Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   49.371132] kauditd_printk_skb: 4 callbacks suppressed
[   49.371148] audit: type=1400 audit(1546259446.778:35): avc:  denied  { map } for  pid=8347 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[   49.426783] sshd (8345) used greatest stack depth: 19848 bytes left
Warning: Permanently added '10.128.0.70' (ECDSA) to the list of known hosts.
executing program
[   56.055898] audit: type=1400 audit(1546259453.458:36): avc:  denied  { map } for  pid=8359 comm="syz-executor066" path="/root/syz-executor066205236" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   56.063249] FAULT_INJECTION: forcing a failure.
[   56.063249] name failslab, interval 1, probability 0, space 0, times 1
[   56.093342] CPU: 0 PID: 8359 Comm: syz-executor066 Not tainted 4.20.0+ #1
[   56.100249] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.109580] Call Trace:
[   56.112161]  dump_stack+0x1db/0x2d0
[   56.115767]  ? dump_stack_print_info.cold+0x20/0x20
[   56.120766]  ? kasan_check_read+0x11/0x20
[   56.124896]  ? __lock_acquire+0x2514/0x4a30
[   56.129200]  should_fail.cold+0xa/0x15
[   56.133071]  ? fault_create_debugfs_attr+0x1e0/0x1e0
[   56.138211]  ? print_usage_bug+0xd0/0xd0
[   56.142290]  ? __lock_acquire+0x572/0x4a30
[   56.146506]  __should_failslab+0x121/0x190
[   56.150722]  should_failslab+0x9/0x14
[   56.154519]  __kmalloc+0x71/0x740
[   56.157954]  ? __tty_buffer_request_room+0x2bf/0x7e0
[   56.163061]  __tty_buffer_request_room+0x2bf/0x7e0
[   56.167984]  ? tty_buffer_free+0x160/0x160
[   56.172214]  ? kasan_check_read+0x11/0x20
[   56.176354]  ? do_raw_spin_lock+0x156/0x360
[   56.180666]  ? lock_release+0xc40/0xc40
[   56.184623]  tty_insert_flip_string_fixed_flag+0x93/0x1f0
[   56.190144]  pty_write+0x133/0x200
[   56.193669]  tty_send_xchar+0x28c/0x390
[   56.197627]  ? tty_write_message+0x130/0x130
[   56.202030]  ? arch_local_save_flags+0x50/0x50
[   56.206626]  ? rcu_dynticks_curr_cpu_in_eqs+0x71/0x170
[   56.211888]  ? rcu_read_unlock_special+0x380/0x380
[   56.216797]  n_tty_ioctl_helper+0x192/0x3b0
[   56.221102]  n_tty_ioctl+0x59/0x360
[   56.224725]  ? ldsem_down_read+0x33/0x40
[   56.228769]  tty_ioctl+0xb53/0x16c0
[   56.232379]  ? commit_echoes+0x1c0/0x1c0
[   56.236422]  ? tty_vhangup+0x30/0x30
[   56.240124]  ? kasan_check_read+0x11/0x20
[   56.244252]  ? rcu_read_unlock_special+0x380/0x380
[   56.249162]  ? save_stack+0x45/0xd0
[   56.252767]  ? __kasan_slab_free+0x102/0x150
[   56.257212]  ? kasan_slab_free+0xe/0x10
[   56.261209]  ? kmem_cache_free+0x86/0x260
[   56.265341]  ? ___might_sleep+0x1e7/0x310
[   56.269470]  ? arch_local_save_flags+0x50/0x50
[   56.274032]  ? vfs_write+0x2f0/0x580
[   56.277727]  ? find_held_lock+0x35/0x120
[   56.281772]  ? __might_sleep+0x95/0x190
[   56.285731]  ? tty_vhangup+0x30/0x30
[   56.289425]  do_vfs_ioctl+0x107b/0x17d0
[   56.293383]  ? selinux_file_ioctl+0x511/0x720
[   56.297873]  ? selinux_file_ioctl+0x125/0x720
[   56.302350]  ? ioctl_preallocate+0x2f0/0x2f0
[   56.306743]  ? selinux_file_mprotect+0x620/0x620
[   56.311480]  ? __fget_light+0x2db/0x420
[   56.315467]  ? vfs_write+0x160/0x580
[   56.319245]  ? do_syscall_64+0x8c/0x800
[   56.323208]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   56.328740]  ? security_file_ioctl+0x93/0xc0
[   56.333128]  ksys_ioctl+0xab/0xd0
[   56.336561]  __x64_sys_ioctl+0x73/0xb0
[   56.340432]  do_syscall_64+0x1a3/0x800
[   56.344303]  ? syscall_return_slowpath+0x5f0/0x5f0
[   56.349215]  ? prepare_exit_to_usermode+0x232/0x3b0
[   56.354312]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   56.359141]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   56.364310] RIP: 0033:0x4402e9
[   56.367487] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   56.386374] RSP: 002b:00007ffee51fffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   56.394062] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004402e9
[   56.401327] RDX: 0000000000000003 RSI: 000000000000540a RDI: 0000000000000003
[   56.408579] RBP: 00000000006cb018 R08: 0000000000000001 R09: 0000000000000031
[   56.415838] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[   56.423109] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
[   56.430375]
[   56.430379] ======================================================
[   56.430382] WARNING: possible circular locking dependency detected
[   56.430384] 4.20.0+ #1 Not tainted
[   56.430387] ------------------------------------------------------
[   56.430390] syz-executor066/8359 is trying to acquire lock:
[   56.430392] 00000000caabada3 (console_owner){-.-.}, at: vprintk_emit+0x54f/0x960
[   56.430400]
[   56.430403] but task is already holding lock:
[   56.430404] 00000000da6a7ef7 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xff/0x200
[   56.430412]
[   56.430415] which lock already depends on the new lock.
[   56.430416]
[   56.430417]
[   56.430420] the existing dependency chain (in reverse order) is:
[   56.430422]
[   56.430423] -> #2 (&(&port->lock)->rlock){-.-.}:
[   56.430431]        _raw_spin_lock_irqsave+0x95/0xcd
[   56.430433]        tty_port_tty_get+0x22/0x80
[   56.430436]        tty_port_default_wakeup+0x16/0x40
[   56.430438]        tty_port_tty_wakeup+0x5d/0x70
[   56.430440]        uart_write_wakeup+0x46/0x70
[   56.430443]        serial8250_tx_chars+0x4a4/0xb20
[   56.430446]        serial8250_handle_irq.part.0+0x1be/0x2e0
[   56.430449]        serial8250_default_handle_irq+0xc5/0x150
[   56.430451]        serial8250_interrupt+0xfb/0x1a0
[   56.430454]        __handle_irq_event_percpu+0x1c6/0xb10
[   56.430456]        handle_irq_event_percpu+0xa0/0x1d0
[   56.430459]        handle_irq_event+0xa7/0x134
[   56.430461]        handle_edge_irq+0x232/0x8a0
[   56.430463]        handle_irq+0x252/0x3d8
[   56.430465]        do_IRQ+0x99/0x1d0
[   56.430467]        ret_from_intr+0x0/0x1e
[   56.430469]        native_safe_halt+0x2/0x10
[   56.430472]        arch_cpu_idle+0x10/0x20
[   56.430474]        default_idle_call+0x36/0x90
[   56.430476]        do_idle+0x386/0x5d0
[   56.430478]        cpu_startup_entry+0x1b/0x20
[   56.430480]        start_secondary+0x435/0x620
[   56.430483]        secondary_startup_64+0xa4/0xb0
[   56.430484]
[   56.430485] -> #1 (&port_lock_key){-.-.}:
[   56.430493]        _raw_spin_lock_irqsave+0x95/0xcd
[   56.430496]        serial8250_console_write+0x253/0xab0
[   56.430498]        univ8250_console_write+0x5f/0x70
[   56.430500]        console_unlock+0xcff/0x11e0
[   56.430502]        vprintk_emit+0x370/0x960
[   56.430505]        vprintk_default+0x28/0x30
[   56.430507]        vprintk_func+0x7e/0x189
[   56.430509]        printk+0xba/0xed
[   56.430511]        register_console+0x74d/0xb50
[   56.430513]        univ8250_console_init+0x3e/0x4b
[   56.430516]        console_init+0x6b7/0x9fe
[   56.430518]        start_kernel+0x5df/0x8bd
[   56.430520]        x86_64_start_reservations+0x29/0x2b
[   56.430523]        x86_64_start_kernel+0x77/0x7b
[   56.430525]        secondary_startup_64+0xa4/0xb0
[   56.430526]
[   56.430528] -> #0 (console_owner){-.-.}:
[   56.430535]        lock_acquire+0x1db/0x570
[   56.430537]        vprintk_emit+0x5a5/0x960
[   56.430539]        vprintk_default+0x28/0x30
[   56.430542]        vprintk_func+0x7e/0x189
[   56.430543]        printk+0xba/0xed
[   56.430546]        should_fail+0xa59/0xd22
[   56.430548]        __should_failslab+0x121/0x190
[   56.430550]        should_failslab+0x9/0x14
[   56.430552]        __kmalloc+0x71/0x740
[   56.430555]        __tty_buffer_request_room+0x2bf/0x7e0
[   56.430558]        tty_insert_flip_string_fixed_flag+0x93/0x1f0
[   56.430560]        pty_write+0x133/0x200
[   56.430562]        tty_send_xchar+0x28c/0x390
[   56.430564]        n_tty_ioctl_helper+0x192/0x3b0
[   56.430567]        n_tty_ioctl+0x59/0x360
[   56.430569]        tty_ioctl+0xb53/0x16c0
[   56.430571]        do_vfs_ioctl+0x107b/0x17d0
[   56.430573]        ksys_ioctl+0xab/0xd0
[   56.430575]        __x64_sys_ioctl+0x73/0xb0
[   56.430577]        do_syscall_64+0x1a3/0x800
[   56.430580]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   56.430581]
[   56.430584] other info that might help us debug this:
[   56.430585]
[   56.430587] Chain exists of:
[   56.430588]   console_owner --> &port_lock_key --> &(&port->lock)->rlock
[   56.430598]
[   56.430600]  Possible unsafe locking scenario:
[   56.430601]
[   56.430603]        CPU0                    CPU1
[   56.430606]        ----                    ----
[   56.430607]   lock(&(&port->lock)->rlock);
[   56.430612]                                lock(&port_lock_key);
[   56.430618]                                lock(&(&port->lock)->rlock);
[   56.430622]   lock(console_owner);
[   56.430626]
[   56.430628]  *** DEADLOCK ***
[   56.430629]
[   56.430632] 4 locks held by syz-executor066/8359:
[   56.430633]  #0: 0000000094bc7f36 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40
[   56.430642]  #1: 00000000b7f0e8a5 (&tty->atomic_write_lock){+.+.}, at: tty_write_lock+0x23/0x90
[   56.430651]  #2: 00000000527f1cff (&tty->termios_rwsem){++++}, at: tty_send_xchar+0x224/0x390
[   56.430660]  #3: 00000000da6a7ef7 (&(&port->lock)->rlock){-.-.}, at: pty_write+0xff/0x200
[   56.430670]
[   56.430671] stack backtrace:
[   56.430675] CPU: 0 PID: 8359 Comm: syz-executor066 Not tainted 4.20.0+ #1
[   56.430679] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   56.430681] Call Trace:
[   56.430683]  dump_stack+0x1db/0x2d0
[   56.430686]  ? dump_stack_print_info.cold+0x20/0x20
[   56.430688]  ? print_stack_trace+0x77/0xb0
[   56.430690]  ? vprintk_func+0x86/0x189
[   56.430693]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[   56.430695]  __lock_acquire+0x3014/0x4a30
[   56.430697]  ? mark_held_locks+0x100/0x100
[   56.430699]  ? number+0x956/0xc80
[   56.430702]  ? add_lock_to_list.isra.0+0x450/0x450
[   56.430705]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   56.430707]  ? add_lock_to_list.isra.0+0x450/0x450
[   56.430710]  ? find_held_lock+0x35/0x120
[   56.430712]  ? down_trylock+0x4f/0x70
[   56.430714]  ? vprintk_emit+0x580/0x960
[   56.430716]  ? find_held_lock+0x35/0x120
[   56.430718]  lock_acquire+0x1db/0x570
[   56.430720]  ? vprintk_emit+0x54f/0x960
[   56.430723]  ? lock_release+0xc40/0xc40
[   56.430725]  ? do_raw_spin_trylock+0x270/0x270
[   56.430727]  ? vprintk_emit+0x351/0x960
[   56.430730]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   56.430732]  vprintk_emit+0x5a5/0x960
[   56.430734]  ? vprintk_emit+0x54f/0x960
[   56.430737]  ? wake_up_klogd+0x180/0x180
[   56.430739]  ? check_usage_forwards+0x3e0/0x3e0
[   56.430741]  ? kasan_check_read+0x11/0x20
[   56.430743]  ? __bfs+0x291/0x7a0
[   56.430745]  ? print_usage_bug+0xd0/0xd0
[   56.430748]  ? rcu_read_unlock_special+0x380/0x380
[   56.430750]  vprintk_default+0x28/0x30
[   56.430752]  vprintk_func+0x7e/0x189
[   56.430754]  printk+0xba/0xed
[   56.430757]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   56.430759]  ? ___ratelimit+0xac/0x686
[   56.430761]  ? idr_get_free+0xee0/0xee0
[   56.430763]  ? kasan_check_read+0x11/0x20
[   56.430765]  ? __lock_acquire+0x2514/0x4a30
[   56.430768]  should_fail+0xa59/0xd22
[   56.430770]  ? fault_create_debugfs_attr+0x1e0/0x1e0
[   56.430772]  ? print_usage_bug+0xd0/0xd0
[   56.430775]  ? __lock_acquire+0x572/0x4a30
[   56.430777]  __should_failslab+0x121/0x190
[   56.430779]  should_failslab+0x9/0x14
[   56.430781]  __kmalloc+0x71/0x740
[   56.430784]  ? __tty_buffer_request_room+0x2bf/0x7e0
[   56.430786]  __tty_buffer_request_room+0x2bf/0x7e0
[   56.430789]  ? tty_buffer_free+0x160/0x160
[   56.430791]  ? kasan_check_read+0x11/0x20
[   56.430793]  ? do_raw_spin_lock+0x156/0x360
[   56.430795]  ? lock_release+0xc40/0xc40
[   56.430798]  tty_insert_flip_string_fixed_flag+0x93/0x1f0
[   56.430800]  pty_write+0x133/0x200
[   56.430802]  tty_send_xchar+0x28c/0x390
[   56.430805]  ? tty_write_message+0x130/0x130
[   56.430807]  ? arch_local_save_flags+0x50/0x50
[   56.430810]  ? rcu_dynticks_curr_cpu_in_eqs+0x71/0x170
[   56.430812]  ? rcu_read_unlock_special+0x380/0x380
[   56.430815]  n_tty_ioctl_helper+0x192/0x3b0
[   56.430817]  n_tty_ioctl+0x59/0x360
[   56.430819]  ? ldsem_down_read+0x33/0x40
[   56.430821]  tty_ioctl+0xb53/0x16c0
[   56.430823]  ? commit_echoes+0x1c0/0x1c0
[   56.430825]  ? tty_vhangup+0x30/0x30
[   56.430828]  ? kasan_check_read+0x11/0x20
[   56.430830]  ? rcu_read_unlock_special+0x380/0x380
[   56.430832]  ? save_stack+0x45/0xd0
[   56.430835]  ? __kasan_slab_free+0x102/0x150
[   56.430837]  ? kasan_slab_free+0xe/0x10
[   56.430839]  ? kmem_cache_free+0x86/0x260
[   56.430841]  ? ___might_sleep+0x1e7/0x310
[   56.430844]  ? arch_local_save_flags+0x50/0x50
[   56.430846]  ? vfs_write+0x2f0/0x580
[   56.430856]  ? find_held_lock+0x35/0x120
[   56.430858]  ? __might_sleep+0x95/0x190
[   56.430864]  ? tty_vhangup+0x30/0x30
[   56.430866]  do_vfs_ioctl+0x107b/0x17d0
[   56.430869]  ? selinux_file_ioctl+0x511/0x720
[   56.430871]  ? selinux_file_ioctl+0x125/0x720
[   56.430874]  ? ioctl_preallocate+0x2f0/0x2f0
[   56.430876]  ? selinux_file_mprotect+0x620/0x620
[   56.430879]  ? __fget_light+0x2db/0x420
[   56.430881]  ? vfs_write+0x160/0x580
[   56.430883]  ? do_syscall_64+0x8c/0x800
[   56.430886]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   56.430889]  ? security_file_ioctl+0x93/0xc0
[   56.430891]  ksys_ioctl+0xab/0xd0
[   56.430893]  __x64_sys_ioctl+0x73/0xb0
[   56.430895]  do_syscall_64+0x1a3/0x800
[   56.430898]  ? syscall_return_slowpath+0x5f0/0x5f0
[   56.430901]  ? prepare_exit_to_usermode+0x232/0x3b0
[   56.430903]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   56.430906]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   56.430908] RIP: 0033:0x4402e9
[   56.430916] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   56.430919] RSP: 002b:00007ffee51fffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   56.430924] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004402e9
[   56.430928] RDX: 0000000000000003 RSI: 000000000000540a RDI: 0000000000000003
[   56.430931] RBP: 00000000006cb018 R08: 0000000000000001 R09: 0000000000000031
[   56.430935] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[   56.430938] R13: ffffffffffffffff R
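How to read the report above. The register dump shows ioctl(3, 0x540a, 3), i.e. TCXONC with TCION on a pty, which reaches tty_send_xchar() -> pty_write(). pty_write() takes the tty_port spinlock and then asks __tty_buffer_request_room() for more flip-buffer space; __kmalloc() consults fault injection, should_fail() decides to fail and printk()s its "FAULT_INJECTION: forcing a failure" message, and printk() wants console_owner. Lockdep already holds two edges from earlier: console_owner -> port_lock_key (chain #1, the boot-time register_console() printk writing to the 8250 console) and port_lock_key -> &(&port->lock)->rlock (chain #2, the 8250 transmit interrupt waking the tty via tty_port_tty_get()). Adding port->lock -> console_owner closes the cycle printed under "Chain exists of:". Note that lockdep reasons about lock classes, not instances: the pty's port->lock and the serial port's tty_port lock are different objects but share the class initialised by tty_port_init(), which is why the report treats them as one.

The following is an added example, not code from the syzkaller report or from the kernel: a small user-space model of the dependency-graph check lockdep performs, replaying the three chains from the report in the order they were learned. The lock-class names are the report's; the function names ld_acquire/ld_release/replay_report and the flat adjacency matrix are assumptions made for illustration.

```c
/*
 * Added example (not part of the syzkaller report above, not kernel code):
 * a user-space model of lockdep's circular-dependency check. Lock-class
 * names are copied from the report; everything else is illustrative.
 */
#include <stdio.h>
#include <string.h>

#define NLOCKS   3
#define MAX_HELD 8

enum { PORT_LOCK = 0, PORT_LOCK_KEY = 1, CONSOLE_OWNER = 2 };

static const char *lock_name[NLOCKS] = {
    "&(&port->lock)->rlock",   /* tty_port->lock, taken in pty_write() */
    "&port_lock_key",          /* uart_port->lock, taken by serial8250 */
    "console_owner",           /* taken in vprintk_emit()/console_unlock() */
};

/* dep[a][b] != 0 means "b has been acquired while a was held". */
static int dep[NLOCKS][NLOCKS];

/* Simulated current task: stack of held lock classes. */
static int held[MAX_HELD];
static int nheld;

/* Depth-first search for a path from 'from' to 'to'. On success the path
 * (excluding 'from') is written to 'path' and its length is returned;
 * 0 means no path exists. */
static int find_path(int from, int to, int *visited, int *path)
{
    visited[from] = 1;
    for (int next = 0; next < NLOCKS; next++) {
        if (!dep[from][next] || visited[next])
            continue;
        path[0] = next;
        if (next == to)
            return 1;
        int n = find_path(next, to, visited, path + 1);
        if (n)
            return n + 1;
    }
    return 0;
}

/* Model of lock_acquire(): before recording held -> lock, check whether
 * 'lock' already reaches any lock the task holds. If it does, the new
 * edge would close a cycle, which is the "possible circular locking
 * dependency" in the report. Returns 1 (and prints the chain) on a
 * cycle, 0 otherwise. */
static int ld_acquire(int lock)
{
    int path[NLOCKS];
    for (int i = 0; i < nheld; i++) {
        int visited[NLOCKS] = {0};
        int n = find_path(lock, held[i], visited, path);
        if (n) {
            printf("possible circular locking dependency: %s", lock_name[lock]);
            for (int k = 0; k < n; k++)
                printf(" --> %s", lock_name[path[k]]);
            printf("\n");
            return 1;
        }
    }
    if (nheld == MAX_HELD)
        return 0;               /* illustrative guard; lockdep would warn */
    for (int i = 0; i < nheld; i++)
        dep[held[i]][lock] = 1;
    held[nheld++] = lock;
    return 0;
}

static void ld_release(void)
{
    if (nheld > 0)
        nheld--;
}

/* Replay the three chains from the report in the order lockdep learned
 * them; returns 1 if the third acquisition is flagged as a cycle. */
int replay_report(void)
{
    memset(dep, 0, sizeof(dep));
    nheld = 0;

    /* -> #1: register_console() printk() holds console_owner, then
     * serial8250_console_write() takes port_lock_key. */
    ld_acquire(CONSOLE_OWNER);
    ld_acquire(PORT_LOCK_KEY);
    ld_release(); ld_release();

    /* -> #2: serial8250_interrupt() holds port_lock_key, then
     * tty_port_tty_get() takes &port->lock. */
    ld_acquire(PORT_LOCK_KEY);
    ld_acquire(PORT_LOCK);
    ld_release(); ld_release();

    /* -> #0: pty_write() holds &port->lock, then should_fail()'s printk()
     * tries to take console_owner. */
    ld_acquire(PORT_LOCK);
    int cycle = ld_acquire(CONSOLE_OWNER);
    ld_release();
    return cycle;
}

int main(void)
{
    return replay_report() ? 0 : 1;
}
```

Running it prints the same chain as the report, console_owner --> &port_lock_key --> &(&port->lock)->rlock. The real lockdep differs in the details (it works per lock class, uses an irq-state-aware breadth-first search, and adds edges mainly from the most recently taken lock rather than from every held lock); the reachability test is what this model keeps. The practical lesson for reviewing such reports is that any printk() under a lock that a console driver's IRQ path can also end up depending on is enough to produce this warning, so the offending call is the printk() in should_fail(), not the tty code that the fuzzer drove.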