[ 42.516867] audit: type=1800 audit(1577423808.378:30): pid=7613 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 46.411573] kauditd_printk_skb: 4 callbacks suppressed
[ 46.411589] audit: type=1400 audit(1577423812.298:35): avc: denied { map } for pid=7790 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.174' (ECDSA) to the list of known hosts.
executing program
[ 53.114880] audit: type=1400 audit(1577423819.008:36): avc: denied { map } for pid=7802 comm="syz-executor888" path="/root/syz-executor888514868" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 55.913077] audit: type=1400 audit(1577423821.798:37): avc: denied { map } for pid=7805 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
executing program
executing program
[ 58.128223] ------------[ cut here ]------------
[ 58.134400] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 58.144452] WARNING: CPU: 1 PID: 7808 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 58.153188] Kernel panic - not syncing: panic_on_warn set ...
[ 58.153188]
[ 58.160561] CPU: 1 PID: 7808 Comm: syz-executor888 Not tainted 4.19.91-syzkaller #0
[ 58.168349] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.177685] Call Trace:
[ 58.180265]  dump_stack+0x197/0x210
[ 58.183899]  panic+0x26a/0x50e
[ 58.187079]  ? __warn_printk+0xf3/0xf3
[ 58.190970]  ? debug_print_object+0x168/0x250
[ 58.195466]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.200991]  ? __warn.cold+0x5/0x53
[ 58.204611]  ? __warn+0xe8/0x1d0
[ 58.208016]  ? debug_print_object+0x168/0x250
[ 58.212776]  __warn.cold+0x20/0x53
[ 58.216307]  ? trace_hardirqs_off+0x62/0x220
[ 58.220721]  ? debug_print_object+0x168/0x250
[ 58.225263]  report_bug+0x263/0x2b0
[ 58.228903]  do_error_trap+0x204/0x360
[ 58.232776]  ? math_error+0x340/0x340
[ 58.236561]  ? wake_up_klogd+0x99/0xd0
[ 58.240432]  ? vprintk_emit+0x1ce/0x6d0
[ 58.244465]  ? error_entry+0x7c/0xe0
[ 58.248186]  ? trace_hardirqs_off_caller+0x65/0x220
[ 58.253211]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.258071]  do_invalid_op+0x1b/0x20
[ 58.261773]  invalid_op+0x14/0x20
[ 58.265222] RIP: 0010:debug_print_object+0x168/0x250
[ 58.270317] Code: dd e0 63 ea 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd e0 63 ea 87 48 c7 c7 20 59 ea 87 e8 a6 46 dc fd <0f> 0b 83 05 ab 96 6a 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 58.289215] RSP: 0018:ffff8880a832f8b8 EFLAGS: 00010082
[ 58.294605] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 58.301858] RDX: 0000000000000000 RSI: ffffffff8155bb16 RDI: ffffed1015065f09
[ 58.309120] RBP: ffff8880a832f8f8 R08: ffff8880a6cfa700 R09: ffffed1015d23ee3
[ 58.316382] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
[ 58.323634] R13: ffffffff88fa43a0 R14: ffffffff815b30d0 R15: ffff8880a60093a8
[ 58.330900]  ? __internal_add_timer+0x1f0/0x1f0
[ 58.335557]  ? vprintk_func+0x86/0x189
[ 58.339442]  ? debug_print_object+0x168/0x250
[ 58.343927]  debug_check_no_obj_freed+0x29f/0x464
[ 58.348755]  kfree+0xbd/0x220
[ 58.351843]  rfcomm_dlc_free+0x20/0x30
[ 58.355734]  rfcomm_dev_ioctl+0x1988/0x1c90
[ 58.360044]  ? mark_held_locks+0xb1/0x100
[ 58.364184]  ? lock_sock_nested+0xe2/0x120
[ 58.368415]  ? rfcomm_tty_install+0x1a0/0x1a0
[ 58.372890]  ? lock_sock_nested+0x9a/0x120
[ 58.377119]  ? trace_hardirqs_on+0x67/0x220
[ 58.381425]  ? __local_bh_enable_ip+0x15a/0x270
[ 58.386092]  rfcomm_sock_ioctl+0x90/0xb0
[ 58.390149]  sock_do_ioctl+0xd8/0x2f0
[ 58.393933]  ? compat_ifr_data_ioctl+0x160/0x160
[ 58.398673]  ? __lock_acquire+0x6ee/0x49c0
[ 58.402892]  ? rcu_read_lock_sched_held+0x110/0x130
[ 58.407931]  ? kmem_cache_alloc+0x32a/0x700
[ 58.412246]  sock_ioctl+0x325/0x610
[ 58.415878]  ? dlci_ioctl_set+0x40/0x40
[ 58.420275]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.425806]  ? __might_sleep+0x95/0x190
[ 58.429766]  ? find_held_lock+0x35/0x130
[ 58.433826]  ? dlci_ioctl_set+0x40/0x40
[ 58.437795]  do_vfs_ioctl+0xd5f/0x1380
[ 58.441681]  ? selinux_file_ioctl+0x46f/0x5e0
[ 58.446180]  ? selinux_file_ioctl+0x125/0x5e0
[ 58.450675]  ? ioctl_preallocate+0x210/0x210
[ 58.455082]  ? selinux_file_mprotect+0x620/0x620
[ 58.459825]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 58.464743]  ? __fd_install+0x200/0x640
[ 58.468701]  ? fd_install+0x4d/0x60
[ 58.472311]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.477830]  ? security_file_ioctl+0x8d/0xc0
[ 58.482233]  ksys_ioctl+0xab/0xd0
[ 58.485671]  __x64_sys_ioctl+0x73/0xb0
[ 58.489542]  do_syscall_64+0xfd/0x620
[ 58.493327]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.498498] RIP: 0033:0x4412b9
[ 58.501673] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.520574] RSP: 002b:00007fff669711e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.528281] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 58.535535] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 58.542789] RBP: 000000000000e2e4 R08: 00000000004002c8 R09: 00000000004002c8
[ 58.550131] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 58.557390] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 58.564676]
[ 58.564680] ======================================================
[ 58.564683] WARNING: possible circular locking dependency detected
[ 58.564686] 4.19.91-syzkaller #0 Not tainted
[ 58.564689] ------------------------------------------------------
[ 58.564693] syz-executor888/7808 is trying to acquire lock:
[ 58.564695] 00000000b9c795d0 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 58.564703]
[ 58.564706] but task is already holding lock:
[ 58.564708] 00000000c170331a (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 58.564716]
[ 58.564719] which lock already depends on the new lock.
[ 58.564721]
[ 58.564722]
[ 58.564725] the existing dependency chain (in reverse order) is:
[ 58.564726]
[ 58.564728] -> #5 (&obj_hash[i].lock){-.-.}:
[ 58.564739]        _raw_spin_lock_irqsave+0x95/0xcd
[ 58.564741]        debug_object_activate+0x131/0x4e0
[ 58.564744]        enqueue_hrtimer+0x2a/0x3f0
[ 58.564746]        hrtimer_start_range_ns+0x603/0xc70
[ 58.564749]        schedule_hrtimeout_range_clock+0x1a0/0x380
[ 58.564752]        schedule_hrtimeout+0x25/0x30
[ 58.564754]        wait_task_inactive+0x4a2/0x630
[ 58.564757]        __kthread_bind_mask+0x24/0xb0
[ 58.564759]        kthread_bind_mask+0x23/0x30
[ 58.564762]        init_rescuer.part.0+0xfc/0x190
[ 58.564764]        workqueue_init+0x51a/0x808
[ 58.564767]        kernel_init_freeable+0x2c0/0x5c8
[ 58.564769]        kernel_init+0x12/0x1c2
[ 58.564771]        ret_from_fork+0x24/0x30
[ 58.564772]
[ 58.564774] -> #4 (hrtimer_bases.lock){-.-.}:
[ 58.564782]        _raw_spin_lock_irqsave+0x95/0xcd
[ 58.564785]        lock_hrtimer_base.isra.0+0x75/0x130
[ 58.564787]        hrtimer_start_range_ns+0xff/0xc70
[ 58.564790]        enqueue_task_rt+0x998/0xe70
[ 58.564793]        __sched_setscheduler+0xd93/0x1ed0
[ 58.564795]        _sched_setscheduler+0x10a/0x1b0
[ 58.564798]        sched_setscheduler+0xe/0x10
[ 58.564800]        watchdog_dev_init+0xe0/0x1b2
[ 58.564803]        watchdog_init+0x17/0x181
[ 58.564805]        do_one_initcall+0x107/0x78c
[ 58.564808]        kernel_init_freeable+0x4d4/0x5c8
[ 58.564810]        kernel_init+0x12/0x1c2
[ 58.564812]        ret_from_fork+0x24/0x30
[ 58.564813]
[ 58.564815] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 58.564828]        _raw_spin_lock+0x2f/0x40
[ 58.564832]        rq_online_rt+0xb4/0x390
[ 58.564836]        set_rq_online.part.0+0xe4/0x140
[ 58.564841]        sched_cpu_activate+0x17f/0x270
[ 58.564845]        cpuhp_invoke_callback+0x201/0x1af0
[ 58.564850]        cpuhp_thread_fun+0x453/0x850
[ 58.564855]        smpboot_thread_fn+0x6a3/0xa30
[ 58.564858]        kthread+0x354/0x420
[ 58.564862]        ret_from_fork+0x24/0x30
[ 58.564864]
[ 58.564867] -> #2 (&rq->lock){-.-.}:
[ 58.564878]        _raw_spin_lock+0x2f/0x40
[ 58.564880]        task_fork_fair+0x6a/0x520
[ 58.564882]        sched_fork+0x3af/0x900
[ 58.564885]        copy_process.part.0+0x1859/0x7a30
[ 58.564887]        _do_fork+0x257/0xfd0
[ 58.564890]        kernel_thread+0x34/0x40
[ 58.564892]        rest_init+0x24/0x222
[ 58.564894]        start_kernel+0x88c/0x8c5
[ 58.564897]        x86_64_start_reservations+0x29/0x2b
[ 58.564899]        x86_64_start_kernel+0x77/0x7b
[ 58.564902]        secondary_startup_64+0xa4/0xb0
[ 58.564903]
[ 58.564904] -> #1 (&p->pi_lock){-.-.}:
[ 58.564912]        _raw_spin_lock_irqsave+0x95/0xcd
[ 58.564915]        try_to_wake_up+0x94/0xf50
[ 58.564917]        wake_up_process+0x10/0x20
[ 58.564919]        __up.isra.0+0x136/0x1a0
[ 58.564921]        up+0x9c/0xe0
[ 58.564924]        __up_console_sem+0xb7/0x1c0
[ 58.564926]        console_unlock+0x6c7/0x10d0
[ 58.564929]        vprintk_emit+0x280/0x6d0
[ 58.564931]        vprintk_default+0x28/0x30
[ 58.564933]        vprintk_func+0x7e/0x189
[ 58.564935]        printk+0xba/0xed
[ 58.564938]        kauditd_hold_skb.cold+0x3f/0x4e
[ 58.564940]        kauditd_send_queue+0x12d/0x170
[ 58.564943]        kauditd_thread+0x71c/0xa50
[ 58.564945]        kthread+0x354/0x420
[ 58.564947]        ret_from_fork+0x24/0x30
[ 58.564948]
[ 58.564949] -> #0 ((console_sem).lock){-...}:
[ 58.564957]        lock_acquire+0x16f/0x3f0
[ 58.564960]        _raw_spin_lock_irqsave+0x95/0xcd
[ 58.564962]        down_trylock+0x13/0x70
[ 58.564965]        __down_trylock_console_sem+0xa8/0x210
[ 58.564967]        console_trylock+0x15/0xa0
[ 58.564970]        vprintk_emit+0x267/0x6d0
[ 58.564972]        vprintk_default+0x28/0x30
[ 58.564974]        vprintk_func+0x7e/0x189
[ 58.564976]        printk+0xba/0xed
[ 58.564978]        __warn_printk+0x9b/0xf3
[ 58.564981]        debug_print_object+0x168/0x250
[ 58.564984]        debug_check_no_obj_freed+0x29f/0x464
[ 58.564986]        kfree+0xbd/0x220
[ 58.564988]        rfcomm_dlc_free+0x20/0x30
[ 58.564990]        rfcomm_dev_ioctl+0x1988/0x1c90
[ 58.564993]        rfcomm_sock_ioctl+0x90/0xb0
[ 58.564995]        sock_do_ioctl+0xd8/0x2f0
[ 58.564997]        sock_ioctl+0x325/0x610
[ 58.565000]        do_vfs_ioctl+0xd5f/0x1380
[ 58.565002]        ksys_ioctl+0xab/0xd0
[ 58.565004]        __x64_sys_ioctl+0x73/0xb0
[ 58.565007]        do_syscall_64+0xfd/0x620
[ 58.565009]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.565011]
[ 58.565013] other info that might help us debug this:
[ 58.565014]
[ 58.565016] Chain exists of:
[ 58.565017]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 58.565028]
[ 58.565030]  Possible unsafe locking scenario:
[ 58.565031]
[ 58.565034]        CPU0                    CPU1
[ 58.565036]        ----                    ----
[ 58.565038]   lock(&obj_hash[i].lock);
[ 58.565043]                                lock(hrtimer_bases.lock);
[ 58.565049]                                lock(&obj_hash[i].lock);
[ 58.565053]   lock((console_sem).lock);
[ 58.565058]
[ 58.565059]  *** DEADLOCK ***
[ 58.565061]
[ 58.565063] 3 locks held by syz-executor888/7808:
[ 58.565064]  #0: 00000000383788a3 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 58.565075]  #1: 00000000d839c272 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x923/0x1c90
[ 58.565085]  #2: 00000000c170331a (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 58.565094]
[ 58.565096] stack backtrace:
[ 58.565100] CPU: 1 PID: 7808 Comm: syz-executor888 Not tainted 4.19.91-syzkaller #0
[ 58.565105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.565107] Call Trace:
[ 58.565109]  dump_stack+0x197/0x210
[ 58.565112]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 58.565114]  __lock_acquire+0x2e19/0x49c0
[ 58.565117]  ? mark_held_locks+0x100/0x100
[ 58.565119]  ? kvm_clock_read+0x18/0x30
[ 58.565122]  ? kvm_sched_clock_read+0x9/0x20
[ 58.565124]  lock_acquire+0x16f/0x3f0
[ 58.565126]  ? down_trylock+0x13/0x70
[ 58.565129]  _raw_spin_lock_irqsave+0x95/0xcd
[ 58.565131]  ? down_trylock+0x13/0x70
[ 58.565133]  ? vprintk_emit+0x267/0x6d0
[ 58.565135]  down_trylock+0x13/0x70
[ 58.565138]  ? vprintk_emit+0x267/0x6d0
[ 58.565140]  __down_trylock_console_sem+0xa8/0x210
[ 58.565143]  console_trylock+0x15/0xa0
[ 58.565145]  vprintk_emit+0x267/0x6d0
[ 58.565148]  ? __internal_add_timer+0x1f0/0x1f0
[ 58.565150]  vprintk_default+0x28/0x30
[ 58.565152]  vprintk_func+0x7e/0x189
[ 58.565154]  printk+0xba/0xed
[ 58.565157]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 58.565159]  ? __warn_printk+0x8f/0xf3
[ 58.565161]  ? rfcomm_dlc_link+0x170/0x170
[ 58.565164]  __warn_printk+0x9b/0xf3
[ 58.565166]  ? add_taint.cold+0x16/0x16
[ 58.565168]  ? skb_dequeue+0x12e/0x180
[ 58.565171]  ? rfcomm_dlc_link+0x170/0x170
[ 58.565173]  debug_print_object+0x168/0x250
[ 58.565176]  debug_check_no_obj_freed+0x29f/0x464
[ 58.565178]  kfree+0xbd/0x220
[ 58.565180]  rfcomm_dlc_free+0x20/0x30
[ 58.565183]  rfcomm_dev_ioctl+0x1988/0x1c90
[ 58.565185]  ? mark_held_locks+0xb1/0x100
[ 58.565188]  ? lock_sock_nested+0xe2/0x120
[ 58.565190]  ? rfcomm_tty_install+0x1a0/0x1a0
[ 58.565193]  ? lock_sock_nested+0x9a/0x120
[ 58.565195]  ? trace_hardirqs_on+0x67/0x220
[ 58.565198]  ? __local_bh_enable_ip+0x15a/0x270
[ 58.565200]  rfcomm_sock_ioctl+0x90/0xb0
[ 58.565202]  sock_do_ioctl+0xd8/0x2f0
[ 58.565205]  ? compat_ifr_data_ioctl+0x160/0x160
[ 58.565207]  ? __lock_acquire+0x6ee/0x49c0
[ 58.565210]  ? rcu_read_lock_sched_held+0x110/0x130
[ 58.565213]  ? kmem_cache_alloc+0x32a/0x700
[ 58.565215]  sock_ioctl+0x325/0x610
[ 58.565217]  ? dlci_ioctl_set+0x40/0x40
[ 58.565220]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.565222]  ? __might_sleep+0x95/0x190
[ 58.565225]  ? find_held_lock+0x35/0x130
[ 58.565227]  ? dlci_ioctl_set+0x40/0x40
[ 58.565229]  do_vfs_ioctl+0xd5f/0x1380
[ 58.565247]  ? selinux_file_ioctl+0x46f/0x5e0
[ 58.565250]  ? selinux_file_ioctl+0x125/0x5e0
[ 58.565253]  ? ioctl_preallocate+0x210/0x210
[ 58.565255]  ? selinux_file_mprotect+0x620/0x620
[ 58.565258]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 58.565260]  ? __fd_install+0x200/0x640
[ 58.565263]  ? fd_install+0x4d/0x60
[ 58.565266]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.565268]  ? security_file_ioctl+0x8d/0xc0
[ 58.565270]  ksys_ioctl+0xab/0xd0
[ 58.565273]  __x64_sys_ioctl+0x73/0xb0
[ 58.565275]  do_syscall_64+0xfd/0x620
[ 58.565278]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.565280] RIP: 0033:0x4412b9
[ 58.565289] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.565292] RSP: 002b:00007fff669711e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.565298] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412b9
[ 58.565302] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 58.565305] RBP: 000000000000e2e4 R08: 00000000004002c8 R09: 00000000004002c8
[ 58.565309] R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020e0
[ 58.565313] R13: 0000000000402170 R14: 0000000000000000 R15: 0000000000000000
[ 58.566625] Kernel Offset: disabled
[ 59.519424] Rebooting in 86400 seconds..