[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.116' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 28.682653] ODEBUG: free active (active state 1) object type: rcu_head hint: (null)
[ 28.692026] ------------[ cut here ]------------
[ 28.696765] WARNING: CPU: 1 PID: 7982 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 28.705745] Kernel panic - not syncing: panic_on_warn set ...
[ 28.705745]
[ 28.713088] CPU: 1 PID: 7982 Comm: syz-executor388 Not tainted 4.14.278-syzkaller #0
[ 28.720941] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.730270] Call Trace:
[ 28.732843]  dump_stack+0x1b2/0x281
[ 28.736445]  panic+0x1f9/0x42d
[ 28.739635]  ? add_taint.cold+0x16/0x16
[ 28.743588]  ? debug_print_object.cold+0xa7/0xdb
[ 28.748317]  ? debug_print_object.cold+0xa7/0xdb
[ 28.753044]  __warn.cold+0x20/0x44
[ 28.756563]  ? ist_end_non_atomic+0x10/0x10
[ 28.760860]  ? debug_print_object.cold+0xa7/0xdb
[ 28.765590]  report_bug+0x208/0x250
[ 28.769190]  do_error_trap+0x195/0x2d0
[ 28.773056]  ? math_error+0x2d0/0x2d0
[ 28.776838]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.781673]  invalid_op+0x1b/0x40
[ 28.785104] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 28.790436] RSP: 0018:ffff8880a97e71d8 EFLAGS: 00010086
[ 28.795772] RAX: 0000000000000051 RBX: 0000000000000003 RCX: 0000000000000000
[ 28.803013] RDX: 0000000000000000 RSI: ffffffff878bc600 RDI: ffffed10152fce31
[ 28.810264] RBP: ffffffff878b1780 R08: 0000000000000051 R09: 0000000000000000
[ 28.817507] R10: 0000000000000000 R11: ffff88809be4a540 R12: 0000000000000000
[ 28.824749] R13: 0000000000000001 R14: ffff8880a8860780 R15: ffff8880b60ac968
[ 28.832001]  ? debug_print_object.cold+0xa7/0xdb
[ 28.836733]  debug_check_no_obj_freed+0x3b7/0x680
[ 28.841555]  ? debug_object_activate+0x490/0x490
[ 28.846285]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 28.851707]  kfree+0xb9/0x250
[ 28.854786]  __tcf_idr_release+0x202/0x260
[ 28.859004]  tcf_sample_init+0x788/0x8c0
[ 28.863046]  ? tcf_sample_cleanup_rcu+0x60/0x60
[ 28.867689]  tcf_action_init_1+0x51a/0x9e0
[ 28.871897]  ? tcf_action_dump_old+0x80/0x80
[ 28.876282]  ? nla_parse+0x157/0x1f0
[ 28.879970]  tcf_action_init+0x26d/0x400
[ 28.884005]  ? tcf_action_init_1+0x9e0/0x9e0
[ 28.888389]  ? memset+0x20/0x40
[ 28.891643]  ? nla_parse+0x157/0x1f0
[ 28.895329]  tc_ctl_action+0x2e3/0x510
[ 28.899199]  ? tca_action_gd+0x790/0x790
[ 28.903322]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 28.907707]  ? tca_action_gd+0x790/0x790
[ 28.911743]  rtnetlink_rcv_msg+0x3be/0xb10
[ 28.915953]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 28.920423]  ? __netlink_lookup+0x345/0x5d0
[ 28.924736]  netlink_rcv_skb+0x125/0x390
[ 28.928799]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 28.933271]  ? netlink_ack+0x9a0/0x9a0
[ 28.938471]  netlink_unicast+0x437/0x610
[ 28.942508]  ? netlink_sendskb+0xd0/0xd0
[ 28.946553]  ? __check_object_size+0x179/0x230
[ 28.951111]  netlink_sendmsg+0x648/0xbc0
[ 28.955150]  ? nlmsg_notify+0x1b0/0x1b0
[ 28.959099]  ? kernel_recvmsg+0x210/0x210
[ 28.963225]  ? security_socket_sendmsg+0x83/0xb0
[ 28.967957]  ? nlmsg_notify+0x1b0/0x1b0
[ 28.971908]  sock_sendmsg+0xb5/0x100
[ 28.975603]  ___sys_sendmsg+0x6c8/0x800
[ 28.981027]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 28.985864]  ? lock_downgrade+0x740/0x740
[ 28.989985]  ? __lru_cache_add+0x178/0x250
[ 28.994197]  ? do_raw_spin_unlock+0x164/0x220
[ 28.998668]  ? _raw_spin_unlock+0x29/0x40
[ 29.002791]  ? do_huge_pmd_anonymous_page+0x72e/0x1700
[ 29.008040]  ? prep_transhuge_page+0xa0/0xa0
[ 29.012421]  ? _raw_spin_unlock+0x29/0x40
[ 29.016546]  ? __pmd_alloc+0x27f/0x3f0
[ 29.020408]  ? __handle_mm_fault+0x80f/0x4620
[ 29.024943]  ? lock_downgrade+0x740/0x740
[ 29.029064]  ? vm_insert_page+0x7c0/0x7c0
[ 29.033188]  ? __fdget+0x167/0x1f0
[ 29.036788]  ? sockfd_lookup_light+0xb2/0x160
[ 29.041254]  __sys_sendmsg+0xa3/0x120
[ 29.045029]  ? SyS_shutdown+0x160/0x160
[ 29.048976]  ? up_read+0x17/0x30
[ 29.052315]  ? __do_page_fault+0x159/0xad0
[ 29.056522]  SyS_sendmsg+0x27/0x40
[ 29.060038]  ? __sys_sendmsg+0x120/0x120
[ 29.064075]  do_syscall_64+0x1d5/0x640
[ 29.067938]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.073102] RIP: 0033:0x7fdc8c8d3259
[ 29.076787] RSP: 002b:00007fff3260bcb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 29.084474] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdc8c8d3259
[ 29.091715] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 29.098961] RBP: 00007fdc8c897240 R08: 0000000000000007 R09: 0000000000000000
[ 29.106205] R10: 000000000000000c R11: 0000000000000246 R12: 00007fdc8c8972d0
[ 29.113450] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 29.120699]
[ 29.120702] ======================================================
[ 29.120703] WARNING: possible circular locking dependency detected
[ 29.120705] 4.14.278-syzkaller #0 Not tainted
[ 29.120706] ------------------------------------------------------
[ 29.120708] syz-executor388/7982 is trying to acquire lock:
[ 29.120709]  ((console_sem).lock){....}, at: [] down_trylock+0xe/0x60
[ 29.120713]
[ 29.120714] but task is already holding lock:
[ 29.120715]  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x135/0x680
[ 29.120719]
[ 29.120721] which lock already depends on the new lock.
[ 29.120721]
[ 29.120722]
[ 29.120724] the existing dependency chain (in reverse order) is:
[ 29.120724]
[ 29.120725] -> #5 (&obj_hash[i].lock){-.-.}:
[ 29.120729]        _raw_spin_lock_irqsave+0x8c/0xc0
[ 29.120731]        debug_object_activate+0x10f/0x490
[ 29.120732]        enqueue_hrtimer+0x22/0x3b0
[ 29.120734]        hrtimer_start_range_ns+0x4a0/0x10b0
[ 29.120735]        schedule_hrtimeout_range_clock+0x144/0x320
[ 29.120736]        wait_task_inactive+0x469/0x520
[ 29.120738]        __kthread_bind_mask+0x1f/0xb0
[ 29.120739]        create_worker+0x437/0x6c0
[ 29.120740]        workqueue_init+0x4ef/0x759
[ 29.120742]        kernel_init_freeable+0x3ac/0x626
[ 29.120743]        kernel_init+0xd/0x162
[ 29.120744]        ret_from_fork+0x24/0x30
[ 29.120745]
[ 29.120745] -> #4 (hrtimer_bases.lock){-.-.}:
[ 29.120750]        _raw_spin_lock_irqsave+0x8c/0xc0
[ 29.120751]        hrtimer_start_range_ns+0x77/0x10b0
[ 29.120752]        enqueue_task_rt+0x584/0xf30
[ 29.120754]        __sched_setscheduler.constprop.0+0xe73/0x2640
[ 29.120755]        sched_setscheduler+0xfa/0x150
[ 29.120756]        watchdog_enable+0x11b/0x170
[ 29.120758]        smpboot_thread_fn+0x40d/0x920
[ 29.120759]        kthread+0x30d/0x420
[ 29.120760]        ret_from_fork+0x24/0x30
[ 29.120761]
[ 29.120761] -> #3 (&rt_b->rt_runtime_lock){-...}:
[ 29.120765]        _raw_spin_lock+0x2a/0x40
[ 29.120767]        enqueue_task_rt+0x514/0xf30
[ 29.120768]        __sched_setscheduler.constprop.0+0xe73/0x2640
[ 29.120770]        sched_setscheduler+0xfa/0x150
[ 29.120771]        watchdog_enable+0x11b/0x170
[ 29.120772]        smpboot_thread_fn+0x40d/0x920
[ 29.120773]        kthread+0x30d/0x420
[ 29.120774]        ret_from_fork+0x24/0x30
[ 29.120775]
[ 29.120776] -> #2 (&rq->lock){-.-.}:
[ 29.120780]        _raw_spin_lock+0x2a/0x40
[ 29.120781]        task_fork_fair+0x63/0x550
[ 29.120782]        sched_fork+0x39a/0xb60
[ 29.120783]        copy_process.part.0+0x15b2/0x71c0
[ 29.120785]        _do_fork+0x184/0xc80
[ 29.120786]        kernel_thread+0x2f/0x40
[ 29.120787]        rest_init+0x1f/0x2a3
[ 29.120788]        start_kernel+0x750/0x770
[ 29.120790]        secondary_startup_64+0xa5/0xb0
[ 29.120790]
[ 29.120791] -> #1 (&p->pi_lock){-.-.}:
[ 29.120795]        _raw_spin_lock_irqsave+0x8c/0xc0
[ 29.120796]        try_to_wake_up+0x6a/0x1100
[ 29.120797]        up+0x75/0xb0
[ 29.120799]        __up_console_sem+0xa9/0x1b0
[ 29.120800]        console_unlock+0x531/0xf20
[ 29.120801]        vt_ioctl+0x150a/0x1d50
[ 29.120802]        tty_ioctl+0x50f/0x1430
[ 29.120803]        do_vfs_ioctl+0x75a/0xff0
[ 29.120804]        SyS_ioctl+0x7f/0xb0
[ 29.120806]        do_syscall_64+0x1d5/0x640
[ 29.120807]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.120808]
[ 29.120808] -> #0 ((console_sem).lock){....}:
[ 29.120813]        lock_acquire+0x170/0x3f0
[ 29.120814]        _raw_spin_lock_irqsave+0x8c/0xc0
[ 29.120815]        down_trylock+0xe/0x60
[ 29.120817]        __down_trylock_console_sem+0x97/0x1e0
[ 29.120818]        vprintk_emit+0x1ee/0x620
[ 29.120819]        vprintk_func+0x58/0x160
[ 29.120820]        printk+0x9e/0xbc
[ 29.120821]        debug_print_object.cold+0xa7/0xdb
[ 29.120823]        debug_check_no_obj_freed+0x3b7/0x680
[ 29.120824]        kfree+0xb9/0x250
[ 29.120825]        __tcf_idr_release+0x202/0x260
[ 29.120827]        tcf_sample_init+0x788/0x8c0
[ 29.120828]        tcf_action_init_1+0x51a/0x9e0
[ 29.120829]        tcf_action_init+0x26d/0x400
[ 29.120830]        tc_ctl_action+0x2e3/0x510
[ 29.120832]        rtnetlink_rcv_msg+0x3be/0xb10
[ 29.120833]        netlink_rcv_skb+0x125/0x390
[ 29.120834]        netlink_unicast+0x437/0x610
[ 29.120835]        netlink_sendmsg+0x648/0xbc0
[ 29.120837]        sock_sendmsg+0xb5/0x100
[ 29.120838]        ___sys_sendmsg+0x6c8/0x800
[ 29.120839]        __sys_sendmsg+0xa3/0x120
[ 29.120840]        SyS_sendmsg+0x27/0x40
[ 29.120841]        do_syscall_64+0x1d5/0x640
[ 29.120843]        entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.120844]
[ 29.120845] other info that might help us debug this:
[ 29.120846]
[ 29.120847] Chain exists of:
[ 29.120847]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 29.120852]
[ 29.120854]  Possible unsafe locking scenario:
[ 29.120854]
[ 29.120856]        CPU0                    CPU1
[ 29.120857]        ----                    ----
[ 29.120858]   lock(&obj_hash[i].lock);
[ 29.120860]                                lock(hrtimer_bases.lock);
[ 29.120863]                                lock(&obj_hash[i].lock);
[ 29.120866]   lock((console_sem).lock);
[ 29.120868]
[ 29.120869]  *** DEADLOCK ***
[ 29.120870]
[ 29.120871] 2 locks held by syz-executor388/7982:
[ 29.120872]  #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 29.120876]  #1: (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x135/0x680
[ 29.120881]
[ 29.120882] stack backtrace:
[ 29.120884] CPU: 1 PID: 7982 Comm: syz-executor388 Not tainted 4.14.278-syzkaller #0
[ 29.120886] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.120887] Call Trace:
[ 29.120888]  dump_stack+0x1b2/0x281
[ 29.120890]  print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 29.120891]  __lock_acquire+0x2e0e/0x3f20
[ 29.120892]  ? pointer+0x31f/0x9e0
[ 29.120894]  ? trace_hardirqs_on+0x10/0x10
[ 29.120895]  ? format_decode+0x1cb/0x890
[ 29.120896]  ? check_preemption_disabled+0x35/0x240
[ 29.120898]  ? kvm_clock_read+0x1f/0x30
[ 29.120899]  ? kvm_sched_clock_read+0x5/0x10
[ 29.120900]  ? sched_clock+0x2a/0x40
[ 29.120901]  ? sched_clock_cpu+0x18/0x1b0
[ 29.120902]  lock_acquire+0x170/0x3f0
[ 29.120904]  ? down_trylock+0xe/0x60
[ 29.120905]  ? vprintk_func+0x58/0x160
[ 29.120906]  _raw_spin_lock_irqsave+0x8c/0xc0
[ 29.120907]  ? down_trylock+0xe/0x60
[ 29.120908]  down_trylock+0xe/0x60
[ 29.120909]  ? vprintk_func+0x58/0x160
[ 29.120911]  ? vprintk_func+0x58/0x160
[ 29.120912]  __down_trylock_console_sem+0x97/0x1e0
[ 29.120913]  vprintk_emit+0x1ee/0x620
[ 29.120914]  vprintk_func+0x58/0x160
[ 29.120915]  printk+0x9e/0xbc
[ 29.120917]  ? log_store.cold+0x16/0x16
[ 29.120918]  ? lock_acquire+0x170/0x3f0
[ 29.120919]  ? debug_check_no_obj_freed+0x135/0x680
[ 29.120920]  debug_print_object.cold+0xa7/0xdb
[ 29.120922]  debug_check_no_obj_freed+0x3b7/0x680
[ 29.120923]  ? debug_object_activate+0x490/0x490
[ 29.120925]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 29.120926]  kfree+0xb9/0x250
[ 29.120927]  __tcf_idr_release+0x202/0x260
[ 29.120928]  tcf_sample_init+0x788/0x8c0
[ 29.120929]  ? tcf_sample_cleanup_rcu+0x60/0x60
[ 29.120931]  tcf_action_init_1+0x51a/0x9e0
[ 29.120932]  ? tcf_action_dump_old+0x80/0x80
[ 29.120933]  ? nla_parse+0x157/0x1f0
[ 29.120934]  tcf_action_init+0x26d/0x400
[ 29.120936]  ? tcf_action_init_1+0x9e0/0x9e0
[ 29.120937]  ? memset+0x20/0x40
[ 29.120938]  ? nla_parse+0x157/0x1f0
[ 29.120939]  tc_ctl_action+0x2e3/0x510
[ 29.120940]  ? tca_action_gd+0x790/0x790
[ 29.120942]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 29.120943]  ? tca_action_gd+0x790/0x790
[ 29.120944]  rtnetlink_rcv_msg+0x3be/0xb10
[ 29.120945]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 29.120947]  ? __netlink_lookup+0x345/0x5d0
[ 29.120948]  netlink_rcv_skb+0x125/0x390
[ 29.120949]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 29.120950]  ? netlink_ack+0x9a0/0x9a0
[ 29.120951]  netlink_unicast+0x437/0x610
[ 29.120953]  ? netlink_sendskb+0xd0/0xd0
[ 29.120954]  ? __check_object_size+0x179/0x230
[ 29.120955]  netlink_sendmsg+0x648/0xbc0
[ 29.120956]  ? nlmsg_notify+0x1b0/0x1b0
[ 29.120958]  ? kernel_recvmsg+0x210/0x210
[ 29.120959]  ? security_socket_sendmsg+0x83/0xb0
[ 29.120960]  ? nlmsg_notify+0x1b0/0x1b0
[ 29.120961]  sock_sendmsg+0xb5/0x100
[ 29.120962]  ___sys_sendmsg+0x6c8/0x800
[ 29.120964]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 29.120965]  ? lock_downgrade+0x740/0x740
[ 29.120966]  ? __lru_cache_add+0x178/0x250
[ 29.120968]  ? do_raw_spin_unlock+0x164/0x220
[ 29.120969]  ? _raw_spin_unlock+0x29/0x40
[ 29.120970]  ? do_huge_pmd_anonymous_page+0x72e/0x1700
[ 29.120972]  ? prep_transhuge_page+0xa0/0xa0
[ 29.120973]  ? _raw_spin_unlock+0x29/0x40
[ 29.120974]  ? __pmd_alloc+0x27f/0x3f0
[ 29.120975]  ? __handle_mm_fault+0x80f/0x4620
[ 29.120977]  ? lock_downgrade+0x740/0x740
[ 29.120978]  ? vm_insert_page+0x7c0/0x7c0
[ 29.120979]  ? __fdget+0x167/0x1f0
[ 29.120980]  ? sockfd_lookup_light+0xb2/0x160
[ 29.120981]  __sys_sendmsg+0xa3/0x120
[ 29.120982]  ? SyS_shutdown+0x160/0x160
[ 29.120984]  ? up_read+0x17/0x30
[ 29.120985]  ? __do_page_fault+0x159/0xad0
[ 29.120986]  SyS_sendmsg+0x27/0x40
[ 29.120987]  ? __sys_sendmsg+0x120/0x120
[ 29.120988]  do_syscall_64+0x1d5/0x640
[ 29.120990]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.120991] RIP: 0033:0x7fdc8c8d3259
[ 29.120992] RSP: 002b:00007fff3260bcb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 29.120995] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdc8c8d3259
[ 29.120997] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 29.120999] RBP: 00007fdc8c897240 R08: 0000000000000007 R09: 0000000000000000
[ 29.121001] R10: 000000000000000c R11: 0000000000000246 R12: 00007fdc8c8972d0
[ 29.121003] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 29.121184] Kernel Offset: disabled
[ 30.069126] Rebooting in 86400 seconds..