[ 34.286214] audit: type=1800 audit(1564329250.207:33): pid=7071 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 34.314770] audit: type=1800 audit(1564329250.207:34): pid=7071 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.053579] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.340253] audit: type=1400 audit(1564329254.257:35): avc: denied { map } for pid=7242 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.397824] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.995742] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.208114] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.169' (ECDSA) to the list of known hosts.
[ 44.711788] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.840731] audit: type=1400 audit(1564329260.767:36): avc: denied { map } for pid=7256 comm="syz-executor317" path="/root/syz-executor317104973" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
[ 49.851380] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x60
[ 49.861880] ------------[ cut here ]------------
[ 49.870957] WARNING: CPU: 1 PID: 7259 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 49.880640] Kernel panic - not syncing: panic_on_warn set ...
[ 49.880640]
[ 49.887986] CPU: 1 PID: 7259 Comm: syz-executor317 Not tainted 4.14.134 #30
[ 49.896062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.905423] Call Trace:
[ 49.908030]  dump_stack+0x138/0x19c
[ 49.911652]  panic+0x1f2/0x426
[ 49.914825]  ? add_taint.cold+0x16/0x16
[ 49.918788]  ? debug_print_object.cold+0xa7/0xdb
[ 49.923569]  ? debug_print_object.cold+0xa7/0xdb
[ 49.928323]  __warn.cold+0x2f/0x36
[ 49.931871]  ? ist_end_non_atomic+0x10/0x10
[ 49.936176]  ? debug_print_object.cold+0xa7/0xdb
[ 49.940912]  report_bug+0x216/0x254
[ 49.944544]  do_error_trap+0x1bb/0x310
[ 49.948430]  ? math_error+0x360/0x360
[ 49.952216]  ? vprintk_emit+0x171/0x600
[ 49.956197]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 49.961024]  do_invalid_op+0x1b/0x20
[ 49.964741]  invalid_op+0x1b/0x40
[ 49.968183] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 49.974306] RSP: 0018:ffff88809f9cfaa8 EFLAGS: 00010086
[ 49.979658] RAX: 000000000000005e RBX: 0000000000000003 RCX: 0000000000000000
[ 49.987018] RDX: 0000000000000000 RSI: ffffffff866d0e00 RDI: ffffed1013f39f4b
[ 49.994281] RBP: ffff88809f9cfad0 R08: 000000000000005e R09: 0000000000000000
[ 50.001542] R10: 0000000000000000 R11: ffff8880a5926340 R12: ffffffff866cc000
[ 50.008970] R13: ffffffff8581ffe0 R14: 0000000000000000 R15: ffff8880a970d368
[ 50.016259]  ? rfcomm_session_add+0x340/0x340
[ 50.020742]  ? debug_print_object.cold+0xa7/0xdb
[ 50.025486]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 50.030332]  ? free_obj_work+0x6d0/0x6d0
[ 50.034375]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 50.039818]  kfree+0xbd/0x270
[ 50.042930]  rfcomm_dlc_free+0x20/0x30
[ 50.046824]  rfcomm_dev_ioctl+0x1590/0x18b0
[ 50.051143]  ? mark_held_locks+0xb1/0x100
[ 50.055271]  ? __local_bh_enable_ip+0x99/0x1a0
[ 50.059837]  ? rfcomm_dev_state_change+0x130/0x130
[ 50.064755]  ? __local_bh_enable_ip+0x99/0x1a0
[ 50.069321]  rfcomm_sock_ioctl+0x82/0xa0
[ 50.073383]  sock_do_ioctl+0x64/0xb0
[ 50.077100]  sock_ioctl+0x2a6/0x470
[ 50.080734]  ? dlci_ioctl_set+0x40/0x40
[ 50.086190]  do_vfs_ioctl+0x7ae/0x1060
[ 50.090068]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 50.094810]  ? ioctl_preallocate+0x1c0/0x1c0
[ 50.099212]  ? lock_downgrade+0x6e0/0x6e0
[ 50.103358]  ? security_file_ioctl+0x7d/0xb0
[ 50.107763]  ? security_file_ioctl+0x89/0xb0
[ 50.112181]  SyS_ioctl+0x8f/0xc0
[ 50.115530]  ? do_vfs_ioctl+0x1060/0x1060
[ 50.119668]  do_syscall_64+0x1e8/0x640
[ 50.123554]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.128421]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.133597] RIP: 0033:0x441229
[ 50.136765] RSP: 002b:00007ffdc1c6ba48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 50.144472] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 50.151898] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000003
[ 50.159159] RBP: 000000000000c2b6 R08: 00000000004002c8 R09: 00000000004002c8
[ 50.166409] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 50.173661] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 50.180943]
[ 50.180945] ======================================================
[ 50.180947] WARNING: possible circular locking dependency detected
[ 50.180949] 4.14.134 #30 Not tainted
[ 50.180951] ------------------------------------------------------
[ 50.180953] syz-executor317/7259 is trying to acquire lock:
[ 50.180954]  ((console_sem).lock){-...}, at: [] down_trylock+0x13/0x70
[ 50.180959]
[ 50.180961] but task is already holding lock:
[ 50.180962]  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 50.180966]
[ 50.180968] which lock already depends on the new lock.
[ 50.180969]
[ 50.180970]
[ 50.180973] the existing dependency chain (in reverse order) is:
[ 50.180974]
[ 50.180975] -> #3 (&obj_hash[i].lock){-.-.}:
[ 50.180982]        lock_acquire+0x16f/0x430
[ 50.180984]        _raw_spin_lock_irqsave+0x95/0xcd
[ 50.180986]        __debug_object_init+0xa9/0x8e0
[ 50.180988]        debug_object_init+0x16/0x20
[ 50.180990]        hrtimer_init+0x2a/0x2e0
[ 50.180992]        init_dl_task_timer+0x1b/0x50
[ 50.180994]        __sched_fork+0x222/0xab0
[ 50.180996]        init_idle+0x75/0x800
[ 50.180998]        sched_init+0xaa1/0xbb3
[ 50.181000]        start_kernel+0x339/0x6fd
[ 50.181002]        x86_64_start_reservations+0x29/0x2b
[ 50.181004]        x86_64_start_kernel+0x77/0x7b
[ 50.181007]        secondary_startup_64+0xa5/0xb0
[ 50.181008]
[ 50.181009] -> #2 (&rq->lock){-.-.}:
[ 50.181016]        lock_acquire+0x16f/0x430
[ 50.181018]        _raw_spin_lock+0x2f/0x40
[ 50.181020]        task_fork_fair+0x63/0x5b0
[ 50.181022]        sched_fork+0x3a6/0xc10
[ 50.181024]        copy_process.part.0+0x15b7/0x6a00
[ 50.181026]        _do_fork+0x19e/0xce0
[ 50.181028]        kernel_thread+0x34/0x40
[ 50.181030]        rest_init+0x24/0xf6
[ 50.181032]        start_kernel+0x6df/0x6fd
[ 50.181035]        x86_64_start_reservations+0x29/0x2b
[ 50.181037]        x86_64_start_kernel+0x77/0x7b
[ 50.181039]        secondary_startup_64+0xa5/0xb0
[ 50.181040]
[ 50.181042] -> #1 (&p->pi_lock){-.-.}:
[ 50.181049]        lock_acquire+0x16f/0x430
[ 50.181051]        _raw_spin_lock_irqsave+0x95/0xcd
[ 50.181052]        try_to_wake_up+0x79/0xf90
[ 50.181053]        wake_up_process+0x10/0x20
[ 50.181055]        __up.isra.0+0x136/0x1a0
[ 50.181056]        up+0x9c/0xe0
[ 50.181058]        __up_console_sem+0xad/0x1b0
[ 50.181061]        console_unlock+0x59d/0xed0
[ 50.181063]        do_con_write.part.0+0xbf1/0x1b50
[ 50.181065]        con_write+0x38/0xc0
[ 50.181067]        n_tty_write+0x38b/0xee0
[ 50.181068]        tty_write+0x3f6/0x700
[ 50.181070]        __vfs_write+0x105/0x6b0
[ 50.181071]        vfs_write+0x198/0x500
[ 50.181072]        SyS_write+0xfd/0x230
[ 50.181073]        do_syscall_64+0x1e8/0x640
[ 50.181075]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.181076]
[ 50.181076] -> #0 ((console_sem).lock){-...}:
[ 50.181081]        __lock_acquire+0x2c89/0x45e0
[ 50.181082]        lock_acquire+0x16f/0x430
[ 50.181083]        _raw_spin_lock_irqsave+0x95/0xcd
[ 50.181085]        down_trylock+0x13/0x70
[ 50.181086]        __down_trylock_console_sem+0x9c/0x200
[ 50.181087]        console_trylock+0x17/0x80
[ 50.181089]        vprintk_emit+0x1eb/0x600
[ 50.181090]        vprintk_default+0x28/0x30
[ 50.181091]        vprintk_func+0x5d/0x159
[ 50.181092]        printk+0x9e/0xbc
[ 50.181094]        debug_print_object.cold+0xa7/0xdb
[ 50.181095]        debug_check_no_obj_freed+0x3f5/0x7b7
[ 50.181096]        kfree+0xbd/0x270
[ 50.181097]        rfcomm_dlc_free+0x20/0x30
[ 50.181098]        rfcomm_dev_ioctl+0x1590/0x18b0
[ 50.181100]        rfcomm_sock_ioctl+0x82/0xa0
[ 50.181101]        sock_do_ioctl+0x64/0xb0
[ 50.181102]        sock_ioctl+0x2a6/0x470
[ 50.181103]        do_vfs_ioctl+0x7ae/0x1060
[ 50.181104]        SyS_ioctl+0x8f/0xc0
[ 50.181105]        do_syscall_64+0x1e8/0x640
[ 50.181107]        entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.181108]
[ 50.181109] other info that might help us debug this:
[ 50.181110]
[ 50.181111] Chain exists of:
[ 50.181111]   (console_sem).lock --> &rq->lock --> &obj_hash[i].lock
[ 50.181117]
[ 50.181118]  Possible unsafe locking scenario:
[ 50.181119]
[ 50.181120]        CPU0                    CPU1
[ 50.181121]        ----                    ----
[ 50.181122]   lock(&obj_hash[i].lock);
[ 50.181125]                                lock(&rq->lock);
[ 50.181127]                                lock(&obj_hash[i].lock);
[ 50.181130]   lock((console_sem).lock);
[ 50.181133]
[ 50.181134]  *** DEADLOCK ***
[ 50.181135]
[ 50.181136] 3 locks held by syz-executor317/7259:
[ 50.181137]  #0:  (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: [] rfcomm_sock_ioctl+0x74/0xa0
[ 50.181142]  #1:  (rfcomm_ioctl_mutex){+.+.}, at: [] rfcomm_dev_ioctl+0x442/0x18b0
[ 50.181146]  #2:  (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x12d/0x7b7
[ 50.181152]
[ 50.181153] stack backtrace:
[ 50.181155] CPU: 1 PID: 7259 Comm: syz-executor317 Not tainted 4.14.134 #30
[ 50.181157] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.181158] Call Trace:
[ 50.181159]  dump_stack+0x138/0x19c
[ 50.181160]  print_circular_bug.isra.0.cold+0x1cc/0x28f
[ 50.181162]  __lock_acquire+0x2c89/0x45e0
[ 50.181163]  ? add_lock_to_list.isra.0+0x17c/0x330
[ 50.181164]  ? trace_hardirqs_on+0x10/0x10
[ 50.181165]  ? netdev_bits+0xb0/0xb0
[ 50.181166]  ? save_trace+0x290/0x290
[ 50.181168]  ? kvm_clock_read+0x23/0x40
[ 50.181169]  ? kvm_sched_clock_read+0x9/0x20
[ 50.181170]  lock_acquire+0x16f/0x430
[ 50.181171]  ? down_trylock+0x13/0x70
[ 50.181172]  ? vprintk_emit+0x109/0x600
[ 50.181174]  _raw_spin_lock_irqsave+0x95/0xcd
[ 50.181175]  ? down_trylock+0x13/0x70
[ 50.181176]  ? vprintk_emit+0x1eb/0x600
[ 50.181178]  down_trylock+0x13/0x70
[ 50.181179]  ? vprintk_emit+0x1eb/0x600
[ 50.181181]  __down_trylock_console_sem+0x9c/0x200
[ 50.181183]  console_trylock+0x17/0x80
[ 50.181184]  vprintk_emit+0x1eb/0x600
[ 50.181185]  vprintk_default+0x28/0x30
[ 50.181186]  vprintk_func+0x5d/0x159
[ 50.181188]  ? rfcomm_session_add+0x340/0x340
[ 50.181189]  printk+0x9e/0xbc
[ 50.181190]  ? show_regs_print_info+0x63/0x63
[ 50.181192]  ? lock_acquire+0x16f/0x430
[ 50.181193]  ? debug_check_no_obj_freed+0x12d/0x7b7
[ 50.181194]  ? rfcomm_session_add+0x340/0x340
[ 50.181196]  debug_print_object.cold+0xa7/0xdb
[ 50.181197]  debug_check_no_obj_freed+0x3f5/0x7b7
[ 50.181198]  ? free_obj_work+0x6d0/0x6d0
[ 50.181200]  ? rcu_lockdep_current_cpu_online+0xf2/0x140
[ 50.181201]  kfree+0xbd/0x270
[ 50.181202]  rfcomm_dlc_free+0x20/0x30
[ 50.181203]  rfcomm_dev_ioctl+0x1590/0x18b0
[ 50.181205]  ? mark_held_locks+0xb1/0x100
[ 50.181206]  ? __local_bh_enable_ip+0x99/0x1a0
[ 50.181207]  ? rfcomm_dev_state_change+0x130/0x130
[ 50.181208]  ? __local_bh_enable_ip+0x99/0x1a0
[ 50.181210]  rfcomm_sock_ioctl+0x82/0xa0
[ 50.181211]  sock_do_ioctl+0x64/0xb0
[ 50.181212]  sock_ioctl+0x2a6/0x470
[ 50.181213]  ? dlci_ioctl_set+0x40/0x40
[ 50.181214]  do_vfs_ioctl+0x7ae/0x1060
[ 50.181216]  ? selinux_file_mprotect+0x5d0/0x5d0
[ 50.181217]  ? ioctl_preallocate+0x1c0/0x1c0
[ 50.181218]  ? lock_downgrade+0x6e0/0x6e0
[ 50.181219]  ? security_file_ioctl+0x7d/0xb0
[ 50.181221]  ? security_file_ioctl+0x89/0xb0
[ 50.181222]  SyS_ioctl+0x8f/0xc0
[ 50.181224]  ? do_vfs_ioctl+0x1060/0x1060
[ 50.181226]  do_syscall_64+0x1e8/0x640
[ 50.181228]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.181229]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.181230] RIP: 0033:0x441229
[ 50.181232] RSP: 002b:00007ffdc1c6ba48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 50.181236] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229
[ 50.181238] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000003
[ 50.181239] RBP: 000000000000c2b6 R08: 00000000004002c8 R09: 00000000004002c8
[ 50.181241] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050
[ 50.181243] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000
[ 50.182198] Kernel Offset: disabled
[ 50.955734] Rebooting in 86400 seconds..