[ 33.723984] audit: type=1800 audit(1579778852.536:33): pid=7096 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.750622] audit: type=1800 audit(1579778852.536:34): pid=7096 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 36.825232] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.148588] audit: type=1400 audit(1579778855.956:35): avc: denied { map } for pid=7268 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.194827] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.875890] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.065061] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts.
[ 43.572901] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.702107] audit: type=1400 audit(1579778862.516:36): avc: denied { map } for pid=7280 comm="syz-executor439" path="/root/syz-executor439222196" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.705217] ODEBUG: free active (active state 1) object type: rcu_head hint: (null)
[ 43.737191] ------------[ cut here ]------------
[ 43.741938] WARNING: CPU: 0 PID: 7280 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 43.752056] Kernel panic - not syncing: panic_on_warn set ...
[ 43.752056]
[ 43.759412] CPU: 0 PID: 7280 Comm: syz-executor439 Not tainted 4.14.167-syzkaller #0
[ 43.767635] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.776980] Call Trace:
[ 43.779559] dump_stack+0x142/0x197
[ 43.783184] panic+0x1f9/0x42d
[ 43.786367] ? add_taint.cold+0x16/0x16
[ 43.790326] ? debug_print_object.cold+0xa7/0xdb
[ 43.795123] ? debug_print_object.cold+0xa7/0xdb
[ 43.800040] __warn.cold+0x2f/0x2f
[ 43.803570] ? ist_end_non_atomic+0x10/0x10
[ 43.807897] ? debug_print_object.cold+0xa7/0xdb
[ 43.812637] report_bug+0x216/0x254
[ 43.816244] do_error_trap+0x1bb/0x310
[ 43.820129] ? math_error+0x360/0x360
[ 43.823927] ? vprintk_emit+0x171/0x600
[ 43.827880] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 43.832698] do_invalid_op+0x1b/0x20
[ 43.836401] invalid_op+0x1b/0x40
[ 43.839851] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 43.845204] RSP: 0018:ffff88807d49f110 EFLAGS: 00010086
[ 43.850564] RAX: 0000000000000051 RBX: 0000000000000003 RCX: 0000000000000000
[ 43.857811] RDX: 0000000000000000 RSI: ffffffff86cc2fe0 RDI: ffffed100fa93e18
[ 43.865071] RBP: ffff88807d49f138 R08: 0000000000000051 R09: 0000000000000000
[ 43.872335] R10: 0000000000000000 R11: ffff88808bc88180 R12: ffffffff86cb86e0
[ 43.879589] R13: 0000000000000000 R14: 0000000000000001 R15: ffff88808d120b10
[ 43.886857] debug_check_no_obj_freed+0x3f5/0x7b7
[ 43.891682] ? free_obj_work+0x6d0/0x6d0
[ 43.895723] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 43.901169] kfree+0xbd/0x270
[ 43.904277] free_tcf+0x13c/0x190
[ 43.907716] __tcf_idr_release+0x213/0x260
[ 43.911952] tcf_sample_init+0x7f2/0x960
[ 43.916003] ? tcf_sample_act+0x9f0/0x9f0
[ 43.920128] ? rcu_read_lock_sched_held+0x110/0x130
[ 43.925159] ? _raw_read_unlock+0x2d/0x50
[ 43.929282] tcf_action_init_1+0x53c/0xaa0
[ 43.933496] ? tcf_action_dump_old+0x80/0x80
[ 43.937883] ? lock_downgrade+0x740/0x740
[ 43.942027] ? nla_parse+0x186/0x240
[ 43.945719] tcf_action_init+0x2ab/0x480
[ 43.949774] ? tcf_action_init_1+0xaa0/0xaa0
[ 43.954168] ? memset+0x32/0x40
[ 43.957425] ? nla_parse+0x186/0x240
[ 43.961128] tc_ctl_action+0x30a/0x548
[ 43.964992] ? tca_action_gd+0x840/0x840
[ 43.969043] ? tca_action_gd+0x840/0x840
[ 43.973094] rtnetlink_rcv_msg+0x3da/0xb70
[ 43.977333] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.981998] ? netlink_deliver_tap+0x93/0x8f0
[ 43.986484] netlink_rcv_skb+0x14f/0x3c0
[ 43.990532] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 43.995096] ? lock_downgrade+0x740/0x740
[ 43.999222] ? netlink_ack+0x9a0/0x9a0
[ 44.003091] ? netlink_deliver_tap+0xba/0x8f0
[ 44.007573] rtnetlink_rcv+0x1d/0x30
[ 44.011269] netlink_unicast+0x44d/0x650
[ 44.015337] ? netlink_attachskb+0x6a0/0x6a0
[ 44.019740] ? security_netlink_send+0x81/0xb0
[ 44.024303] netlink_sendmsg+0x7c4/0xc60
[ 44.028356] ? netlink_unicast+0x650/0x650
[ 44.032573] ? security_socket_sendmsg+0x89/0xb0
[ 44.037308] ? netlink_unicast+0x650/0x650
[ 44.041524] sock_sendmsg+0xce/0x110
[ 44.045213] ___sys_sendmsg+0x70a/0x840
[ 44.049163] ? lock_downgrade+0x740/0x740
[ 44.053287] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 44.058019] ? do_raw_spin_unlock+0x174/0x260
[ 44.062496] ? _raw_spin_unlock+0x2d/0x50
[ 44.066647] ? do_huge_pmd_anonymous_page+0x2f9/0x1200
[ 44.071914] ? prep_transhuge_page+0xa0/0xa0
[ 44.076322] ? __handle_mm_fault+0x692/0x33d0
[ 44.080811] ? save_trace+0x290/0x290
[ 44.084617] ? copy_page_range+0x1de0/0x1de0
[ 44.089014] ? __do_page_fault+0x4e9/0xb80
[ 44.093605] ? __fget_light+0x172/0x1f0
[ 44.097572] ? __fdget+0x1b/0x20
[ 44.100915] ? sockfd_lookup_light+0xb4/0x160
[ 44.105385] __sys_sendmsg+0xb9/0x140
[ 44.109163] ? SyS_shutdown+0x170/0x170
[ 44.113116] SyS_sendmsg+0x2d/0x50
[ 44.116719] ? __sys_sendmsg+0x140/0x140
[ 44.120759] do_syscall_64+0x1e8/0x640
[ 44.124622] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.129450] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.134620] RIP: 0033:0x440369
[ 44.137801] RSP: 002b:00007fff50801088 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 44.145499] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440369
[ 44.152745] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 44.160081] RBP: 00000000006ca018 R08: 000000000000000b R09: 00000000004002c8
[ 44.167328] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000401bf0
[ 44.174577] R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000
[ 44.181832]
[ 44.181834] ======================================================
[ 44.181836] WARNING: possible circular locking dependency detected
[ 44.181837] 4.14.167-syzkaller #0 Not tainted
[ 44.181839] ------------------------------------------------------
[ 44.181841] syz-executor439/7280 is trying to acquire lock:
[ 44.181841] ((console_sem).lock){-...}, at: [] down_trylock+0x13/0x70
[ 44.181846]
[ 44.181847] but task is already holding lock:
[ 44.181848] (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 44.181852]
[ 44.181853] which lock already depends on the new lock.
[ 44.181854]
[ 44.181855]
[ 44.181856] the existing dependency chain (in reverse order) is:
[ 44.181857]
[ 44.181858] -> #5 (&obj_hash[i].lock){-.-.}:
[ 44.181862]        lock_acquire+0x16f/0x430
[ 44.181863]        _raw_spin_lock_irqsave+0x95/0xcd
[ 44.181865]        debug_object_activate+0x10b/0x450
[ 44.181866]        enqueue_hrtimer+0x27/0x3b0
[ 44.181868]        hrtimer_start_range_ns+0x50a/0x10d0
[ 44.181869]        schedule_hrtimeout_range_clock+0x17c/0x340
[ 44.181870]        schedule_hrtimeout+0x25/0x30
[ 44.181872]        wait_task_inactive+0x4ac/0x580
[ 44.181873]        __kthread_bind_mask+0x24/0xc0
[ 44.181874]        kthread_bind_mask+0x23/0x30
[ 44.181875]        create_worker+0x31b/0x530
[ 44.181877]        workqueue_init+0x57b/0x68a
[ 44.181878]        kernel_init_freeable+0x2af/0x532
[ 44.181879]        kernel_init+0x12/0x162
[ 44.181880]        ret_from_fork+0x24/0x30
[ 44.181881]
[ 44.181882] -> #4 (hrtimer_bases.lock){-.-.}:
[ 44.181886]        lock_acquire+0x16f/0x430
[ 44.181887]        _raw_spin_lock_irqsave+0x95/0xcd
[ 44.181889]        lock_hrtimer_base.isra.0+0x75/0x130
[ 44.181890]        hrtimer_start_range_ns+0x7a/0x10d0
[ 44.181891]        enqueue_task_rt+0x972/0xe40
[ 44.181893]        __sched_setscheduler.constprop.0+0xc59/0x2340
[ 44.181894]        _sched_setscheduler+0x10e/0x180
[ 44.181896]        sched_setscheduler+0xe/0x10
[ 44.181897]        watchdog_enable+0x10b/0x160
[ 44.181898]        smpboot_thread_fn+0x444/0x960
[ 44.181899]        kthread+0x319/0x430
[ 44.181900]        ret_from_fork+0x24/0x30
[ 44.181901]
[ 44.181902] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 44.181906]        lock_acquire+0x16f/0x430
[ 44.181907]        _raw_spin_lock+0x2f/0x40
[ 44.181908]        enqueue_task_rt+0x524/0xe40
[ 44.181910]        __sched_setscheduler.constprop.0+0xc59/0x2340
[ 44.181911]        _sched_setscheduler+0x10e/0x180
[ 44.181913]        sched_setscheduler+0xe/0x10
[ 44.181914]        watchdog_enable+0x10b/0x160
[ 44.181915]        smpboot_thread_fn+0x444/0x960
[ 44.181916]        kthread+0x319/0x430
[ 44.181917]        ret_from_fork+0x24/0x30
[ 44.181918]
[ 44.181919] -> #2 (&rq->lock){-.-.}:
[ 44.181923]        lock_acquire+0x16f/0x430
[ 44.181924]        _raw_spin_lock+0x2f/0x40
[ 44.181925]        task_fork_fair+0x63/0x5b0
[ 44.181926]        sched_fork+0x3a6/0xc10
[ 44.181928]        copy_process.part.0+0x15b7/0x6a70
[ 44.181929]        _do_fork+0x19e/0xce0
[ 44.181930]        kernel_thread+0x34/0x40
[ 44.181931]        rest_init+0x24/0x1e2
[ 44.181932]        start_kernel+0x6df/0x6fd
[ 44.181934]        x86_64_start_reservations+0x29/0x2b
[ 44.181935]        x86_64_start_kernel+0x77/0x7b
[ 44.181936]        secondary_startup_64+0xa5/0xb0
[ 44.181937]
[ 44.181938] -> #1 (&p->pi_lock){-.-.}:
[ 44.181942]        lock_acquire+0x16f/0x430
[ 44.181943]        _raw_spin_lock_irqsave+0x95/0xcd
[ 44.181944]        try_to_wake_up+0x79/0xf90
[ 44.181946]        wake_up_process+0x10/0x20
[ 44.181947]        __up.isra.0+0x136/0x1a0
[ 44.181948]        up+0x9c/0xe0
[ 44.181949]        __up_console_sem+0xad/0x1b0
[ 44.181950]        console_unlock+0x59d/0xed0
[ 44.181952]        vprintk_emit+0x1f9/0x600
[ 44.181953]        vprintk_default+0x28/0x30
[ 44.181954]        vprintk_func+0x5d/0x159
[ 44.181955]        printk+0x9e/0xbc
[ 44.181956]        kauditd_hold_skb.cold+0x3e/0x4d
[ 44.181958]        kauditd_send_queue+0xfe/0x140
[ 44.181959]        kauditd_thread+0x644/0x860
[ 44.181960]        kthread+0x319/0x430
[ 44.181961]        ret_from_fork+0x24/0x30
[ 44.181962]
[ 44.181963] -> #0 ((console_sem).lock){-...}:
[ 44.181967]        __lock_acquire+0x2cb3/0x4620
[ 44.181968]        lock_acquire+0x16f/0x430
[ 44.181969]        _raw_spin_lock_irqsave+0x95/0xcd
[ 44.181971]        down_trylock+0x13/0x70
[ 44.181972]        __down_trylock_console_sem+0x9c/0x200
[ 44.181973]        console_trylock+0x17/0x80
[ 44.181975]        vprintk_emit+0x1eb/0x600
[ 44.181976]        vprintk_default+0x28/0x30
[ 44.181977]        vprintk_func+0x5d/0x159
[ 44.181978]        printk+0x9e/0xbc
[ 44.181979]        debug_print_object.cold+0xa7/0xdb
[ 44.181981]        debug_check_no_obj_freed+0x3f5/0x7b7
[ 44.181982]        kfree+0xbd/0x270
[ 44.181983]        free_tcf+0x13c/0x190
[ 44.181984]        __tcf_idr_release+0x213/0x260
[ 44.181986]        tcf_sample_init+0x7f2/0x960
[ 44.181987]        tcf_action_init_1+0x53c/0xaa0
[ 44.181988]        tcf_action_init+0x2ab/0x480
[ 44.181989]        tc_ctl_action+0x30a/0x548
[ 44.181991]        rtnetlink_rcv_msg+0x3da/0xb70
[ 44.181992]        netlink_rcv_skb+0x14f/0x3c0
[ 44.181993]        rtnetlink_rcv+0x1d/0x30
[ 44.181994]        netlink_unicast+0x44d/0x650
[ 44.181996]        netlink_sendmsg+0x7c4/0xc60
[ 44.181997]        sock_sendmsg+0xce/0x110
[ 44.181998]        ___sys_sendmsg+0x70a/0x840
[ 44.181999]        __sys_sendmsg+0xb9/0x140
[ 44.182001]        SyS_sendmsg+0x2d/0x50
[ 44.182002]        do_syscall_64+0x1e8/0x640
[ 44.182003]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.182004]
[ 44.182005] other info that might help us debug this:
[ 44.182006]
[ 44.182007] Chain exists of:
[ 44.182008]   (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 44.182013]
[ 44.182014] Possible unsafe locking scenario:
[ 44.182015]
[ 44.182016]        CPU0                    CPU1
[ 44.182018]        ----                    ----
[ 44.182018]   lock(&obj_hash[i].lock);
[ 44.182021]                                lock(hrtimer_bases.lock);
[ 44.182024]                                lock(&obj_hash[i].lock);
[ 44.182026]   lock((console_sem).lock);
[ 44.182029]
[ 44.182030] *** DEADLOCK ***
[ 44.182030]
[ 44.182032] 2 locks held by syz-executor439/7280:
[ 44.182032] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x339/0xb70
[ 44.182037] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 44.182042]
[ 44.182043] stack backtrace:
[ 44.182045] CPU: 0 PID: 7280 Comm: syz-executor439 Not tainted 4.14.167-syzkaller #0
[ 44.182047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.182048] Call Trace:
[ 44.182049] dump_stack+0x142/0x197
[ 44.182051] print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 44.182052] __lock_acquire+0x2cb3/0x4620
[ 44.182053] ? string+0x184/0x1d0
[ 44.182054] ? trace_hardirqs_on+0x10/0x10
[ 44.182055] ? netdev_bits+0xb0/0xb0
[ 44.182056] ? format_decode+0x1d8/0x930
[ 44.182058] ? kvm_clock_read+0x23/0x40
[ 44.182059] ? kvm_sched_clock_read+0x9/0x20
[ 44.182060] lock_acquire+0x16f/0x430
[ 44.182061] ? down_trylock+0x13/0x70
[ 44.182062] ? vprintk_emit+0x109/0x600
[ 44.182064] _raw_spin_lock_irqsave+0x95/0xcd
[ 44.182065] ? down_trylock+0x13/0x70
[ 44.182066] ? vprintk_emit+0x1eb/0x600
[ 44.182067] down_trylock+0x13/0x70
[ 44.182068] ? vprintk_emit+0x1eb/0x600
[ 44.182070] __down_trylock_console_sem+0x9c/0x200
[ 44.182071] console_trylock+0x17/0x80
[ 44.182072] vprintk_emit+0x1eb/0x600
[ 44.182073] vprintk_default+0x28/0x30
[ 44.182074] vprintk_func+0x5d/0x159
[ 44.182075] printk+0x9e/0xbc
[ 44.182077] ? show_regs_print_info+0x63/0x63
[ 44.182078] ? lock_acquire+0x16f/0x430
[ 44.182079] ? debug_check_no_obj_freed+0x12d/0x7b7
[ 44.182081] debug_print_object.cold+0xa7/0xdb
[ 44.182082] debug_check_no_obj_freed+0x3f5/0x7b7
[ 44.182083] ? free_obj_work+0x6d0/0x6d0
[ 44.182085] ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 44.182086] kfree+0xbd/0x270
[ 44.182087] free_tcf+0x13c/0x190
[ 44.182088] __tcf_idr_release+0x213/0x260
[ 44.182089] tcf_sample_init+0x7f2/0x960
[ 44.182091] ? tcf_sample_act+0x9f0/0x9f0
[ 44.182092] ? rcu_read_lock_sched_held+0x110/0x130
[ 44.182093] ? _raw_read_unlock+0x2d/0x50
[ 44.182094] tcf_action_init_1+0x53c/0xaa0
[ 44.182096] ? tcf_action_dump_old+0x80/0x80
[ 44.182097] ? lock_downgrade+0x740/0x740
[ 44.182098] ? nla_parse+0x186/0x240
[ 44.182099] tcf_action_init+0x2ab/0x480
[ 44.182101] ? tcf_action_init_1+0xaa0/0xaa0
[ 44.182102] ? memset+0x32/0x40
[ 44.182103] ? nla_parse+0x186/0x240
[ 44.182104] tc_ctl_action+0x30a/0x548
[ 44.182105] ? tca_action_gd+0x840/0x840
[ 44.182107] ? tca_action_gd+0x840/0x840
[ 44.182108] rtnetlink_rcv_msg+0x3da/0xb70
[ 44.182109] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.182110] ? netlink_deliver_tap+0x93/0x8f0
[ 44.182112] netlink_rcv_skb+0x14f/0x3c0
[ 44.182113] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.182114] ? lock_downgrade+0x740/0x740
[ 44.182115] ? netlink_ack+0x9a0/0x9a0
[ 44.182117] ? netlink_deliver_tap+0xba/0x8f0
[ 44.182118] rtnetlink_rcv+0x1d/0x30
[ 44.182119] netlink_unicast+0x44d/0x650
[ 44.182120] ? netlink_attachskb+0x6a0/0x6a0
[ 44.182122] ? security_netlink_send+0x81/0xb0
[ 44.182123] netlink_sendmsg+0x7c4/0xc60
[ 44.182124] ? netlink_unicast+0x650/0x650
[ 44.182125] ? security_socket_sendmsg+0x89/0xb0
[ 44.182127] ? netlink_unicast+0x650/0x650
[ 44.182128] sock_sendmsg+0xce/0x110
[ 44.182129] ___sys_sendmsg+0x70a/0x840
[ 44.182130] ? lock_downgrade+0x740/0x740
[ 44.182131] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 44.182133] ? do_raw_spin_unlock+0x174/0x260
[ 44.182134] ? _raw_spin_unlock+0x2d/0x50
[ 44.182136] ? do_huge_pmd_anonymous_page+0x2f9/0x1200
[ 44.182137] ? prep_transhuge_page+0xa0/0xa0
[ 44.182138] ? __handle_mm_fault+0x692/0x33d0
[ 44.182139] ? save_trace+0x290/0x290
[ 44.182141] ? copy_page_range+0x1de0/0x1de0
[ 44.182142] ? __do_page_fault+0x4e9/0xb80
[ 44.182143] ? __fget_light+0x172/0x1f0
[ 44.182144] ? __fdget+0x1b/0x20
[ 44.182145] ? sockfd_lookup_light+0xb4/0x160
[ 44.182147] __sys_sendmsg+0xb9/0x140
[ 44.182148] ? SyS_shutdown+0x170/0x170
[ 44.182149] SyS_sendmsg+0x2d/0x50
[ 44.182150] ? __sys_sendmsg+0x140/0x140
[ 44.182151] do_syscall_64+0x1e8/0x640
[ 44.182153] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.182154] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.182155] RIP: 0033:0x440369
[ 44.182156] RSP: 002b:00007fff50801088 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 44.182160] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440369
[ 44.182161] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 44.182163] RBP: 00000000006ca018 R08: 000000000000000b R09: 00000000004002c8
[ 44.182165] R10: 0000000000000040 R11: 0000000000000246
[ 44.182167] Lost 1 message(s)!
[ 44.183593] Kernel Offset: disabled
[ 45.242743] Rebooting in 86400 seconds..