[ ok ] Starting periodic command scheduler: cron.
[....] Starting OpenBSD Secure Shell server: sshd
[ 24.535481] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 27.146917] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.544551] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.120682] random: sshd: uninitialized urandom read (32 bytes read)
[ 28.306728] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.6' (ECDSA) to the list of known hosts.
[ 33.988863] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 34.104248] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 34.132611] ==================================================================
[ 34.141580] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0
[ 34.147805] Read of size 8 at addr ffff8801b6c70058 by task syz-executor937/4673
[ 34.155384]
[ 34.157039] CPU: 1 PID: 4673 Comm: syz-executor937 Not tainted 4.19.0-rc1+ #217
[ 34.164491] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.173913] Call Trace:
[ 34.176499]  dump_stack+0x1c9/0x2b4
[ 34.180129]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.185316]  ? printk+0xa7/0xcf
[ 34.188595]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 34.193348]  ? __schedule+0xf54/0x1df0
[ 34.197234]  print_address_description+0x6c/0x20b
[ 34.202085]  ? __schedule+0xf54/0x1df0
[ 34.205984]  kasan_report.cold.7+0x242/0x30d
[ 34.210388]  __asan_report_load8_noabort+0x14/0x20
[ 34.215341]  __schedule+0xf54/0x1df0
[ 34.219058]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 34.224170]  ? __sched_text_start+0x8/0x8
[ 34.228317]  ? __call_srcu+0x7e7/0x1040
[ 34.232296]  ? check_same_owner+0x340/0x340
[ 34.236614]  ? mark_held_locks+0x160/0x160
[ 34.240843]  ? find_held_lock+0x36/0x1c0
[ 34.244925]  preempt_schedule_common+0x22/0x60
[ 34.249505]  _cond_resched+0x1d/0x30
[ 34.253217]  wait_for_completion+0xa5/0x8d0
[ 34.257540]  ? wait_for_completion_interruptible+0x950/0x950
[ 34.263336]  ? __lockdep_init_map+0x105/0x590
[ 34.267943]  ? __init_waitqueue_head+0x9e/0x150
[ 34.272610]  ? init_wait_entry+0x1c0/0x1c0
[ 34.276846]  __synchronize_srcu+0x189/0x240
[ 34.281164]  ? call_srcu+0x10/0x10
[ 34.284704]  ? rcu_unexpedite_gp+0x20/0x20
[ 34.288939]  synchronize_srcu+0x335/0x56f
[ 34.293094]  ? lock_downgrade+0x8f0/0x8f0
[ 34.297255]  ? synchronize_srcu_expedited+0x20/0x20
[ 34.302272]  ? kasan_check_read+0x11/0x20
[ 34.306532]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 34.311121]  ? kasan_check_write+0x14/0x20
[ 34.315358]  ? do_raw_spin_lock+0xc1/0x200
[ 34.319593]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 34.325390]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 34.330878]  ? kvfree+0x61/0x70
[ 34.334160]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.339302]  kvm_mmu_uninit_vm+0x1c/0x20
[ 34.343360]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 34.347765]  ? kvm_arch_sync_events+0x30/0x30
[ 34.352259]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.357793]  ? mmu_notifier_unregister+0x474/0x600
[ 34.363035]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.367475]  ? kfree+0x111/0x210
[ 34.370842]  ? __mmu_notifier_register+0x30/0x30
[ 34.375645]  ? __free_pages+0x10a/0x190
[ 34.379615]  ? free_unref_page+0x930/0x930
[ 34.383851]  kvm_put_kvm+0x73f/0x1060
[ 34.387719]  ? kvm_write_guest_cached+0x40/0x40
[ 34.392399]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.396917]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.401438]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 34.406024]  ? kasan_check_write+0x14/0x20
[ 34.410270]  ? do_raw_spin_lock+0xc1/0x200
[ 34.414507]  ? kvm_irqfd_release+0xdd/0x120
[ 34.418938]  ? kvm_irqfd_release+0xdd/0x120
[ 34.423318]  ? kvm_put_kvm+0x1060/0x1060
[ 34.427380]  kvm_vm_release+0x42/0x50
[ 34.431182]  __fput+0x38a/0xa40
[ 34.434474]  ? __alloc_file+0x400/0x400
[ 34.438472]  ? check_same_owner+0x340/0x340
[ 34.442793]  ? kasan_check_write+0x14/0x20
[ 34.447046]  ? do_raw_spin_lock+0xc1/0x200
[ 34.451303]  ____fput+0x15/0x20
[ 34.454594]  task_work_run+0x1e8/0x2a0
[ 34.458492]  ? task_work_cancel+0x240/0x240
[ 34.462900]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.468472]  ? switch_task_namespaces+0xa2/0xd0
[ 34.473259]  do_exit+0x1ae4/0x26e0
[ 34.476803]  ? mm_update_next_owner+0x9a0/0x9a0
[ 34.481480]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 34.485787]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.490801]  ? kfree+0x1d7/0x210
[ 34.494169]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 34.498406]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 34.504261]  ? is_bpf_text_address+0xd7/0x170
[ 34.508761]  ? kernel_text_address+0x79/0xf0
[ 34.513179]  ? __kernel_text_address+0xd/0x40
[ 34.517680]  ? unwind_get_return_address+0x61/0xa0
[ 34.522612]  ? __save_stack_trace+0x8d/0xf0
[ 34.527025]  ? save_stack+0xa9/0xd0
[ 34.530672]  ? save_stack+0x43/0xd0
[ 34.534303]  ? __kasan_slab_free+0x11a/0x170
[ 34.538714]  ? kasan_slab_free+0xe/0x10
[ 34.542693]  ? putname+0xf2/0x130
[ 34.546150]  ? __x64_sys_openat+0x9d/0x100
[ 34.550390]  ? do_syscall_64+0x1b9/0x820
[ 34.554666]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.560038]  ? trace_hardirqs_off+0xb8/0x2b0
[ 34.564481]  ? kasan_check_read+0x11/0x20
[ 34.568635]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 34.573066]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.577495]  ? initcall_blacklisted+0x9a/0x1e0
[ 34.582100]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 34.587227]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 34.593116]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.598665]  ? do_vfs_ioctl+0x201/0x1720
[ 34.602731]  ? rcu_is_watching+0x8c/0x150
[ 34.606875]  ? trace_hardirqs_on+0xbd/0x2c0
[ 34.611199]  ? ioctl_preallocate+0x300/0x300
[ 34.615613]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.621154]  ? __fget_light+0x2f7/0x440
[ 34.625134]  ? fget_raw+0x20/0x20
[ 34.628592]  ? putname+0xf2/0x130
[ 34.632053]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.637191]  ? kmem_cache_free+0x246/0x280
[ 34.641455]  ? putname+0xf7/0x130
[ 34.645170]  do_group_exit+0x177/0x440
[ 34.649065]  ? trace_hardirqs_on+0xbd/0x2c0
[ 34.653396]  ? __ia32_sys_exit+0x50/0x50
[ 34.657487]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 34.662588]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.668126]  ? ksys_ioctl+0x81/0xd0
[ 34.671752]  __x64_sys_exit_group+0x3e/0x50
[ 34.676083]  do_syscall_64+0x1b9/0x820
[ 34.679987]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.685355]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 34.690350]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.695196]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 34.700285]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 34.705311]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.710164]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.715352] RIP: 0033:0x43ef08
[ 34.718544] Code: Bad RIP value.
[ 34.721902] RSP: 002b:00007ffd6a954f18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 34.729609] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08
[ 34.736872] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 34.744141] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 34.751407] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 34.758766] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 34.766042]
[ 34.767685] Allocated by task 4673:
[ 34.771314]  save_stack+0x43/0xd0
[ 34.774765]  kasan_kmalloc+0xc4/0xe0
[ 34.778479]  kasan_slab_alloc+0x12/0x20
[ 34.782481]  kmem_cache_alloc+0x12e/0x710
[ 34.786712]  vmx_create_vcpu+0xcf/0x2830
[ 34.790844]  kvm_arch_vcpu_create+0xe5/0x220
[ 34.795252]  kvm_vm_ioctl+0x488/0x1d80
[ 34.799140]  do_vfs_ioctl+0x1de/0x1720
[ 34.803110]  ksys_ioctl+0xa9/0xd0
[ 34.806576]  __x64_sys_ioctl+0x73/0xb0
[ 34.810477]  do_syscall_64+0x1b9/0x820
[ 34.814362]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.819539]
[ 34.821162] Freed by task 4673:
[ 34.824458]  save_stack+0x43/0xd0
[ 34.827910]  __kasan_slab_free+0x11a/0x170
[ 34.832140]  kasan_slab_free+0xe/0x10
[ 34.835938]  kmem_cache_free+0x86/0x280
[ 34.839922]  vmx_free_vcpu+0x26b/0x300
[ 34.843806]  kvm_arch_destroy_vm+0x365/0x7c0
[ 34.848211]  kvm_put_kvm+0x73f/0x1060
[ 34.852008]  kvm_vm_release+0x42/0x50
[ 34.855810]  __fput+0x38a/0xa40
[ 34.859172]  ____fput+0x15/0x20
[ 34.862506]  task_work_run+0x1e8/0x2a0
[ 34.866582]  do_exit+0x1ae4/0x26e0
[ 34.870122]  do_group_exit+0x177/0x440
[ 34.874006]  __x64_sys_exit_group+0x3e/0x50
[ 34.878356]  do_syscall_64+0x1b9/0x820
[ 34.882308]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.887644]
[ 34.889526] The buggy address belongs to the object at ffff8801b6c70040
[ 34.889526]  which belongs to the cache kvm_vcpu of size 23872
[ 34.902107] The buggy address is located 24 bytes inside of
[ 34.902107]  23872-byte region [ffff8801b6c70040, ffff8801b6c75d80)
[ 34.914076] The buggy address belongs to the page:
[ 34.919015] page:ffffea0006db1c00 count:1 mapcount:0 mapping:ffff8801d529ac00 index:0x0 compound_mapcount: 0
[ 34.928986] flags: 0x2fffc0000008100(slab|head)
[ 34.933652] raw: 02fffc0000008100 ffff8801d5294548 ffff8801d5294548 ffff8801d529ac00
[ 34.941594] raw: 0000000000000000 ffff8801b6c70040 0000000100000001 0000000000000000
[ 34.949466] page dumped because: kasan: bad access detected
[ 34.955170]
[ 34.956786] Memory state around the buggy address:
[ 34.961709]  ffff8801b6c6ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.969067]  ffff8801b6c6ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 34.976514] >ffff8801b6c70000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.983867]                                                     ^
[ 34.990181]  ffff8801b6c70080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.997545]  ffff8801b6c70100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.004894] ==================================================================
[ 35.012246] Kernel panic - not syncing: panic_on_warn set ...
[ 35.012246]
[ 35.019605] CPU: 1 PID: 4673 Comm: syz-executor937 Tainted: G B 4.19.0-rc1+ #217
[ 35.028455] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.037921] Call Trace:
[ 35.040579]  dump_stack+0x1c9/0x2b4
[ 35.044205]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.049393]  ? lock_downgrade+0x8f0/0x8f0
[ 35.053566]  ? __schedule+0xf54/0x1df0
[ 35.057470]  panic+0x238/0x4e7
[ 35.060709]  ? add_taint.cold.5+0x16/0x16
[ 35.064858]  ? print_shadow_for_address+0xba/0x116
[ 35.069783]  ? trace_hardirqs_off+0xaf/0x2b0
[ 35.074186]  ? trace_hardirqs_off+0x77/0x2b0
[ 35.078592]  ? __schedule+0xf54/0x1df0
[ 35.082476]  kasan_end_report+0x47/0x4f
[ 35.086469]  kasan_report.cold.7+0x76/0x30d
[ 35.090787]  __asan_report_load8_noabort+0x14/0x20
[ 35.095712]  __schedule+0xf54/0x1df0
[ 35.099445]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 35.104612]  ? __sched_text_start+0x8/0x8
[ 35.108767]  ? __call_srcu+0x7e7/0x1040
[ 35.112744]  ? check_same_owner+0x340/0x340
[ 35.117079]  ? mark_held_locks+0x160/0x160
[ 35.121384]  ? find_held_lock+0x36/0x1c0
[ 35.125475]  preempt_schedule_common+0x22/0x60
[ 35.130065]  _cond_resched+0x1d/0x30
[ 35.133789]  wait_for_completion+0xa5/0x8d0
[ 35.138118]  ? wait_for_completion_interruptible+0x950/0x950
[ 35.143914]  ? __lockdep_init_map+0x105/0x590
[ 35.148453]  ? __init_waitqueue_head+0x9e/0x150
[ 35.153127]  ? init_wait_entry+0x1c0/0x1c0
[ 35.157361]  __synchronize_srcu+0x189/0x240
[ 35.161676]  ? call_srcu+0x10/0x10
[ 35.165215]  ? rcu_unexpedite_gp+0x20/0x20
[ 35.169552]  synchronize_srcu+0x335/0x56f
[ 35.173695]  ? lock_downgrade+0x8f0/0x8f0
[ 35.177905]  ? synchronize_srcu_expedited+0x20/0x20
[ 35.182922]  ? kasan_check_read+0x11/0x20
[ 35.187077]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 35.191684]  ? kasan_check_write+0x14/0x20
[ 35.195913]  ? do_raw_spin_lock+0xc1/0x200
[ 35.200149]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 35.205855]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 35.211439]  ? kvfree+0x61/0x70
[ 35.214723]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.219735]  kvm_mmu_uninit_vm+0x1c/0x20
[ 35.223791]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 35.228197]  ? kvm_arch_sync_events+0x30/0x30
[ 35.232873]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.238407]  ? mmu_notifier_unregister+0x474/0x600
[ 35.243365]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.247823]  ? kfree+0x111/0x210
[ 35.251189]  ? __mmu_notifier_register+0x30/0x30
[ 35.255945]  ? __free_pages+0x10a/0x190
[ 35.259921]  ? free_unref_page+0x930/0x930
[ 35.264158]  kvm_put_kvm+0x73f/0x1060
[ 35.267961]  ? kvm_write_guest_cached+0x40/0x40
[ 35.272629]  ? _raw_spin_unlock_irq+0x27/0x70
[ 35.277132]  ? _raw_spin_unlock_irq+0x27/0x70
[ 35.281625]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 35.286207]  ? kasan_check_write+0x14/0x20
[ 35.290464]  ? do_raw_spin_lock+0xc1/0x200
[ 35.294700]  ? kvm_irqfd_release+0xdd/0x120
[ 35.299017]  ? kvm_irqfd_release+0xdd/0x120
[ 35.303347]  ? kvm_put_kvm+0x1060/0x1060
[ 35.307404]  kvm_vm_release+0x42/0x50
[ 35.311233]  __fput+0x38a/0xa40
[ 35.314511]  ? __alloc_file+0x400/0x400
[ 35.318486]  ? check_same_owner+0x340/0x340
[ 35.322805]  ? kasan_check_write+0x14/0x20
[ 35.327128]  ? do_raw_spin_lock+0xc1/0x200
[ 35.331373]  ____fput+0x15/0x20
[ 35.334651]  task_work_run+0x1e8/0x2a0
[ 35.338541]  ? task_work_cancel+0x240/0x240
[ 35.342872]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.348448]  ? switch_task_namespaces+0xa2/0xd0
[ 35.353138]  do_exit+0x1ae4/0x26e0
[ 35.356685]  ? mm_update_next_owner+0x9a0/0x9a0
[ 35.361354]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 35.365588]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.370645]  ? kfree+0x1d7/0x210
[ 35.374007]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 35.378236]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 35.383941]  ? is_bpf_text_address+0xd7/0x170
[ 35.388444]  ? kernel_text_address+0x79/0xf0
[ 35.392844]  ? __kernel_text_address+0xd/0x40
[ 35.397344]  ? unwind_get_return_address+0x61/0xa0
[ 35.402263]  ? __save_stack_trace+0x8d/0xf0
[ 35.406578]  ? save_stack+0xa9/0xd0
[ 35.410189]  ? save_stack+0x43/0xd0
[ 35.413797]  ? __kasan_slab_free+0x11a/0x170
[ 35.418189]  ? kasan_slab_free+0xe/0x10
[ 35.422149]  ? putname+0xf2/0x130
[ 35.425586]  ? __x64_sys_openat+0x9d/0x100
[ 35.429808]  ? do_syscall_64+0x1b9/0x820
[ 35.433853]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.439200]  ? trace_hardirqs_off+0xb8/0x2b0
[ 35.443591]  ? kasan_check_read+0x11/0x20
[ 35.447725]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 35.452116]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.456511]  ? initcall_blacklisted+0x9a/0x1e0
[ 35.461082]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 35.466172]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 35.471869]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.477392]  ? do_vfs_ioctl+0x201/0x1720
[ 35.481450]  ? rcu_is_watching+0x8c/0x150
[ 35.485584]  ? trace_hardirqs_on+0xbd/0x2c0
[ 35.489892]  ? ioctl_preallocate+0x300/0x300
[ 35.494285]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.499808]  ? __fget_light+0x2f7/0x440
[ 35.503768]  ? fget_raw+0x20/0x20
[ 35.507204]  ? putname+0xf2/0x130
[ 35.510642]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.515643]  ? kmem_cache_free+0x246/0x280
[ 35.519874]  ? putname+0xf7/0x130
[ 35.523313]  do_group_exit+0x177/0x440
[ 35.527184]  ? trace_hardirqs_on+0xbd/0x2c0
[ 35.531490]  ? __ia32_sys_exit+0x50/0x50
[ 35.535533]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 35.540630]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.546153]  ? ksys_ioctl+0x81/0xd0
[ 35.549764]  __x64_sys_exit_group+0x3e/0x50
[ 35.554075]  do_syscall_64+0x1b9/0x820
[ 35.557962]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.563309]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 35.568221]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.573056]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 35.578069]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 35.583076]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.587907]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.593082] RIP: 0033:0x43ef08
[ 35.596259] Code: Bad RIP value.
[ 35.599607] RSP: 002b:00007ffd6a954f18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 35.607306] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08
[ 35.614557] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 35.621809] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 35.629067] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 35.636322] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 35.643579]
[ 35.643583] ======================================================
[ 35.643586] WARNING: possible circular locking dependency detected
[ 35.643589] 4.19.0-rc1+ #217 Not tainted
[ 35.643592] ------------------------------------------------------
[ 35.643595] syz-executor937/4673 is trying to acquire lock:
[ 35.643597] 00000000644a62da ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 35.643606]
[ 35.643608] but task is already holding lock:
[ 35.643610] 00000000a74c6b98 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 35.643618]
[ 35.643621] which lock already depends on the new lock.
[ 35.643622]
[ 35.643623]
[ 35.643626] the existing dependency chain (in reverse order) is:
[ 35.643627]
[ 35.643629] -> #3 (report_lock){....}:
[ 35.643637]        _raw_spin_lock_irqsave+0x96/0xc0
[ 35.643639]        kasan_report+0x8e/0x110
[ 35.643642]        __asan_report_load8_noabort+0x14/0x20
[ 35.643644]        __schedule+0xf54/0x1df0
[ 35.643647]        preempt_schedule_common+0x22/0x60
[ 35.643649]        _cond_resched+0x1d/0x30
[ 35.643652]        wait_for_completion+0xa5/0x8d0
[ 35.643654]        __synchronize_srcu+0x189/0x240
[ 35.643657]        synchronize_srcu+0x335/0x56f
[ 35.643660]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 35.643662]        kvm_mmu_uninit_vm+0x1c/0x20
[ 35.643665]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 35.643667]        kvm_put_kvm+0x73f/0x1060
[ 35.643670]        kvm_vm_release+0x42/0x50
[ 35.643672]        __fput+0x38a/0xa40
[ 35.643674]        ____fput+0x15/0x20
[ 35.643676]        task_work_run+0x1e8/0x2a0
[ 35.643678]        do_exit+0x1ae4/0x26e0
[ 35.643681]        do_group_exit+0x177/0x440
[ 35.643683]        __x64_sys_exit_group+0x3e/0x50
[ 35.643685]        do_syscall_64+0x1b9/0x820
[ 35.643688]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.643690]
[ 35.643691] -> #2 (&rq->lock){-.-.}:
[ 35.643699]        _raw_spin_lock+0x2a/0x40
[ 35.643701]        task_fork_fair+0x93/0x680
[ 35.643703]        sched_fork+0x44b/0xbd0
[ 35.643705]        copy_process+0x235e/0x7ad0
[ 35.643708]        _do_fork+0x1ca/0x1170
[ 35.643710]        kernel_thread+0x34/0x40
[ 35.643712]        rest_init+0x22/0xe4
[ 35.643714]        start_kernel+0x913/0x94e
[ 35.643717]        x86_64_start_reservations+0x29/0x2b
[ 35.643719]        x86_64_start_kernel+0x76/0x79
[ 35.643722]        secondary_startup_64+0xa4/0xb0
[ 35.643723]
[ 35.643724] -> #1 (&p->pi_lock){-.-.}:
[ 35.643732]        _raw_spin_lock_irqsave+0x96/0xc0
[ 35.643735]        try_to_wake_up+0xd2/0x1250
[ 35.643737]        wake_up_process+0x10/0x20
[ 35.643739]        __up.isra.1+0x1c0/0x2a0
[ 35.643741]        up+0x13c/0x1c0
[ 35.643744]        __up_console_sem+0xbe/0x1b0
[ 35.643746]        console_unlock+0x506/0x10d0
[ 35.643748]        vprintk_emit+0x33a/0x910
[ 35.643750]        vprintk_default+0x28/0x30
[ 35.643753]        vprintk_func+0x7a/0x117
[ 35.643755]        printk+0xa7/0xcf
[ 35.643757]        load_umh+0x51/0xbd
[ 35.643759]        do_one_initcall+0x127/0x838
[ 35.643762]        kernel_init_freeable+0x4bb/0x5ae
[ 35.643764]        kernel_init+0x11/0x1b3
[ 35.643766]        ret_from_fork+0x3a/0x50
[ 35.643767]
[ 35.643768] -> #0 ((console_sem).lock){-...}:
[ 35.643777]        lock_acquire+0x1e4/0x4f0
[ 35.643779]        _raw_spin_lock_irqsave+0x96/0xc0
[ 35.643781]        down_trylock+0x13/0x70
[ 35.643784]        __down_trylock_console_sem+0xae/0x200
[ 35.643786]        console_trylock+0x15/0xa0
[ 35.643789]        vprintk_emit+0x31f/0x910
[ 35.643791]        vprintk_default+0x28/0x30
[ 35.643793]        vprintk_func+0x7a/0x117
[ 35.643795]        printk+0xa7/0xcf
[ 35.643798]        kasan_report+0x9e/0x110
[ 35.643800]        __asan_report_load8_noabort+0x14/0x20
[ 35.643803]        __schedule+0xf54/0x1df0
[ 35.643805]        preempt_schedule_common+0x22/0x60
[ 35.643808]        _cond_resched+0x1d/0x30
[ 35.643810]        wait_for_completion+0xa5/0x8d0
[ 35.643813]        __synchronize_srcu+0x189/0x240
[ 35.643815]        synchronize_srcu+0x335/0x56f
[ 35.643818]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 35.643820]        kvm_mmu_uninit_vm+0x1c/0x20
[ 35.643823]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 35.643825]        kvm_put_kvm+0x73f/0x1060
[ 35.643828]        kvm_vm_release+0x42/0x50
[ 35.643830]        __fput+0x38a/0xa40
[ 35.643832]        ____fput+0x15/0x20
[ 35.643834]        task_work_run+0x1e8/0x2a0
[ 35.643836]        do_exit+0x1ae4/0x26e0
[ 35.643839]        do_group_exit+0x177/0x440
[ 35.643841]        __x64_sys_exit_group+0x3e/0x50
[ 35.643843]        do_syscall_64+0x1b9/0x820
[ 35.643846]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.643847]
[ 35.643850] other info that might help us debug this:
[ 35.643851]
[ 35.643853] Chain exists of:
[ 35.643854]   (console_sem).lock --> &rq->lock --> report_lock
[ 35.643864]
[ 35.643867]  Possible unsafe locking scenario:
[ 35.643868]
[ 35.643870]        CPU0                    CPU1
[ 35.643873]        ----                    ----
[ 35.643874]   lock(report_lock);
[ 35.643879]                                lock(&rq->lock);
[ 35.643884]                                lock(report_lock);
[ 35.643889]   lock((console_sem).lock);
[ 35.643893]
[ 35.643895]  *** DEADLOCK ***
[ 35.643896]
[ 35.643899] 2 locks held by syz-executor937/4673:
[ 35.643900]  #0: 0000000000828e66 (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0
[ 35.643910]  #1: 00000000a74c6b98 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 35.643919]
[ 35.643921] stack backtrace:
[ 35.643924] CPU: 1 PID: 4673 Comm: syz-executor937 Not tainted 4.19.0-rc1+ #217
[ 35.643929] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.643931] Call Trace:
[ 35.643933]  dump_stack+0x1c9/0x2b4
[ 35.643935]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.643938]  ? vprintk_func+0x100/0x117
[ 35.643941]  print_circular_bug.isra.34.cold.55+0x1bd/0x27d
[ 35.643943]  ? save_trace+0xe0/0x290
[ 35.643945]  __lock_acquire+0x3449/0x5020
[ 35.643947]  ? mark_held_locks+0x160/0x160
[ 35.643955]  ? mark_held_locks+0x160/0x160
[ 35.643958]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 35.643961]  ? is_bpf_text_address+0xd7/0x170
[ 35.643963]  ? kernel_text_address+0x79/0xf0
[ 35.643965]  ? __kernel_text_address+0xd/0x40
[ 35.643968]  ? __save_stack_trace+0x8d/0xf0
[ 35.643971]  ? add_lock_to_list.isra.27+0x1ec/0x4b0
[ 35.643973]  ? save_trace+0x290/0x290
[ 35.643975]  ? save_stack_trace+0x1a/0x20
[ 35.643977]  ? save_trace+0xe0/0x290
[ 35.643979]  ? graph_lock+0x170/0x170
[ 35.643982]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.643984]  lock_acquire+0x1e4/0x4f0
[ 35.643987]  ? down_trylock+0x13/0x70
[ 35.643989]  ? lock_release+0x9f0/0x9f0
[ 35.643991]  ? trace_hardirqs_off+0xb8/0x2b0
[ 35.643994]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.643996]  ? trace_hardirqs_off+0xb8/0x2b0
[ 35.643998]  ? log_store+0x34f/0x4c0
[ 35.644001]  ? vprintk_emit+0x31f/0x910
[ 35.644003]  _raw_spin_lock_irqsave+0x96/0xc0
[ 35.644005]  ? down_trylock+0x13/0x70
[ 35.644008]  down_trylock+0x13/0x70
[ 35.644010]  __down_trylock_console_sem+0xae/0x200
[ 35.644013]  console_trylock+0x15/0xa0
[ 35.644015]  vprintk_emit+0x31f/0x910
[ 35.644017]  ? wake_up_klogd+0x110/0x110
[ 35.644020]  ? run_rebalance_domains+0x4c0/0x4c0
[ 35.644022]  ? kasan_check_read+0x11/0x20
[ 35.644025]  ? rcu_is_watching+0x8c/0x150
[ 35.644029]  ? rcu_pm_notify+0xc0/0xc0
[ 35.644032]  ? lock_acquire+0x1e4/0x4f0
[ 35.644036]  ? kasan_report+0x8e/0x110
[ 35.644040]  ? __schedule+0xf54/0x1df0
[ 35.644044]  vprintk_default+0x28/0x30
[ 35.644048]  vprintk_func+0x7a/0x117
[ 35.644051]  printk+0xa7/0xcf
[ 35.644056]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 35.644060]  ? kasan_check_write+0x14/0x20
[ 35.644064]  ? do_raw_spin_lock+0xc1/0x200
[ 35.644068]  ? do_raw_spin_lock+0xc1/0x200
[ 35.644070]  kasan_report+0x9e/0x110
[ 35.644073]  __asan_report_load8_noabort+0x14/0x20
[ 35.644075]  __schedule+0xf54/0x1df0
[ 35.644078]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 35.644080]  ? __sched_text_start+0x8/0x8
[ 35.644082]  ? __call_srcu+0x7e7/0x1040
[ 35.644085]  ? check_same_owner+0x340/0x340
[ 35.644087]  ? mark_held_locks+0x160/0x160
[ 35.644090]  ? find_held_lock+0x36/0x1c0
[ 35.644092]  preempt_schedule_common+0x22/0x60
[ 35.644094]  _cond_resched+0x1d/0x30
[ 35.644097]  wait_for_completion+0xa5/0x8d0
[ 35.644100]  ? wait_for_completion_interruptible+0x950/0x950
[ 35.644102]  ? __lockdep_init_map+0x105/0x590
[ 35.644105]  ? __init_waitqueue_head+0x9e/0x150
[ 35.644107]  ? init_wait_entry+0x1c0/0x1c0
[ 35.644110]  __synchronize_srcu+0x189/0x240
[ 35.644112]  ? call_srcu+0x10/0x10
[ 35.644114]  ? rcu_unexpedite_gp+0x20/0x20
[ 35.644116]  synchronize_srcu+0x335/0x56f
[ 35.644119]  ? lock_downgrade+0x8f0/0x8f0
[ 35.644122]  ? synchronize_srcu_expedited+0x20/0x20
[ 35.644124]  ? kasan_check_read+0x11/0x20
[ 35.644126]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 35.644129]  ? kasan_check_write+0x14/0x20
[ 35.644131]  ? do_raw_spin_lock+0xc1/0x200
[ 35.644134]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 35.644137]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 35.644139]  ? kvfree+0x61/0x70
[ 35.644142]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.644144]  kvm_mmu_uninit_vm+0x1c/0x20
[ 35.644147]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 35.644149]  ? kvm_arch_sync_events+0x30/0x30
[ 35.644152]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.644155]  ? mmu_notifier_unregister+0x474/0x600
[ 35.644157]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.644159]  ? kfree+0x111/0x210
[ 35.644162]  ? __mmu_notifier_register+0x30/0x30
[ 35.644164]  ? __free_pages+0x10a/0x190
[ 35.644167]  ? free_unref_page+0x930/0x930
[ 35.644169]  kvm_put_kvm+0x73f/0x1060
[ 35.644171]  ? kvm_write_guest_cached+0x40/0x40
[ 35.644174]  ? _raw_spin_unlock_irq+0x27/0x70
[ 35.644176]  ? _raw_spin_unlock_irq+0x27/0x70
[ 35.644179]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 35.644181]  ? kasan_check_write+0x14/0x20
[ 35.644183]  ? do_raw_spin_lock+0xc1/0x200
[ 35.644186]  ? kvm_irqfd_release+0xdd/0x120
[ 35.644188]  ? kvm_irqfd_release+0xdd/0x120
[ 35.644190]  ? kvm_put_kvm+0x1060/0x1060
[ 35.644192]  kvm_vm_release+0x42/0x50
[ 35.644194]  __fput+0x38a/0xa40
[ 35.644197]  ? __alloc_file+0x400/0x400
[ 35.644199]  ? check_same_owner+0x340/0x340
[ 35.644201]  ? kasan_check_write+0x14/0x20
[ 35.644204]  ? do_raw_spin_lock+0xc1/0x200
[ 35.644206]  ____fput+0x15/0x20
[ 35.644208]  task_work_run+0x1e8/0x2a0
[ 35.644210]  ? task_work_cancel+0x240/0x240
[ 35.644213]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.644216]  ? switch_task_namespaces+0xa2/0xd0
[ 35.644218]  do_exit+0x1ae4/0x26e0
[ 35.644220]  ? mm_update_next_owner+0x9a0/0x9a0
[ 35.644223]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 35.644225]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.644227]  ? kfree+0x1d7/0x210
[ 35.644230]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 35.644232]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 35.644235]  ? is_bpf_text_address+0xd7/0x170
[ 35.644236]  ?
[ 35.644241] Lost 54 message(s)!
[ 35.644571] Dumping ftrace buffer:
[ 36.700822]    (ftrace buffer empty)
[ 36.704513] Kernel Offset: disabled
[ 36.708121] Rebooting in 86400 seconds..