Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.15.212' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 28.593017] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90 [ 28.603747] ------------[ cut here ]------------ [ 28.608487] WARNING: CPU: 1 PID: 7984 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb [ 28.617471] Kernel panic - not syncing: panic_on_warn set ... [ 28.617471] [ 28.625179] CPU: 1 PID: 7984 Comm: syz-executor165 Not tainted 4.14.259-syzkaller #0 [ 28.633034] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.642456] Call Trace: [ 28.645025] dump_stack+0x1b2/0x281 [ 28.648631] panic+0x1f9/0x42d [ 28.651822] ? add_taint.cold+0x16/0x16 [ 28.655862] ? debug_print_object.cold+0xa7/0xdb [ 28.660598] ? debug_print_object.cold+0xa7/0xdb [ 28.665342] __warn.cold+0x20/0x44 [ 28.668869] ? ist_end_non_atomic+0x10/0x10 [ 28.673175] ? debug_print_object.cold+0xa7/0xdb [ 28.677909] report_bug+0x208/0x250 [ 28.681518] do_error_trap+0x195/0x2d0 [ 28.685382] ? math_error+0x2d0/0x2d0 [ 28.689161] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.693975] invalid_op+0x1b/0x40 [ 28.697401] RIP: 0010:debug_print_object.cold+0xa7/0xdb [ 28.702734] RSP: 0018:ffff88808f2b72d8 EFLAGS: 00010086 [ 28.708071] RAX: 0000000000000061 RBX: 0000000000000003 RCX: 0000000000000000 [ 28.715315] RDX: 0000000000000000 RSI: ffffffff878bbcc0 RDI: ffffed1011e56e51 [ 28.722559] RBP: ffffffff878b6f80 R08: 0000000000000061 R09: 0000000000000000 [ 28.729802] R10: 0000000000000000 R11: ffff88809be42000 R12: ffffffff81361090 [ 28.737047] R13: 0000000000000000 R14: ffff88809bd5dc00 R15: ffff8880a1999818 [ 28.744383] ? execute_in_process_context+0x140/0x140 [ 28.749550] ? debug_print_object.cold+0xa7/0xdb [ 28.754282] debug_check_no_obj_freed+0x3b7/0x680 [ 28.759101] ? debug_object_activate+0x490/0x490 [ 28.763883] ? rcu_lockdep_current_cpu_online+0xed/0x140 [ 28.769309] kfree+0xb9/0x250 [ 28.772387] ? xps_cpus_show+0x620/0x620 [ 28.776428] kvfree+0x45/0x50 [ 28.779518] device_release+0x15f/0x1a0 [ 28.783477] ? dev_attr_show+0xc0/0xc0 [ 28.787336] kobject_put+0x251/0x550 [ 28.791022] put_device+0x1c/0x30 [ 28.794448] free_netdev+0x26f/0x360 [ 28.798139] rtnl_newlink+0x14e6/0x1860 [ 28.802086] ? rtnl_newlink+0x43d/0x1860 [ 28.806125] ? __lock_acquire+0x5fc/0x3f20 [ 28.810336] ? trace_hardirqs_on+0x10/0x10 [ 28.814545] ? rtnl_dellink+0x6a0/0x6a0 [ 28.818493] ? trace_hardirqs_on+0x10/0x10 [ 28.822715] ? __read_once_size_nocheck.constprop.0+0x10/0x10 [ 28.828580] ? deref_stack_reg+0x124/0x1a0 [ 28.832799] ? lock_acquire+0x170/0x3f0 [ 28.836750] ? lock_downgrade+0x740/0x740 [ 28.841046] ? rtnl_dellink+0x6a0/0x6a0 [ 28.844993] rtnetlink_rcv_msg+0x3be/0xb10 [ 28.849205] ? rtnl_calcit.isra.0+0x3a0/0x3a0 [ 28.853677] ? __netlink_lookup+0x345/0x5d0 [ 28.857972] netlink_rcv_skb+0x125/0x390 [ 28.862010] ? rtnl_calcit.isra.0+0x3a0/0x3a0 [ 28.866481] ? netlink_ack+0x9a0/0x9a0 [ 28.870342] netlink_unicast+0x437/0x610 [ 28.874377] ? netlink_sendskb+0xd0/0xd0 [ 28.878409] ? __check_object_size+0x179/0x230 [ 28.882962] netlink_sendmsg+0x648/0xbc0 [ 28.886994] ? nlmsg_notify+0x1b0/0x1b0 [ 28.890941] ? kernel_recvmsg+0x210/0x210 [ 28.895067] ? security_socket_sendmsg+0x83/0xb0 [ 28.899794] ? nlmsg_notify+0x1b0/0x1b0 [ 28.903740] sock_sendmsg+0xb5/0x100 [ 28.907426] ___sys_sendmsg+0x6c8/0x800 [ 28.911372] ? copy_msghdr_from_user+0x3b0/0x3b0 [ 28.916106] ? trace_hardirqs_on+0x10/0x10 [ 28.920328] ? trace_hardirqs_on+0x10/0x10 [ 28.924538] ? trace_hardirqs_on+0x10/0x10 [ 28.928750] ? __might_fault+0x104/0x1b0 [ 28.932784] ? lock_acquire+0x170/0x3f0 [ 28.936732] ? lock_downgrade+0x740/0x740 [ 28.940852] ? __might_fault+0x177/0x1b0 [ 28.944887] ? _copy_to_user+0x82/0xd0 [ 28.948746] ? move_addr_to_user+0x13f/0x180 [ 28.953135] ? __fdget+0x167/0x1f0 [ 28.956648] ? sockfd_lookup_light+0xb2/0x160 [ 28.961119] __sys_sendmsg+0xa3/0x120 [ 28.964892] ? SyS_shutdown+0x160/0x160 [ 28.968841] ? move_addr_to_kernel+0x60/0x60 [ 28.973227] ? __do_page_fault+0x159/0xad0 [ 28.977433] SyS_sendmsg+0x27/0x40 [ 28.980945] ? __sys_sendmsg+0x120/0x120 [ 28.984983] do_syscall_64+0x1d5/0x640 [ 28.988851] entry_SYSCALL_64_after_hwframe+0x46/0xbb [ 28.994016] RIP: 0033:0x7f1bac7dc3a9 [ 28.997702] RSP: 002b:00007ffe6731c3d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 29.005392] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1bac7dc3a9 [ 29.012633] RDX: 0000000004040000 RSI: 0000000020000080 RDI: 0000000000000004 [ 29.019899] RBP: 00007ffe6731c3e0 R08: 65732f636f72702f R09: 65732f636f72702f [ 29.027144] R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f1bac7a0330 [ 29.035431] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 29.042698] [ 29.042700] ====================================================== [ 29.042702] WARNING: possible circular locking dependency detected [ 29.042703] 4.14.259-syzkaller #0 Not tainted [ 29.042705] ------------------------------------------------------ [ 29.042706] syz-executor165/7984 is trying to acquire lock: [ 29.042707] ((console_sem).lock){....}, at: [] down_trylock+0xe/0x60 [ 29.042711] [ 29.042713] but task is already holding lock: [ 29.042713] (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x135/0x680 [ 29.042717] [ 29.042719] which lock already depends on the new lock. [ 29.042720] [ 29.042720] [ 29.042722] the existing dependency chain (in reverse order) is: [ 29.042723] [ 29.042723] -> #5 (&obj_hash[i].lock){-.-.}: [ 29.042728] _raw_spin_lock_irqsave+0x8c/0xc0 [ 29.042729] debug_object_activate+0x10f/0x490 [ 29.042730] enqueue_hrtimer+0x22/0x3b0 [ 29.042732] hrtimer_start_range_ns+0x4a0/0x10b0 [ 29.042733] schedule_hrtimeout_range_clock+0x144/0x320 [ 29.042735] wait_task_inactive+0x469/0x520 [ 29.042736] __kthread_bind_mask+0x1f/0xb0 [ 29.042737] create_worker+0x437/0x6c0 [ 29.042738] workqueue_init+0x4ef/0x759 [ 29.042740] kernel_init_freeable+0x3ac/0x626 [ 29.042741] kernel_init+0xd/0x161 [ 29.042742] ret_from_fork+0x24/0x30 [ 29.042743] [ 29.042743] -> #4 (hrtimer_bases.lock){-.-.}: [ 29.042748] _raw_spin_lock_irqsave+0x8c/0xc0 [ 29.042749] hrtimer_start_range_ns+0x77/0x10b0 [ 29.042750] enqueue_task_rt+0x584/0xf30 [ 29.042752] __sched_setscheduler.constprop.0+0xe73/0x2640 [ 29.042753] sched_setscheduler+0xfa/0x150 [ 29.042754] watchdog_enable+0x11b/0x170 [ 29.042756] smpboot_thread_fn+0x40d/0x920 [ 29.042757] kthread+0x30d/0x420 [ 29.042758] ret_from_fork+0x24/0x30 [ 29.042759] [ 29.042759] -> #3 (&rt_b->rt_runtime_lock){-.-.}: [ 29.042763] _raw_spin_lock+0x2a/0x40 [ 29.042765] enqueue_task_rt+0x514/0xf30 [ 29.042766] __sched_setscheduler.constprop.0+0xe73/0x2640 [ 29.042767] sched_setscheduler+0xfa/0x150 [ 29.042769] watchdog_enable+0x11b/0x170 [ 29.042770] smpboot_thread_fn+0x40d/0x920 [ 29.042771] kthread+0x30d/0x420 [ 29.042772] ret_from_fork+0x24/0x30 [ 29.042773] [ 29.042774] -> #2 (&rq->lock){-.-.}: [ 29.042778] _raw_spin_lock+0x2a/0x40 [ 29.042779] task_fork_fair+0x63/0x550 [ 29.042780] sched_fork+0x39a/0xb60 [ 29.042781] copy_process.part.0+0x15b2/0x71c0 [ 29.042782] _do_fork+0x184/0xc80 [ 29.042784] kernel_thread+0x2f/0x40 [ 29.042785] rest_init+0x1f/0x2a3 [ 29.042786] start_kernel+0x750/0x770 [ 29.042787] secondary_startup_64+0xa5/0xb0 [ 29.042788] [ 29.042789] -> #1 (&p->pi_lock){-.-.}: [ 29.042793] _raw_spin_lock_irqsave+0x8c/0xc0 [ 29.042794] try_to_wake_up+0x6a/0x1100 [ 29.042795] up+0x75/0xb0 [ 29.042796] __up_console_sem+0xa9/0x1b0 [ 29.042797] console_unlock+0x531/0xf20 [ 29.042799] vt_ioctl+0x1500/0x1d50 [ 29.042800] tty_ioctl+0x50f/0x1430 [ 29.042801] do_vfs_ioctl+0x75a/0xff0 [ 29.042802] SyS_ioctl+0x7f/0xb0 [ 29.042803] do_syscall_64+0x1d5/0x640 [ 29.042805] entry_SYSCALL_64_after_hwframe+0x46/0xbb [ 29.042806] [ 29.042806] -> #0 ((console_sem).lock){....}: [ 29.042810] lock_acquire+0x170/0x3f0 [ 29.042812] _raw_spin_lock_irqsave+0x8c/0xc0 [ 29.042813] down_trylock+0xe/0x60 [ 29.042814] __down_trylock_console_sem+0x97/0x1e0 [ 29.042815] vprintk_emit+0x1ee/0x620 [ 29.042817] vprintk_func+0x58/0x160 [ 29.042818] printk+0x9e/0xbc [ 29.042819] debug_print_object.cold+0xa7/0xdb [ 29.042820] debug_check_no_obj_freed+0x3b7/0x680 [ 29.042821] kfree+0xb9/0x250 [ 29.042822] kvfree+0x45/0x50 [ 29.042824] device_release+0x15f/0x1a0 [ 29.042825] kobject_put+0x251/0x550 [ 29.042826] put_device+0x1c/0x30 [ 29.042827] free_netdev+0x26f/0x360 [ 29.042829] rtnl_newlink+0x14e6/0x1860 [ 29.042830] rtnetlink_rcv_msg+0x3be/0xb10 [ 29.042831] netlink_rcv_skb+0x125/0x390 [ 29.042832] netlink_unicast+0x437/0x610 [ 29.042833] netlink_sendmsg+0x648/0xbc0 [ 29.042835] sock_sendmsg+0xb5/0x100 [ 29.042836] ___sys_sendmsg+0x6c8/0x800 [ 29.042837] __sys_sendmsg+0xa3/0x120 [ 29.042838] SyS_sendmsg+0x27/0x40 [ 29.042840] do_syscall_64+0x1d5/0x640 [ 29.042841] entry_SYSCALL_64_after_hwframe+0x46/0xbb [ 29.042842] [ 29.042843] other info that might help us debug this: [ 29.042844] [ 29.042845] Chain exists of: [ 29.042845] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock [ 29.042851] [ 29.042852] Possible unsafe locking scenario: [ 29.042853] [ 29.042854] CPU0 CPU1 [ 29.042855] ---- ---- [ 29.042856] lock(&obj_hash[i].lock); [ 29.042859] lock(hrtimer_bases.lock); [ 29.042861] lock(&obj_hash[i].lock); [ 29.042864] lock((console_sem).lock); [ 29.042866] [ 29.042867] *** DEADLOCK *** [ 29.042868] [ 29.042869] 2 locks held by syz-executor165/7984: [ 29.042870] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10 [ 29.042874] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_check_no_obj_freed+0x135/0x680 [ 29.042879] [ 29.042880] stack backtrace: [ 29.042882] CPU: 1 PID: 7984 Comm: syz-executor165 Not tainted 4.14.259-syzkaller #0 [ 29.042884] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.042885] Call Trace: [ 29.042886] dump_stack+0x1b2/0x281 [ 29.042888] print_circular_bug.constprop.0.cold+0x2d7/0x41e [ 29.042889] __lock_acquire+0x2e0e/0x3f20 [ 29.042890] ? pointer+0x31f/0x9e0 [ 29.042891] ? trace_hardirqs_on+0x10/0x10 [ 29.042893] ? format_decode+0x1cb/0x890 [ 29.042894] ? unwind_next_frame+0xe54/0x17d0 [ 29.042895] ? check_preemption_disabled+0x35/0x240 [ 29.042897] ? kvm_clock_read+0x1f/0x30 [ 29.042898] ? kvm_sched_clock_read+0x5/0x10 [ 29.042899] ? sched_clock+0x2a/0x40 [ 29.042900] ? sched_clock_cpu+0x18/0x1b0 [ 29.042901] lock_acquire+0x170/0x3f0 [ 29.042902] ? down_trylock+0xe/0x60 [ 29.042904] ? vprintk_func+0x58/0x160 [ 29.042905] _raw_spin_lock_irqsave+0x8c/0xc0 [ 29.042906] ? down_trylock+0xe/0x60 [ 29.042907] down_trylock+0xe/0x60 [ 29.042909] ? vprintk_func+0x58/0x160 [ 29.042910] ? vprintk_func+0x58/0x160 [ 29.042911] __down_trylock_console_sem+0x97/0x1e0 [ 29.042912] vprintk_emit+0x1ee/0x620 [ 29.042913] vprintk_func+0x58/0x160 [ 29.042914] printk+0x9e/0xbc [ 29.042916] ? log_store.cold+0x16/0x16 [ 29.042917] ? lock_acquire+0x170/0x3f0 [ 29.042918] ? debug_check_no_obj_freed+0x135/0x680 [ 29.042920] ? execute_in_process_context+0x140/0x140 [ 29.042921] ? execute_in_process_context+0x140/0x140 [ 29.042922] debug_print_object.cold+0xa7/0xdb [ 29.042924] debug_check_no_obj_freed+0x3b7/0x680 [ 29.042925] ? debug_object_activate+0x490/0x490 [ 29.042927] ? rcu_lockdep_current_cpu_online+0xed/0x140 [ 29.042928] kfree+0xb9/0x250 [ 29.042929] ? xps_cpus_show+0x620/0x620 [ 29.042930] kvfree+0x45/0x50 [ 29.042931] device_release+0x15f/0x1a0 [ 29.042932] ? dev_attr_show+0xc0/0xc0 [ 29.042933] kobject_put+0x251/0x550 [ 29.042935] put_device+0x1c/0x30 [ 29.042936] free_netdev+0x26f/0x360 [ 29.042937] rtnl_newlink+0x14e6/0x1860 [ 29.042938] ? rtnl_newlink+0x43d/0x1860 [ 29.042939] ? __lock_acquire+0x5fc/0x3f20 [ 29.042941] ? trace_hardirqs_on+0x10/0x10 [ 29.042942] ? rtnl_dellink+0x6a0/0x6a0 [ 29.042943] ? trace_hardirqs_on+0x10/0x10 [ 29.042945] ? __read_once_size_nocheck.constprop.0+0x10/0x10 [ 29.042946] ? deref_stack_reg+0x124/0x1a0 [ 29.042947] ? lock_acquire+0x170/0x3f0 [ 29.042948] ? lock_downgrade+0x740/0x740 [ 29.042949] ? rtnl_dellink+0x6a0/0x6a0 [ 29.042951] rtnetlink_rcv_msg+0x3be/0xb10 [ 29.042952] ? rtnl_calcit.isra.0+0x3a0/0x3a0 [ 29.042953] ? __netlink_lookup+0x345/0x5d0 [ 29.042955] netlink_rcv_skb+0x125/0x390 [ 29.042956] ? rtnl_calcit.isra.0+0x3a0/0x3a0 [ 29.042957] ? netlink_ack+0x9a0/0x9a0 [ 29.042958] netlink_unicast+0x437/0x610 [ 29.042959] ? netlink_sendskb+0xd0/0xd0 [ 29.042961] ? __check_object_size+0x179/0x230 [ 29.042962] netlink_sendmsg+0x648/0xbc0 [ 29.042963] ? nlmsg_notify+0x1b0/0x1b0 [ 29.042965] ? kernel_recvmsg+0x210/0x210 [ 29.042966] ? security_socket_sendmsg+0x83/0xb0 [ 29.042967] ? nlmsg_notify+0x1b0/0x1b0 [ 29.042968] sock_sendmsg+0xb5/0x100 [ 29.042970] ___sys_sendmsg+0x6c8/0x800 [ 29.042971] ? copy_msghdr_from_user+0x3b0/0x3b0 [ 29.042972] ? trace_hardirqs_on+0x10/0x10 [ 29.042973] ? trace_hardirqs_on+0x10/0x10 [ 29.042975] ? trace_hardirqs_on+0x10/0x10 [ 29.042976] ? __might_fault+0x104/0x1b0 [ 29.042977] ? lock_acquire+0x170/0x3f0 [ 29.042978] ? lock_downgrade+0x740/0x740 [ 29.042979] ? __might_fault+0x177/0x1b0 [ 29.042981] ? _copy_to_user+0x82/0xd0 [ 29.042982] ? move_addr_to_user+0x13f/0x180 [ 29.042983] ? __fdget+0x167/0x1f0 [ 29.042984] ? sockfd_lookup_light+0xb2/0x160 [ 29.042985] __sys_sendmsg+0xa3/0x120 [ 29.042987] ? SyS_shutdown+0x160/0x160 [ 29.042988] ? move_addr_to_kernel+0x60/0x60 [ 29.042989] ? __do_page_fault+0x159/0xad0 [ 29.042990] SyS_sendmsg+0x27/0x40 [ 29.042991] ? __sys_sendmsg+0x120/0x120 [ 29.042993] do_syscall_64+0x1d5/0x640 [ 29.042994] entry_SYSCALL_64_after_hwframe+0x46/0xbb [ 29.042995] RIP: 0033:0x7f1bac7dc3a9 [ 29.042997] RSP: 002b:00007ffe6731c3d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 29.043000] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1bac7dc3a9 [ 29.043002] RDX: 0000000004040000 RSI: 0000000020000080 RDI: 0000000000000004 [ 29.043004] RBP: 00007ffe6731c3e0 R08: 65732f636f72702f R09: 65732f636f72702f [ 29.043006] R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f1bac7a0330 [ 29.043007] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 29.043306] Kernel Offset: disabled [ 30.014622] Rebooting in 86400 seconds..