[ 41.212729] audit: type=1800 audit(1565919170.963:32): pid=7413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2450 res=0
[....] Starting periodic command scheduler: cron [ ok ].
Starting mcstransd:
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[....] Starting file context maintaining daemon: restorecond [ ok ].
[ 42.068570] audit: type=1800 audit(1565919171.913:33): pid=7413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 49.695874] kauditd_printk_skb: 2 callbacks suppressed
[ 49.695889] audit: type=1400 audit(1565919179.543:36): avc: denied { map } for pid=7602 comm="syz-executor590" path="/root/syz-executor590667288" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 54.706876] ------------[ cut here ]------------
[ 54.712606] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80
[ 54.722598] WARNING: CPU: 1 PID: 7605 at lib/debugobjects.c:325 debug_print_object+0x168/0x250
[ 54.731332] Kernel panic - not syncing: panic_on_warn set ...
[ 54.731332]
[ 54.738680] CPU: 1 PID: 7605 Comm: syz-executor590 Not tainted 4.19.66 #40
[ 54.745671] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.755003] Call Trace:
[ 54.757577]  dump_stack+0x172/0x1f0
[ 54.761196]  panic+0x263/0x507
[ 54.764382]  ? __warn_printk+0xf3/0xf3
[ 54.768261]  ? debug_print_object+0x168/0x250
[ 54.772737]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.778255]  ? __warn.cold+0x5/0x4a
[ 54.781861]  ? __warn+0xe8/0x1d0
[ 54.785207]  ? debug_print_object+0x168/0x250
[ 54.789681]  __warn.cold+0x20/0x4a
[ 54.793202]  ? trace_hardirqs_off+0x62/0x220
[ 54.797589]  ? debug_print_object+0x168/0x250
[ 54.802130]  report_bug+0x263/0x2b0
[ 54.805940]  do_error_trap+0x204/0x360
[ 54.809811]  ? math_error+0x340/0x340
[ 54.813646]  ? wake_up_klogd+0x99/0xd0
[ 54.817527]  ? vprintk_emit+0x1ab/0x690
[ 54.821614]  ? error_entry+0x7c/0xe0
[ 54.825311]  ? trace_hardirqs_off_caller+0x65/0x220
[ 54.830312]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 54.835142]  do_invalid_op+0x1b/0x20
[ 54.838841]  invalid_op+0x14/0x20
[ 54.842279] RIP: 0010:debug_print_object+0x168/0x250
[ 54.847361] Code: dd a0 52 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd a0 52 82 87 48 c7 c7 e0 47 82 87 e8 a6 23 19 fe <0f> 0b 83 05 bb aa 17 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3
[ 54.866245] RSP: 0018:ffff8880952a78d8 EFLAGS: 00010086
[ 54.871622] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
[ 54.878885] RDX: 0000000000000000 RSI: ffffffff8155d916 RDI: ffffed1012a54f0d
[ 54.886138] RBP: ffff8880952a7918 R08: ffff8880948306c0 R09: ffffed1015d23ee3
[ 54.893391] R10: ffffed1015d23ee2 R11: ffff8880ae91f717 R12: 0000000000000001
[ 54.900651] R13: ffffffff887ac4c0 R14: ffffffff815b4e70 R15: ffff888094ee40a8
[ 54.907918]  ? __internal_add_timer+0x1f0/0x1f0
[ 54.912573]  ? vprintk_func+0x86/0x189
[ 54.916447]  ? debug_print_object+0x168/0x250
[ 54.920922]  debug_check_no_obj_freed+0x29f/0x464
[ 54.925750]  kfree+0xbd/0x220
[ 54.928841]  rfcomm_dlc_free+0x20/0x30
[ 54.932710]  rfcomm_dev_ioctl+0x181f/0x1b60
[ 54.937026]  ? __local_bh_enable_ip+0x15a/0x270
[ 54.941677]  ? lock_sock_nested+0xe2/0x120
[ 54.945892]  ? __local_bh_enable_ip+0x15a/0x270
[ 54.950563]  ? rfcomm_dev_state_change+0x150/0x150
[ 54.955489]  ? __local_bh_enable_ip+0x15a/0x270
[ 54.960142]  rfcomm_sock_ioctl+0x90/0xb0
[ 54.964189]  sock_do_ioctl+0xd8/0x2f0
[ 54.967980]  ? compat_ifr_data_ioctl+0x160/0x160
[ 54.972778]  ? __lock_acquire+0x6ee/0x49c0
[ 54.977009]  ? rcu_read_lock_sched_held+0x110/0x130
[ 54.982010]  ? kmem_cache_alloc+0x32a/0x700
[ 54.986317]  sock_ioctl+0x325/0x610
[ 54.989927]  ? dlci_ioctl_set+0x40/0x40
[ 54.993887]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 54.999417]  ? __might_sleep+0x95/0x190
[ 55.003373]  ? find_held_lock+0x35/0x130
[ 55.007419]  ? dlci_ioctl_set+0x40/0x40
[ 55.011388]  do_vfs_ioctl+0xd5f/0x1380
[ 55.015262]  ? selinux_file_ioctl+0x46f/0x5e0
[ 55.019746]  ? selinux_file_ioctl+0x125/0x5e0
[ 55.024227]  ? ioctl_preallocate+0x210/0x210
[ 55.028618]  ? selinux_file_mprotect+0x620/0x620
[ 55.033360]  ? __sanitizer_cov_trace_cmp1+0x1b/0x20
[ 55.038416]  ? __fd_install+0x200/0x640
[ 55.042391]  ? fd_install+0x4d/0x60
[ 55.046007]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.051524]  ? security_file_ioctl+0x8d/0xc0
[ 55.055912]  ksys_ioctl+0xab/0xd0
[ 55.059347]  __x64_sys_ioctl+0x73/0xb0
[ 55.063217]  do_syscall_64+0xfd/0x620
[ 55.066999]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.072171] RIP: 0033:0x441229
[ 55.075346] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 55.094231] RSP: 002b:00007ffef33b6428 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 55.101918] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 55.109165] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 55.116414] RBP: 000000000000d592 R08: 00000000004002c8 R09: 00000000004002c8
[ 55.123671] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 55.130936] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 55.138203]
[ 55.138207] ======================================================
[ 55.138210] WARNING: possible circular locking dependency detected
[ 55.138212] 4.19.66 #40 Not tainted
[ 55.138216] ------------------------------------------------------
[ 55.138219] syz-executor590/7605 is trying to acquire lock:
[ 55.138221] 00000000fb5e79f6 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 55.138230]
[ 55.138232] but task is already holding lock:
[ 55.138234] 00000000fb7af437 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 55.138243]
[ 55.138245] which lock already depends on the new lock.
[ 55.138247]
[ 55.138248]
[ 55.138251] the existing dependency chain (in reverse order) is:
[ 55.138252]
[ 55.138254] -> #3 (&obj_hash[i].lock){-.-.}:
[ 55.138263]        _raw_spin_lock_irqsave+0x95/0xcd
[ 55.138265]        __debug_object_init+0xc6/0xc30
[ 55.138267]        debug_object_init+0x16/0x20
[ 55.138270]        hrtimer_init+0x2a/0x300
[ 55.138272]        init_dl_task_timer+0x1b/0x50
[ 55.138274]        __sched_fork+0x22a/0x4b0
[ 55.138281]        init_idle+0x75/0x800
[ 55.138283]        sched_init+0x952/0x9f0
[ 55.138285]        start_kernel+0x402/0x8c5
[ 55.138288]        x86_64_start_reservations+0x29/0x2b
[ 55.138291]        x86_64_start_kernel+0x77/0x7b
[ 55.138293]        secondary_startup_64+0xa4/0xb0
[ 55.138294]
[ 55.138296] -> #2 (&rq->lock){-.-.}:
[ 55.138304]        _raw_spin_lock+0x2f/0x40
[ 55.138306]        task_fork_fair+0x6a/0x520
[ 55.138308]        sched_fork+0x3af/0x900
[ 55.138311]        copy_process.part.0+0x1859/0x7a30
[ 55.138313]        _do_fork+0x257/0xfd0
[ 55.138315]        kernel_thread+0x34/0x40
[ 55.138318]        rest_init+0x24/0x222
[ 55.138320]        start_kernel+0x88c/0x8c5
[ 55.138322]        x86_64_start_reservations+0x29/0x2b
[ 55.138325]        x86_64_start_kernel+0x77/0x7b
[ 55.138327]        secondary_startup_64+0xa4/0xb0
[ 55.138329]
[ 55.138330] -> #1 (&p->pi_lock){-.-.}:
[ 55.138338]        _raw_spin_lock_irqsave+0x95/0xcd
[ 55.138341]        try_to_wake_up+0x94/0xf50
[ 55.138343]        wake_up_process+0x10/0x20
[ 55.138345]        __up.isra.0+0x136/0x1a0
[ 55.138347]        up+0x9c/0xe0
[ 55.138350]        __up_console_sem+0xb7/0x1c0
[ 55.138352]        console_unlock+0x6c7/0x10b0
[ 55.138355]        do_con_write.part.0+0xeec/0x1eb0
[ 55.138357]        con_write+0x46/0xd0
[ 55.138359]        n_tty_write+0x3f9/0x10f0
[ 55.138362]        tty_write+0x458/0x7a0
[ 55.138364]        __vfs_write+0x114/0x810
[ 55.138366]        vfs_write+0x20c/0x560
[ 55.138368]        ksys_write+0x14f/0x2d0
[ 55.138371]        __x64_sys_write+0x73/0xb0
[ 55.138373]        do_syscall_64+0xfd/0x620
[ 55.138376]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.138377]
[ 55.138378] -> #0 ((console_sem).lock){-...}:
[ 55.138387]        lock_acquire+0x16f/0x3f0
[ 55.138389]        _raw_spin_lock_irqsave+0x95/0xcd
[ 55.138391]        down_trylock+0x13/0x70
[ 55.138394]        __down_trylock_console_sem+0xa8/0x210
[ 55.138397]        console_trylock+0x15/0xa0
[ 55.138399]        vprintk_emit+0x21d/0x690
[ 55.138401]        vprintk_default+0x28/0x30
[ 55.138404]        vprintk_func+0x7e/0x189
[ 55.138406]        printk+0xba/0xed
[ 55.138408]        __warn_printk+0x9b/0xf3
[ 55.138410]        debug_print_object+0x168/0x250
[ 55.138413]        debug_check_no_obj_freed+0x29f/0x464
[ 55.138415]        kfree+0xbd/0x220
[ 55.138417]        rfcomm_dlc_free+0x20/0x30
[ 55.138420]        rfcomm_dev_ioctl+0x181f/0x1b60
[ 55.138422]        rfcomm_sock_ioctl+0x90/0xb0
[ 55.138425]        sock_do_ioctl+0xd8/0x2f0
[ 55.138427]        sock_ioctl+0x325/0x610
[ 55.138429]        do_vfs_ioctl+0xd5f/0x1380
[ 55.138431]        ksys_ioctl+0xab/0xd0
[ 55.138434]        __x64_sys_ioctl+0x73/0xb0
[ 55.138436]        do_syscall_64+0xfd/0x620
[ 55.138439]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.138440]
[ 55.138443] other info that might help us debug this:
[ 55.138444]
[ 55.138446] Chain exists of:
[ 55.138447]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[ 55.138459]
[ 55.138463]  Possible unsafe locking scenario:
[ 55.138465]
[ 55.138468]        CPU0                    CPU1
[ 55.138472]        ----                    ----
[ 55.138475]   lock(&obj_hash[i].lock);
[ 55.138484]                                lock(&rq->lock);
[ 55.138494]                                lock(&obj_hash[i].lock);
[ 55.138503]   lock((console_sem).lock);
[ 55.138510]
[ 55.138511]  *** DEADLOCK ***
[ 55.138513]
[ 55.138515] 3 locks held by syz-executor590/7605:
[ 55.138517]  #0: 0000000002980732 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0
[ 55.138527]  #1: 000000007e3d2c7f (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60
[ 55.138537]  #2: 00000000fb7af437 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464
[ 55.138547]
[ 55.138549] stack backtrace:
[ 55.138553] CPU: 1 PID: 7605 Comm: syz-executor590 Not tainted 4.19.66 #40
[ 55.138557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.138559] Call Trace:
[ 55.138561]  dump_stack+0x172/0x1f0
[ 55.138564]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 55.138566]  __lock_acquire+0x2e19/0x49c0
[ 55.138569]  ? mark_held_locks+0x100/0x100
[ 55.138571]  ? kvm_clock_read+0x18/0x30
[ 55.138573]  ? kvm_sched_clock_read+0x9/0x20
[ 55.138576]  lock_acquire+0x16f/0x3f0
[ 55.138578]  ? down_trylock+0x13/0x70
[ 55.138580]  _raw_spin_lock_irqsave+0x95/0xcd
[ 55.138583]  ? down_trylock+0x13/0x70
[ 55.138585]  ? vprintk_emit+0x21d/0x690
[ 55.138587]  down_trylock+0x13/0x70
[ 55.138589]  ? vprintk_emit+0x21d/0x690
[ 55.138592]  __down_trylock_console_sem+0xa8/0x210
[ 55.138594]  console_trylock+0x15/0xa0
[ 55.138597]  vprintk_emit+0x21d/0x690
[ 55.138599]  ? __internal_add_timer+0x1f0/0x1f0
[ 55.138601]  vprintk_default+0x28/0x30
[ 55.138604]  vprintk_func+0x7e/0x189
[ 55.138606]  printk+0xba/0xed
[ 55.138608]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 55.138611]  ? __warn_printk+0x8f/0xf3
[ 55.138613]  ? rfcomm_session_add+0x300/0x300
[ 55.138615]  __warn_printk+0x9b/0xf3
[ 55.138618]  ? add_taint.cold+0x16/0x16
[ 55.138620]  ? skb_dequeue+0x12e/0x180
[ 55.138623]  ? rfcomm_session_add+0x300/0x300
[ 55.138625]  debug_print_object+0x168/0x250
[ 55.138628]  debug_check_no_obj_freed+0x29f/0x464
[ 55.138630]  kfree+0xbd/0x220
[ 55.138632]  rfcomm_dlc_free+0x20/0x30
[ 55.138635]  rfcomm_dev_ioctl+0x181f/0x1b60
[ 55.138637]  ? __local_bh_enable_ip+0x15a/0x270
[ 55.138640]  ? lock_sock_nested+0xe2/0x120
[ 55.138643]  ? __local_bh_enable_ip+0x15a/0x270
[ 55.138645]  ? rfcomm_dev_state_change+0x150/0x150
[ 55.138648]  ? __local_bh_enable_ip+0x15a/0x270
[ 55.138650]  rfcomm_sock_ioctl+0x90/0xb0
[ 55.138653]  sock_do_ioctl+0xd8/0x2f0
[ 55.138655]  ? compat_ifr_data_ioctl+0x160/0x160
[ 55.138658]  ? __lock_acquire+0x6ee/0x49c0
[ 55.138660]  ? rcu_read_lock_sched_held+0x110/0x130
[ 55.138663]  ? kmem_cache_alloc+0x32a/0x700
[ 55.138665]  sock_ioctl+0x325/0x610
[ 55.138667]  ? dlci_ioctl_set+0x40/0x40
[ 55.138670]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.138672]  ? __might_sleep+0x95/0x190
[ 55.138675]  ? find_held_lock+0x35/0x130
[ 55.138677]  ? dlci_ioctl_set+0x40/0x40
[ 55.138679]  do_vfs_ioctl+0xd5f/0x1380
[ 55.138682]  ? selinux_file_ioctl+0x46f/0x5e0
[ 55.138684]  ? selinux_file_ioctl+0x125/0x5e0
[ 55.138687]  ? ioctl_preallocate+0x210/0x210
[ 55.138689]  ? selinux_file_mprotect+0x620/0x620
[ 55.138692]  ? __sanitizer_cov_trace_cmp1+0x1b/0x20
[ 55.138694]  ? __fd_install+0x200/0x640
[ 55.138696]  ? fd_install+0x4d/0x60
[ 55.138699]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.138702]  ? security_file_ioctl+0x8d/0xc0
[ 55.138704]  ksys_ioctl+0xab/0xd0
[ 55.138707]  __x64_sys_ioctl+0x73/0xb0
[ 55.138709]  do_syscall_64+0xfd/0x620
[ 55.138711]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.138713] RIP: 0033:0x441229
[ 55.138722] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 55.138724] RSP: 002b:00007ffef33b6428 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 55.138730] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 55.138734] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004
[ 55.138738] RBP: 000000000000d592 R08: 00000000004002c8 R09: 00000000004002c8
[ 55.138742] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 55.138745] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 55.139826] Kernel Offset: disabled
[ 55.974733] Rebooting in 86400 seconds..