[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   26.036286] random: sshd: uninitialized urandom read (32 bytes read)

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   28.599616] random: sshd: uninitialized urandom read (32 bytes read)
[   28.905155] random: sshd: uninitialized urandom read (32 bytes read)
[   29.499816] random: sshd: uninitialized urandom read (32 bytes read)
[   29.725713] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.16' (ECDSA) to the list of known hosts.
[   35.294755] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[   35.429450] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[   35.455758] ==================================================================
[   35.465806] BUG: KASAN: use-after-free in __schedule+0xfc3/0x1ed0
[   35.472034] Read of size 8 at addr ffff8801d8480058 by task syz-executor147/5354
[   35.479577] 
[   35.481222] CPU: 0 PID: 5354 Comm: syz-executor147 Not tainted 4.19.0-rc2+ #7
[   35.488502] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.497953] Call Trace:
[   35.500557]  dump_stack+0x1c4/0x2b4
[   35.504189]  ? dump_stack_print_info.cold.2+0x52/0x52
[   35.509403]  ? printk+0xa7/0xcf
[   35.512684]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   35.517445]  print_address_description.cold.8+0x9/0x1ff
[   35.522830]  kasan_report.cold.9+0x242/0x309
[   35.527250]  ? __schedule+0xfc3/0x1ed0
[   35.531141]  __asan_report_load8_noabort+0x14/0x20
[   35.536087]  __schedule+0xfc3/0x1ed0
[   35.539809]  ? __sched_text_start+0x8/0x8
[   35.543961]  ? __lock_is_held+0xb5/0x140
[   35.548020]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   35.553128]  ? find_held_lock+0x36/0x1c0
[   35.557195]  ? __call_srcu+0x7f9/0x1070
[   35.561197]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   35.566319]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   35.571448]  ? lockdep_hardirqs_on+0x421/0x5c0
[   35.576040]  ? preempt_schedule+0x4d/0x60
[   35.580191]  preempt_schedule_common+0x1f/0xd0
[   35.584801]  preempt_schedule+0x4d/0x60
[   35.588787]  ___preempt_schedule+0x16/0x18
[   35.593023]  _raw_spin_unlock_irqrestore+0xbb/0xd0
[   35.597952]  __call_srcu+0x7f9/0x1070
[   35.601769]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   35.606877]  ? srcu_offline_cpu+0x120/0x120
[   35.611198]  ? debug_object_free+0x690/0x690
[   35.615622]  ? mark_held_locks+0x130/0x130
[   35.619857]  ? kvm_arch_destroy_vm+0x414/0x7c0
[   35.624445]  ? lock_release+0x970/0x970
[   35.628436]  ? arch_local_save_flags+0x40/0x40
[   35.633026]  ? depot_save_stack+0x292/0x470
[   35.637358]  ? __lockdep_init_map+0x105/0x590
[   35.641865]  ? __init_waitqueue_head+0x9e/0x150
[   35.646533]  ? init_wait_entry+0x1c0/0x1c0
[   35.650780]  __synchronize_srcu+0x17b/0x230
[   35.655106]  ? call_srcu+0x10/0x10
[   35.658652]  ? rcu_unexpedite_gp+0x20/0x20
[   35.662894]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   35.668429]  ? check_preemption_disabled+0x48/0x200
[   35.673449]  synchronize_srcu+0x356/0x5ab
[   35.677598]  ? lock_downgrade+0x900/0x900
[   35.681745]  ? synchronize_srcu_expedited+0x20/0x20
[   35.686770]  ? kasan_check_read+0x11/0x20
[   35.690922]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   35.695507]  ? kasan_check_write+0x14/0x20
[   35.699741]  ? do_raw_spin_lock+0xc1/0x200
[   35.703981]  kvm_page_track_unregister_notifier+0x17d/0x250
[   35.709693]  ? kvm_slot_page_track_remove_page+0x70/0x70
[   35.715142]  ? kvfree+0x61/0x70
[   35.718440]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.723471]  kvm_mmu_uninit_vm+0x1c/0x20
[   35.727542]  kvm_arch_destroy_vm+0x5f2/0x7c0
[   35.731954]  ? kvm_arch_sync_events+0x30/0x30
[   35.736455]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.741992]  ? mmu_notifier_unregister+0x474/0x600
[   35.746919]  ? kfree+0x107/0x230
[   35.750285]  ? __mmu_notifier_register+0x30/0x30
[   35.755042]  ? __free_pages+0x10a/0x190
[   35.759016]  ? free_unref_page+0x960/0x960
[   35.763279]  kvm_put_kvm+0x6c8/0xff0
[   35.767002]  ? kvm_write_guest_cached+0x40/0x40
[   35.771675]  ? kvm_irqfd_release+0xd1/0x120
[   35.775995]  ? _raw_spin_unlock_irq+0x27/0x80
[   35.780490]  ? _raw_spin_unlock_irq+0x27/0x80
[   35.784992]  ? kasan_check_write+0x14/0x20
[   35.789241]  ? do_raw_spin_lock+0xc1/0x200
[   35.793483]  ? kvm_irqfd_release+0xdd/0x120
[   35.797801]  ? kvm_irqfd_release+0xdd/0x120
[   35.802124]  ? kvm_put_kvm+0xff0/0xff0
[   35.806011]  kvm_vm_release+0x42/0x50
[   35.809808]  __fput+0x385/0xa30
[   35.813087]  ? get_max_files+0x20/0x20
[   35.816975]  ? trace_hardirqs_on+0xbd/0x310
[   35.821304]  ? ___might_sleep+0x1ed/0x300
[   35.825453]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   35.830905]  ? arch_local_save_flags+0x40/0x40
[   35.835490]  ? kasan_check_write+0x14/0x20
[   35.839724]  ? do_raw_spin_lock+0xc1/0x200
[   35.843969]  ____fput+0x15/0x20
[   35.847265]  task_work_run+0x1e8/0x2a0
[   35.851162]  ? task_work_cancel+0x240/0x240
[   35.855498]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   35.861037]  ? switch_task_namespaces+0x9d/0xd0
[   35.865707]  do_exit+0x1ad7/0x2610
[   35.869280]  ? mm_update_next_owner+0x990/0x990
[   35.873956]  ? kvm_vcpu_ioctl+0x29c/0x1150
[   35.878189]  ? rcu_read_lock_sched_held+0x108/0x120
[   35.883234]  ? kfree+0x1fa/0x230
[   35.886628]  ? kvm_vcpu_ioctl+0x2a1/0x1150
[   35.890884]  ? kvm_vcpu_block+0x1030/0x1030
[   35.895232]  ? is_bpf_text_address+0xd3/0x170
[   35.899731]  ? kernel_text_address+0x79/0xf0
[   35.904140]  ? __kernel_text_address+0xd/0x40
[   35.908635]  ? unwind_get_return_address+0x61/0xa0
[   35.913564]  ? __save_stack_trace+0x8d/0xf0
[   35.917891]  ? save_stack+0xa9/0xd0
[   35.921516]  ? save_stack+0x43/0xd0
[   35.925137]  ? __kasan_slab_free+0x102/0x150
[   35.929541]  ? kasan_slab_free+0xe/0x10
[   35.933513]  ? putname+0xf2/0x130
[   35.936980]  ? __x64_sys_openat+0x9d/0x100
[   35.941223]  ? do_syscall_64+0x1b9/0x820
[   35.945306]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.950677]  ? trace_hardirqs_off+0xb8/0x310
[   35.955084]  ? kasan_check_read+0x11/0x20
[   35.959251]  ? do_raw_spin_unlock+0xa7/0x2f0
[   35.963661]  ? trace_hardirqs_on+0x310/0x310
[   35.968075]  ? __bpf_trace_initcall_finish+0x2a/0x30
[   35.973178]  ? trace_hardirqs_off+0xb8/0x310
[   35.977584]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   35.983127]  ? check_preemption_disabled+0x48/0x200
[   35.988141]  ? check_preemption_disabled+0x48/0x200
[   35.993158]  ? kvm_vcpu_block+0x1030/0x1030
[   35.997481]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.003017]  ? do_vfs_ioctl+0x201/0x1720
[   36.007077]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[   36.012359]  ? ioctl_preallocate+0x300/0x300
[   36.016773]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.022309]  ? __fget_light+0x2e9/0x430
[   36.026286]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.031827]  ? smack_file_ioctl+0x210/0x3c0
[   36.036144]  ? fget_raw+0x20/0x20
[   36.039596]  ? smack_file_lock+0x2e0/0x2e0
[   36.043840]  do_group_exit+0x177/0x440
[   36.047727]  ? trace_hardirqs_on+0xbd/0x310
[   36.052049]  ? __ia32_sys_exit+0x50/0x50
[   36.056109]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   36.061558]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.067095]  ? ksys_ioctl+0x81/0xd0
[   36.070730]  __x64_sys_exit_group+0x3e/0x50
[   36.075056]  do_syscall_64+0x1b9/0x820
[   36.078944]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   36.084311]  ? syscall_return_slowpath+0x5e0/0x5e0
[   36.089249]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.094096]  ? trace_hardirqs_on_caller+0x310/0x310
[   36.099117]  ? prepare_exit_to_usermode+0x291/0x3b0
[   36.104137]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   36.108984]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.114169] RIP: 0033:0x43ecc8
[   36.117359] Code: Bad RIP value.
[   36.120719] RSP: 002b:00007ffcc9919168 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   36.128426] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecc8
[   36.135693] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   36.142968] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0
[   36.150256] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   36.157539] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   36.164837] 
[   36.166461] Allocated by task 5354:
[   36.170086]  save_stack+0x43/0xd0
[   36.173535]  kasan_kmalloc+0xc7/0xe0
[   36.177248]  kasan_slab_alloc+0x12/0x20
[   36.181236]  kmem_cache_alloc+0x12e/0x730
[   36.185387]  vmx_create_vcpu+0xcf/0x25e0
[   36.189443]  kvm_arch_vcpu_create+0xe5/0x220
[   36.193847]  kvm_vm_ioctl+0x470/0x1d40
[   36.197732]  do_vfs_ioctl+0x1de/0x1720
[   36.201616]  ksys_ioctl+0xa9/0xd0
[   36.205069]  __x64_sys_ioctl+0x73/0xb0
[   36.208955]  do_syscall_64+0x1b9/0x820
[   36.212854]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.218029] 
[   36.219650] Freed by task 5354:
[   36.222925]  save_stack+0x43/0xd0
[   36.226383]  __kasan_slab_free+0x102/0x150
[   36.230623]  kasan_slab_free+0xe/0x10
[   36.234431]  kmem_cache_free+0x83/0x290
[   36.238405]  vmx_free_vcpu+0x26b/0x300
[   36.242290]  kvm_arch_destroy_vm+0x365/0x7c0
[   36.246697]  kvm_put_kvm+0x6c8/0xff0
[   36.250419]  kvm_vm_release+0x42/0x50
[   36.254221]  __fput+0x385/0xa30
[   36.257503]  ____fput+0x15/0x20
[   36.260781]  task_work_run+0x1e8/0x2a0
[   36.264667]  do_exit+0x1ad7/0x2610
[   36.268203]  do_group_exit+0x177/0x440
[   36.272102]  __x64_sys_exit_group+0x3e/0x50
[   36.276423]  do_syscall_64+0x1b9/0x820
[   36.280311]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.285487] 
[   36.287111] The buggy address belongs to the object at ffff8801d8480040
[   36.287111]  which belongs to the cache kvm_vcpu of size 23872
[   36.299679] The buggy address is located 24 bytes inside of
[   36.299679]  23872-byte region [ffff8801d8480040, ffff8801d8485d80)
[   36.311639] The buggy address belongs to the page:
[   36.316564] page:ffffea0007612000 count:1 mapcount:0 mapping:ffff8801d56db900 index:0x0 compound_mapcount: 0
[   36.326534] flags: 0x2fffc0000008100(slab|head)
[   36.331207] raw: 02fffc0000008100 ffff8801d56d8248 ffff8801d56d8248 ffff8801d56db900
[   36.339101] raw: 0000000000000000 ffff8801d8480040 0000000100000001 0000000000000000
[   36.346982] page dumped because: kasan: bad access detected
[   36.352678] 
[   36.354304] Memory state around the buggy address:
[   36.359237]  ffff8801d847ff00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   36.366591]  ffff8801d847ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.373945] >ffff8801d8480000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   36.381304]                             ^
[   36.387533]  ffff8801d8480080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.394889]  ffff8801d8480100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.402239] ==================================================================
[   36.409610] Kernel panic - not syncing: panic_on_warn set ...
[   36.409610] 
[   36.416976] CPU: 0 PID: 5354 Comm: syz-executor147 Tainted: G    B             4.19.0-rc2+ #7
[   36.425629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.434975] Call Trace:
[   36.437563]  dump_stack+0x1c4/0x2b4
[   36.441194]  ? dump_stack_print_info.cold.2+0x52/0x52
[   36.446403]  ? lock_downgrade+0x900/0x900
[   36.450567]  panic+0x238/0x4e7
[   36.453759]  ? add_taint.cold.5+0x16/0x16
[   36.457941]  ? print_shadow_for_address+0xb6/0x116
[   36.462873]  ? trace_hardirqs_off+0xaf/0x310
[   36.467283]  kasan_end_report+0x47/0x4f
[   36.471268]  kasan_report.cold.9+0x76/0x309
[   36.475590]  ? __schedule+0xfc3/0x1ed0
[   36.479481]  __asan_report_load8_noabort+0x14/0x20
[   36.484411]  __schedule+0xfc3/0x1ed0
[   36.488141]  ? __sched_text_start+0x8/0x8
[   36.492302]  ? __lock_is_held+0xb5/0x140
[   36.496372]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   36.501487]  ? find_held_lock+0x36/0x1c0
[   36.505552]  ? __call_srcu+0x7f9/0x1070
[   36.509529]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   36.514629]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   36.519731]  ? lockdep_hardirqs_on+0x421/0x5c0
[   36.524315]  ? preempt_schedule+0x4d/0x60
[   36.528467]  preempt_schedule_common+0x1f/0xd0
[   36.533049]  preempt_schedule+0x4d/0x60
[   36.537025]  ___preempt_schedule+0x16/0x18
[   36.541266]  _raw_spin_unlock_irqrestore+0xbb/0xd0
[   36.546195]  __call_srcu+0x7f9/0x1070
[   36.550034]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   36.555144]  ? srcu_offline_cpu+0x120/0x120
[   36.559465]  ? debug_object_free+0x690/0x690
[   36.563874]  ? mark_held_locks+0x130/0x130
[   36.568108]  ? kvm_arch_destroy_vm+0x414/0x7c0
[   36.572693]  ? lock_release+0x970/0x970
[   36.576671]  ? arch_local_save_flags+0x40/0x40
[   36.581258]  ? depot_save_stack+0x292/0x470
[   36.585584]  ? __lockdep_init_map+0x105/0x590
[   36.590081]  ? __init_waitqueue_head+0x9e/0x150
[   36.594748]  ? init_wait_entry+0x1c0/0x1c0
[   36.598989]  __synchronize_srcu+0x17b/0x230
[   36.603316]  ? call_srcu+0x10/0x10
[   36.606858]  ? rcu_unexpedite_gp+0x20/0x20
[   36.611099]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   36.616657]  ? check_preemption_disabled+0x48/0x200
[   36.622166]  synchronize_srcu+0x356/0x5ab
[   36.626317]  ? lock_downgrade+0x900/0x900
[   36.630463]  ? synchronize_srcu_expedited+0x20/0x20
[   36.635481]  ? kasan_check_read+0x11/0x20
[   36.639629]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   36.644213]  ? kasan_check_write+0x14/0x20
[   36.648481]  ? do_raw_spin_lock+0xc1/0x200
[   36.652720]  kvm_page_track_unregister_notifier+0x17d/0x250
[   36.658441]  ? kvm_slot_page_track_remove_page+0x70/0x70
[   36.663891]  ? kvfree+0x61/0x70
[   36.667190]  ? rcu_read_lock_sched_held+0x108/0x120
[   36.672232]  kvm_mmu_uninit_vm+0x1c/0x20
[   36.676299]  kvm_arch_destroy_vm+0x5f2/0x7c0
[   36.680709]  ? kvm_arch_sync_events+0x30/0x30
[   36.685204]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   36.690743]  ? mmu_notifier_unregister+0x474/0x600
[   36.695675]  ? kfree+0x107/0x230
[   36.699041]  ? __mmu_notifier_register+0x30/0x30
[   36.703795]  ? __free_pages+0x10a/0x190
[   36.707768]  ? free_unref_page+0x960/0x960
[   36.712011]  kvm_put_kvm+0x6c8/0xff0
[   36.715728]  ? kvm_write_guest_cached+0x40/0x40
[   36.720397]  ? kvm_irqfd_release+0xd1/0x120
[   36.724716]  ? _raw_spin_unlock_irq+0x27/0x80
[   36.729583]  ? _raw_spin_unlock_irq+0x27/0x80
[   36.734100]  ? kasan_check_write+0x14/0x20
[   36.738332]  ? do_raw_spin_lock+0xc1/0x200
[   36.742589]  ? kvm_irqfd_release+0xdd/0x120
[   36.746907]  ? kvm_irqfd_release+0xdd/0x120
[   36.751256]  ? kvm_put_kvm+0xff0/0xff0
[   36.755165]  kvm_vm_release+0x42/0x50
[   36.758957]  __fput+0x385/0xa30
[   36.762259]  ? get_max_files+0x20/0x20
[   36.766187]  ? trace_hardirqs_on+0xbd/0x310
[   36.770516]  ? ___might_sleep+0x1ed/0x300
[   36.774662]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   36.780114]  ? arch_local_save_flags+0x40/0x40
[   36.784695]  ? kasan_check_write+0x14/0x20
[   36.788930]  ? do_raw_spin_lock+0xc1/0x200
[   36.793165]  ____fput+0x15/0x20
[   36.796446]  task_work_run+0x1e8/0x2a0
[   36.800336]  ? task_work_cancel+0x240/0x240
[   36.804672]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   36.810208]  ? switch_task_namespaces+0x9d/0xd0
[   36.814896]  do_exit+0x1ad7/0x2610
[   36.818438]  ? mm_update_next_owner+0x990/0x990
[   36.823113]  ? kvm_vcpu_ioctl+0x29c/0x1150
[   36.827348]  ? rcu_read_lock_sched_held+0x108/0x120
[   36.832366]  ? kfree+0x1fa/0x230
[   36.835732]  ? kvm_vcpu_ioctl+0x2a1/0x1150
[   36.839987]  ? kvm_vcpu_block+0x1030/0x1030
[   36.844346]  ? is_bpf_text_address+0xd3/0x170
[   36.848844]  ? kernel_text_address+0x79/0xf0
[   36.853258]  ? __kernel_text_address+0xd/0x40
[   36.857759]  ? unwind_get_return_address+0x61/0xa0
[   36.862693]  ? __save_stack_trace+0x8d/0xf0
[   36.867018]  ? save_stack+0xa9/0xd0
[   36.870643]  ? save_stack+0x43/0xd0
[   36.874268]  ? __kasan_slab_free+0x102/0x150
[   36.878695]  ? kasan_slab_free+0xe/0x10
[   36.882674]  ? putname+0xf2/0x130
[   36.886144]  ? __x64_sys_openat+0x9d/0x100
[   36.890386]  ? do_syscall_64+0x1b9/0x820
[   36.894446]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   36.899811]  ? trace_hardirqs_off+0xb8/0x310
[   36.904249]  ? kasan_check_read+0x11/0x20
[   36.908399]  ? do_raw_spin_unlock+0xa7/0x2f0
[   36.912808]  ? trace_hardirqs_on+0x310/0x310
[   36.917232]  ? __bpf_trace_initcall_finish+0x2a/0x30
[   36.922339]  ? trace_hardirqs_off+0xb8/0x310
[   36.926750]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.932296]  ? check_preemption_disabled+0x48/0x200
[   36.937323]  ? check_preemption_disabled+0x48/0x200
[   36.942342]  ? kvm_vcpu_block+0x1030/0x1030
[   36.946662]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.952196]  ? do_vfs_ioctl+0x201/0x1720
[   36.956273]  ? rcu_dynticks_curr_cpu_in_eqs+0x9f/0x160
[   36.961561]  ? ioctl_preallocate+0x300/0x300
[   36.965981]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.971515]  ? __fget_light+0x2e9/0x430
[   36.975493]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   36.981031]  ? smack_file_ioctl+0x210/0x3c0
[   36.985354]  ? fget_raw+0x20/0x20
[   36.988810]  ? smack_file_lock+0x2e0/0x2e0
[   36.993066]  do_group_exit+0x177/0x440
[   36.996964]  ? trace_hardirqs_on+0xbd/0x310
[   37.001283]  ? __ia32_sys_exit+0x50/0x50
[   37.005344]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   37.010792]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   37.016336]  ? ksys_ioctl+0x81/0xd0
[   37.019966]  __x64_sys_exit_group+0x3e/0x50
[   37.024327]  do_syscall_64+0x1b9/0x820
[   37.028223]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   37.033592]  ? syscall_return_slowpath+0x5e0/0x5e0
[   37.038517]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.043362]  ? trace_hardirqs_on_caller+0x310/0x310
[   37.048383]  ? prepare_exit_to_usermode+0x291/0x3b0
[   37.053403]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.058261]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.063447] RIP: 0033:0x43ecc8
[   37.066638] Code: Bad RIP value.
[   37.069995] RSP: 002b:00007ffcc9919168 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   37.077727] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ecc8
[   37.084989] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   37.092253] RBP: 00000000004be588 R08: 00000000000000e7 R09: ffffffffffffffd0
[   37.099516] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   37.106781] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   37.114058] 
[   37.114064] ======================================================
[   37.114070] WARNING: possible circular locking dependency detected
[   37.114074] 4.19.0-rc2+ #7 Not tainted
[   37.114079] ------------------------------------------------------
[   37.114084] syz-executor147/5354 is trying to acquire lock:
[   37.114088] 000000000b872b03 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[   37.114104] 
[   37.114108] but task is already holding lock:
[   37.114112] 000000002589527f (report_lock){....}, at: kasan_report+0x8b/0x110
[   37.114127] 
[   37.114132] which lock already depends on the new lock.
[   37.114134] 
[   37.114137] 
[   37.114142] the existing dependency chain (in reverse order) is:
[   37.114145] 
[   37.114147] -> #3 (report_lock){....}:
[   37.114163]        _raw_spin_lock_irqsave+0x99/0xd0
[   37.114167]        kasan_report+0x8b/0x110
[   37.114172]        __asan_report_load8_noabort+0x14/0x20
[   37.114176]        __schedule+0xfc3/0x1ed0
[   37.114180]        preempt_schedule_common+0x1f/0xd0
[   37.114185]        preempt_schedule+0x4d/0x60
[   37.114189]        ___preempt_schedule+0x16/0x18
[   37.114194]        _raw_spin_unlock_irqrestore+0xbb/0xd0
[   37.114198]        __call_srcu+0x7f9/0x1070
[   37.114202]        __synchronize_srcu+0x17b/0x230
[   37.114207]        synchronize_srcu+0x356/0x5ab
[   37.114220]        kvm_page_track_unregister_notifier+0x17d/0x250
[   37.114225]        kvm_mmu_uninit_vm+0x1c/0x20
[   37.114235]        kvm_arch_destroy_vm+0x5f2/0x7c0
[   37.114240]        kvm_put_kvm+0x6c8/0xff0
[   37.114244]        kvm_vm_release+0x42/0x50
[   37.114248]        __fput+0x385/0xa30
[   37.114252]        ____fput+0x15/0x20
[   37.114256]        task_work_run+0x1e8/0x2a0
[   37.114260]        do_exit+0x1ad7/0x2610
[   37.114264]        do_group_exit+0x177/0x440
[   37.114269]        __x64_sys_exit_group+0x3e/0x50
[   37.114273]        do_syscall_64+0x1b9/0x820
[   37.114278]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.114280] 
[   37.114283] -> #2 (&rq->lock){-.-.}:
[   37.114298]        _raw_spin_lock+0x2d/0x40
[   37.114302]        task_fork_fair+0xb0/0x6d0
[   37.114306]        sched_fork+0x443/0xba0
[   37.114311]        copy_process+0x2586/0x8780
[   37.114315]        _do_fork+0x1cb/0x11d0
[   37.114319]        kernel_thread+0x34/0x40
[   37.114323]        rest_init+0x22/0xe5
[   37.114327]        start_kernel+0x8f4/0x92f
[   37.114332]        x86_64_start_reservations+0x29/0x2b
[   37.114336]        x86_64_start_kernel+0x76/0x79
[   37.114341]        secondary_startup_64+0xa4/0xb0
[   37.114343] 
[   37.114346] -> #1 (&p->pi_lock){-.-.}:
[   37.114362]        _raw_spin_lock_irqsave+0x99/0xd0
[   37.114366]        try_to_wake_up+0xd2/0x12f0
[   37.114370]        wake_up_process+0x10/0x20
[   37.114374]        __up.isra.1+0x1c0/0x2a0
[   37.114378]        up+0x13c/0x1c0
[   37.114382]        __up_console_sem+0xbe/0x1b0
[   37.114387]        console_unlock+0x524/0x11a0
[   37.114391]        vprintk_emit+0x33d/0x930
[   37.114395]        vprintk_default+0x28/0x30
[   37.114399]        vprintk_func+0x7e/0x181
[   37.114403]        printk+0xa7/0xcf
[   37.114407]        load_umh+0x51/0xbd
[   37.114411]        do_one_initcall+0x145/0x957
[   37.114416]        kernel_init_freeable+0x4bb/0x5ae
[   37.114420]        kernel_init+0x11/0x1b2
[   37.114424]        ret_from_fork+0x3a/0x50
[   37.114427] 
[   37.114429] -> #0 ((console_sem).lock){-...}:
[   37.114445]        lock_acquire+0x1ed/0x520
[   37.114449]        _raw_spin_lock_irqsave+0x99/0xd0
[   37.114454]        down_trylock+0x13/0x70
[   37.114458]        __down_trylock_console_sem+0xae/0x200
[   37.114463]        console_trylock+0x15/0xa0
[   37.114467]        vprintk_emit+0x322/0x930
[   37.114471]        vprintk_default+0x28/0x30
[   37.114475]        vprintk_func+0x7e/0x181
[   37.114479]        printk+0xa7/0xcf
[   37.114483]        kasan_report+0x9b/0x110
[   37.114488]        __asan_report_load8_noabort+0x14/0x20
[   37.114492]        __schedule+0xfc3/0x1ed0
[   37.114497]        preempt_schedule_common+0x1f/0xd0
[   37.114501]        preempt_schedule+0x4d/0x60
[   37.114506]        ___preempt_schedule+0x16/0x18
[   37.114510]        _raw_spin_unlock_irqrestore+0xbb/0xd0
[   37.114515]        __call_srcu+0x7f9/0x1070
[   37.114519]        __synchronize_srcu+0x17b/0x230
[   37.114524]        synchronize_srcu+0x356/0x5ab
[   37.114529]        kvm_page_track_unregister_notifier+0x17d/0x250
[   37.114533]        kvm_mmu_uninit_vm+0x1c/0x20
[   37.114538]        kvm_arch_destroy_vm+0x5f2/0x7c0
[   37.114542]        kvm_put_kvm+0x6c8/0xff0
[   37.114546]        kvm_vm_release+0x42/0x50
[   37.114550]        __fput+0x385/0xa30
[   37.114554]        ____fput+0x15/0x20
[   37.114558]        task_work_run+0x1e8/0x2a0
[   37.114562]        do_exit+0x1ad7/0x2610
[   37.114566]        do_group_exit+0x177/0x440
[   37.114571]        __x64_sys_exit_group+0x3e/0x50
[   37.114575]        do_syscall_64+0x1b9/0x820
[   37.114580]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.114583] 
[   37.114587] other info that might help us debug this:
[   37.114590] 
[   37.114593] Chain exists of:
[   37.114596]   (console_sem).lock --> &rq->lock --> report_lock
[   37.114616] 
[   37.114620]  Possible unsafe locking scenario:
[   37.114623] 
[   37.114627]        CPU0                    CPU1
[   37.114631]        ----                    ----
[   37.114634]   lock(report_lock);
[   37.114644]                                lock(&rq->lock);
[   37.114654]                                lock(report_lock);
[   37.114662]   lock((console_sem).lock);
[   37.114671] 
[   37.114675]  *** DEADLOCK ***
[   37.114677] 
[   37.114682] 2 locks held by syz-executor147/5354:
[   37.114684]  #0: 0000000017269c95 (&rq->lock){-.-.}, at: __schedule+0x236/0x1ed0
[   37.114702]  #1: 000000002589527f (report_lock){....}, at: kasan_report+0x8b/0x110
[   37.114721] 
[   37.114724] stack backtrace:
[   37.114731] CPU: 0 PID: 5354 Comm: syz-executor147 Not tainted 4.19.0-rc2+ #7
[   37.114739] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.114742] Call Trace:
[   37.114746]  dump_stack+0x1c4/0x2b4
[   37.114751]  ? dump_stack_print_info.cold.2+0x52/0x52
[   37.114756]  ? vprintk_func+0x85/0x181
[   37.114761]  print_circular_bug.isra.33.cold.54+0x1bd/0x27d
[   37.114765]  ? save_trace+0xe0/0x290
[   37.114769]  __lock_acquire+0x33e4/0x4ec0
[   37.114774]  ? mark_held_locks+0x130/0x130
[   37.114778]  ? mark_held_locks+0x130/0x130
[   37.114782]  ? rcu_bh_qs+0xc0/0xc0
[   37.114787]  ? unwind_dump+0x190/0x190
[   37.114791]  ? is_bpf_text_address+0xd3/0x170
[   37.114796]  ? kernel_text_address+0x79/0xf0
[   37.114800]  ? __kernel_text_address+0xd/0x40
[   37.114805]  ? __save_stack_trace+0x8d/0xf0
[   37.114809]  ? add_lock_to_list.isra.26+0x1ec/0x4b0
[   37.114814]  ? save_trace+0x290/0x290
[   37.114818]  ? save_stack_trace+0x1a/0x20
[   37.114822]  ? save_trace+0xe0/0x290
[   37.114826]  ? kasan_check_read+0x11/0x20
[   37.114831]  ? graph_lock+0x170/0x170
[   37.114836]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   37.114840]  lock_acquire+0x1ed/0x520
[   37.114844]  ? down_trylock+0x13/0x70
[   37.114848]  ? find_held_lock+0x36/0x1c0
[   37.114852]  ? lock_release+0x970/0x970
[   37.114857]  ? trace_hardirqs_off+0xb8/0x310
[   37.114861]  ? vprintk_emit+0x1d3/0x930
[   37.114866]  ? trace_hardirqs_on+0x310/0x310
[   37.114870]  ? trace_hardirqs_off+0xb8/0x310
[   37.114874]  ? log_store+0x344/0x4c0
[   37.114879]  ? vprintk_emit+0x322/0x930
[   37.114883]  _raw_spin_lock_irqsave+0x99/0xd0
[   37.114887]  ? down_trylock+0x13/0x70
[   37.114892]  down_trylock+0x13/0x70
[   37.114896]  __down_trylock_console_sem+0xae/0x200
[   37.114901]  console_trylock+0x15/0xa0
[   37.114905]  vprintk_emit+0x322/0x930
[   37.114909]  ? wake_up_klogd+0x180/0x180
[   37.114914]  ? run_rebalance_domains+0x500/0x500
[   37.114918]  ? wake_up_worker+0x117/0x190
[   37.114922]  ? find_held_lock+0x36/0x1c0
[   37.114927]  ? __queue_work+0x6be/0x1440
[   37.114931]  ? lock_acquire+0x1ed/0x520
[   37.114936]  vprintk_default+0x28/0x30
[   37.114940]  vprintk_func+0x7e/0x181
[   37.114943]  printk+0xa7/0xcf
[   37.114948]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   37.114953]  ? kasan_check_write+0x14/0x20
[   37.114957]  ? do_raw_spin_lock+0xc1/0x200
[   37.114961]  ? do_raw_spin_lock+0xc1/0x200
[   37.114966]  kasan_report+0x9b/0x110
[   37.114970]  ? __schedule+0xfc3/0x1ed0
[   37.114975]  __asan_report_load8_noabort+0x14/0x20
[   37.114979]  __schedule+0xfc3/0x1ed0
[   37.114983]  ? __sched_text_start+0x8/0x8
[   37.114987]  ? __lock_is_held+0xb5/0x140
[   37.114992]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   37.114997]  ? find_held_lock+0x36/0x1c0
[   37.115001]  ? __call_srcu+0x7f9/0x1070
[   37.115006]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   37.115011]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   37.115015]  ? lockdep_hardirqs_on+0x421/0x5c0
[   37.115020]  ? preempt_schedule+0x4d/0x60
[   37.115024]  preempt_schedule_common+0x1f/0xd0
[   37.115029]  preempt_schedule+0x4d/0x60
[   37.115033]  ___preempt_schedule+0x16/0x18
[   37.115038]  _raw_spin_unlock_irqrestore+0xbb/0xd0
[   37.115042]  __call_srcu+0x7f9/0x1070
[   37.115047]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   37.115051]  ? srcu_offline_cpu+0x120/0x120
[   37.115056]  ? debug_object_free+0x690/0x690
[   37.115061]  ? mark_held_locks+0x130/0x130
[   37.115065]  ? kvm_arch_destroy_vm+0x414/0x7c0
[   37.115069]  ? lock_release+0x970/0x970
[   37.115074]  ? arch_local_save_flags+0x40/0x40
[   37.115079]  ? depot_save_stack+0x292/0x470
[   37.115083]  ? __lockdep_init_map+0x105/0x590
[   37.115088]  ? __init_waitqueue_head+0x9e/0x150
[   37.115092]  ? init_wait_entry+0x1c0/0x1c0
[   37.115097]  __synchronize_srcu+0x17b/0x230
[   37.115101]  ? call_srcu+0x10/0x10
[   37.115105]  ? rcu_unexpedite_gp+0x20/0x20
[   37.115110]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   37.115115]  ? check_preemption_disabled+0x48/0x200
[   37.115120]  synchronize_srcu+0x356/0x5ab
[   37.115124]  ? lock_downgrade+0x900/0x900
[   37.115129]  ? synchronize_srcu_expedited+0x20/0x20
[   37.115133]  ? kasan_check_read+0x11/0x20
[   37.115138]  ? do_raw_spin_trylock+0x1c0/0x1c0
[   37.115142]  ? kasan_check_write+0x14/0x20
[   37.115147]  ? do_raw_spin_lock+0xc1/0x200
[   37.115152]  kvm_page_track_unregister_notifier+0x17d/0x250
[   37.115157]  ? kvm_slot_page_track_remove_page+0x70/0x70
[   37.115161]  ? kvfree+0x61/0x70
[   37.115166]  ? rcu_read_lock_sched_held+0x108/0x120
[   37.115170]  kvm_mmu_uninit_vm+0x1c/0x20
[   37.115175]  kvm_arch_destroy_vm+0x5f2/0x7c0
[   37.115179]  ? kvm_arch_sync_events+0x30/0x30
[   37.115184]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   37.115189]  ? mmu_notifier_unregister+0x474/0x600
[   37.115193]  ? kfree+0x107/0x230
[   37.115198]  ? __mmu_notifier_register+0x30/0x30
[   37.115202]  ? __free_pages+0x10a/0x190
[   37.115206]  ? free_unref_page+0x960/0x960
[   37.115211]  kvm_put_kvm+0x6c8/0xff0
[   37.115222]  ? kvm_write_guest_cached+0x40/0x40
[   37.115232]  ? kvm_irqfd_release+0xd1/0x120
[   37.115237]  ? _raw_spin_unlock_irq+0x27/0x80
[   37.115241]  ? _raw_spin_unlock_irq+0x27/0x80
[   37.115246]  ? kasan_check_write+0x14/0x20
[   37.115250]  ? do_raw_spin_lock+0xc1/0x200
[   37.115254]  ? kvm_irqfd_release+0xdd/0
[   37.115262] Lost 80 message(s)!
[   38.274433] Shutting down cpus with NMI
[   39.333624] Dumping ftrace buffer:
[   39.337153]    (ftrace buffer empty)
[   39.341420] Kernel Offset: disabled
[   39.345039] Rebooting in 86400 seconds..