[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.57' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 42.046994] ODEBUG: free active (active state 1) object type: rcu_head hint: (null)
[ 42.056297] ------------[ cut here ]------------
[ 42.061028] WARNING: CPU: 1 PID: 7981 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 42.070005] Kernel panic - not syncing: panic_on_warn set ...
[ 42.070005]
[ 42.077345] CPU: 1 PID: 7981 Comm: syz-executor373 Not tainted 4.14.301-syzkaller #0
[ 42.085191] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 42.094515] Call Trace:
[ 42.097077] dump_stack+0x1b2/0x281
[ 42.100674] panic+0x1f9/0x42d
[ 42.103837] ? add_taint.cold+0x16/0x16
[ 42.107781] ? debug_print_object.cold+0xa7/0xdb
[ 42.112513] ? debug_print_object.cold+0xa7/0xdb
[ 42.117239] __warn.cold+0x20/0x44
[ 42.120750] ? ist_end_non_atomic+0x10/0x10
[ 42.125042] ? debug_print_object.cold+0xa7/0xdb
[ 42.129778] report_bug+0x208/0x250
[ 42.133387] do_error_trap+0x195/0x2d0
[ 42.137252] ? math_error+0x2d0/0x2d0
[ 42.141028] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.145846] invalid_op+0x1b/0x40
[ 42.149280] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 42.154612] RSP: 0018:ffff888091d471d8 EFLAGS: 00010086
[ 42.159945] RAX: 0000000000000051 RBX: 0000000000000003 RCX: 0000000000000000
[ 42.167280] RDX: 0000000000000000 RSI: ffffffff878bd020 RDI: ffffed10123a8e31
[ 42.174525] RBP: ffffffff878b2140 R08: 0000000000000051 R09: 0000000000000000
[ 42.181769] R10: 0000000000000000 R11: ffff8880a495e0c0 R12: 0000000000000000
[ 42.189014] R13: 0000000000000001 R14: ffff8880b34e37c0 R15: ffff8880a1859ab8
[ 42.196270] ? debug_print_object.cold+0xa7/0xdb
[ 42.200998] debug_check_no_obj_freed+0x3b7/0x680
[ 42.205816] ? debug_object_activate+0x490/0x490
[ 42.210545] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 42.215968] kfree+0xb9/0x250
[ 42.219046] __tcf_idr_release+0x202/0x260
[ 42.223253] tcf_sample_init+0x788/0x8c0
[ 42.227286] ? tcf_sample_cleanup_rcu+0x60/0x60
[ 42.232013] tcf_action_init_1+0x51a/0x9e0
[ 42.236220] ? tcf_action_dump_old+0x80/0x80
[ 42.240602] ? nla_parse+0x157/0x1f0
[ 42.244286] tcf_action_init+0x26d/0x400
[ 42.248318] ? tcf_action_init_1+0x9e0/0x9e0
[ 42.252701] ? memset+0x20/0x40
[ 42.255952] ? nla_parse+0x157/0x1f0
[ 42.259700] tc_ctl_action+0x2e3/0x510
[ 42.263557] ? tca_action_gd+0x790/0x790
[ 42.267588] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 42.271966] ? tca_action_gd+0x790/0x790
[ 42.275999] rtnetlink_rcv_msg+0x3be/0xb10
[ 42.280207] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 42.284689] ? __netlink_lookup+0x345/0x5d0
[ 42.288992] netlink_rcv_skb+0x125/0x390
[ 42.293029] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 42.297509] ? netlink_ack+0x9a0/0x9a0
[ 42.301379] netlink_unicast+0x437/0x610
[ 42.305417] ? netlink_sendskb+0xd0/0xd0
[ 42.309451] ? __check_object_size+0x179/0x230
[ 42.314024] netlink_sendmsg+0x648/0xbc0
[ 42.318082] ? nlmsg_notify+0x1b0/0x1b0
[ 42.322029] ? kernel_recvmsg+0x210/0x210
[ 42.326148] ? security_socket_sendmsg+0x83/0xb0
[ 42.330872] ? nlmsg_notify+0x1b0/0x1b0
[ 42.334820] sock_sendmsg+0xb5/0x100
[ 42.338502] ___sys_sendmsg+0x6c8/0x800
[ 42.342449] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 42.347178] ? lock_downgrade+0x740/0x740
[ 42.351295] ? __lru_cache_add+0x178/0x250
[ 42.355500] ? do_raw_spin_unlock+0x164/0x220
[ 42.359966] ? _raw_spin_unlock+0x29/0x40
[ 42.364086] ? do_huge_pmd_anonymous_page+0x72e/0x1700
[ 42.369333] ? prep_transhuge_page+0xa0/0xa0
[ 42.373713] ? _raw_spin_unlock+0x29/0x40
[ 42.377832] ? __pmd_alloc+0x27f/0x3f0
[ 42.381688] ? __handle_mm_fault+0x80f/0x4620
[ 42.386153] ? lock_downgrade+0x740/0x740
[ 42.390270] ? vm_insert_page+0x7c0/0x7c0
[ 42.394388] ? __fdget+0x167/0x1f0
[ 42.397900] ? sockfd_lookup_light+0xb2/0x160
[ 42.402365] __sys_sendmsg+0xa3/0x120
[ 42.406137] ? SyS_shutdown+0x160/0x160
[ 42.410082] ? up_read+0x17/0x30
[ 42.413420] ? __do_page_fault+0x159/0xad0
[ 42.417644] SyS_sendmsg+0x27/0x40
[ 42.421164] ? __sys_sendmsg+0x120/0x120
[ 42.425210] do_syscall_64+0x1d5/0x640
[ 42.429079] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 42.434263] RIP: 0033:0x7f8cc7aec259
[ 42.437942] RSP: 002b:00007ffc08c43628 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 42.445625] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8cc7aec259
[ 42.452867] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 42.460109] RBP: 00007f8cc7ab0240 R08: 0000000000000007 R09: 0000000000000000
[ 42.467348] R10: 000000000000000c R11: 0000000000000246 R12: 00007f8cc7ab02d0
[ 42.474590] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 42.481953]
[ 42.481955] ======================================================
[ 42.481957] WARNING: possible circular locking dependency detected
[ 42.481958] 4.14.301-syzkaller #0 Not tainted
[ 42.481960] ------------------------------------------------------
[ 42.481961] syz-executor373/7981 is trying to acquire lock:
[ 42.481962] ((console_sem).lock){....}, at: [] down_trylock+0xe/0x60
[ 42.481966]
[ 42.481967] but task is already holding lock:
[ 42.481968] (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x135/0x680
[ 42.481972]
[ 42.481974] which lock already depends on the new lock.
[ 42.481974]
[ 42.481975]
[ 42.481977] the existing dependency chain (in reverse order) is:
[ 42.481977]
[ 42.481978] -> #5 (&obj_hash[i].lock){-.-.}:
[ 42.481982] _raw_spin_lock_irqsave+0x8c/0xc0
[ 42.481984] debug_object_activate+0x10f/0x490
[ 42.481985] enqueue_hrtimer+0x22/0x3b0
[ 42.481987] hrtimer_start_range_ns+0x4a0/0x10b0
[ 42.481988] schedule_hrtimeout_range_clock+0x144/0x320
[ 42.481989] wait_task_inactive+0x469/0x520
[ 42.481991] __kthread_bind_mask+0x1f/0xb0
[ 42.481992] create_worker+0x437/0x6c0
[ 42.481993] workqueue_init+0x4ef/0x756
[ 42.481994] kernel_init_freeable+0x3ac/0x626
[ 42.481996] kernel_init+0xd/0x15d
[ 42.481997] ret_from_fork+0x24/0x30
[ 42.481997]
[ 42.481998] -> #4 (hrtimer_bases.lock){-.-.}:
[ 42.482002] _raw_spin_lock_irqsave+0x8c/0xc0
[ 42.482004] hrtimer_start_range_ns+0x77/0x10b0
[ 42.482005] enqueue_task_rt+0x584/0xf30
[ 42.482006] __sched_setscheduler.constprop.0+0xe73/0x2640
[ 42.482008] sched_setscheduler+0xfa/0x150
[ 42.482009] watchdog_enable+0x11b/0x170
[ 42.482010] smpboot_thread_fn+0x40d/0x920
[ 42.482011] kthread+0x30d/0x420
[ 42.482012] ret_from_fork+0x24/0x30
[ 42.482013]
[ 42.482014] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 42.482018] _raw_spin_lock+0x2a/0x40
[ 42.482019] enqueue_task_rt+0x514/0xf30
[ 42.482020] __sched_setscheduler.constprop.0+0xe73/0x2640
[ 42.482022] sched_setscheduler+0xfa/0x150
[ 42.482023] watchdog_enable+0x11b/0x170
[ 42.482024] smpboot_thread_fn+0x40d/0x920
[ 42.482025] kthread+0x30d/0x420
[ 42.482026] ret_from_fork+0x24/0x30
[ 42.482027]
[ 42.482028] -> #2 (&rq->lock){-.-.}:
[ 42.482032] _raw_spin_lock+0x2a/0x40
[ 42.482033] task_fork_fair+0x63/0x550
[ 42.482034] sched_fork+0x39a/0xb60
[ 42.482035] copy_process.part.0+0x15b2/0x71c0
[ 42.482036] _do_fork+0x184/0xc80
[ 42.482038] kernel_thread+0x2f/0x40
[ 42.482039] rest_init+0x1f/0x2a3
[ 42.482040] start_kernel+0x743/0x763
[ 42.482041] secondary_startup_64+0xa5/0xb0
[ 42.482042]
[ 42.482043] -> #1 (&p->pi_lock){-.-.}:
[ 42.482047] _raw_spin_lock_irqsave+0x8c/0xc0
[ 42.482048] try_to_wake_up+0x6a/0x1100
[ 42.482049] up+0x75/0xb0
[ 42.482050] __up_console_sem+0xa9/0x1b0
[ 42.482051] console_unlock+0x531/0xf20
[ 42.482053] vt_ioctl+0x12eb/0x1b90
[ 42.482054] tty_ioctl+0x50f/0x1430
[ 42.482055] do_vfs_ioctl+0x75a/0xff0
[ 42.482057] SyS_ioctl+0x7f/0xb0
[ 42.482059] do_syscall_64+0x1d5/0x640
[ 42.482061] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 42.482061]
[ 42.482062] -> #0 ((console_sem).lock){....}:
[ 42.482066] lock_acquire+0x170/0x3f0
[ 42.482067] _raw_spin_lock_irqsave+0x8c/0xc0
[ 42.482069] down_trylock+0xe/0x60
[ 42.482070] __down_trylock_console_sem+0x97/0x1e0
[ 42.482071] vprintk_emit+0x1ee/0x620
[ 42.482072] vprintk_func+0x58/0x160
[ 42.482073] printk+0x9e/0xbc
[ 42.482075] debug_print_object.cold+0xa7/0xdb
[ 42.482076] debug_check_no_obj_freed+0x3b7/0x680
[ 42.482078] kfree+0xb9/0x250
[ 42.482080] __tcf_idr_release+0x202/0x260
[ 42.482081] tcf_sample_init+0x788/0x8c0
[ 42.482082] tcf_action_init_1+0x51a/0x9e0
[ 42.482084] tcf_action_init+0x26d/0x400
[ 42.482085] tc_ctl_action+0x2e3/0x510
[ 42.482086] rtnetlink_rcv_msg+0x3be/0xb10
[ 42.482087] netlink_rcv_skb+0x125/0x390
[ 42.482089] netlink_unicast+0x437/0x610
[ 42.482090] netlink_sendmsg+0x648/0xbc0
[ 42.482091] sock_sendmsg+0xb5/0x100
[ 42.482092] ___sys_sendmsg+0x6c8/0x800
[ 42.482093] __sys_sendmsg+0xa3/0x120
[ 42.482094] SyS_sendmsg+0x27/0x40
[ 42.482096] do_syscall_64+0x1d5/0x640
[ 42.482097] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 42.482098]
[ 42.482099] other info that might help us debug this:
[ 42.482100]
[ 42.482101] Chain exists of:
[ 42.482101] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 42.482107]
[ 42.482108] Possible unsafe locking scenario:
[ 42.482109]
[ 42.482110]        CPU0                    CPU1
[ 42.482111]        ----                    ----
[ 42.482112]   lock(&obj_hash[i].lock);
[ 42.482115]                                lock(hrtimer_bases.lock);
[ 42.482118]                                lock(&obj_hash[i].lock);
[ 42.482120]   lock((console_sem).lock);
[ 42.482122]
[ 42.482123] *** DEADLOCK ***
[ 42.482124]
[ 42.482125] 2 locks held by syz-executor373/7981:
[ 42.482126] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 42.482130] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x135/0x680
[ 42.482135]
[ 42.482136] stack backtrace:
[ 42.482138] CPU: 1 PID: 7981 Comm: syz-executor373 Not tainted 4.14.301-syzkaller #0
[ 42.482140] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 42.482141] Call Trace:
[ 42.482142] dump_stack+0x1b2/0x281
[ 42.482143] print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 42.482145] __lock_acquire+0x2e0e/0x3f20
[ 42.482146] ? pointer+0x31f/0x9e0
[ 42.482147] ? trace_hardirqs_on+0x10/0x10
[ 42.482148] ? format_decode+0x1cb/0x890
[ 42.482150] ? check_preemption_disabled+0x35/0x240
[ 42.482151] ? kvm_clock_read+0x1f/0x30
[ 42.482152] ? kvm_sched_clock_read+0x5/0x10
[ 42.482153] ? sched_clock+0x2a/0x40
[ 42.482155] ? sched_clock_cpu+0x18/0x1b0
[ 42.482156] lock_acquire+0x170/0x3f0
[ 42.482157] ? down_trylock+0xe/0x60
[ 42.482158] ? vprintk_func+0x58/0x160
[ 42.482159] _raw_spin_lock_irqsave+0x8c/0xc0
[ 42.482160] ? down_trylock+0xe/0x60
[ 42.482162] down_trylock+0xe/0x60
[ 42.482163] ? vprintk_func+0x58/0x160
[ 42.482164] ? vprintk_func+0x58/0x160
[ 42.482165] __down_trylock_console_sem+0x97/0x1e0
[ 42.482166] vprintk_emit+0x1ee/0x620
[ 42.482168] vprintk_func+0x58/0x160
[ 42.482169] printk+0x9e/0xbc
[ 42.482170] ? log_store.cold+0x16/0x16
[ 42.482171] ? lock_acquire+0x170/0x3f0
[ 42.482173] ? debug_check_no_obj_freed+0x135/0x680
[ 42.482174] debug_print_object.cold+0xa7/0xdb
[ 42.482175] debug_check_no_obj_freed+0x3b7/0x680
[ 42.482177] ? debug_object_activate+0x490/0x490
[ 42.482178] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 42.482179] kfree+0xb9/0x250
[ 42.482180] __tcf_idr_release+0x202/0x260
[ 42.482182] tcf_sample_init+0x788/0x8c0
[ 42.482183] ? tcf_sample_cleanup_rcu+0x60/0x60
[ 42.482184] tcf_action_init_1+0x51a/0x9e0
[ 42.482185] ? tcf_action_dump_old+0x80/0x80
[ 42.482187] ? nla_parse+0x157/0x1f0
[ 42.482188] tcf_action_init+0x26d/0x400
[ 42.482189] ? tcf_action_init_1+0x9e0/0x9e0
[ 42.482190] ? memset+0x20/0x40
[ 42.482191] ? nla_parse+0x157/0x1f0
[ 42.482192] tc_ctl_action+0x2e3/0x510
[ 42.482194] ? tca_action_gd+0x790/0x790
[ 42.482195] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 42.482196] ? tca_action_gd+0x790/0x790
[ 42.482197] rtnetlink_rcv_msg+0x3be/0xb10
[ 42.482198] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 42.482200] ? __netlink_lookup+0x345/0x5d0
[ 42.482201] netlink_rcv_skb+0x125/0x390
[ 42.482202] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 42.482203] ? netlink_ack+0x9a0/0x9a0
[ 42.482205] netlink_unicast+0x437/0x610
[ 42.482206] ? netlink_sendskb+0xd0/0xd0
[ 42.482207] ? __check_object_size+0x179/0x230
[ 42.482208] netlink_sendmsg+0x648/0xbc0
[ 42.482210] ? nlmsg_notify+0x1b0/0x1b0
[ 42.482211] ? kernel_recvmsg+0x210/0x210
[ 42.482212] ? security_socket_sendmsg+0x83/0xb0
[ 42.482213] ? nlmsg_notify+0x1b0/0x1b0
[ 42.482214] sock_sendmsg+0xb5/0x100
[ 42.482216] ___sys_sendmsg+0x6c8/0x800
[ 42.482217] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 42.482218] ? lock_downgrade+0x740/0x740
[ 42.482219] ? __lru_cache_add+0x178/0x250
[ 42.482221] ? do_raw_spin_unlock+0x164/0x220
[ 42.482222] ? _raw_spin_unlock+0x29/0x40
[ 42.482224] ? do_huge_pmd_anonymous_page+0x72e/0x1700
[ 42.482225] ? prep_transhuge_page+0xa0/0xa0
[ 42.482226] ? _raw_spin_unlock+0x29/0x40
[ 42.482227] ? __pmd_alloc+0x27f/0x3f0
[ 42.482228] ? __handle_mm_fault+0x80f/0x4620
[ 42.482230] ? lock_downgrade+0x740/0x740
[ 42.482231] ? vm_insert_page+0x7c0/0x7c0
[ 42.482232] ? __fdget+0x167/0x1f0
[ 42.482233] ? sockfd_lookup_light+0xb2/0x160
[ 42.482234] __sys_sendmsg+0xa3/0x120
[ 42.482235] ? SyS_shutdown+0x160/0x160
[ 42.482237] ? up_read+0x17/0x30
[ 42.482238] ? __do_page_fault+0x159/0xad0
[ 42.482239] SyS_sendmsg+0x27/0x40
[ 42.482240] ? __sys_sendmsg+0x120/0x120
[ 42.482241] do_syscall_64+0x1d5/0x640
[ 42.482243] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 42.482244] RIP: 0033:0x7f8cc7aec259
[ 42.482245] RSP: 002b:00007ffc08c43628 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 42.482248] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8cc7aec259
[ 42.482250] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 42.482252] RBP: 00007f8cc7ab0240 R08: 0000000000000007 R09: 0000000000000000
[ 42.482254] R10: 000000000000000c R11: 0000000000000246 R12: 00007f8cc7ab02d0
[ 42.482256] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 42.482431] Kernel Offset: disabled
[ 43.430789] Rebooting in 86400 seconds..