[   38.296255] audit: type=1800 audit(1583880392.191:33): pid=7483 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [   43.036207] random: sshd: uninitialized urandom read (32 bytes read)
[   43.333050] kauditd_printk_skb: 1 callbacks suppressed
[   43.333059] audit: type=1400 audit(1583880397.231:35): avc:  denied  { map } for  pid=7655 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   43.398220] random: sshd: uninitialized urandom read (32 bytes read)
[   44.163883] random: sshd: uninitialized urandom read (32 bytes read)
[   44.369086] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
[   49.979832] random: sshd: uninitialized urandom read (32 bytes read)
[   50.124457] audit: type=1400 audit(1583880404.021:36): avc:  denied  { map } for  pid=7668 comm="syz-executor512" path="/root/syz-executor512625539" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   50.361432] IPVS: ftp: loaded support on port[0] = 21
executing program
[   51.176581] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[   51.187041] ------------[ cut here ]------------
[   51.191818] WARNING: CPU: 1 PID: 7671 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[   51.200834] Kernel panic - not syncing: panic_on_warn set ...
[   51.200834] 
[   51.208203] CPU: 1 PID: 7671 Comm: syz-executor512 Not tainted 4.14.172-syzkaller #0
[   51.216079] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.225817] Call Trace:
[   51.228594]  dump_stack+0x13e/0x194
[   51.232384]  panic+0x1f9/0x42d
[   51.235577]  ? add_taint.cold+0x16/0x16
[   51.239561]  ? debug_print_object.cold+0xa7/0xdb
[   51.244839]  ? debug_print_object.cold+0xa7/0xdb
[   51.249589]  __warn.cold+0x2f/0x30
[   51.253281]  ? ist_end_non_atomic+0x10/0x10
[   51.257602]  ? debug_print_object.cold+0xa7/0xdb
[   51.262484]  report_bug+0x20a/0x248
[   51.266261]  do_error_trap+0x195/0x2d0
[   51.270147]  ? math_error+0x2d0/0x2d0
[   51.274826]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   51.279698]  invalid_op+0x1b/0x40
[   51.283140] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[   51.288512] RSP: 0018:ffff8880801d7430 EFLAGS: 00010082
[   51.293863] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[   51.301124] RDX: 0000000000000000 RSI: ffffffff86ac0860 RDI: ffffed101003ae7c
[   51.308393] RBP: ffffffff86ab5f60 R08: 0000000000000055 R09: 0000000000000000
[   51.315657] R10: fffffbfff14a8ce0 R11: ffff88809dce8100 R12: 0000000000000000
[   51.322963] R13: 0000000000000001 R14: 1ffff1101003ae90 R15: ffffffff87d842c0
[   51.330356]  debug_object_activate+0x307/0x450
[   51.334995]  ? debug_object_free+0x390/0x390
[   51.339435]  ? find_held_lock+0x2d/0x110
[   51.343610]  ? route4_walk+0x450/0x450
[   51.347504]  __call_rcu.constprop.0+0x31/0x7e0
[   51.355778]  route4_change+0xb27/0x1c4d
[   51.359997]  ? route4_delete+0x760/0x760
[   51.364255]  ? route4_delete+0x760/0x760
[   51.368325]  tc_ctl_tfilter+0xf13/0x18e6
[   51.372398]  ? tfilter_notify+0x240/0x240
[   51.376550]  ? mutex_trylock+0x1a0/0x1a0
[   51.380617]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[   51.385034]  ? tfilter_notify+0x240/0x240
[   51.389194]  rtnetlink_rcv_msg+0x3be/0xb10
[   51.393423]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   51.397995]  ? save_trace+0x290/0x290
[   51.401786]  ? save_trace+0x290/0x290
[   51.405579]  netlink_rcv_skb+0x127/0x370
[   51.409633]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   51.414201]  ? netlink_ack+0x960/0x960
[   51.418079]  netlink_unicast+0x437/0x620
[   51.422139]  ? netlink_attachskb+0x600/0x600
[   51.426549]  netlink_sendmsg+0x733/0xbe0
[   51.431218]  ? netlink_unicast+0x620/0x620
[   51.435727]  ? SYSC_sendto+0x2b0/0x2b0
[   51.439625]  ? security_socket_sendmsg+0x83/0xb0
[   51.444382]  ? netlink_unicast+0x620/0x620
[   51.448737]  sock_sendmsg+0xc5/0x100
[   51.452574]  ___sys_sendmsg+0x70a/0x840
[   51.456550]  ? trace_hardirqs_on+0x10/0x10
[   51.461738]  ? copy_msghdr_from_user+0x380/0x380
[   51.466544]  ? find_held_lock+0x2d/0x110
[   51.470612]  ? lock_downgrade+0x6e0/0x6e0
[   51.477146]  ? __fget+0x228/0x360
[   51.480592]  ? __fget_light+0x199/0x1f0
[   51.484580]  ? sockfd_lookup_light+0xb2/0x160
[   51.489072]  __sys_sendmsg+0xa3/0x120
[   51.492879]  ? SyS_shutdown+0x160/0x160
[   51.496842]  ? move_addr_to_kernel+0x60/0x60
[   51.501310]  ? __do_page_fault+0x35b/0xb40
[   51.506152]  SyS_sendmsg+0x27/0x40
[   51.509694]  ? __sys_sendmsg+0x120/0x120
[   51.513759]  do_syscall_64+0x1d5/0x640
[   51.517706]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   51.522935] RIP: 0033:0x446ed9
[   51.526148] RSP: 002b:00007f9123dbfd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   51.534406] RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446ed9
[   51.541665] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[   51.548989] RBP: 00000000006dbc60 R08: 0000000000000000 R09: 0000000000000000
[   51.556264] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc6c
[   51.563656] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[   51.570931] 
[   51.570934] ======================================================
[   51.570935] WARNING: possible circular locking dependency detected
[   51.570936] 4.14.172-syzkaller #0 Not tainted
[   51.570938] ------------------------------------------------------
[   51.570940] syz-executor512/7671 is trying to acquire lock:
[   51.570941]  ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[   51.570945] 
[   51.570946] but task is already holding lock:
[   51.570947]  (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[   51.570951] 
[   51.570953] which lock already depends on the new lock.
[   51.570954] 
[   51.570954] 
[   51.570956] the existing dependency chain (in reverse order) is:
[   51.570957] 
[   51.570957] -> #5 (&obj_hash[i].lock){-.-.}:
[   51.570962]        _raw_spin_lock_irqsave+0x8c/0xbf
[   51.570963]        debug_object_activate+0x10b/0x450
[   51.570965]        enqueue_hrtimer+0x22/0x3b0
[   51.570966]        hrtimer_start_range_ns+0x4e6/0x1060
[   51.570968]        schedule_hrtimeout_range_clock+0x13c/0x2f0
[   51.570969]        wait_task_inactive+0x478/0x530
[   51.570970]        __kthread_bind_mask+0x1f/0xb0
[   51.570972]        create_worker+0x313/0x530
[   51.570973]        workqueue_init+0x55f/0x66e
[   51.570974]        kernel_init_freeable+0x2ab/0x526
[   51.570976]        kernel_init+0xd/0x15b
[   51.570977]        ret_from_fork+0x24/0x30
[   51.570977] 
[   51.570978] -> #4 (hrtimer_bases.lock){-.-.}:
[   51.570983]        _raw_spin_lock_irqsave+0x8c/0xbf
[   51.570984]        lock_hrtimer_base.isra.0+0x6d/0x120
[   51.570985]        hrtimer_start_range_ns+0x7b/0x1060
[   51.570987]        enqueue_task_rt+0x94d/0xdb0
[   51.570988]        __sched_setscheduler.constprop.0+0xc11/0x1f70
[   51.570989]        _sched_setscheduler+0xf9/0x150
[   51.570991]        watchdog_enable+0xff/0x150
[   51.570992]        smpboot_thread_fn+0x40d/0x920
[   51.570993]        kthread+0x30d/0x420
[   51.570994]        ret_from_fork+0x24/0x30
[   51.570995] 
[   51.570996] -> #3 (&rt_b->rt_runtime_lock){-...}:
[   51.571000]        _raw_spin_lock+0x2a/0x40
[   51.571001]        enqueue_task_rt+0x508/0xdb0
[   51.571003]        __sched_setscheduler.constprop.0+0xc11/0x1f70
[   51.571004]        _sched_setscheduler+0xf9/0x150
[   51.571006]        watchdog_enable+0xff/0x150
[   51.571007]        smpboot_thread_fn+0x40d/0x920
[   51.571008]        kthread+0x30d/0x420
[   51.571009]        ret_from_fork+0x24/0x30
[   51.571010] 
[   51.571011] -> #2 (&rq->lock){-.-.}:
[   51.571015]        _raw_spin_lock+0x2a/0x40
[   51.571016]        task_fork_fair+0x63/0x5b0
[   51.571017]        sched_fork+0x39a/0xbd0
[   51.571018]        copy_process.part.0+0x15b7/0x6a70
[   51.571020]        _do_fork+0x180/0xc80
[   51.571021]        kernel_thread+0x2f/0x40
[   51.571022]        rest_init+0x1f/0x1d2
[   51.571023]        start_kernel+0x659/0x676
[   51.571024]        secondary_startup_64+0xa5/0xb0
[   51.571025] 
[   51.571026] -> #1 (&p->pi_lock){-.-.}:
[   51.571030]        _raw_spin_lock_irqsave+0x8c/0xbf
[   51.571031]        try_to_wake_up+0x6a/0xef0
[   51.571033]        up+0x92/0xe0
[   51.571035]        __up_console_sem+0xa9/0x1b0
[   51.571037]        console_unlock+0x596/0xec0
[   51.571038]        vprintk_emit+0x1f8/0x600
[   51.571039]        vprintk_func+0x58/0x152
[   51.571040]        printk+0x9e/0xbc
[   51.571042]        kauditd_hold_skb.cold+0x3e/0x4d
[   51.571043]        kauditd_send_queue+0xfb/0x140
[   51.571044]        kauditd_thread+0x625/0x840
[   51.571045]        kthread+0x30d/0x420
[   51.571047]        ret_from_fork+0x24/0x30
[   51.571047] 
[   51.571048] -> #0 ((console_sem).lock){-...}:
[   51.571052]        lock_acquire+0x170/0x3f0
[   51.571054]        _raw_spin_lock_irqsave+0x8c/0xbf
[   51.571055]        down_trylock+0xe/0x60
[   51.571056]        __down_trylock_console_sem+0x97/0x1f0
[   51.571058]        console_trylock+0x14/0x70
[   51.571059]        vprintk_emit+0x1ea/0x600
[   51.571060]        vprintk_func+0x58/0x152
[   51.571061]        printk+0x9e/0xbc
[   51.571062]        debug_print_object.cold+0xa7/0xdb
[   51.571064]        debug_object_activate+0x307/0x450
[   51.571065]        __call_rcu.constprop.0+0x31/0x7e0
[   51.571067]        route4_change+0xb27/0x1c4d
[   51.571068]        tc_ctl_tfilter+0xf13/0x18e6
[   51.571069]        rtnetlink_rcv_msg+0x3be/0xb10
[   51.571070]        netlink_rcv_skb+0x127/0x370
[   51.571072]        netlink_unicast+0x437/0x620
[   51.571073]        netlink_sendmsg+0x733/0xbe0
[   51.571074]        sock_sendmsg+0xc5/0x100
[   51.571075]        ___sys_sendmsg+0x70a/0x840
[   51.571076]        __sys_sendmsg+0xa3/0x120
[   51.571077]        SyS_sendmsg+0x27/0x40
[   51.571079]        do_syscall_64+0x1d5/0x640
[   51.571080]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   51.571081] 
[   51.571082] other info that might help us debug this:
[   51.571083] 
[   51.571084] Chain exists of:
[   51.571085]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[   51.571090] 
[   51.571092]  Possible unsafe locking scenario:
[   51.571092] 
[   51.571094]        CPU0                    CPU1
[   51.571095]        ----                    ----
[   51.571097]   lock(&obj_hash[i].lock);
[   51.571100]                                lock(hrtimer_bases.lock);
[   51.571103]                                lock(&obj_hash[i].lock);
[   51.571106]   lock((console_sem).lock);
[   51.571108] 
[   51.571109]  *** DEADLOCK ***
[   51.571110] 
[   51.571111] 2 locks held by syz-executor512/7671:
[   51.571112]  #0:  (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[   51.571116]  #1:  (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[   51.571121] 
[   51.571122] stack backtrace:
[   51.571124] CPU: 1 PID: 7671 Comm: syz-executor512 Not tainted 4.14.172-syzkaller #0
[   51.571126] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   51.571128] Call Trace:
[   51.571129]  dump_stack+0x13e/0x194
[   51.571130]  print_circular_bug.isra.0.cold+0x1c4/0x282
[   51.571131]  __lock_acquire+0x2cb3/0x4620
[   51.571133]  ? string+0x17e/0x1d0
[   51.571134]  ? trace_hardirqs_on+0x10/0x10
[   51.571135]  ? netdev_bits+0xa0/0xa0
[   51.571136]  ? kvm_clock_read+0x1f/0x30
[   51.571137]  ? kvm_sched_clock_read+0x5/0x10
[   51.571139]  lock_acquire+0x170/0x3f0
[   51.571140]  ? down_trylock+0xe/0x60
[   51.571141]  _raw_spin_lock_irqsave+0x8c/0xbf
[   51.571142]  ? down_trylock+0xe/0x60
[   51.571143]  down_trylock+0xe/0x60
[   51.571145]  ? vprintk_emit+0x1ea/0x600
[   51.571146]  __down_trylock_console_sem+0x97/0x1f0
[   51.571147]  console_trylock+0x14/0x70
[   51.571148]  vprintk_emit+0x1ea/0x600
[   51.571149]  vprintk_func+0x58/0x152
[   51.571151]  printk+0x9e/0xbc
[   51.571153]  ? show_regs_print_info+0x5b/0x5b
[   51.571155]  ? lock_acquire+0x170/0x3f0
[   51.571156]  ? debug_object_activate+0x10b/0x450
[   51.571157]  debug_print_object.cold+0xa7/0xdb
[   51.571159]  debug_object_activate+0x307/0x450
[   51.571160]  ? debug_object_free+0x390/0x390
[   51.571161]  ? find_held_lock+0x2d/0x110
[   51.571162]  ? route4_walk+0x450/0x450
[   51.571164]  __call_rcu.constprop.0+0x31/0x7e0
[   51.571165]  route4_change+0xb27/0x1c4d
[   51.571166]  ? route4_delete+0x760/0x760
[   51.571167]  ? route4_delete+0x760/0x760
[   51.571169]  tc_ctl_tfilter+0xf13/0x18e6
[   51.571170]  ? tfilter_notify+0x240/0x240
[   51.571171]  ? mutex_trylock+0x1a0/0x1a0
[   51.571172]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[   51.571174]  ? tfilter_notify+0x240/0x240
[   51.571175]  rtnetlink_rcv_msg+0x3be/0xb10
[   51.571176]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   51.571178]  ? save_trace+0x290/0x290
[   51.571180]  ? save_trace+0x290/0x290
[   51.571182]  netlink_rcv_skb+0x127/0x370
[   51.571184]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[   51.571185]  ? netlink_ack+0x960/0x960
[   51.571186]  netlink_unicast+0x437/0x620
[   51.571187]  ? netlink_attachskb+0x600/0x600
[   51.571189]  netlink_sendmsg+0x733/0xbe0
[   51.571190]  ? netlink_unicast+0x620/0x620
[   51.571191]  ? SYSC_sendto+0x2b0/0x2b0
[   51.571192]  ? security_socket_sendmsg+0x83/0xb0
[   51.571194]  ? netlink_unicast+0x620/0x620
[   51.571195]  sock_sendmsg+0xc5/0x100
[   51.571196]  ___sys_sendmsg+0x70a/0x840
[   51.571197]  ? trace_hardirqs_on+0x10/0x10
[   51.571199]  ? copy_msghdr_from_user+0x380/0x380
[   51.571200]  ? find_held_lock+0x2d/0x110
[   51.571208]  ? lock_downgrade+0x6e0/0x6e0
[   51.571210]  ? __fget+0x228/0x360
[   51.571211]  ? __fget_light+0x199/0x1f0
[   51.571212]  ? sockfd_lookup_light+0xb2/0x160
[   51.571213]  __sys_sendmsg+0xa3/0x120
[   51.571214]  ? SyS_shutdown+0x160/0x160
[   51.571216]  ? move_addr_to_kernel+0x60/0x60
[   51.571217]  ? __do_page_fault+0x35b/0xb40
[   51.571219]  SyS_sendmsg+0x27/0x40
[   51.571220]  ? __sys_sendmsg+0x120/0x120
[   51.571221]  do_syscall_64+0x1d5/0x640
[   51.571223]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   51.571224] RIP: 0033:0x446ed9
[   51.571225] RSP: 002b:00007f9123dbfd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   51.571228] RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446ed9
[   51.571230] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[   51.571232] RBP: 00000000006dbc60 R08: 0000000000000000 R09: 0000000000000000
[   51.571234] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc6c
[   51.571236] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[   51.572522] Kernel Offset: disabled
[   52.479773] Rebooting in 86400 seconds..
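Two things in the log above should be read separately. The ODEBUG line ("activate active (active state 1) object type: rcu_head") is emitted by debug_object_activate() when __call_rcu() is handed an rcu_head that is already queued; here the caller is route4_change() in net/sched/cls_route.c, reached through the tc filter change path (tc_ctl_tfilter via rtnetlink sendmsg). Queueing the same rcu_head twice normally means the same object is being freed or replaced twice, which is why the WARNING is escalated to a crash under panic_on_warn. The lockdep report that follows is a side-effect of printing that warning: chain #0 is printk() taking (console_sem).lock from inside debug_print_object() while &obj_hash[i].lock is still held, so it does not point at a second bug in cls_route. The Python below is an added triage helper, not part of syzkaller, syzbot or the kernel: it strips printk timestamps, pulls the WARNING site, walks the first Call Trace, skips the WARN/panic and debugobjects frames (the NOISE prefix list is my own choice) to name the first reliable caller, and extracts the lockdep chain and the held locks. LOG is a constructed excerpt of the log above with frames dropped to keep it short.

```python
import re

# Constructed excerpt of the console log above (frames were dropped to keep
# it short; the symbols, offsets and timestamps are the page's own).
LOG = """\
[   51.176581] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[   51.191818] WARNING: CPU: 1 PID: 7671 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[   51.225817] Call Trace:
[   51.228594]  dump_stack+0x13e/0x194
[   51.232384]  panic+0x1f9/0x42d
[   51.239561]  ? debug_print_object.cold+0xa7/0xdb
[   51.249589]  __warn.cold+0x2f/0x30
[   51.262484]  report_bug+0x20a/0x248
[   51.266261]  do_error_trap+0x195/0x2d0
[   51.279698]  invalid_op+0x1b/0x40
[   51.283140] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[   51.330356]  debug_object_activate+0x307/0x450
[   51.334995]  ? debug_object_free+0x390/0x390
[   51.347504]  __call_rcu.constprop.0+0x31/0x7e0
[   51.355778]  route4_change+0xb27/0x1c4d
[   51.368325]  tc_ctl_tfilter+0xf13/0x18e6
[   51.389194]  rtnetlink_rcv_msg+0x3be/0xb10
[   51.506152]  SyS_sendmsg+0x27/0x40
[   51.513759]  do_syscall_64+0x1d5/0x640
[   51.517706]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   51.522935] RIP: 0033:0x446ed9
[   51.570934] ======================================================
[   51.570935] WARNING: possible circular locking dependency detected
[   51.571084] Chain exists of:
[   51.571085]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[   51.571111] 2 locks held by syz-executor512/7671:
[   51.571112]  #0:  (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[   51.571116]  #1:  (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")                      # "[   51.176581] "
FRAME_RE = re.compile(r"^\s*(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
WARN_RE = re.compile(r"^WARNING: CPU: (\d+) PID: (\d+) at (\S+):(\d+) (\S+)")
HELD_RE = re.compile(r"^\s*#\d+:\s+\((\S+)\)\{")

# Frames that belong to the WARN/panic path or to debugobjects itself. This
# prefix list is my own triage choice, not something syzkaller defines.
NOISE = ("dump_stack", "panic", "__warn", "report_bug", "do_error_trap",
         "invalid_op", "debug_", "__call_rcu")


def strip_ts(line):
    return TS_RE.sub("", line)


def parse_warning(log):
    """(cpu, pid, file, line, symbol) from the 'WARNING: CPU: ... at' header."""
    for raw in log.splitlines():
        m = WARN_RE.match(strip_ts(raw))
        if m:
            cpu, pid, path, lineno, sym = m.groups()
            return int(cpu), int(pid), path, int(lineno), sym
    return None


def call_trace(log):
    """[(reliable, symbol)] for the first Call Trace. A leading '?' marks a
    stale stack slot the unwinder could not verify, so it counts as unreliable."""
    frames, in_trace = [], False
    for raw in log.splitlines():
        line = strip_ts(raw)
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if not in_trace:
            continue
        if line.startswith("RIP: 0033:") or line.startswith("====="):
            break  # back in user space, or the next report begins
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group(1) is None, m.group(2)))
    return frames


def culprit(frames):
    """First reliable frame that is not WARN/debugobjects machinery."""
    for reliable, sym in frames:
        if reliable and not sym.startswith(NOISE):
            return sym
    return None


def lockdep_chain(log):
    """Lock names from the 'Chain exists of:' line, outermost first."""
    lines = [strip_ts(l) for l in log.splitlines()]
    for i, line in enumerate(lines[:-1]):
        if line.strip() == "Chain exists of:":
            return [x.strip() for x in lines[i + 1].split("-->")]
    return []


def held_locks(log):
    """Lock names from the '#n: (name){...}, at:' lines."""
    found = []
    for raw in log.splitlines():
        m = HELD_RE.match(strip_ts(raw))
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    print(parse_warning(LOG), "culprit:", culprit(call_trace(LOG)))
    print(lockdep_chain(LOG), held_locks(LOG))
```

On the excerpt this names route4_change as the first reliable frame outside the warning machinery, which is the same frame syzbot's title for this report points at, and it returns the held locks in order (rtnl_mutex, then &obj_hash[i].lock), matching the "2 locks held" block.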