[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.17' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 27.653590] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90
[ 27.664646] ------------[ cut here ]------------
[ 27.669388] WARNING: CPU: 1 PID: 7968 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 27.678371] Kernel panic - not syncing: panic_on_warn set ...
[ 27.678371]
[ 27.685708] CPU: 1 PID: 7968 Comm: syz-executor355 Not tainted 4.14.281-syzkaller #0
[ 27.693577] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 27.702903] Call Trace:
[ 27.705469] dump_stack+0x1b2/0x281
[ 27.709088] panic+0x1f9/0x42d
[ 27.712257] ? add_taint.cold+0x16/0x16
[ 27.716224] ? debug_print_object.cold+0xa7/0xdb
[ 27.720956] ? debug_print_object.cold+0xa7/0xdb
[ 27.725727] __warn.cold+0x20/0x44
[ 27.729244] ? ist_end_non_atomic+0x10/0x10
[ 27.733538] ? debug_print_object.cold+0xa7/0xdb
[ 27.738266] report_bug+0x208/0x250
[ 27.741886] do_error_trap+0x195/0x2d0
[ 27.745746] ? math_error+0x2d0/0x2d0
[ 27.749532] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 27.754350] invalid_op+0x1b/0x40
[ 27.757783] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 27.763116] RSP: 0018:ffff88809d1972d8 EFLAGS: 00010086
[ 27.768459] RAX: 0000000000000061 RBX: 0000000000000003 RCX: 0000000000000000
[ 27.775705] RDX: 0000000000000000 RSI: ffffffff878bc600 RDI: ffffed1013a32e51
[ 27.782947] RBP: ffffffff878b78c0 R08: 0000000000000061 R09: 0000000000000000
[ 27.790206] R10: 0000000000000000 R11: ffff8880ae0023c0 R12: ffffffff81361490
[ 27.797455] R13: 0000000000000000 R14: ffff8880b4d19a80 R15: ffff8880b387bb98
[ 27.804704] ? execute_in_process_context+0x140/0x140
[ 27.809873] ? debug_print_object.cold+0xa7/0xdb
[ 27.814619] debug_check_no_obj_freed+0x3b7/0x680
[ 27.819437] ? debug_object_activate+0x490/0x490
[ 27.824204] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 27.829633] kfree+0xb9/0x250
[ 27.832719] ? xps_cpus_show+0x620/0x620
[ 27.836756] kvfree+0x45/0x50
[ 27.839834] device_release+0x15f/0x1a0
[ 27.843782] ? dev_attr_show+0xc0/0xc0
[ 27.847643] kobject_put+0x251/0x550
[ 27.851331] put_device+0x1c/0x30
[ 27.854806] free_netdev+0x26f/0x360
[ 27.858529] rtnl_newlink+0x14cd/0x1830
[ 27.862484] ? rtnl_newlink+0x437/0x1830
[ 27.866530] ? __lock_acquire+0x5fc/0x3f20
[ 27.870746] ? trace_hardirqs_on+0x10/0x10
[ 27.874956] ? rtnl_dellink+0x6a0/0x6a0
[ 27.878919] ? trace_hardirqs_on+0x10/0x10
[ 27.883139] ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 27.888998] ? deref_stack_reg+0x124/0x1a0
[ 27.893230] ? lock_acquire+0x170/0x3f0
[ 27.897176] ? lock_downgrade+0x740/0x740
[ 27.901300] ? rtnl_dellink+0x6a0/0x6a0
[ 27.905247] rtnetlink_rcv_msg+0x3be/0xb10
[ 27.909478] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 27.913951] ? __netlink_lookup+0x345/0x5d0
[ 27.918247] netlink_rcv_skb+0x125/0x390
[ 27.922371] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 27.926839] ? netlink_ack+0x9a0/0x9a0
[ 27.930703] netlink_unicast+0x437/0x610
[ 27.934738] ? netlink_sendskb+0xd0/0xd0
[ 27.938772] ? __check_object_size+0x179/0x230
[ 27.943326] netlink_sendmsg+0x648/0xbc0
[ 27.947361] ? nlmsg_notify+0x1b0/0x1b0
[ 27.951310] ? kernel_recvmsg+0x210/0x210
[ 27.955433] ? security_socket_sendmsg+0x83/0xb0
[ 27.960171] ? nlmsg_notify+0x1b0/0x1b0
[ 27.964117] sock_sendmsg+0xb5/0x100
[ 27.967804] ___sys_sendmsg+0x6c8/0x800
[ 27.971863] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 27.976604] ? trace_hardirqs_on+0x10/0x10
[ 27.980812] ? trace_hardirqs_on+0x10/0x10
[ 27.985029] ? trace_hardirqs_on+0x10/0x10
[ 27.989237] ? __might_fault+0x104/0x1b0
[ 27.993272] ? lock_acquire+0x170/0x3f0
[ 27.997220] ? lock_downgrade+0x740/0x740
[ 28.001344] ? __might_fault+0x177/0x1b0
[ 28.005381] ? _copy_to_user+0x82/0xd0
[ 28.009251] ? move_addr_to_user+0x13f/0x180
[ 28.013641] ? __fdget+0x167/0x1f0
[ 28.017154] ? sockfd_lookup_light+0xb2/0x160
[ 28.021622] __sys_sendmsg+0xa3/0x120
[ 28.025399] ? SyS_shutdown+0x160/0x160
[ 28.029363] ? move_addr_to_kernel+0x60/0x60
[ 28.033743] ? __do_page_fault+0x159/0xad0
[ 28.037966] SyS_sendmsg+0x27/0x40
[ 28.041480] ? __sys_sendmsg+0x120/0x120
[ 28.045515] do_syscall_64+0x1d5/0x640
[ 28.049393] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.054556] RIP: 0033:0x7f8004db7509
[ 28.058238] RSP: 002b:00007ffd7833fbb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 28.065918] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8004db7509
[ 28.073164] RDX: 0000000020040000 RSI: 0000000020000080 RDI: 0000000000000004
[ 28.080409] RBP: 0000000000000003 R08: 000000000000000c R09: 65732f636f72702f
[ 28.087651] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f8004d7b490
[ 28.094895] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 28.102319]
[ 28.102321] ======================================================
[ 28.102323] WARNING: possible circular locking dependency detected
[ 28.102324] 4.14.281-syzkaller #0 Not tainted
[ 28.102326] ------------------------------------------------------
[ 28.102327] syz-executor355/7968 is trying to acquire lock:
[ 28.102328] ((console_sem).lock){....}, at: [] down_trylock+0xe/0x60
[ 28.102333]
[ 28.102334] but task is already holding lock:
[ 28.102334] (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x135/0x680
[ 28.102339]
[ 28.102340] which lock already depends on the new lock.
[ 28.102341]
[ 28.102341]
[ 28.102343] the existing dependency chain (in reverse order) is:
[ 28.102344]
[ 28.102344] -> #5 (&obj_hash[i].lock){-.-.}:
[ 28.102350] _raw_spin_lock_irqsave+0x8c/0xc0
[ 28.102352] debug_object_activate+0x10f/0x490
[ 28.102354] enqueue_hrtimer+0x22/0x3b0
[ 28.102356] hrtimer_start_range_ns+0x4a0/0x10b0
[ 28.102358] schedule_hrtimeout_range_clock+0x144/0x320
[ 28.102360] wait_task_inactive+0x469/0x520
[ 28.102362] __kthread_bind_mask+0x1f/0xb0
[ 28.102364] create_worker+0x437/0x6c0
[ 28.102366] workqueue_init+0x4ef/0x759
[ 28.102369] kernel_init_freeable+0x3ac/0x626
[ 28.102371] kernel_init+0xd/0x163
[ 28.102373] ret_from_fork+0x24/0x30
[ 28.102374]
[ 28.102375] -> #4 (hrtimer_bases.lock){-.-.}:
[ 28.102382] _raw_spin_lock_irqsave+0x8c/0xc0
[ 28.102384] hrtimer_start_range_ns+0x77/0x10b0
[ 28.102385] enqueue_task_rt+0x584/0xf30
[ 28.102387] __sched_setscheduler.constprop.0+0xe73/0x2640
[ 28.102388] sched_setscheduler+0xfa/0x150
[ 28.102389] watchdog_enable+0x11b/0x170
[ 28.102391] smpboot_thread_fn+0x40d/0x920
[ 28.102392] kthread+0x30d/0x420
[ 28.102393] ret_from_fork+0x24/0x30
[ 28.102394]
[ 28.102394] -> #3 (&rt_b->rt_runtime_lock){-...}:
[ 28.102398] _raw_spin_lock+0x2a/0x40
[ 28.102400] enqueue_task_rt+0x514/0xf30
[ 28.102401] __sched_setscheduler.constprop.0+0xe73/0x2640
[ 28.102402] sched_setscheduler+0xfa/0x150
[ 28.102404] watchdog_enable+0x11b/0x170
[ 28.102405] smpboot_thread_fn+0x40d/0x920
[ 28.102406] kthread+0x30d/0x420
[ 28.102407] ret_from_fork+0x24/0x30
[ 28.102408]
[ 28.102408] -> #2 (&rq->lock){-.-.}:
[ 28.102412] _raw_spin_lock+0x2a/0x40
[ 28.102414] task_fork_fair+0x63/0x550
[ 28.102415] sched_fork+0x39a/0xb60
[ 28.102416] copy_process.part.0+0x15b2/0x71c0
[ 28.102417] _do_fork+0x184/0xc80
[ 28.102418] kernel_thread+0x2f/0x40
[ 28.102419] rest_init+0x1f/0x2a3
[ 28.102421] start_kernel+0x750/0x770
[ 28.102422] secondary_startup_64+0xa5/0xb0
[ 28.102423]
[ 28.102423] -> #1 (&p->pi_lock){-.-.}:
[ 28.102427] _raw_spin_lock_irqsave+0x8c/0xc0
[ 28.102428] try_to_wake_up+0x6a/0x1100
[ 28.102430] up+0x75/0xb0
[ 28.102431] __up_console_sem+0xa9/0x1b0
[ 28.102432] console_unlock+0x531/0xf20
[ 28.102433] vt_ioctl+0x150a/0x1d50
[ 28.102434] tty_ioctl+0x50f/0x1430
[ 28.102435] do_vfs_ioctl+0x75a/0xff0
[ 28.102437] SyS_ioctl+0x7f/0xb0
[ 28.102438] do_syscall_64+0x1d5/0x640
[ 28.102439] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.102440]
[ 28.102440] -> #0 ((console_sem).lock){....}:
[ 28.102445] lock_acquire+0x170/0x3f0
[ 28.102446] _raw_spin_lock_irqsave+0x8c/0xc0
[ 28.102447] down_trylock+0xe/0x60
[ 28.102448] __down_trylock_console_sem+0x97/0x1e0
[ 28.102450] vprintk_emit+0x1ee/0x620
[ 28.102451] vprintk_func+0x58/0x160
[ 28.102452] printk+0x9e/0xbc
[ 28.102453] debug_print_object.cold+0xa7/0xdb
[ 28.102454] debug_check_no_obj_freed+0x3b7/0x680
[ 28.102455] kfree+0xb9/0x250
[ 28.102457] kvfree+0x45/0x50
[ 28.102458] device_release+0x15f/0x1a0
[ 28.102459] kobject_put+0x251/0x550
[ 28.102460] put_device+0x1c/0x30
[ 28.102461] free_netdev+0x26f/0x360
[ 28.102462] rtnl_newlink+0x14cd/0x1830
[ 28.102464] rtnetlink_rcv_msg+0x3be/0xb10
[ 28.102465] netlink_rcv_skb+0x125/0x390
[ 28.102466] netlink_unicast+0x437/0x610
[ 28.102467] netlink_sendmsg+0x648/0xbc0
[ 28.102468] sock_sendmsg+0xb5/0x100
[ 28.102470] ___sys_sendmsg+0x6c8/0x800
[ 28.102471] __sys_sendmsg+0xa3/0x120
[ 28.102472] SyS_sendmsg+0x27/0x40
[ 28.102473] do_syscall_64+0x1d5/0x640
[ 28.102474] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.102475]
[ 28.102476] other info that might help us debug this:
[ 28.102477]
[ 28.102478] Chain exists of:
[ 28.102479] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 28.102484]
[ 28.102485] Possible unsafe locking scenario:
[ 28.102486]
[ 28.102487]        CPU0                    CPU1
[ 28.102488]        ----                    ----
[ 28.102489]   lock(&obj_hash[i].lock);
[ 28.102492]                                lock(hrtimer_bases.lock);
[ 28.102495]                                lock(&obj_hash[i].lock);
[ 28.102497]   lock((console_sem).lock);
[ 28.102499]
[ 28.102500]  *** DEADLOCK ***
[ 28.102501]
[ 28.102502] 2 locks held by syz-executor355/7968:
[ 28.102503] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 28.102507] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x135/0x680
[ 28.102512]
[ 28.102513] stack backtrace:
[ 28.102515] CPU: 1 PID: 7968 Comm: syz-executor355 Not tainted 4.14.281-syzkaller #0
[ 28.102517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.102518] Call Trace:
[ 28.102519] dump_stack+0x1b2/0x281
[ 28.102521] print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 28.102522] __lock_acquire+0x2e0e/0x3f20
[ 28.102523] ? pointer+0x31f/0x9e0
[ 28.102524] ? trace_hardirqs_on+0x10/0x10
[ 28.102525] ? format_decode+0x1cb/0x890
[ 28.102526] ? unwind_next_frame+0xe54/0x17d0
[ 28.102528] ? check_preemption_disabled+0x35/0x240
[ 28.102529] ? kvm_clock_read+0x1f/0x30
[ 28.102530] ? kvm_sched_clock_read+0x5/0x10
[ 28.102531] ? sched_clock+0x2a/0x40
[ 28.102533] ? sched_clock_cpu+0x18/0x1b0
[ 28.102534] lock_acquire+0x170/0x3f0
[ 28.102535] ? down_trylock+0xe/0x60
[ 28.102536] ? vprintk_func+0x58/0x160
[ 28.102537] _raw_spin_lock_irqsave+0x8c/0xc0
[ 28.102538] ? down_trylock+0xe/0x60
[ 28.102539] down_trylock+0xe/0x60
[ 28.102541] ? vprintk_func+0x58/0x160
[ 28.102542] ? vprintk_func+0x58/0x160
[ 28.102543] __down_trylock_console_sem+0x97/0x1e0
[ 28.102544] vprintk_emit+0x1ee/0x620
[ 28.102545] vprintk_func+0x58/0x160
[ 28.102546] ? free_object+0xe4/0x240
[ 28.102547] printk+0x9e/0xbc
[ 28.102549] ? log_store.cold+0x16/0x16
[ 28.102550] ? lock_acquire+0x170/0x3f0
[ 28.102551] ? debug_check_no_obj_freed+0x135/0x680
[ 28.102552] ? execute_in_process_context+0x140/0x140
[ 28.102554] ? execute_in_process_context+0x140/0x140
[ 28.102555] debug_print_object.cold+0xa7/0xdb
[ 28.102556] debug_check_no_obj_freed+0x3b7/0x680
[ 28.102558] ? debug_object_activate+0x490/0x490
[ 28.102559] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 28.102560] kfree+0xb9/0x250
[ 28.102561] ? xps_cpus_show+0x620/0x620
[ 28.102562] kvfree+0x45/0x50
[ 28.102563] device_release+0x15f/0x1a0
[ 28.102565] ? dev_attr_show+0xc0/0xc0
[ 28.102566] kobject_put+0x251/0x550
[ 28.102567] put_device+0x1c/0x30
[ 28.102568] free_netdev+0x26f/0x360
[ 28.102569] rtnl_newlink+0x14cd/0x1830
[ 28.102570] ? rtnl_newlink+0x437/0x1830
[ 28.102571] ? __lock_acquire+0x5fc/0x3f20
[ 28.102572] ? trace_hardirqs_on+0x10/0x10
[ 28.102574] ? rtnl_dellink+0x6a0/0x6a0
[ 28.102575] ? trace_hardirqs_on+0x10/0x10
[ 28.102576] ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 28.102578] ? deref_stack_reg+0x124/0x1a0
[ 28.102579] ? lock_acquire+0x170/0x3f0
[ 28.102580] ? lock_downgrade+0x740/0x740
[ 28.102581] ? rtnl_dellink+0x6a0/0x6a0
[ 28.102582] rtnetlink_rcv_msg+0x3be/0xb10
[ 28.102584] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 28.102585] ? __netlink_lookup+0x345/0x5d0
[ 28.102586] netlink_rcv_skb+0x125/0x390
[ 28.102587] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 28.102588] ? netlink_ack+0x9a0/0x9a0
[ 28.102589] netlink_unicast+0x437/0x610
[ 28.102591] ? netlink_sendskb+0xd0/0xd0
[ 28.102592] ? __check_object_size+0x179/0x230
[ 28.102593] netlink_sendmsg+0x648/0xbc0
[ 28.102594] ? nlmsg_notify+0x1b0/0x1b0
[ 28.102596] ? kernel_recvmsg+0x210/0x210
[ 28.102597] ? security_socket_sendmsg+0x83/0xb0
[ 28.102598] ? nlmsg_notify+0x1b0/0x1b0
[ 28.102599] sock_sendmsg+0xb5/0x100
[ 28.102600] ___sys_sendmsg+0x6c8/0x800
[ 28.102602] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 28.102603] ? trace_hardirqs_on+0x10/0x10
[ 28.102604] ? trace_hardirqs_on+0x10/0x10
[ 28.102605] ? trace_hardirqs_on+0x10/0x10
[ 28.102607] ? __might_fault+0x104/0x1b0
[ 28.102608] ? lock_acquire+0x170/0x3f0
[ 28.102609] ? lock_downgrade+0x740/0x740
[ 28.102610] ? __might_fault+0x177/0x1b0
[ 28.102611] ? _copy_to_user+0x82/0xd0
[ 28.102612] ? move_addr_to_user+0x13f/0x180
[ 28.102614] ? __fdget+0x167/0x1f0
[ 28.102615] ? sockfd_lookup_light+0xb2/0x160
[ 28.102616] __sys_sendmsg+0xa3/0x120
[ 28.102617] ? SyS_shutdown+0x160/0x160
[ 28.102618] ? move_addr_to_kernel+0x60/0x60
[ 28.102620] ? __do_page_fault+0x159/0xad0
[ 28.102621] SyS_sendmsg+0x27/0x40
[ 28.102622] ? __sys_sendmsg+0x120/0x120
[ 28.102623] do_syscall_64+0x1d5/0x640
[ 28.102624] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.102625] RIP: 0033:0x7f8004db7509
[ 28.102627] RSP: 002b:00007ffd7833fbb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 28.102630] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8004db7509
[ 28.102632] RDX: 0000000020040000 RSI: 0000000020000080 RDI: 0000000000000004
[ 28.102633] RBP: 0000000000000003 R08: 000000000000000c R09: 65732f636f72702f
[ 28.102635] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f8004d7b490
[ 28.102637] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 28.102802] Kernel Offset: disabled
[ 29.078308] Rebooting in 86400 seconds..