delete+0x760/0x760 [ 45.012563] ? route4_delete+0x760/0x760 [ 45.016601] tc_ctl_tfilter+0xf13/0x18e6 [ 45.020643] ? tfilter_notify+0x240/0x240 [ 45.024768] ? mutex_trylock+0x1a0/0x1a0 [ 45.028806] ? rtnetlink_rcv_msg+0x2e8/0xb10 [ 45.033194] ? tfilter_notify+0x240/0x240 [ 45.037331] rtnetlink_rcv_msg+0x3be/0xb10 [ 45.041578] ? rtnl_bridge_getlink+0x7a0/0x7a0 [ 45.046142] ? save_trace+0x290/0x290 [ 45.049960] ? save_trace+0x290/0x290 [ 45.053741] netlink_rcv_skb+0x127/0x370 [ 45.057826] ? rtnl_bridge_getlink+0x7a0/0x7a0 [ 45.062386] ? netlink_ack+0x980/0x980 [ 45.066256] netlink_unicast+0x437/0x620 [ 45.070294] ? netlink_attachskb+0x600/0x600 [ 45.074683] netlink_sendmsg+0x733/0xbe0 [ 45.078734] ? netlink_unicast+0x620/0x620 [ 45.082943] ? SYSC_sendto+0x2b0/0x2b0 [ 45.086810] ? security_socket_sendmsg+0x83/0xb0 [ 45.091540] ? netlink_unicast+0x620/0x620 [ 45.095750] sock_sendmsg+0xc5/0x100 [ 45.099440] ___sys_sendmsg+0x70a/0x840 [ 45.103400] ? trace_hardirqs_on+0x10/0x10 [ 45.107610] ? copy_msghdr_from_user+0x380/0x380 [ 45.112347] ? find_held_lock+0x2d/0x110 [ 45.116392] ? lock_downgrade+0x6e0/0x6e0 [ 45.120524] ? __fget+0x228/0x360 [ 45.123996] ? __fget_light+0x199/0x1f0 [ 45.127984] ? sockfd_lookup_light+0xb2/0x160 [ 45.132492] __sys_sendmsg+0xa3/0x120 [ 45.136270] ? SyS_shutdown+0x160/0x160 [ 45.140268] ? move_addr_to_kernel+0x60/0x60 [ 45.144657] SyS_sendmsg+0x27/0x40 [ 45.148184] ? __sys_sendmsg+0x120/0x120 [ 45.152266] do_syscall_64+0x1d5/0x640 [ 45.156143] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 45.161323] RIP: 0033:0x446e09 [ 45.164494] RSP: 002b:00007f5dcb0e4d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 45.172207] RAX: ffffffffffffffda RBX: 00000000006dbc78 RCX: 0000000000446e09 [ 45.179456] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006 [ 45.186756] RBP: 00000000006dbc70 R08: 0000000000000000 R09: 0000000000000000 [ 45.194007] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc7c [ 45.201287] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038 [ 45.208549] [ 45.208551] ====================================================== [ 45.208553] WARNING: possible circular locking dependency detected [ 45.208554] 4.14.174-syzkaller #0 Not tainted [ 45.208556] ------------------------------------------------------ [ 45.208558] syz-executor969/7376 is trying to acquire lock: [ 45.208558] ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60 [ 45.208562] [ 45.208564] but task is already holding lock: [ 45.208564] (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450 [ 45.208568] [ 45.208570] which lock already depends on the new lock. [ 45.208570] [ 45.208571] [ 45.208573] the existing dependency chain (in reverse order) is: [ 45.208573] [ 45.208574] -> #5 (&obj_hash[i].lock){-.-.}: [ 45.208578] _raw_spin_lock_irqsave+0x8c/0xbf [ 45.208580] debug_object_activate+0x10b/0x450 [ 45.208581] enqueue_hrtimer+0x22/0x3b0 [ 45.208582] hrtimer_start_range_ns+0x4e6/0x1060 [ 45.208584] schedule_hrtimeout_range_clock+0x13c/0x2f0 [ 45.208585] wait_task_inactive+0x478/0x530 [ 45.208586] __kthread_bind_mask+0x1f/0xb0 [ 45.208588] create_worker+0x313/0x530 [ 45.208589] workqueue_init+0x55f/0x66e [ 45.208590] kernel_init_freeable+0x2ab/0x526 [ 45.208591] kernel_init+0xd/0x15b [ 45.208593] ret_from_fork+0x24/0x30 [ 45.208593] [ 45.208594] -> #4 (hrtimer_bases.lock){-.-.}: [ 45.208598] _raw_spin_lock_irqsave+0x8c/0xbf [ 45.208599] lock_hrtimer_base.isra.0+0x6d/0x120 [ 45.208601] hrtimer_start_range_ns+0x7b/0x1060 [ 45.208602] enqueue_task_rt+0x94d/0xdb0 [ 45.208604] __sched_setscheduler.constprop.0+0xc11/0x1f70 [ 45.208605] _sched_setscheduler+0xf9/0x150 [ 45.208606] watchdog_enable+0xff/0x150 [ 45.208607] smpboot_thread_fn+0x40d/0x920 [ 45.208608] kthread+0x30d/0x420 [ 45.208610] ret_from_fork+0x24/0x30 [ 45.208610] [ 45.208611] -> #3 (&rt_b->rt_runtime_lock){-.-.}: [ 45.208615] _raw_spin_lock+0x2a/0x40 [ 45.208616] enqueue_task_rt+0x508/0xdb0 [ 45.208618] __sched_setscheduler.constprop.0+0xc11/0x1f70 [ 45.208619] _sched_setscheduler+0xf9/0x150 [ 45.208620] watchdog_enable+0xff/0x150 [ 45.208622] smpboot_thread_fn+0x40d/0x920 [ 45.208623] kthread+0x30d/0x420 [ 45.208624] ret_from_fork+0x24/0x30 [ 45.208624] [ 45.208625] -> #2 (&rq->lock){-.-.}: [ 45.208629] _raw_spin_lock+0x2a/0x40 [ 45.208630] task_fork_fair+0x63/0x5b0 [ 45.208631] sched_fork+0x39a/0xbd0 [ 45.208633] copy_process.part.0+0x15b7/0x6a70 [ 45.208634] _do_fork+0x180/0xc80 [ 45.208635] kernel_thread+0x2f/0x40 [ 45.208636] rest_init+0x1f/0x1d2 [ 45.208637] start_kernel+0x659/0x676 [ 45.208638] secondary_startup_64+0xa5/0xb0 [ 45.208639] [ 45.208640] -> #1 (&p->pi_lock){-.-.}: [ 45.208644] _raw_spin_lock_irqsave+0x8c/0xbf [ 45.208645] try_to_wake_up+0x6a/0xef0 [ 45.208646] up+0x92/0xe0 [ 45.208647] __up_console_sem+0xa9/0x1b0 [ 45.208649] console_unlock+0x596/0xec0 [ 45.208650] vprintk_emit+0x1f8/0x600 [ 45.208651] vprintk_func+0x58/0x152 [ 45.208652] printk+0x9e/0xbc [ 45.208653] kauditd_hold_skb.cold+0x3e/0x4d [ 45.208655] kauditd_send_queue+0xfb/0x140 [ 45.208656] kauditd_thread+0x625/0x840 [ 45.208657] kthread+0x30d/0x420 [ 45.208658] ret_from_fork+0x24/0x30 [ 45.208659] [ 45.208659] -> #0 ((console_sem).lock){-...}: [ 45.208663] lock_acquire+0x170/0x3f0 [ 45.208665] _raw_spin_lock_irqsave+0x8c/0xbf [ 45.208666] down_trylock+0xe/0x60 [ 45.208667] __down_trylock_console_sem+0x97/0x1f0 [ 45.208668] console_trylock+0x14/0x70 [ 45.208670] vprintk_emit+0x1ea/0x600 [ 45.208671] vprintk_func+0x58/0x152 [ 45.208672] printk+0x9e/0xbc [ 45.208673] debug_print_object.cold+0xa7/0xdb [ 45.208675] debug_object_activate+0x307/0x450 [ 45.208676] __call_rcu.constprop.0+0x31/0x7e0 [ 45.208677] route4_change+0xb27/0x1c4d [ 45.208678] tc_ctl_tfilter+0xf13/0x18e6 [ 45.208680] rtnetlink_rcv_msg+0x3be/0xb10 [ 45.208681] netlink_rcv_skb+0x127/0x370 [ 45.208682] netlink_unicast+0x437/0x620 [ 45.208683] netlink_sendmsg+0x733/0xbe0 [ 45.208685] sock_sendmsg+0xc5/0x100 [ 45.208686] ___sys_sendmsg+0x70a/0x840 [ 45.208687] __sys_sendmsg+0xa3/0x120 [ 45.208688] SyS_sendmsg+0x27/0x40 [ 45.208689] do_syscall_64+0x1d5/0x640 [ 45.208691] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 45.208692] [ 45.208693] other info that might help us debug this: [ 45.208694] [ 45.208694] Chain exists of: [ 45.208695] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock [ 45.208700] [ 45.208702] Possible unsafe locking scenario: [ 45.208702] [ 45.208704] CPU0 CPU1 [ 45.208705] ---- ---- [ 45.208705] lock(&obj_hash[i].lock); [ 45.208708] lock(hrtimer_bases.lock); [ 45.208711] lock(&obj_hash[i].lock); [ 45.208713] lock((console_sem).lock); [ 45.208716] [ 45.208717] *** DEADLOCK *** [ 45.208717] [ 45.208719] 2 locks held by syz-executor969/7376: [ 45.208719] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 [ 45.208724] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450 [ 45.208728] [ 45.208729] stack backtrace: [ 45.208731] CPU: 1 PID: 7376 Comm: syz-executor969 Not tainted 4.14.174-syzkaller #0 [ 45.208734] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 45.208735] Call Trace: [ 45.208736] dump_stack+0x13e/0x194 [ 45.208737] print_circular_bug.isra.0.cold+0x1c4/0x282 [ 45.208739] __lock_acquire+0x2cb3/0x4620 [ 45.208740] ? string+0x17e/0x1d0 [ 45.208741] ? trace_hardirqs_on+0x10/0x10 [ 45.208742] ? netdev_bits+0xa0/0xa0 [ 45.208743] ? kvm_clock_read+0x1f/0x30 [ 45.208744] ? kvm_sched_clock_read+0x5/0x10 [ 45.208745] lock_acquire+0x170/0x3f0 [ 45.208747] ? down_trylock+0xe/0x60 [ 45.208748] _raw_spin_lock_irqsave+0x8c/0xbf [ 45.208749] ? down_trylock+0xe/0x60 [ 45.208750] down_trylock+0xe/0x60 [ 45.208751] ? vprintk_emit+0x1ea/0x600 [ 45.208753] __down_trylock_console_sem+0x97/0x1f0 [ 45.208754] console_trylock+0x14/0x70 [ 45.208755] vprintk_emit+0x1ea/0x600 [ 45.208756] vprintk_func+0x58/0x152 [ 45.208757] printk+0x9e/0xbc [ 45.208758] ? show_regs_print_info+0x5b/0x5b [ 45.208759] ? lock_acquire+0x170/0x3f0 [ 45.208761] ? debug_object_activate+0x10b/0x450 [ 45.208762] debug_print_object.cold+0xa7/0xdb [ 45.208763] debug_object_activate+0x307/0x450 [ 45.208765] ? debug_object_free+0x390/0x390 [ 45.208766] ? find_held_lock+0x2d/0x110 [ 45.208767] ? route4_walk+0x450/0x450 [ 45.208768] __call_rcu.constprop.0+0x31/0x7e0 [ 45.208770] route4_change+0xb27/0x1c4d [ 45.208771] ? route4_delete+0x760/0x760 [ 45.208772] ? route4_delete+0x760/0x760 [ 45.208773] tc_ctl_tfilter+0xf13/0x18e6 [ 45.208774] ? tfilter_notify+0x240/0x240 [ 45.208776] ? mutex_trylock+0x1a0/0x1a0 [ 45.208777] ? rtnetlink_rcv_msg+0x2e8/0xb10 [ 45.208778] ? tfilter_notify+0x240/0x240 [ 45.208779] rtnetlink_rcv_msg+0x3be/0xb10 [ 45.208781] ? rtnl_bridge_getlink+0x7a0/0x7a0 [ 45.208782] ? save_trace+0x290/0x290 [ 45.208783] ? save_trace+0x290/0x290 [ 45.208784] netlink_rcv_skb+0x127/0x370 [ 45.208785] ? rtnl_bridge_getlink+0x7a0/0x7a0 [ 45.208786] ? netlink_ack+0x980/0x980 [ 45.208788] netlink_unicast+0x437/0x620 [ 45.208789] ? netlink_attachskb+0x600/0x600 [ 45.208790] netlink_sendmsg+0x733/0xbe0 [ 45.208791] ? netlink_unicast+0x620/0x620 [ 45.208792] ? SYSC_sendto+0x2b0/0x2b0 [ 45.208794] ? security_socket_sendmsg+0x83/0xb0 [ 45.208795] ? netlink_unicast+0x620/0x620 [ 45.208796] sock_sendmsg+0xc5/0x100 [ 45.208797] ___sys_sendmsg+0x70a/0x840 [ 45.208799] ? trace_hardirqs_on+0x10/0x10 [ 45.208800] ? copy_msghdr_from_user+0x380/0x380 [ 45.208801] ? find_held_lock+0x2d/0x110 [ 45.208802] ? lock_downgrade+0x6e0/0x6e0 [ 45.208803] ? __fget+0x228/0x360 [ 45.208805] ? __fget_light+0x199/0x1f0 [ 45.208806] ? sockfd_lookup_light+0xb2/0x160 [ 45.208807] __sys_sendmsg+0xa3/0x120 [ 45.208808] ? SyS_shutdown+0x160/0x160 [ 45.208809] ? move_addr_to_kernel+0x60/0x60 [ 45.208811] SyS_sendmsg+0x27/0x40 [ 45.208812] ? __sys_sendmsg+0x120/0x120 [ 45.208813] do_syscall_64+0x1d5/0x640 [ 45.208814] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 45.208815] RIP: 0033:0x446e09 [ 45.208817] RSP: 002b:00007f5dcb0e4d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 45.208820] RAX: ffffffffffffffda RBX: 00000000006dbc78 RCX: 0000000000446e09 [ 45.208822] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006 [ 45.208823] RBP: 00000000006dbc70 R08: 0000000000000000 R09: 0000000000000000 [ 45.208825] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc7c [ 45.208827] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038 [ 45.210178] Kernel Offset: disabled [ 46.089557] Rebooting in 86400 seconds..