[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.
[ 30.859184] kauditd_printk_skb: 9 callbacks suppressed
[ 30.859196] audit: type=1800 audit(1540928216.885:33): pid=5665 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 30.886062] audit: type=1800 audit(1540928216.885:34): pid=5665 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 55.732454] audit: type=1400 audit(1540928241.765:35): avc: denied { map } for pid=5843 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts.
executing program
[ 62.474374] audit: type=1400 audit(1540928248.505:36): avc: denied { map } for pid=5855 comm="syz-executor922" path="/root/syz-executor922256841" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 62.484821] FAULT_INJECTION: forcing a failure.
[ 62.484821] name failslab, interval 1, probability 0, space 0, times 1
[ 62.511854] CPU: 1 PID: 5855 Comm: syz-executor922 Not tainted 4.19.0+ #90
[ 62.518844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.528194] Call Trace:
[ 62.530794] dump_stack+0x244/0x39d
[ 62.534406] ? dump_stack_print_info.cold.1+0x20/0x20
[ 62.539579] ? mark_held_locks+0x130/0x130
[ 62.543796] ? kasan_check_read+0x11/0x20
[ 62.547925] should_fail.cold.4+0xa/0x17
[ 62.551967] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 62.557051] ? kasan_check_read+0x11/0x20
[ 62.561180] ? __lock_acquire+0x2aff/0x4c20
[ 62.565487] ? mark_held_locks+0x130/0x130
[ 62.569722] ? lock_acquire+0x1ed/0x520
[ 62.573680] ? n_tty_receive_buf_common+0x1187/0x2cb0
[ 62.578852] ? lock_release+0xa00/0xa00
[ 62.582805] ? perf_trace_sched_process_exec+0x860/0x860
[ 62.588236] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 62.593786] __should_failslab+0x124/0x180
[ 62.598021] should_failslab+0x9/0x14
[ 62.601802] __kmalloc+0x70/0x760
[ 62.605234] ? n_tty_receive_buf_common+0x1187/0x2cb0
[ 62.610404] ? __tty_buffer_request_room+0x2da/0x810
[ 62.615503] __tty_buffer_request_room+0x2da/0x810
[ 62.620414] ? tty_buffer_free+0x160/0x160
[ 62.624651] ? lock_acquire+0x1ed/0x520
[ 62.628615] ? pty_write+0xf9/0x1f0
[ 62.632259] ? kasan_check_read+0x11/0x20
[ 62.636390] ? do_raw_spin_lock+0x14f/0x350
[ 62.640696] tty_insert_flip_string_fixed_flag+0x88/0x1f0
[ 62.646230] pty_write+0x12c/0x1f0
[ 62.649752] tty_put_char+0x137/0x160
[ 62.653550] ? dev_match_devt+0x90/0x90
[ 62.657537] ? pty_write_room+0xc9/0xf0
[ 62.661516] __process_echoes+0x456/0x9b0
[ 62.665665] n_tty_receive_buf_common+0x11bf/0x2cb0
[ 62.670684] ? n_tty_receive_char_special+0x34c0/0x34c0
[ 62.676045] ? perf_trace_sched_process_exec+0x860/0x860
[ 62.681488] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.687034] n_tty_receive_buf+0x30/0x40
[ 62.691089] tty_ioctl+0x7cc/0x17d0
[ 62.694704] ? tty_vhangup+0x30/0x30
[ 62.698411] ? avc_has_extended_perms+0xab2/0x15a0
[ 62.703322] ? avc_ss_reset+0x190/0x190
[ 62.707277] ? rcu_read_unlock_special+0x1c0/0x1c0
[ 62.712187] ? rcu_softirq_qs+0x20/0x20
[ 62.716143] ? find_vpid+0xf0/0xf0
[ 62.719667] ? zap_class+0x640/0x640
[ 62.723360] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 62.728883] ? perf_trace_sched_process_exec+0x860/0x860
[ 62.734319] ? tty_vhangup+0x30/0x30
[ 62.738019] do_vfs_ioctl+0x1de/0x1720
[ 62.741890] ? ioctl_preallocate+0x300/0x300
[ 62.746296] ? selinux_file_mprotect+0x620/0x620
[ 62.751034] ? __sb_end_write+0xd9/0x110
[ 62.755083] ? do_syscall_64+0x9a/0x820
[ 62.759039] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.764557] ? security_file_ioctl+0x94/0xc0
[ 62.768951] ksys_ioctl+0xa9/0xd0
[ 62.772392] __x64_sys_ioctl+0x73/0xb0
[ 62.776263] do_syscall_64+0x1b9/0x820
[ 62.780133] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 62.785479] ? syscall_return_slowpath+0x5e0/0x5e0
[ 62.790391] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 62.795218] ? trace_hardirqs_on_caller+0x310/0x310
[ 62.800245] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 62.805252] ? prepare_exit_to_usermode+0x291/0x3b0
[ 62.810252] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 62.815081] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.820252] RIP: 0033:0x440589
[ 62.823432] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.842323] RSP: 002b:00007ffd9d96c468 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 62.850019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440589
[ 62.857270] RDX: 0000000020000040 RSI: 0000000000005412 RDI: 0000000000000006
[ 62.864519] RBP: 00007ffd9d96c480 R08: 0000000000000001 R09: 0000000000000000
[ 62.871784] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[ 62.879033] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[ 62.886294]
[ 62.886297] ======================================================
[ 62.886301] WARNING: possible circular locking dependency detected
[ 62.886303] 4.19.0+ #90 Not tainted
[ 62.886306] ------------------------------------------------------
[ 62.886309] syz-executor922/5855 is trying to acquire lock:
[ 62.886310] 00000000ae98dff4 (console_owner){-.-.}, at: vprintk_emit+0x57f/0x990
[ 62.886318]
[ 62.886321] but task is already holding lock:
[ 62.886322] 00000000c548ed67 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xf9/0x1f0
[ 62.886330]
[ 62.886332] which lock already depends on the new lock.
[ 62.886334]
[ 62.886335]
[ 62.886338] the existing dependency chain (in reverse order) is:
[ 62.886339]
[ 62.886340] -> #2 (&(&port->lock)->rlock){-.-.}:
[ 62.886348]        _raw_spin_lock_irqsave+0x99/0xd0
[ 62.886350]        tty_port_tty_get+0x20/0x80
[ 62.886353]        tty_port_default_wakeup+0x15/0x40
[ 62.886355]        tty_port_tty_wakeup+0x5d/0x70
[ 62.886357]        uart_write_wakeup+0x44/0x60
[ 62.886360]        serial8250_tx_chars+0x4be/0xb60
[ 62.886362]        serial8250_handle_irq.part.23+0x1ee/0x280
[ 62.886365]        serial8250_default_handle_irq+0xc8/0x150
[ 62.886367]        serial8250_interrupt+0xef/0x190
[ 62.886370]        __handle_irq_event_percpu+0x195/0xb30
[ 62.886372]        handle_irq_event_percpu+0xa0/0x1d0
[ 62.886375]        handle_irq_event+0xa7/0x135
[ 62.886381]        handle_edge_irq+0x227/0x880
[ 62.886383]        handle_irq+0x252/0x3d8
[ 62.886385]        do_IRQ+0x98/0x1c0
[ 62.886387]        ret_from_intr+0x0/0x1e
[ 62.886390]        _raw_spin_unlock_irqrestore+0xaf/0xd0
[ 62.886392]        uart_write+0x4b2/0x740
[ 62.886394]        n_tty_write+0x6c1/0x11a0
[ 62.886396]        tty_write+0x3f1/0x880
[ 62.886399]        redirected_tty_write+0xaf/0xc0
[ 62.886401]        __vfs_write+0x119/0x9f0
[ 62.886403]        vfs_write+0x1fc/0x560
[ 62.886405]        ksys_write+0x101/0x260
[ 62.886408]        __x64_sys_write+0x73/0xb0
[ 62.886410]        do_syscall_64+0x1b9/0x820
[ 62.886413]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.886414]
[ 62.886415] -> #1 (&port_lock_key){-.-.}:
[ 62.886423]        _raw_spin_lock_irqsave+0x99/0xd0
[ 62.886426]        serial8250_console_write+0x8e8/0xb10
[ 62.886428]        univ8250_console_write+0x5f/0x70
[ 62.886431]        console_unlock+0xb1f/0x1190
[ 62.886433]        vprintk_emit+0x391/0x990
[ 62.886435]        vprintk_default+0x28/0x30
[ 62.886437]        vprintk_func+0x7e/0x181
[ 62.886439]        printk+0xa7/0xcf
[ 62.886441]        register_console+0x8df/0xcf0
[ 62.886444]        univ8250_console_init+0x3f/0x4b
[ 62.886446]        console_init+0x6ac/0x9dc
[ 62.886448]        start_kernel+0x73a/0xa5a
[ 62.886451]        x86_64_start_reservations+0x2e/0x30
[ 62.886453]        x86_64_start_kernel+0x76/0x79
[ 62.886455]        secondary_startup_64+0xa4/0xb0
[ 62.886457]
[ 62.886458] -> #0 (console_owner){-.-.}:
[ 62.886465]        lock_acquire+0x1ed/0x520
[ 62.886467]        vprintk_emit+0x5db/0x990
[ 62.886470]        vprintk_default+0x28/0x30
[ 62.886472]        vprintk_func+0x7e/0x181
[ 62.886474]        printk+0xa7/0xcf
[ 62.886476]        should_fail+0xac1/0xd01
[ 62.886478]        __should_failslab+0x124/0x180
[ 62.886480]        should_failslab+0x9/0x14
[ 62.886482]        __kmalloc+0x70/0x760
[ 62.886485]        __tty_buffer_request_room+0x2da/0x810
[ 62.886488]        tty_insert_flip_string_fixed_flag+0x88/0x1f0
[ 62.886490]        pty_write+0x12c/0x1f0
[ 62.886492]        tty_put_char+0x137/0x160
[ 62.886494]        __process_echoes+0x456/0x9b0
[ 62.886497]        n_tty_receive_buf_common+0x11bf/0x2cb0
[ 62.886499]        n_tty_receive_buf+0x30/0x40
[ 62.886501]        tty_ioctl+0x7cc/0x17d0
[ 62.886504]        do_vfs_ioctl+0x1de/0x1720
[ 62.886506]        ksys_ioctl+0xa9/0xd0
[ 62.886508]        __x64_sys_ioctl+0x73/0xb0
[ 62.886510]        do_syscall_64+0x1b9/0x820
[ 62.886513]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.886514]
[ 62.886516] other info that might help us debug this:
[ 62.886518]
[ 62.886519] Chain exists of:
[ 62.886521]   console_owner --> &port_lock_key --> &(&port->lock)->rlock
[ 62.886530]
[ 62.886532]  Possible unsafe locking scenario:
[ 62.886534]
[ 62.886536]        CPU0                    CPU1
[ 62.886538]        ----                    ----
[ 62.886539]   lock(&(&port->lock)->rlock);
[ 62.886545]                                lock(&port_lock_key);
[ 62.886550]                                lock(&(&port->lock)->rlock);
[ 62.886554]   lock(console_owner);
[ 62.886558]
[ 62.886560]  *** DEADLOCK ***
[ 62.886561]
[ 62.886563] 4 locks held by syz-executor922/5855:
[ 62.886565]  #0: 00000000679b9cce (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x32/0x40
[ 62.886574]  #1: 0000000083ed5d81 (&o_tty->termios_rwsem/1){++++}, at: n_tty_receive_buf_common+0xeb/0x2cb0
[ 62.886584]  #2: 00000000ec53077d (&ldata->output_lock){+.+.}, at: n_tty_receive_buf_common+0x1187/0x2cb0
[ 62.886593]  #3: 00000000c548ed67 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xf9/0x1f0
[ 62.886602]
[ 62.886604] stack backtrace:
[ 62.886613] CPU: 1 PID: 5855 Comm: syz-executor922 Not tainted 4.19.0+ #90
[ 62.886617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.886619] Call Trace:
[ 62.886621] dump_stack+0x244/0x39d
[ 62.886624] ? dump_stack_print_info.cold.1+0x20/0x20
[ 62.886626] ? vprintk_func+0x85/0x181
[ 62.886629] print_circular_bug.isra.35.cold.54+0x1bd/0x27d
[ 62.886631] ? save_trace+0xe0/0x290
[ 62.886633] __lock_acquire+0x3399/0x4c20
[ 62.886636] ? mark_held_locks+0x130/0x130
[ 62.886638] ? zap_class+0x640/0x640
[ 62.886640] ? print_usage_bug+0xc0/0xc0
[ 62.886642] ? zap_class+0x640/0x640
[ 62.886644] ? print_bfs_bug+0x80/0x80
[ 62.886646] ? number+0x972/0xca0
[ 62.886649] ? zap_class+0x640/0x640
[ 62.886651] ? find_held_lock+0x36/0x1c0
[ 62.886653] ? find_held_lock+0x36/0x1c0
[ 62.886655] lock_acquire+0x1ed/0x520
[ 62.886657] ? vprintk_emit+0x57f/0x990
[ 62.886660] ? lock_release+0xa00/0xa00
[ 62.886662] ? kasan_check_read+0x11/0x20
[ 62.886664] ? do_raw_spin_unlock+0xa7/0x330
[ 62.886667] ? do_raw_spin_trylock+0x270/0x270
[ 62.886669] ? trace_hardirqs_on+0x310/0x310
[ 62.886672] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.886674] vprintk_emit+0x5db/0x990
[ 62.886676] ? vprintk_emit+0x57f/0x990
[ 62.886679] ? wake_up_klogd+0x180/0x180
[ 62.886681] ? kasan_check_read+0x11/0x20
[ 62.886683] ? check_usage+0x1aa/0x790
[ 62.886685] ? __lock_acquire+0x62f/0x4c20
[ 62.886688] ? check_usage_forwards+0x3d0/0x3d0
[ 62.886690] vprintk_default+0x28/0x30
[ 62.886692] vprintk_func+0x7e/0x181
[ 62.886694] printk+0xa7/0xcf
[ 62.886696] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 62.886699] ? mark_held_locks+0x130/0x130
[ 62.886701] ? kasan_check_read+0x11/0x20
[ 62.886703] should_fail+0xac1/0xd01
[ 62.886706] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 62.886708] ? kasan_check_read+0x11/0x20
[ 62.886710] ? __lock_acquire+0x2aff/0x4c20
[ 62.886712] ? mark_held_locks+0x130/0x130
[ 62.886714] ? lock_acquire+0x1ed/0x520
[ 62.886717] ? n_tty_receive_buf_common+0x1187/0x2cb0
[ 62.886719] ? lock_release+0xa00/0xa00
[ 62.886722] ? perf_trace_sched_process_exec+0x860/0x860
[ 62.886725] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 62.886727] __should_failslab+0x124/0x180
[ 62.886729] should_failslab+0x9/0x14
[ 62.886731] __kmalloc+0x70/0x760
[ 62.886734] ? n_tty_receive_buf_common+0x1187/0x2cb0
[ 62.886736] ? __tty_buffer_request_room+0x2da/0x810
[ 62.886739] __tty_buffer_request_room+0x2da/0x810
[ 62.886741] ? tty_buffer_free+0x160/0x160
[ 62.886743] ? lock_acquire+0x1ed/0x520
[ 62.886745] ? pty_write+0xf9/0x1f0
[ 62.886748] ? kasan_check_read+0x11/0x20
[ 62.886750] ? do_raw_spin_lock+0x14f/0x350
[ 62.886753] tty_insert_flip_string_fixed_flag+0x88/0x1f0
[ 62.886755] pty_write+0x12c/0x1f0
[ 62.886757] tty_put_char+0x137/0x160
[ 62.886759] ? dev_match_devt+0x90/0x90
[ 62.886761] ? pty_write_room+0xc9/0xf0
[ 62.886764] __process_echoes+0x456/0x9b0
[ 62.886766] n_tty_receive_buf_common+0x11bf/0x2cb0
[ 62.886769] ? n_tty_receive_char_special+0x34c0/0x34c0
[ 62.886772] ? perf_trace_sched_process_exec+0x860/0x860
[ 62.886774] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.886777] n_tty_receive_buf+0x30/0x40
[ 62.886779] tty_ioctl+0x7cc/0x17d0
[ 62.886781] ? tty_vhangup+0x30/0x30
[ 62.886783] ? avc_has_extended_perms+0xab2/0x15a0
[ 62.886785] ? avc_ss_reset+0x190/0x190
[ 62.886788] ? rcu_read_unlock_special+0x1c0/0x1c0
[ 62.886790] ? rcu_softirq_qs+0x20/0x20
[ 62.886792] ? find_vpid+0xf0/0xf0
[ 62.886794] ? zap_class+0x640/0x640
[ 62.886797] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 62.886800] ? perf_trace_sched_process_exec+0x860/0x860
[ 62.886802] ? tty_vhangup+0x30/0x30
[ 62.886804] do_vfs_ioctl+0x1de/0x1720
[ 62.886806] ? ioctl_preallocate+0x300/0x300
[ 62.886809] ? selinux_file_mprotect+0x620/0x620
[ 62.886811] ? __sb_end_write+0xd9/0x110
[ 62.886829] ? do_syscall_64+0x9a/0x820
[ 62.886832] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 62.886834] ? security_file_ioctl+0x94/0xc0
[ 62.886836] ksys_ioctl+0xa9/0xd0
[ 62.886838] __x64_sys_ioctl+0x73/0xb0
[ 62.886840] do_syscall_64+0x1b9/0x820
[ 62.886843] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 62.886846] ? syscall_return_slowpath+0x5e0/0x5e0
[ 62.886848] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 62.886851] ? trace_hardirqs_on_caller+0x310/0x310
[ 62.886854] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 62.886856] ? prepare_exit_to_usermode+0x291/0x3b0
[ 62.886859] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 62.886862] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.886864] RIP: 0033:0x440589
[ 62.886872] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3