[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd[ 22.185245] random: sshd: uninitialized urandom read (32 bytes read)
[ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 26.913772] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.254555] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.790531] random: sshd: uninitialized urandom read (32 bytes read)
[ 27.963746] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts.
[ 33.536170] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 33.630999] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 33.655534] ==================================================================
[ 33.665461] BUG: KASAN: use-after-free in __schedule+0xf54/0x1df0
[ 33.671693] Read of size 8 at addr ffff8801acbd0058 by task syz-executor330/4432
[ 33.679215] 
[ 33.680844] CPU: 1 PID: 4432 Comm: syz-executor330 Not tainted 4.18.0+ #208
[ 33.687943] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.697288] Call Trace:
[ 33.699886]  dump_stack+0x1c9/0x2b4
[ 33.703518]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 33.708703]  ? printk+0xa7/0xcf
[ 33.711981]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.716737]  ? __schedule+0xf54/0x1df0
[ 33.720622]  print_address_description+0x6c/0x20b
[ 33.725467]  ? __schedule+0xf54/0x1df0
[ 33.729365]  kasan_report.cold.7+0x242/0x30d
[ 33.733776]  __asan_report_load8_noabort+0x14/0x20
[ 33.738716]  __schedule+0xf54/0x1df0
[ 33.742444]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 33.747546]  ? __sched_text_start+0x8/0x8
[ 33.751694]  ? __call_srcu+0x7e7/0x1040
[ 33.755678]  ? check_same_owner+0x340/0x340
[ 33.759998]  ? mark_held_locks+0x160/0x160
[ 33.764231]  ? find_held_lock+0x36/0x1c0
[ 33.768293]  preempt_schedule_common+0x22/0x60
[ 33.772876]  _cond_resched+0x1d/0x30
[ 33.776590]  wait_for_completion+0xa5/0x8d0
[ 33.780914]  ? wait_for_completion_interruptible+0x950/0x950
[ 33.786709]  ? __lockdep_init_map+0x105/0x590
[ 33.791204]  ? __init_waitqueue_head+0x9e/0x150
[ 33.795873]  ? init_wait_entry+0x1c0/0x1c0
[ 33.800113]  __synchronize_srcu+0x189/0x240
[ 33.804433]  ? call_srcu+0x10/0x10
[ 33.807974]  ? rcu_unexpedite_gp+0x20/0x20
[ 33.812213]  synchronize_srcu+0x335/0x56f
[ 33.816363]  ? lock_downgrade+0x8f0/0x8f0
[ 33.820535]  ? synchronize_srcu_expedited+0x20/0x20
[ 33.825573]  ? kasan_check_read+0x11/0x20
[ 33.829722]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 33.834300]  ? kasan_check_write+0x14/0x20
[ 33.838530]  ? do_raw_spin_lock+0xc1/0x200
[ 33.842768]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 33.848478]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 33.853928]  ? kvfree+0x61/0x70
[ 33.857205]  ? rcu_read_lock_sched_held+0x108/0x120
[ 33.862219]  kvm_mmu_uninit_vm+0x1c/0x20
[ 33.866277]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 33.870682]  ? kvm_arch_sync_events+0x30/0x30
[ 33.875181]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.880717]  ? mmu_notifier_unregister+0x474/0x600
[ 33.885639]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 33.890043]  ? kfree+0x111/0x210
[ 33.893410]  ? __mmu_notifier_register+0x30/0x30
[ 33.898168]  ? __free_pages+0x10a/0x190
[ 33.902141]  ? free_unref_page+0x930/0x930
[ 33.906382]  kvm_put_kvm+0x73f/0x1060
[ 33.910190]  ? kvm_write_guest_cached+0x40/0x40
[ 33.914869]  ? _raw_spin_unlock_irq+0x27/0x70
[ 33.919366]  ? _raw_spin_unlock_irq+0x27/0x70
[ 33.923859]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 33.928447]  ? kasan_check_write+0x14/0x20
[ 33.932676]  ? do_raw_spin_lock+0xc1/0x200
[ 33.936911]  ? kvm_irqfd_release+0xdd/0x120
[ 33.941229]  ? kvm_irqfd_release+0xdd/0x120
[ 33.945549]  ? kvm_put_kvm+0x1060/0x1060
[ 33.949608]  kvm_vm_release+0x42/0x50
[ 33.953410]  __fput+0x36e/0x8c0
[ 33.956689]  ? __alloc_file+0x400/0x400
[ 33.960663]  ? check_same_owner+0x340/0x340
[ 33.964997]  ? kasan_check_write+0x14/0x20
[ 33.969224]  ? do_raw_spin_lock+0xc1/0x200
[ 33.973454]  ____fput+0x15/0x20
[ 33.976732]  task_work_run+0x1e8/0x2a0
[ 33.980616]  ? task_work_cancel+0x240/0x240
[ 33.984939]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 33.990481]  ? switch_task_namespaces+0xa2/0xd0
[ 33.995168]  do_exit+0x1ae4/0x26e0
[ 33.998708]  ? mm_update_next_owner+0x9a0/0x9a0
[ 34.003384]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 34.007628]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.012641]  ? kfree+0x1d7/0x210
[ 34.016008]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 34.020241]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 34.025974]  ? is_bpf_text_address+0xd7/0x170
[ 34.030469]  ? kernel_text_address+0x79/0xf0
[ 34.034882]  ? __kernel_text_address+0xd/0x40
[ 34.039374]  ? unwind_get_return_address+0x61/0xa0
[ 34.044316]  ? __save_stack_trace+0x8d/0xf0
[ 34.048645]  ? save_stack+0xa9/0xd0
[ 34.052267]  ? save_stack+0x43/0xd0
[ 34.055903]  ? __kasan_slab_free+0x11a/0x170
[ 34.060322]  ? kasan_slab_free+0xe/0x10
[ 34.064298]  ? putname+0xf2/0x130
[ 34.067771]  ? __x64_sys_openat+0x9d/0x100
[ 34.072000]  ? do_syscall_64+0x1b9/0x820
[ 34.076074]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.081436]  ? trace_hardirqs_off+0xb8/0x2b0
[ 34.085840]  ? kasan_check_read+0x11/0x20
[ 34.089991]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 34.094392]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.098828]  ? initcall_blacklisted+0x9a/0x1e0
[ 34.103430]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 34.108537]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 34.114249]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.119781]  ? do_vfs_ioctl+0x201/0x1720
[ 34.123836]  ? rcu_is_watching+0x8c/0x150
[ 34.127983]  ? trace_hardirqs_on+0xbd/0x2c0
[ 34.132301]  ? ioctl_preallocate+0x300/0x300
[ 34.136707]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.142244]  ? __fget_light+0x2f7/0x440
[ 34.146219]  ? fget_raw+0x20/0x20
[ 34.149666]  ? putname+0xf2/0x130
[ 34.153120]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.158128]  ? kmem_cache_free+0x246/0x280
[ 34.162363]  ? putname+0xf7/0x130
[ 34.165988]  do_group_exit+0x177/0x440
[ 34.169913]  ? trace_hardirqs_on+0xbd/0x2c0
[ 34.174286]  ? __ia32_sys_exit+0x50/0x50
[ 34.178380]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 34.183481]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 34.189016]  ? ksys_ioctl+0x81/0xd0
[ 34.192642]  __x64_sys_exit_group+0x3e/0x50
[ 34.196972]  do_syscall_64+0x1b9/0x820
[ 34.200875]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.206237]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 34.211160]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.216000]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 34.221025]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 34.226043]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 34.231060]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.235921]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.241125] RIP: 0033:0x43ef08
[ 34.244318] Code: Bad RIP value.
[ 34.247680] RSP: 002b:00007fff33e3a628 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 34.255392] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08
[ 34.262657] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 34.269926] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 34.277206] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 34.284473] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 34.291747] 
[ 34.293388] Allocated by task 4432:
[ 34.297022]  save_stack+0x43/0xd0
[ 34.300958]  kasan_kmalloc+0xc4/0xe0
[ 34.304673]  kasan_slab_alloc+0x12/0x20
[ 34.308659]  kmem_cache_alloc+0x12e/0x710
[ 34.312803]  vmx_create_vcpu+0xcf/0x2830
[ 34.316900]  kvm_arch_vcpu_create+0xe5/0x220
[ 34.321303]  kvm_vm_ioctl+0x488/0x1d80
[ 34.325194]  do_vfs_ioctl+0x1de/0x1720
[ 34.329101]  ksys_ioctl+0xa9/0xd0
[ 34.332549]  __x64_sys_ioctl+0x73/0xb0
[ 34.336431]  do_syscall_64+0x1b9/0x820
[ 34.340317]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.345499] 
[ 34.347115] Freed by task 4432:
[ 34.350391]  save_stack+0x43/0xd0
[ 34.353840]  __kasan_slab_free+0x11a/0x170
[ 34.358085]  kasan_slab_free+0xe/0x10
[ 34.361880]  kmem_cache_free+0x86/0x280
[ 34.365850]  vmx_free_vcpu+0x26b/0x300
[ 34.369734]  kvm_arch_destroy_vm+0x365/0x7c0
[ 34.374142]  kvm_put_kvm+0x73f/0x1060
[ 34.377942]  kvm_vm_release+0x42/0x50
[ 34.381740]  __fput+0x36e/0x8c0
[ 34.385018]  ____fput+0x15/0x20
[ 34.388299]  task_work_run+0x1e8/0x2a0
[ 34.392179]  do_exit+0x1ae4/0x26e0
[ 34.395711]  do_group_exit+0x177/0x440
[ 34.399597]  __x64_sys_exit_group+0x3e/0x50
[ 34.403920]  do_syscall_64+0x1b9/0x820
[ 34.407806]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.412982] 
[ 34.414609] The buggy address belongs to the object at ffff8801acbd0040
[ 34.414609]  which belongs to the cache kvm_vcpu of size 23872
[ 34.427212] The buggy address is located 24 bytes inside of
[ 34.427212]  23872-byte region [ffff8801acbd0040, ffff8801acbd5d80)
[ 34.439656] The buggy address belongs to the page:
[ 34.444601] page:ffffea0006b2f400 count:1 mapcount:0 mapping:ffff8801d4be5a80 index:0x0 compound_mapcount: 0
[ 34.454572] flags: 0x2fffc0000008100(slab|head)
[ 34.459253] raw: 02fffc0000008100 ffff8801d4be4b48 ffff8801d4be4b48 ffff8801d4be5a80
[ 34.467191] raw: 0000000000000000 ffff8801acbd0040 0000000100000001 0000000000000000
[ 34.475065] page dumped because: kasan: bad access detected
[ 34.480764] 
[ 34.482394] Memory state around the buggy address:
[ 34.487361]  ffff8801acbcff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.494732]  ffff8801acbcff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.502087] >ffff8801acbd0000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 34.509454]                                                     ^
[ 34.515683]  ffff8801acbd0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.523039]  ffff8801acbd0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.530399] ==================================================================
[ 34.537750] Kernel panic - not syncing: panic_on_warn set ...
[ 34.537750] 
[ 34.545114] CPU: 1 PID: 4432 Comm: syz-executor330 Tainted: G B 4.18.0+ #208
[ 34.553600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.562950] Call Trace:
[ 34.565546]  dump_stack+0x1c9/0x2b4
[ 34.569180]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 34.574374]  ? lock_downgrade+0x8f0/0x8f0
[ 34.578527]  ? __schedule+0xf54/0x1df0
[ 34.582431]  panic+0x238/0x4e7
[ 34.585621]  ? add_taint.cold.5+0x16/0x16
[ 34.589770]  ? print_shadow_for_address+0xba/0x116
[ 34.594697]  ? trace_hardirqs_off+0xaf/0x2b0
[ 34.599106]  ? trace_hardirqs_off+0x77/0x2b0
[ 34.603514]  ? __schedule+0xf54/0x1df0
[ 34.607435]  kasan_end_report+0x47/0x4f
[ 34.611413]  kasan_report.cold.7+0x76/0x30d
[ 34.615736]  __asan_report_load8_noabort+0x14/0x20
[ 34.620662]  __schedule+0xf54/0x1df0
[ 34.624378]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 34.629491]  ? __sched_text_start+0x8/0x8
[ 34.633641]  ? __call_srcu+0x7e7/0x1040
[ 34.637617]  ? check_same_owner+0x340/0x340
[ 34.641933]  ? mark_held_locks+0x160/0x160
[ 34.646165]  ? find_held_lock+0x36/0x1c0
[ 34.650226]  preempt_schedule_common+0x22/0x60
[ 34.654806]  _cond_resched+0x1d/0x30
[ 34.658524]  wait_for_completion+0xa5/0x8d0
[ 34.662861]  ? wait_for_completion_interruptible+0x950/0x950
[ 34.668657]  ? __lockdep_init_map+0x105/0x590
[ 34.673166]  ? __init_waitqueue_head+0x9e/0x150
[ 34.677832]  ? init_wait_entry+0x1c0/0x1c0
[ 34.682069]  __synchronize_srcu+0x189/0x240
[ 34.686383]  ? call_srcu+0x10/0x10
[ 34.689940]  ? rcu_unexpedite_gp+0x20/0x20
[ 34.694178]  synchronize_srcu+0x335/0x56f
[ 34.698322]  ? lock_downgrade+0x8f0/0x8f0
[ 34.702477]  ? synchronize_srcu_expedited+0x20/0x20
[ 34.707505]  ? kasan_check_read+0x11/0x20
[ 34.711663]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 34.716241]  ? kasan_check_write+0x14/0x20
[ 34.720472]  ? do_raw_spin_lock+0xc1/0x200
[ 34.724708]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 34.730427]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 34.735881]  ? kvfree+0x61/0x70
[ 34.739159]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.744171]  kvm_mmu_uninit_vm+0x1c/0x20
[ 34.748232]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 34.752641]  ? kvm_arch_sync_events+0x30/0x30
[ 34.757140]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.762679]  ? mmu_notifier_unregister+0x474/0x600
[ 34.767608]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.772026]  ? kfree+0x111/0x210
[ 34.775416]  ? __mmu_notifier_register+0x30/0x30
[ 34.780173]  ? __free_pages+0x10a/0x190
[ 34.784143]  ? free_unref_page+0x930/0x930
[ 34.788383]  kvm_put_kvm+0x73f/0x1060
[ 34.792194]  ? kvm_write_guest_cached+0x40/0x40
[ 34.796866]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.801363]  ? _raw_spin_unlock_irq+0x27/0x70
[ 34.805856]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 34.810450]  ? kasan_check_write+0x14/0x20
[ 34.814682]  ? do_raw_spin_lock+0xc1/0x200
[ 34.818918]  ? kvm_irqfd_release+0xdd/0x120
[ 34.823235]  ? kvm_irqfd_release+0xdd/0x120
[ 34.827556]  ? kvm_put_kvm+0x1060/0x1060
[ 34.831611]  kvm_vm_release+0x42/0x50
[ 34.835447]  __fput+0x36e/0x8c0
[ 34.838755]  ? __alloc_file+0x400/0x400
[ 34.842728]  ? check_same_owner+0x340/0x340
[ 34.847046]  ? kasan_check_write+0x14/0x20
[ 34.851278]  ? do_raw_spin_lock+0xc1/0x200
[ 34.855512]  ____fput+0x15/0x20
[ 34.858788]  task_work_run+0x1e8/0x2a0
[ 34.862684]  ? task_work_cancel+0x240/0x240
[ 34.867007]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 34.872544]  ? switch_task_namespaces+0xa2/0xd0
[ 34.877210]  do_exit+0x1ae4/0x26e0
[ 34.880751]  ? mm_update_next_owner+0x9a0/0x9a0
[ 34.885422]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 34.889654]  ? rcu_read_lock_sched_held+0x108/0x120
[ 34.894669]  ? kfree+0x1d7/0x210
[ 34.898039]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 34.902273]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 34.907982]  ? is_bpf_text_address+0xd7/0x170
[ 34.912477]  ? kernel_text_address+0x79/0xf0
[ 34.916884]  ? __kernel_text_address+0xd/0x40
[ 34.921376]  ? unwind_get_return_address+0x61/0xa0
[ 34.926305]  ? __save_stack_trace+0x8d/0xf0
[ 34.930627]  ? save_stack+0xa9/0xd0
[ 34.934252]  ? save_stack+0x43/0xd0
[ 34.937899]  ? __kasan_slab_free+0x11a/0x170
[ 34.942315]  ? kasan_slab_free+0xe/0x10
[ 34.946304]  ? putname+0xf2/0x130
[ 34.949756]  ? __x64_sys_openat+0x9d/0x100
[ 34.953993]  ? do_syscall_64+0x1b9/0x820
[ 34.958056]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.963418]  ? trace_hardirqs_off+0xb8/0x2b0
[ 34.967823]  ? kasan_check_read+0x11/0x20
[ 34.971968]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 34.976376]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 34.980791]  ? initcall_blacklisted+0x9a/0x1e0
[ 34.985381]  ? _raw_spin_unlock_irqrestore+0x63/0xc0
[ 34.990488]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 34.996204]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.001742]  ? do_vfs_ioctl+0x201/0x1720
[ 35.005798]  ? rcu_is_watching+0x8c/0x150
[ 35.009992]  ? trace_hardirqs_on+0xbd/0x2c0
[ 35.014314]  ? ioctl_preallocate+0x300/0x300
[ 35.018729]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.024284]  ? __fget_light+0x2f7/0x440
[ 35.028259]  ? fget_raw+0x20/0x20
[ 35.031708]  ? putname+0xf2/0x130
[ 35.035164]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.040182]  ? kmem_cache_free+0x246/0x280
[ 35.044417]  ? putname+0xf7/0x130
[ 35.047875]  do_group_exit+0x177/0x440
[ 35.051778]  ? trace_hardirqs_on+0xbd/0x2c0
[ 35.056095]  ? __ia32_sys_exit+0x50/0x50
[ 35.060152]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 35.065253]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 35.070788]  ? ksys_ioctl+0x81/0xd0
[ 35.074420]  __x64_sys_exit_group+0x3e/0x50
[ 35.078739]  do_syscall_64+0x1b9/0x820
[ 35.082630]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.087992]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 35.092941]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.097778]  ? trace_hardirqs_on_caller+0x2b0/0x2b0
[ 35.102796]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 35.107839]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 35.112867]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 35.117719]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.122905] RIP: 0033:0x43ef08
[ 35.126095] Code: Bad RIP value.
[ 35.129453] RSP: 002b:00007fff33e3a628 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 35.137159] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef08
[ 35.144429] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 35.151717] RBP: 00000000004be7c8 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 35.158985] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 35.166251] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 35.173544] 
[ 35.173550] ======================================================
[ 35.173556] WARNING: possible circular locking dependency detected
[ 35.173559] 4.18.0+ #208 Not tainted
[ 35.173565] ------------------------------------------------------
[ 35.173570] syz-executor330/4432 is trying to acquire lock:
[ 35.173573] 000000007c4c8770 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70
[ 35.173588] 
[ 35.173592] but task is already holding lock:
[ 35.173596] 00000000558be7f3 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 35.173610] 
[ 35.173614] which lock already depends on the new lock.
[ 35.173617] 
[ 35.173619] 
[ 35.173624] the existing dependency chain (in reverse order) is:
[ 35.173626] 
[ 35.173629] -> #3 (report_lock){....}:
[ 35.173643]        _raw_spin_lock_irqsave+0x96/0xc0
[ 35.173647]        kasan_report+0x8e/0x110
[ 35.173652]        __asan_report_load8_noabort+0x14/0x20
[ 35.173656]        __schedule+0xf54/0x1df0
[ 35.173660]        preempt_schedule_common+0x22/0x60
[ 35.173664]        _cond_resched+0x1d/0x30
[ 35.173668]        wait_for_completion+0xa5/0x8d0
[ 35.173672]        __synchronize_srcu+0x189/0x240
[ 35.173677]        synchronize_srcu+0x335/0x56f
[ 35.173682]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 35.173686]        kvm_mmu_uninit_vm+0x1c/0x20
[ 35.173690]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 35.173694]        kvm_put_kvm+0x73f/0x1060
[ 35.173698]        kvm_vm_release+0x42/0x50
[ 35.173701]        __fput+0x36e/0x8c0
[ 35.173705]        ____fput+0x15/0x20
[ 35.173708]        task_work_run+0x1e8/0x2a0
[ 35.173712]        do_exit+0x1ae4/0x26e0
[ 35.173716]        do_group_exit+0x177/0x440
[ 35.173720]        __x64_sys_exit_group+0x3e/0x50
[ 35.173724]        do_syscall_64+0x1b9/0x820
[ 35.173729]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.173731] 
[ 35.173733] -> #2 (&rq->lock){-.-.}:
[ 35.173748]        _raw_spin_lock+0x2a/0x40
[ 35.173751]        task_fork_fair+0x93/0x680
[ 35.173755]        sched_fork+0x44b/0xbd0
[ 35.173759]        copy_process+0x235e/0x7ad0
[ 35.173763]        _do_fork+0x1ca/0x1170
[ 35.173767]        kernel_thread+0x34/0x40
[ 35.173770]        rest_init+0x22/0xe4
[ 35.173774]        start_kernel+0x913/0x94e
[ 35.173779]        x86_64_start_reservations+0x29/0x2b
[ 35.173783]        x86_64_start_kernel+0x76/0x79
[ 35.173787]        secondary_startup_64+0xa4/0xb0
[ 35.173789] 
[ 35.173791] -> #1 (&p->pi_lock){-.-.}:
[ 35.173806]        _raw_spin_lock_irqsave+0x96/0xc0
[ 35.173810]        try_to_wake_up+0xd2/0x1250
[ 35.173814]        wake_up_process+0x10/0x20
[ 35.173818]        __up.isra.1+0x1c0/0x2a0
[ 35.173821]        up+0x13c/0x1c0
[ 35.173825]        __up_console_sem+0xbe/0x1b0
[ 35.173829]        console_unlock+0x506/0x10d0
[ 35.173833]        do_con_write+0x1375/0x23d0
[ 35.173837]        con_write+0x25/0xc0
[ 35.173840]        n_tty_write+0x6c1/0x11a0
[ 35.173844]        tty_write+0x3f1/0x880
[ 35.173848]        __vfs_write+0x117/0x9d0
[ 35.173852]        vfs_write+0x1fc/0x560
[ 35.173855]        ksys_write+0x101/0x260
[ 35.173859]        __x64_sys_write+0x73/0xb0
[ 35.173869]        do_syscall_64+0x1b9/0x820
[ 35.173874]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.173876] 
[ 35.173879] -> #0 ((console_sem).lock){-...}:
[ 35.173893]        lock_acquire+0x1e4/0x4f0
[ 35.173898]        _raw_spin_lock_irqsave+0x96/0xc0
[ 35.173901]        down_trylock+0x13/0x70
[ 35.173906]        __down_trylock_console_sem+0xae/0x200
[ 35.173910]        console_trylock+0x15/0xa0
[ 35.173914]        vprintk_emit+0x31f/0x910
[ 35.173918]        vprintk_default+0x28/0x30
[ 35.173921]        vprintk_func+0x7a/0x117
[ 35.173925]        printk+0xa7/0xcf
[ 35.173929]        kasan_report+0x9e/0x110
[ 35.173933]        __asan_report_load8_noabort+0x14/0x20
[ 35.173937]        __schedule+0xf54/0x1df0
[ 35.173941]        preempt_schedule_common+0x22/0x60
[ 35.173945]        _cond_resched+0x1d/0x30
[ 35.173949]        wait_for_completion+0xa5/0x8d0
[ 35.173954]        __synchronize_srcu+0x189/0x240
[ 35.173958]        synchronize_srcu+0x335/0x56f
[ 35.173963]        kvm_page_track_unregister_notifier+0x17d/0x250
[ 35.173967]        kvm_mmu_uninit_vm+0x1c/0x20
[ 35.173971]        kvm_arch_destroy_vm+0x5f2/0x7c0
[ 35.173975]        kvm_put_kvm+0x73f/0x1060
[ 35.173979]        kvm_vm_release+0x42/0x50
[ 35.173982]        __fput+0x36e/0x8c0
[ 35.173986]        ____fput+0x15/0x20
[ 35.173990]        task_work_run+0x1e8/0x2a0
[ 35.173994]        do_exit+0x1ae4/0x26e0
[ 35.173998]        do_group_exit+0x177/0x440
[ 35.174002]        __x64_sys_exit_group+0x3e/0x50
[ 35.174006]        do_syscall_64+0x1b9/0x820
[ 35.174011]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.174013] 
[ 35.174017] other info that might help us debug this:
[ 35.174020] 
[ 35.174023] Chain exists of:
[ 35.174025]   (console_sem).lock --> &rq->lock --> report_lock
[ 35.174043] 
[ 35.174047]  Possible unsafe locking scenario:
[ 35.174049] 
[ 35.174053]        CPU0                    CPU1
[ 35.174057]        ----                    ----
[ 35.174060]   lock(report_lock);
[ 35.174069]                                lock(&rq->lock);
[ 35.174078]                                lock(report_lock);
[ 35.174086]   lock((console_sem).lock);
[ 35.174094] 
[ 35.174098]  *** DEADLOCK ***
[ 35.174100] 
[ 35.174104] 2 locks held by syz-executor330/4432:
[ 35.174106]  #0: 000000006cbec41f (&rq->lock){-.-.}, at: __schedule+0x24d/0x1df0
[ 35.174123]  #1: 00000000558be7f3 (report_lock){....}, at: kasan_report+0x8e/0x110
[ 35.174140] 
[ 35.174143] stack backtrace:
[ 35.174149] CPU: 1 PID: 4432 Comm: syz-executor330 Not tainted 4.18.0+ #208
[ 35.174156] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.174159] Call Trace:
[ 35.174163]  dump_stack+0x1c9/0x2b4
[ 35.174168]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 35.174172]  ? vprintk_func+0x100/0x117
[ 35.174177]  print_circular_bug.isra.34.cold.55+0x1bd/0x27d
[ 35.174180]  ? save_trace+0xe0/0x290
[ 35.174184]  __lock_acquire+0x3449/0x5020
[ 35.174189]  ? mark_held_locks+0x160/0x160
[ 35.174193]  ? mark_held_locks+0x160/0x160
[ 35.174197]  ? rcu_cleanup_dead_rnp+0x200/0x200
[ 35.174201]  ? is_bpf_text_address+0xd7/0x170
[ 35.174205]  ? kernel_text_address+0x79/0xf0
[ 35.174210]  ? __kernel_text_address+0xd/0x40
[ 35.174214]  ? __save_stack_trace+0x8d/0xf0
[ 35.174218]  ? add_lock_to_list.isra.27+0x1ec/0x4b0
[ 35.174222]  ? save_trace+0x290/0x290
[ 35.174226]  ? save_stack_trace+0x1a/0x20
[ 35.174230]  ? save_trace+0xe0/0x290
[ 35.174233]  ? graph_lock+0x170/0x170
[ 35.174238]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.174242]  lock_acquire+0x1e4/0x4f0
[ 35.174246]  ? down_trylock+0x13/0x70
[ 35.174250]  ? lock_release+0x9f0/0x9f0
[ 35.174255]  ? trace_hardirqs_off+0xb8/0x2b0
[ 35.174259]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.174263]  ? trace_hardirqs_off+0xb8/0x2b0
[ 35.174267]  ? log_store+0x34f/0x4c0
[ 35.174271]  ? vprintk_emit+0x31f/0x910
[ 35.174275]  _raw_spin_lock_irqsave+0x96/0xc0
[ 35.174279]  ? down_trylock+0x13/0x70
[ 35.174282]  down_trylock+0x13/0x70
[ 35.174287]  __down_trylock_console_sem+0xae/0x200
[ 35.174291]  console_trylock+0x15/0xa0
[ 35.174294]  vprintk_emit+0x31f/0x910
[ 35.174298]  ? wake_up_klogd+0x110/0x110
[ 35.174303]  ? run_rebalance_domains+0x4c0/0x4c0
[ 35.174307]  ? kasan_check_read+0x11/0x20
[ 35.174311]  ? rcu_is_watching+0x8c/0x150
[ 35.174315]  ? rcu_pm_notify+0xc0/0xc0
[ 35.174318]  ? lock_acquire+0x1e4/0x4f0
[ 35.174322]  ? kasan_report+0x8e/0x110
[ 35.174326]  ? __schedule+0xf54/0x1df0
[ 35.174330]  vprintk_default+0x28/0x30
[ 35.174334]  vprintk_func+0x7a/0x117
[ 35.174337]  printk+0xa7/0xcf
[ 35.174351]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 35.174355]  ? kasan_check_write+0x14/0x20
[ 35.174359]  ? do_raw_spin_lock+0xc1/0x200
[ 35.174363]  ? do_raw_spin_lock+0xc1/0x200
[ 35.174367]  kasan_report+0x9e/0x110
[ 35.174371]  __asan_report_load8_noabort+0x14/0x20
[ 35.174375]  __schedule+0xf54/0x1df0
[ 35.174379]  ? trace_hardirqs_off_caller+0x2b0/0x2b0
[ 35.174383]  ? __sched_text_start+0x8/0x8
[ 35.174387]  ? __call_srcu+0x7e7/0x1040
[ 35.174392]  ? check_same_owner+0x340/0x340
[ 35.174396]  ? mark_held_locks+0x160/0x160
[ 35.174400]  ? find_held_lock+0x36/0x1c0
[ 35.174404]  preempt_schedule_common+0x22/0x60
[ 35.174408]  _cond_resched+0x1d/0x30
[ 35.174412]  wait_for_completion+0xa5/0x8d0
[ 35.174417]  ? wait_for_completion_interruptible+0x950/0x950
[ 35.174421]  ? __lockdep_init_map+0x105/0x590
[ 35.174426]  ? __init_waitqueue_head+0x9e/0x150
[ 35.174430]  ? init_wait_entry+0x1c0/0x1c0
[ 35.174434]  __synchronize_srcu+0x189/0x240
[ 35.174438]  ? call_srcu+0x10/0x10
[ 35.174442]  ? rcu_unexpedite_gp+0x20/0x20
[ 35.174446]  synchronize_srcu+0x335/0x56f
[ 35.174450]  ? lock_downgrade+0x8f0/0x8f0
[ 35.174455]  ? synchronize_srcu_expedited+0x20/0x20
[ 35.174459]  ? kasan_check_read+0x11/0x20
[ 35.174463]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 35.174467]  ? kasan_check_write+0x14/0x20
[ 35.174471]  ? do_raw_spin_lock+0xc1/0x200
[ 35.174476]  kvm_page_track_unregister_notifier+0x17d/0x250
[ 35.174481]  ? kvm_slot_page_track_remove_page+0x70/0x70
[ 35.174484]  ? kvfree+0x61/0x70
[ 35.174489]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.174493]  kvm_mmu_uninit_vm+0x1c/0x20
[ 35.174497]  kvm_arch_destroy_vm+0x5f2/0x7c0
[ 35.174501]  ? kvm_arch_sync_events+0x30/0x30
[ 35.174506]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.174511]  ? mmu_notifier_unregister+0x474/0x600
[ 35.174515]  ? trace_hardirqs_on+0x2c0/0x2c0
[ 35.174518]  ? kfree+0x111/0x210
[ 35.174523]  ? __mmu_notifier_register+0x30/0x30
[ 35.174527]  ? __free_pages+0x10a/0x190
[ 35.174531]  ? free_unref_page+0x930/0x930
[ 35.174535]  kvm_put_kvm+0x73f/0x1060
[ 35.174539]  ? kvm_write_guest_cached+0x40/0x40
[ 35.174543]  ? _raw_spin_unlock_irq+0x27/0x70
[ 35.174547]  ? _raw_spin_unlock_irq+0x27/0x70
[ 35.174552]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 35.174556]  ? kasan_check_write+0x14/0x20
[ 35.174560]  ? do_raw_spin_lock+0xc1/0x200
[ 35.174564]  ? kvm_irqfd_release+0xdd/0x120
[ 35.174568]  ? kvm_irqfd_release+0xdd/0x120
[ 35.174572]  ? kvm_put_kvm+0x1060/0x1060
[ 35.174576]  kvm_vm_release+0x42/0x50
[ 35.174579]  __fput+0x36e/0x8c0
[ 35.174583]  ? __alloc_file+0x400/0x400
[ 35.174587]  ? check_same_owner+0x340/0x340
[ 35.174591]  ? kasan_check_write+0x14/0x20
[ 35.174595]  ? do_raw_spin_lock+0xc1/0x200
[ 35.174599]  ____fput+0x15/0x20
[ 35.174603]  task_work_run+0x1e8/0x2a0
[ 35.174607]  ? task_work_cancel+0x240/0x240
[ 35.174612]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 35.174617]  ? switch_task_namespaces+0xa2/0xd0
[ 35.174620]  do_exit+0x1ae4/0x26e0
[ 35.174624]  ? mm_update_next_owner+0x9a0/0x9a0
[ 35.174629]  ? kvm_vcpu_ioctl+0x2b5/0x1280
[ 35.174633]  ? rcu_read_lock_sched_held+0x108/0x120
[ 35.174637]  ? kfree+0x1d7/0x210
[ 35.174641]  ? kvm_vcpu_ioctl+0x2ba/0x1280
[ 35.174646]  ? kvm_uevent_notify_change.part.32+0x440/0x440
[ 35.174648]  ? 
[ 35.174656] Lost 56 message(s)!
[ 36.292474] Shutting down cpus with NMI
[ 37.351968] Dumping ftrace buffer:
[ 37.355495]    (ftrace buffer empty)
[ 37.359184] Kernel Offset: disabled
[ 37.362792] Rebooting in 86400 seconds..
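Reading the report: the freed object is a kvm_vcpu allocated by vmx_create_vcpu and freed by vmx_free_vcpu during VM teardown (kvm_arch_destroy_vm), and the faulting load is an 8-byte read 24 bytes into that object from __schedule, reached when the same teardown path later blocks in synchronize_srcu. In 4.18 struct kvm_vcpu begins with a struct kvm pointer followed by its struct preempt_notifier (KVM selects CONFIG_PREEMPT_NOTIFIERS), and a preempt_notifier is a two-pointer hlist_node followed by an ops pointer, which puts ops exactly 24 bytes in. That is what __schedule reads when it fires a task's preempt notifiers. KVM registers that notifier in vcpu_load() and unregisters it in vcpu_put(); a vcpu freed while its notifier is still linked leaves a dangling node on the task's list, and the next context switch walks into the freed slab object. The report does not show which path skipped the unregister, and nothing here identifies the fix. The following C model is an added illustration of that failure mode, not KVM code: it uses a tiny KASAN-style slab with the same shadow markers the report prints (0x00 live, 0xfb freed, 0xfc redzone), a vcpu layout that is an assumption modelled on 4.18's, and a scheduler walk that reports a violation instead of dereferencing freed memory; vcpu_free_buggy and vcpu_free_fixed are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Miniature KASAN-style slab: one shadow byte per slot, using the markers the
 * report prints: 0x00 live, 0xfb freed (use-after-free), 0xfc redzone/unused. */
#define SLOTS     4
#define SLOT_SIZE 64
static _Alignas(16) unsigned char pool[SLOTS][SLOT_SIZE];
static unsigned char shadow[SLOTS];

static void slab_reset(void)
{
    memset(shadow, 0xfc, sizeof shadow);
    memset(pool, 0, sizeof pool);
}

static void *slab_alloc(void)
{
    for (int i = 0; i < SLOTS; i++)
        if (shadow[i] != 0x00) { shadow[i] = 0x00; return pool[i]; }
    return NULL;
}

/* Freeing poisons the shadow only; the object's bytes stay where they were,
 * which is why a stale list node still "works" until something checks it. */
static void slab_free(void *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (p == (void *)pool[i]) shadow[i] = 0xfb;
}

/* The check KASAN performs on every load: is the address inside a live slot? */
static int access_ok(const void *p)
{
    const unsigned char *a = p;
    for (int i = 0; i < SLOTS; i++)
        if (a >= pool[i] && a < pool[i] + SLOT_SIZE)
            return shadow[i] == 0x00;
    return 0;
}

/* Assumed layout modelled on 4.18: struct kvm * first, then a preempt_notifier
 * made of a two-pointer hlist_node plus an ops pointer, so ops sits at offset 24. */
struct hnode { struct hnode *next, **pprev; };
struct notifier { struct hnode link; const char *ops; };
struct vcpu { void *kvm; struct notifier notifier; int cpu; };

#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

static struct hnode *task_notifiers;   /* stands in for current->preempt_notifiers */

static void notifier_register(struct notifier *n)
{
    n->link.next = task_notifiers;
    if (task_notifiers) task_notifiers->pprev = &n->link.next;
    n->link.pprev = &task_notifiers;
    task_notifiers = &n->link;
}

static void notifier_unregister(struct notifier *n)
{
    *n->link.pprev = n->link.next;
    if (n->link.next) n->link.next->pprev = n->link.pprev;
    n->link.next = NULL;
    n->link.pprev = NULL;
}

static struct vcpu *vcpu_create(void)
{
    struct vcpu *v = slab_alloc();
    if (!v) return NULL;
    v->notifier.ops = "kvm_preempt_ops";
    notifier_register(&v->notifier);        /* the registration vcpu_load() performs */
    return v;
}

/* Buggy teardown (hypothetical name): frees the vcpu with its node still linked. */
static void vcpu_free_buggy(struct vcpu *v) { slab_free(v); }

/* Fixed teardown (hypothetical name): unlink first, as vcpu_put() does, then free. */
static void vcpu_free_fixed(struct vcpu *v) { notifier_unregister(&v->notifier); slab_free(v); }

/* Models __schedule() firing the task's preempt notifiers: loads each ops pointer.
 * Returns the number of KASAN-style violations instead of chasing stale pointers. */
static int schedule_walk(void)
{
    int violations = 0;
    for (struct hnode *h = task_notifiers; h; h = h->next) {
        struct notifier *n = container_of(h, struct notifier, link);
        if (!access_ok(&n->ops)) { violations++; break; }   /* h->next is stale too; stop */
        (void)n->ops;                                        /* real code: n->ops->sched_out(...) */
    }
    return violations;
}

/* Create one vcpu, tear it down one way or the other, then "context switch". */
static int run_scenario(int fixed)
{
    slab_reset();
    task_notifiers = NULL;
    struct vcpu *v = vcpu_create();
    if (!v) return -1;
    if (fixed) vcpu_free_fixed(v); else vcpu_free_buggy(v);
    return schedule_walk();
}

int main(void)
{
    printf("ops offset: %zu bytes (report says 24 bytes inside the object)\n",
           offsetof(struct vcpu, notifier.ops));
    printf("buggy teardown: %d use-after-free\n", run_scenario(0));
    printf("fixed teardown: %d use-after-free\n", run_scenario(1));
    return 0;
}
```

The model also explains why the second splat (the circular locking dependency) appears: it is lockdep objecting to KASAN taking report_lock and then printk's console_sem while __schedule already holds rq->lock, a consequence of where the report fired rather than a separate defect. In practice the question to answer from such a log is which exit path between vcpu_load() and vcpu_put() skipped the unregister, since the freed object is only dangerous because the scheduler still holds a pointer into it.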