[ 36.658399] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.44' (ECDSA) to the list of known hosts.
[ 42.162992] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.283464] audit: type=1400 audit(1585206649.648:36): avc: denied { map } for pid=7343 comm="syz-executor260" path="/root/syz-executor260695743" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 42.521070] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 43.436320] audit: type=1400 audit(1585206650.798:37): avc: denied { create } for pid=7344 comm="syz-executor260" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 43.454897] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[ 43.469431] ------------[ cut here ]------------
[ 43.474176] WARNING: CPU: 0 PID: 7346 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 43.484738] Kernel panic - not syncing: panic_on_warn set ...
[ 43.484738]
[ 43.492100] CPU: 0 PID: 7346 Comm: syz-executor260 Not tainted 4.14.174-syzkaller #0
[ 43.499958] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.509302] Call Trace:
[ 43.511875] dump_stack+0x13e/0x194
[ 43.515496] panic+0x1f9/0x42d
[ 43.518752] ? add_taint.cold+0x16/0x16
[ 43.522702] ? debug_print_object.cold+0xa7/0xdb
[ 43.527437] ? debug_print_object.cold+0xa7/0xdb
[ 43.532167] __warn.cold+0x2f/0x30
[ 43.535697] ? ist_end_non_atomic+0x10/0x10
[ 43.540008] ? debug_print_object.cold+0xa7/0xdb
[ 43.544863] report_bug+0x20a/0x248
[ 43.548487] do_error_trap+0x195/0x2d0
[ 43.552365] ? math_error+0x2d0/0x2d0
[ 43.556673] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.561502] invalid_op+0x1b/0x40
[ 43.564951] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 43.570292] RSP: 0018:ffff888094e97430 EFLAGS: 00010082
[ 43.575641] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[ 43.582889] RDX: 0000000000000000 RSI: ffffffff86ac07e0 RDI: ffffed10129d2e7c
[ 43.590139] RBP: ffffffff86ab5ee0 R08: 0000000000000055 R09: 0000000000000000
[ 43.597386] R10: fffffbfff14a8cd8 R11: ffff88808a926480 R12: 0000000000000000
[ 43.604633] R13: 0000000000000001 R14: 1ffff110129d2e90 R15: ffffffff87d84240
[ 43.612064] debug_object_activate+0x307/0x450
[ 43.616669] ? debug_object_free+0x390/0x390
[ 43.621246] ? find_held_lock+0x2d/0x110
[ 43.625288] ? route4_walk+0x450/0x450
[ 43.629155] __call_rcu.constprop.0+0x31/0x7e0
[ 43.634685] route4_change+0xb27/0x1c4d
[ 43.638641] ? route4_delete+0x760/0x760
[ 43.642692] ? route4_delete+0x760/0x760
[ 43.646740] tc_ctl_tfilter+0xf13/0x18e6
[ 43.650782] ? tfilter_notify+0x240/0x240
[ 43.654907] ? mutex_trylock+0x1a0/0x1a0
[ 43.658951] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 43.663350] ? tfilter_notify+0x240/0x240
[ 43.667473] rtnetlink_rcv_msg+0x3be/0xb10
[ 43.671689] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.676249] ? save_trace+0x290/0x290
[ 43.680026] ? save_trace+0x290/0x290
[ 43.683802] netlink_rcv_skb+0x127/0x370
[ 43.687839] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.692410] ? netlink_ack+0x980/0x980
[ 43.696290] netlink_unicast+0x437/0x620
[ 43.700335] ? netlink_attachskb+0x600/0x600
[ 43.704734] netlink_sendmsg+0x733/0xbe0
[ 43.708778] ? netlink_unicast+0x620/0x620
[ 43.713001] ? SYSC_sendto+0x2b0/0x2b0
[ 43.716868] ? security_socket_sendmsg+0x83/0xb0
[ 43.721610] ? netlink_unicast+0x620/0x620
[ 43.725824] sock_sendmsg+0xc5/0x100
[ 43.729519] ___sys_sendmsg+0x70a/0x840
[ 43.733488] ? trace_hardirqs_on+0x10/0x10
[ 43.737697] ? copy_msghdr_from_user+0x380/0x380
[ 43.742429] ? find_held_lock+0x2d/0x110
[ 43.746485] ? lock_downgrade+0x6e0/0x6e0
[ 43.750611] ? __fget+0x228/0x360
[ 43.754053] ? __fget_light+0x199/0x1f0
[ 43.758003] ? sockfd_lookup_light+0xb2/0x160
[ 43.762483] __sys_sendmsg+0xa3/0x120
[ 43.766260] ? SyS_shutdown+0x160/0x160
[ 43.770209] ? move_addr_to_kernel+0x60/0x60
[ 43.774593] SyS_sendmsg+0x27/0x40
[ 43.778119] ? __sys_sendmsg+0x120/0x120
[ 43.782157] do_syscall_64+0x1d5/0x640
[ 43.786022] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.791187] RIP: 0033:0x447319
[ 43.794353] RSP: 002b:00007fcc89f8ad98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 43.802036] RAX: ffffffffffffffda RBX: 00000000006dcc78 RCX: 0000000000447319
[ 43.809298] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
[ 43.816543] RBP: 00000000006dcc70 R08: 0000000000000000 R09: 0000000000000000
[ 43.823802] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc7c
[ 43.831049] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 43.838324]
[ 43.838326] ======================================================
[ 43.838328] WARNING: possible circular locking dependency detected
[ 43.838329] 4.14.174-syzkaller #0 Not tainted
[ 43.838331] ------------------------------------------------------
[ 43.838332] syz-executor260/7346 is trying to acquire lock:
[ 43.838333] ((console_sem).lock){-.-.}, at: [] down_trylock+0xe/0x60
[ 43.838337]
[ 43.838338] but task is already holding lock:
[ 43.838339] (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 43.838343]
[ 43.838345] which lock already depends on the new lock.
[ 43.838345]
[ 43.838346]
[ 43.838348] the existing dependency chain (in reverse order) is:
[ 43.838349]
[ 43.838349] -> #5 (&obj_hash[i].lock){-.-.}:
[ 43.838360] _raw_spin_lock_irqsave+0x8c/0xbf
[ 43.838361] debug_object_activate+0x10b/0x450
[ 43.838362] enqueue_hrtimer+0x22/0x3b0
[ 43.838364] hrtimer_start_range_ns+0x4e6/0x1060
[ 43.838365] schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 43.838367] wait_task_inactive+0x478/0x530
[ 43.838368] __kthread_bind_mask+0x1f/0xb0
[ 43.838369] create_worker+0x313/0x530
[ 43.838370] workqueue_init+0x55f/0x66e
[ 43.838372] kernel_init_freeable+0x2ab/0x526
[ 43.838373] kernel_init+0xd/0x15b
[ 43.838374] ret_from_fork+0x24/0x30
[ 43.838375]
[ 43.838375] -> #4 (hrtimer_bases.lock){-.-.}:
[ 43.838379] _raw_spin_lock_irqsave+0x8c/0xbf
[ 43.838381] lock_hrtimer_base.isra.0+0x6d/0x120
[ 43.838382] hrtimer_start_range_ns+0x7b/0x1060
[ 43.838383] enqueue_task_rt+0x94d/0xdb0
[ 43.838385] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 43.838386] _sched_setscheduler+0xf9/0x150
[ 43.838388] watchdog_enable+0xff/0x150
[ 43.838389] smpboot_thread_fn+0x40d/0x920
[ 43.838390] kthread+0x30d/0x420
[ 43.838391] ret_from_fork+0x24/0x30
[ 43.838392]
[ 43.838392] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 43.838396] _raw_spin_lock+0x2a/0x40
[ 43.838398] enqueue_task_rt+0x508/0xdb0
[ 43.838399] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 43.838401] _sched_setscheduler+0xf9/0x150
[ 43.838402] watchdog_enable+0xff/0x150
[ 43.838403] smpboot_thread_fn+0x40d/0x920
[ 43.838404] kthread+0x30d/0x420
[ 43.838406] ret_from_fork+0x24/0x30
[ 43.838406]
[ 43.838407] -> #2 (&rq->lock){-.-.}:
[ 43.838411] _raw_spin_lock+0x2a/0x40
[ 43.838412] task_fork_fair+0x63/0x5b0
[ 43.838413] sched_fork+0x39a/0xbd0
[ 43.838414] copy_process.part.0+0x15b7/0x6a70
[ 43.838416] _do_fork+0x180/0xc80
[ 43.838417] kernel_thread+0x2f/0x40
[ 43.838418] rest_init+0x1f/0x1d2
[ 43.838419] start_kernel+0x659/0x676
[ 43.838420] secondary_startup_64+0xa5/0xb0
[ 43.838421]
[ 43.838422] -> #1 (&p->pi_lock){-.-.}:
[ 43.838426] _raw_spin_lock_irqsave+0x8c/0xbf
[ 43.838427] try_to_wake_up+0x6a/0xef0
[ 43.838428] up+0x92/0xe0
[ 43.838429] __up_console_sem+0xa9/0x1b0
[ 43.838430] console_unlock+0x596/0xec0
[ 43.838432] vprintk_emit+0x1f8/0x600
[ 43.838433] vprintk_func+0x58/0x152
[ 43.838434] printk+0x9e/0xbc
[ 43.838435] kauditd_hold_skb.cold+0x3e/0x4d
[ 43.838437] kauditd_send_queue+0xfb/0x140
[ 43.838438] kauditd_thread+0x625/0x840
[ 43.838439] kthread+0x30d/0x420
[ 43.838440] ret_from_fork+0x24/0x30
[ 43.838441]
[ 43.838441] -> #0 ((console_sem).lock){-.-.}:
[ 43.838445] lock_acquire+0x170/0x3f0
[ 43.838447] _raw_spin_lock_irqsave+0x8c/0xbf
[ 43.838448] down_trylock+0xe/0x60
[ 43.838449] __down_trylock_console_sem+0x97/0x1f0
[ 43.838451] console_trylock+0x14/0x70
[ 43.838452] vprintk_emit+0x1ea/0x600
[ 43.838453] vprintk_func+0x58/0x152
[ 43.838454] printk+0x9e/0xbc
[ 43.838455] debug_print_object.cold+0xa7/0xdb
[ 43.838457] debug_object_activate+0x307/0x450
[ 43.838458] __call_rcu.constprop.0+0x31/0x7e0
[ 43.838459] route4_change+0xb27/0x1c4d
[ 43.838460] tc_ctl_tfilter+0xf13/0x18e6
[ 43.838462] rtnetlink_rcv_msg+0x3be/0xb10
[ 43.838463] netlink_rcv_skb+0x127/0x370
[ 43.838464] netlink_unicast+0x437/0x620
[ 43.838465] netlink_sendmsg+0x733/0xbe0
[ 43.838467] sock_sendmsg+0xc5/0x100
[ 43.838468] ___sys_sendmsg+0x70a/0x840
[ 43.838469] __sys_sendmsg+0xa3/0x120
[ 43.838470] SyS_sendmsg+0x27/0x40
[ 43.838471] do_syscall_64+0x1d5/0x640
[ 43.838473] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.838474]
[ 43.838475] other info that might help us debug this:
[ 43.838476]
[ 43.838476] Chain exists of:
[ 43.838477] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 43.838482]
[ 43.838484] Possible unsafe locking scenario:
[ 43.838484]
[ 43.838485]        CPU0                    CPU1
[ 43.838487]        ----                    ----
[ 43.838487]   lock(&obj_hash[i].lock);
[ 43.838490]                                lock(hrtimer_bases.lock);
[ 43.838493]                                lock(&obj_hash[i].lock);
[ 43.838495]   lock((console_sem).lock);
[ 43.838498]
[ 43.838499] *** DEADLOCK ***
[ 43.838499]
[ 43.838500] 2 locks held by syz-executor260/7346:
[ 43.838501] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 43.838506] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 43.838510]
[ 43.838511] stack backtrace:
[ 43.838513] CPU: 0 PID: 7346 Comm: syz-executor260 Not tainted 4.14.174-syzkaller #0
[ 43.838516] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.838517] Call Trace:
[ 43.838518] dump_stack+0x13e/0x194
[ 43.838519] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 43.838520] __lock_acquire+0x2cb3/0x4620
[ 43.838521] ? string+0x17e/0x1d0
[ 43.838523] ? trace_hardirqs_on+0x10/0x10
[ 43.838524] ? netdev_bits+0xa0/0xa0
[ 43.838525] ? kvm_clock_read+0x1f/0x30
[ 43.838526] ? kvm_sched_clock_read+0x5/0x10
[ 43.838527] lock_acquire+0x170/0x3f0
[ 43.838528] ? down_trylock+0xe/0x60
[ 43.838530] _raw_spin_lock_irqsave+0x8c/0xbf
[ 43.838531] ? down_trylock+0xe/0x60
[ 43.838532] down_trylock+0xe/0x60
[ 43.838533] ? vprintk_emit+0x1ea/0x600
[ 43.838534] __down_trylock_console_sem+0x97/0x1f0
[ 43.838536] console_trylock+0x14/0x70
[ 43.838537] vprintk_emit+0x1ea/0x600
[ 43.838538] vprintk_func+0x58/0x152
[ 43.838539] printk+0x9e/0xbc
[ 43.838540] ? show_regs_print_info+0x5b/0x5b
[ 43.838541] ? lock_acquire+0x170/0x3f0
[ 43.838543] ? debug_object_activate+0x10b/0x450
[ 43.838544] debug_print_object.cold+0xa7/0xdb
[ 43.838545] debug_object_activate+0x307/0x450
[ 43.838546] ? debug_object_free+0x390/0x390
[ 43.838548] ? find_held_lock+0x2d/0x110
[ 43.838549] ? route4_walk+0x450/0x450
[ 43.838550] __call_rcu.constprop.0+0x31/0x7e0
[ 43.838551] route4_change+0xb27/0x1c4d
[ 43.838552] ? route4_delete+0x760/0x760
[ 43.838554] ? route4_delete+0x760/0x760
[ 43.838555] tc_ctl_tfilter+0xf13/0x18e6
[ 43.838556] ? tfilter_notify+0x240/0x240
[ 43.838557] ? mutex_trylock+0x1a0/0x1a0
[ 43.838558] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 43.838560] ? tfilter_notify+0x240/0x240
[ 43.838561] rtnetlink_rcv_msg+0x3be/0xb10
[ 43.838562] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.838563] ? save_trace+0x290/0x290
[ 43.838564] ? save_trace+0x290/0x290
[ 43.838566] netlink_rcv_skb+0x127/0x370
[ 43.838567] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.838568] ? netlink_ack+0x980/0x980
[ 43.838569] netlink_unicast+0x437/0x620
[ 43.838570] ? netlink_attachskb+0x600/0x600
[ 43.838572] netlink_sendmsg+0x733/0xbe0
[ 43.838573] ? netlink_unicast+0x620/0x620
[ 43.838574] ? SYSC_sendto+0x2b0/0x2b0
[ 43.838575] ? security_socket_sendmsg+0x83/0xb0
[ 43.838577] ? netlink_unicast+0x620/0x620
[ 43.838578] sock_sendmsg+0xc5/0x100
[ 43.838579] ___sys_sendmsg+0x70a/0x840
[ 43.838580] ? trace_hardirqs_on+0x10/0x10
[ 43.838581] ? copy_msghdr_from_user+0x380/0x380
[ 43.838582] ? find_held_lock+0x2d/0x110
[ 43.838584] ? lock_downgrade+0x6e0/0x6e0
[ 43.838585] ? __fget+0x228/0x360
[ 43.838586] ? __fget_light+0x199/0x1f0
[ 43.838587] ? sockfd_lookup_light+0xb2/0x160
[ 43.838588] __sys_sendmsg+0xa3/0x120
[ 43.838590] ? SyS_shutdown+0x160/0x160
[ 43.838591] ? move_addr_to_kernel+0x60/0x60
[ 43.838592] SyS_sendmsg+0x27/0x40
[ 43.838593] ? __sys_sendmsg+0x120/0x120
[ 43.838594] do_syscall_64+0x1d5/0x640
[ 43.838596] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 43.838597] RIP: 0033:0x447319
[ 43.838598] RSP: 002b:00007fcc89f8ad98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 43.838605] RAX: ffffffffffffffda RBX: 00000000006dcc78 RCX: 0000000000447319
[ 43.838607] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
[ 43.838609] RBP: 00000000006dcc70 R08: 0000000000000000 R09: 0000000000000000
[ 43.838611] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc7c
[ 43.838612] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 44.962761] Shutting down cpus with NMI
[ 45.850550] Kernel Offset: disabled
[ 45.854181] Rebooting in 86400 seconds..