Warning: Permanently added '10.128.1.29' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 46.720828] kauditd_printk_skb: 2 callbacks suppressed
[ 46.720842] audit: type=1400 audit(1566880183.389:36): avc: denied { map } for pid=7599 comm="syz-executor439" path="/root/syz-executor439346795" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 51.732517] ------------[ cut here ]------------
[ 51.738698] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 51.748860] WARNING: CPU: 0 PID: 7602 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 51.757690] Kernel panic - not syncing: panic_on_warn set ...
[ 51.757690]
[ 51.765051] CPU: 0 PID: 7602 Comm: syz-executor439 Not tainted 4.19.68 #42
[ 51.772655] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.782022] Call Trace:
[ 51.784624]  dump_stack+0x172/0x1f0
[ 51.788341]  panic+0x263/0x507
[ 51.791726]  ? __warn_printk+0xf3/0xf3
[ 51.795693]  ? debug_print_object+0x168/0x250
[ 51.800544]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.806802]  ? __warn.cold+0x5/0x4a
[ 51.810622]  ? __warn+0xe8/0x1d0
[ 51.814418]  ? debug_print_object+0x168/0x250
[ 51.818909]  __warn.cold+0x20/0x4a
[ 51.822547]  ? trace_hardirqs_off+0x62/0x220
[ 51.827096]  ? debug_print_object+0x168/0x250
[ 51.831673]  report_bug+0x263/0x2b0
[ 51.835315]  do_error_trap+0x204/0x360
[ 51.839198]  ? math_error+0x340/0x340
[ 51.842986]  ? wake_up_klogd+0x99/0xd0
[ 51.851116]  ? vprintk_emit+0x1ab/0x690
[ 51.855106]  ? error_entry+0x7c/0xe0
[ 51.858981]  ? trace_hardirqs_off_caller+0x65/0x220
[ 51.864020]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 51.868881]  do_invalid_op+0x1b/0x20
[ 51.872797]  invalid_op+0x14/0x20
[ 51.876559] RIP: 0010:debug_print_object+0x168/0x250
[ 51.881764] Code: dd a0 52 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd a0 52 82 87 48 c7 c7 e0 47 82 87 e8 e6 32 19 fe <0f> 0b 83 05 5b b9 17 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 51.904601] RSP: 0018:ffff88809e82f8d8 EFLAGS: 00010086
[ 51.910330] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 51.917882] RDX: 0000000000000000 RSI: ffffffff8155cdd6 RDI: ffffed1013d05f0d
[ 51.925538] RBP: ffff88809e82f918 R08: ffff888093886040 R09: ffffed1015d03ee3
[ 51.933980] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: 0000000000000001
[ 51.941245] R13: ffffffff887ac4c0 R14: ffffffff815b4350 R15: ffff88809b10a868
[ 51.948518]  ? __internal_add_timer+0x1f0/0x1f0
[ 51.953197]  ? vprintk_func+0x86/0x189
[ 51.957079]  ? debug_print_object+0x168/0x250
[ 51.962296]  debug_check_no_obj_freed+0x29f/0x464
[ 51.968235]  kfree+0xbd/0x220
[ 51.975753]  rfcomm_dlc_free+0x20/0x30
[ 51.979640]  rfcomm_dev_ioctl+0x181f/0x1b60
[ 51.984217]  ? __local_bh_enable_ip+0x15a/0x270
[ 51.992784]  ? lock_sock_nested+0xe2/0x120
[ 51.997479]  ? __local_bh_enable_ip+0x15a/0x270
[ 52.002673]  ? rfcomm_dev_state_change+0x150/0x150
[ 52.007906]  ? __local_bh_enable_ip+0x15a/0x270
[ 52.012718]  rfcomm_sock_ioctl+0x90/0xb0
[ 52.016777]  sock_do_ioctl+0xd8/0x2f0
[ 52.020587]  ? compat_ifr_data_ioctl+0x160/0x160
[ 52.025352]  ? __lock_acquire+0x6ee/0x49c0
[ 52.029813]  ? rcu_read_lock_sched_held+0x110/0x130
[ 52.041009]  ? kmem_cache_alloc+0x32a/0x700
[ 52.045534]  sock_ioctl+0x325/0x610
[ 52.049166]  ? dlci_ioctl_set+0x40/0x40
[ 52.053142]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.059014]  ? __might_sleep+0x95/0x190
[ 52.063003]  ? find_held_lock+0x35/0x130
[ 52.068034]  ? dlci_ioctl_set+0x40/0x40
[ 52.072745]  do_vfs_ioctl+0xd5f/0x1380
[ 52.076731]  ? selinux_file_ioctl+0x46f/0x5e0
[ 52.081384]  ? selinux_file_ioctl+0x125/0x5e0
[ 52.086123]  ? ioctl_preallocate+0x210/0x210
[ 52.092201]  ? selinux_file_mprotect+0x620/0x620
[ 52.097050]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 52.101968]  ? __fd_install+0x200/0x640
[ 52.105954]  ? fd_install+0x4d/0x60
[ 52.111291]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.116962]  ? security_file_ioctl+0x8d/0xc0
[ 52.121470]  ksys_ioctl+0xab/0xd0
[ 52.124922]  __x64_sys_ioctl+0x73/0xb0
[ 52.128816]  do_syscall_64+0xfd/0x620
[ 52.132733]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.137931] RIP: 0033:0x441229
[ 52.141619] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 52.162494] RSP: 002b:00007ffce0263b68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 52.170194] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 52.177496] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 52.184757] RBP: 000000000000c9f3 R08: 00000000004002c8 R09: 00000000004002c8
[ 52.192528] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 52.199906] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 52.207772]
[ 52.207779] ======================================================
[ 52.207782] WARNING: possible circular locking dependency detected
[ 52.207785] 4.19.68 #42 Not tainted
[ 52.207788] ------------------------------------------------------
[ 52.207791] syz-executor439/7602 is trying to acquire lock:
[ 52.207793] 000000008dbbecca (console_owner){-...}, at: console_unlock+0x41f/0x10b0
[ 52.207802]
[ 52.207804] but task is already holding lock:
[ 52.207806] 00000000fbcea760 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 52.207815]
[ 52.207818] which lock already depends on the new lock.
[ 52.207819]
[ 52.207821]
[ 52.207824] the existing dependency chain (in reverse order) is:
[ 52.207825]
[ 52.207826] -> #3 (&obj_hash[i].lock){-.-.}:
[ 52.207835]        _raw_spin_lock_irqsave+0x95/0xcd
[ 52.207838]        debug_object_activate+0x131/0x4e0
[ 52.207841]        __queue_work+0xcf/0x10a0
[ 52.207844]        queue_work_on+0x192/0x200
[ 52.207847]        tty_flip_buffer_push+0xc5/0x100
[ 52.207849]        pty_write+0x1a6/0x200
[ 52.207851]        n_tty_write+0xafa/0x10f0
[ 52.207853]        tty_write+0x458/0x7a0
[ 52.207855]        __vfs_write+0x114/0x810
[ 52.207858]        vfs_write+0x20c/0x560
[ 52.207860]        ksys_write+0x14f/0x2d0
[ 52.207862]        __x64_sys_write+0x73/0xb0
[ 52.207864]        do_syscall_64+0xfd/0x620
[ 52.207867]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.207868]
[ 52.207869] -> #2 (&(&port->lock)->rlock){-.-.}:
[ 52.207878]        _raw_spin_lock_irqsave+0x95/0xcd
[ 52.207880]        tty_port_tty_get+0x22/0x80
[ 52.207883]        tty_port_default_wakeup+0x16/0x40
[ 52.207885]        tty_port_tty_wakeup+0x57/0x70
[ 52.207888]        uart_write_wakeup+0x46/0x70
[ 52.207891]        serial8250_tx_chars+0x495/0xaf0
[ 52.207894]        serial8250_handle_irq.part.0+0x261/0x2b0
[ 52.207896]        serial8250_default_handle_irq+0xc0/0x150
[ 52.207899]        serial8250_interrupt+0xfc/0x1e0
[ 52.207902]        __handle_irq_event_percpu+0x144/0x8f0
[ 52.207904]        handle_irq_event_percpu+0x74/0x160
[ 52.207907]        handle_irq_event+0xa7/0x134
[ 52.207909]        handle_edge_irq+0x25e/0x8d0
[ 52.207911]        handle_irq+0x39/0x50
[ 52.207913]        do_IRQ+0x99/0x1d0
[ 52.207916]        ret_from_intr+0x0/0x1e
[ 52.207918]        _raw_spin_unlock_irqrestore+0x95/0xe0
[ 52.207920]        uart_write+0x3a9/0x6e0
[ 52.207923]        n_tty_write+0x3f9/0x10f0
[ 52.207925]        tty_write+0x458/0x7a0
[ 52.207927]        redirected_tty_write+0xb2/0xc0
[ 52.207930]        __vfs_write+0x114/0x810
[ 52.207932]        vfs_write+0x20c/0x560
[ 52.207934]        ksys_write+0x14f/0x2d0
[ 52.207937]        __x64_sys_write+0x73/0xb0
[ 52.207939]        do_syscall_64+0xfd/0x620
[ 52.207942]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.207943]
[ 52.207944] -> #1 (&port_lock_key){-.-.}:
[ 52.207952]        _raw_spin_lock_irqsave+0x95/0xcd
[ 52.207955]        serial8250_console_write+0x7ca/0x9f0
[ 52.207958]        univ8250_console_write+0x5f/0x70
[ 52.207960]        console_unlock+0xbde/0x10b0
[ 52.207962]        vprintk_emit+0x238/0x690
[ 52.207964]        vprintk_default+0x28/0x30
[ 52.207967]        vprintk_func+0x7e/0x189
[ 52.207969]        printk+0xba/0xed
[ 52.207971]        register_console+0x77f/0xb90
[ 52.207974]        univ8250_console_init+0x3e/0x4b
[ 52.207976]        console_init+0x4f7/0x761
[ 52.207978]        start_kernel+0x59c/0x8c5
[ 52.207981]        x86_64_start_reservations+0x29/0x2b
[ 52.207983]        x86_64_start_kernel+0x77/0x7b
[ 52.207985]        secondary_startup_64+0xa4/0xb0
[ 52.207987]
[ 52.207988] -> #0 (console_owner){-...}:
[ 52.207996]        lock_acquire+0x16f/0x3f0
[ 52.207998]        console_unlock+0x489/0x10b0
[ 52.208000]        vprintk_emit+0x238/0x690
[ 52.208003]        vprintk_default+0x28/0x30
[ 52.208005]        vprintk_func+0x7e/0x189
[ 52.208007]        printk+0xba/0xed
[ 52.208009]        __warn_printk+0x9b/0xf3
[ 52.208011]        debug_print_object+0x168/0x250
[ 52.208014]        debug_check_no_obj_freed+0x29f/0x464
[ 52.208016]        kfree+0xbd/0x220
[ 52.208018]        rfcomm_dlc_free+0x20/0x30
[ 52.208020]        rfcomm_dev_ioctl+0x181f/0x1b60
[ 52.208023]        rfcomm_sock_ioctl+0x90/0xb0
[ 52.208025]        sock_do_ioctl+0xd8/0x2f0
[ 52.208027]        sock_ioctl+0x325/0x610
[ 52.208029]        do_vfs_ioctl+0xd5f/0x1380
[ 52.208032]        ksys_ioctl+0xab/0xd0
[ 52.208034]        __x64_sys_ioctl+0x73/0xb0
[ 52.208036]        do_syscall_64+0xfd/0x620
[ 52.208039]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.208040]
[ 52.208042] other info that might help us debug this:
[ 52.208044]
[ 52.208045] Chain exists of:
[ 52.208047]   console_owner --> &(&port->lock)->rlock --> &obj_hash[i].lock
[ 52.208057]
[ 52.208059]  Possible unsafe locking scenario:
[ 52.208061]
[ 52.208063]        CPU0                    CPU1
[ 52.208065]        ----                    ----
[ 52.208067]   lock(&obj_hash[i].lock);
[ 52.208072]                                lock(&(&port->lock)->rlock);
[ 52.208078]                                lock(&obj_hash[i].lock);
[ 52.208082]   lock(console_owner);
[ 52.208086]
[ 52.208088]  *** DEADLOCK ***
[ 52.208089]
[ 52.208092] 4 locks held by syz-executor439/7602:
[ 52.208093]  #0: 000000001df97f60 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 52.208103]  #1: 0000000058e67a72 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[ 52.208113]  #2: 00000000fbcea760 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 52.208123]  #3: 000000003139ba6a (console_lock){+.+.}, at: vprintk_emit+0x21d/0x690
[ 52.208133]
[ 52.208134] stack backtrace:
[ 52.208138] CPU: 0 PID: 7602 Comm: syz-executor439 Not tainted 4.19.68 #42
[ 52.208142] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.208144] Call Trace:
[ 52.208146]  dump_stack+0x172/0x1f0
[ 52.208149]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 52.208151]  __lock_acquire+0x2e19/0x49c0
[ 52.208153]  ? mark_held_locks+0x100/0x100
[ 52.208155]  ? sprintf+0xc0/0x100
[ 52.208158]  ? console_unlock+0x464/0x10b0
[ 52.208160]  ? console_unlock+0x464/0x10b0
[ 52.208162]  lock_acquire+0x16f/0x3f0
[ 52.208165]  ? console_unlock+0x41f/0x10b0
[ 52.208167]  console_unlock+0x489/0x10b0
[ 52.208169]  ? console_unlock+0x41f/0x10b0
[ 52.208171]  vprintk_emit+0x238/0x690
[ 52.208174]  ? __internal_add_timer+0x1f0/0x1f0
[ 52.208176]  vprintk_default+0x28/0x30
[ 52.208178]  vprintk_func+0x7e/0x189
[ 52.208180]  printk+0xba/0xed
[ 52.208183]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 52.208185]  ? __warn_printk+0x8f/0xf3
[ 52.208188]  ? rfcomm_session_add+0x300/0x300
[ 52.208190]  __warn_printk+0x9b/0xf3
[ 52.208192]  ? add_taint.cold+0x16/0x16
[ 52.208194]  ? skb_dequeue+0x12e/0x180
[ 52.208197]  ? rfcomm_session_add+0x300/0x300
[ 52.208199]  debug_print_object+0x168/0x250
[ 52.208202]  debug_check_no_obj_freed+0x29f/0x464
[ 52.208204]  kfree+0xbd/0x220
[ 52.208206]  rfcomm_dlc_free+0x20/0x30
[ 52.208208]  rfcomm_dev_ioctl+0x181f/0x1b60
[ 52.208211]  ? __local_bh_enable_ip+0x15a/0x270
[ 52.208213]  ? lock_sock_nested+0xe2/0x120
[ 52.208216]  ? __local_bh_enable_ip+0x15a/0x270
[ 52.208218]  ? rfcomm_dev_state_change+0x150/0x150
[ 52.208221]  ? __local_bh_enable_ip+0x15a/0x270
[ 52.208223]  rfcomm_sock_ioctl+0x90/0xb0
[ 52.208225]  sock_do_ioctl+0xd8/0x2f0
[ 52.208228]  ? compat_ifr_data_ioctl+0x160/0x160
[ 52.208230]  ? __lock_acquire+0x6ee/0x49c0
[ 52.208233]  ? rcu_read_lock_sched_held+0x110/0x130
[ 52.208235]  ? kmem_cache_alloc+0x32a/0x700
[ 52.208237]  sock_ioctl+0x325/0x610
[ 52.208239]  ? dlci_ioctl_set+0x40/0x40
[ 52.208242]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.208244]  ? __might_sleep+0x95/0x190
[ 52.208247]  ? find_held_lock+0x35/0x130
[ 52.208249]  ? dlci_ioctl_set+0x40/0x40
[ 52.208251]  do_vfs_ioctl+0xd5f/0x1380
[ 52.208253]  ? selinux_file_ioctl+0x46f/0x5e0
[ 52.208256]  ? selinux_file_ioctl+0x125/0x5e0
[ 52.208258]  ? ioctl_preallocate+0x210/0x210
[ 52.208261]  ? selinux_file_mprotect+0x620/0x620
[ 52.208263]  ? __sanitizer_cov_trace_cmp1+0xb/0x20
[ 52.208266]  ? __fd_install+0x200/0x640
[ 52.208268]  ? fd_install+0x4d/0x60
[ 52.208271]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 52.208273]  ? security_file_ioctl+0x8d/0xc0
[ 52.208275]  ksys_ioctl+0xab/0xd0
[ 52.208277]  __x64_sys_ioctl+0x73/0xb0
[ 52.208279]  do_syscall_64+0xfd/0x620
[ 52.208282]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 52.208284] RIP: 0033:0x441229
[ 52.208292] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 52.208295] RSP: 002b:00007ffce0263b68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 52.208301] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 52.208304] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 52.208308] RBP: 000000000000c9f3 R08: 00000000004002c8 R09: 00000000004002c8
[ 52.208312] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 52.208315] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 52.209743] Kernel Offset: disabled
[ 53.118056] Rebooting in 86400 seconds..