[ 35.973458] audit: type=1800 audit(1583874454.408:33): pid=7303 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 35.997732] audit: type=1800 audit(1583874454.408:34): pid=7303 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 37.459364] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.765048] audit: type=1400 audit(1583874456.198:35): avc: denied { map } for pid=7476 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.810312] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.529921] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.728023] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.6' (ECDSA) to the list of known hosts.
[ 44.395627] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.520437] audit: type=1400 audit(1583874462.958:36): avc: denied { map } for pid=7488 comm="syz-executor628" path="/root/syz-executor628109498" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.771102] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 45.573090] ODEBUG: activate active (active state 1) object type: rcu_head hint: (null)
[ 45.583320] ------------[ cut here ]------------
[ 45.588085] WARNING: CPU: 1 PID: 7491 at lib/debugobjects.c:287 debug_print_object.cold+0xa7/0xdb
[ 45.597092] Kernel panic - not syncing: panic_on_warn set ...
[ 45.597092]
[ 45.604592] CPU: 1 PID: 7491 Comm: syz-executor628 Not tainted 4.14.172-syzkaller #0
[ 45.612489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.621842] Call Trace:
[ 45.624545] dump_stack+0x13e/0x194
[ 45.628169] panic+0x1f9/0x42d
[ 45.631475] ? add_taint.cold+0x16/0x16
[ 45.635438] ? debug_print_object.cold+0xa7/0xdb
[ 45.640182] ? debug_print_object.cold+0xa7/0xdb
[ 45.645051] __warn.cold+0x2f/0x30
[ 45.648581] ? ist_end_non_atomic+0x10/0x10
[ 45.652944] ? debug_print_object.cold+0xa7/0xdb
[ 45.657704] report_bug+0x20a/0x248
[ 45.661316] do_error_trap+0x195/0x2d0
[ 45.665187] ? math_error+0x2d0/0x2d0
[ 45.668980] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.673814] invalid_op+0x1b/0x40
[ 45.677343] RIP: 0010:debug_print_object.cold+0xa7/0xdb
[ 45.683348] RSP: 0018:ffff88809fcbf430 EFLAGS: 00010082
[ 45.688725] RAX: 0000000000000055 RBX: 0000000000000003 RCX: 0000000000000000
[ 45.695978] RDX: 0000000000000000 RSI: ffffffff86ac0860 RDI: ffffed1013f97e7c
[ 45.703250] RBP: ffffffff86ab5f60 R08: 0000000000000055 R09: 0000000000000000
[ 45.710634] R10: fffffbfff14a8ce0 R11: ffff888087b9a580 R12: 0000000000000000
[ 45.717917] R13: 0000000000000001 R14: 1ffff11013f97e90 R15: ffffffff87d842c0
[ 45.725189] debug_object_activate+0x307/0x450
[ 45.729755] ? debug_object_free+0x390/0x390
[ 45.734168] ? find_held_lock+0x2d/0x110
[ 45.738230] ? route4_walk+0x450/0x450
[ 45.742118] __call_rcu.constprop.0+0x31/0x7e0
[ 45.746700] route4_change+0xb27/0x1c4d
[ 45.750664] ? route4_delete+0x760/0x760
[ 45.754712] ? route4_delete+0x760/0x760
[ 45.758886] tc_ctl_tfilter+0xf13/0x18e6
[ 45.762951] ? tfilter_notify+0x240/0x240
[ 45.767296] ? mutex_trylock+0x1a0/0x1a0
[ 45.771357] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.775752] ? tfilter_notify+0x240/0x240
[ 45.779884] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.784110] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.788675] ? save_trace+0x290/0x290
[ 45.792460] ? save_trace+0x290/0x290
[ 45.796366] netlink_rcv_skb+0x127/0x370
[ 45.800421] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.804988] ? netlink_ack+0x960/0x960
[ 45.808864] netlink_unicast+0x437/0x620
[ 45.812908] ? netlink_attachskb+0x600/0x600
[ 45.817319] netlink_sendmsg+0x733/0xbe0
[ 45.821381] ? netlink_unicast+0x620/0x620
[ 45.825624] ? SYSC_sendto+0x2b0/0x2b0
[ 45.829505] ? security_socket_sendmsg+0x83/0xb0
[ 45.834257] ? netlink_unicast+0x620/0x620
[ 45.838480] sock_sendmsg+0xc5/0x100
[ 45.842296] ___sys_sendmsg+0x70a/0x840
[ 45.846273] ? trace_hardirqs_on+0x10/0x10
[ 45.850487] ? copy_msghdr_from_user+0x380/0x380
[ 45.855234] ? find_held_lock+0x2d/0x110
[ 45.859282] ? lock_downgrade+0x6e0/0x6e0
[ 45.863415] ? __fget+0x228/0x360
[ 45.866846] ? __fget_light+0x199/0x1f0
[ 45.870809] ? sockfd_lookup_light+0xb2/0x160
[ 45.875289] __sys_sendmsg+0xa3/0x120
[ 45.879087] ? SyS_shutdown+0x160/0x160
[ 45.883051] ? move_addr_to_kernel+0x60/0x60
[ 45.887581] ? __do_page_fault+0x35b/0xb40
[ 45.892197] SyS_sendmsg+0x27/0x40
[ 45.895729] ? __sys_sendmsg+0x120/0x120
[ 45.900510] do_syscall_64+0x1d5/0x640
[ 45.904395] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.909639] RIP: 0033:0x446ed9
[ 45.912819] RSP: 002b:00007fd4c1eead98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.920544] RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446ed9
[ 45.927797] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 45.935164] RBP: 00000000006dbc60 R08: 0000000000000000 R09: 0000000000000000
[ 45.942430] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc6c
[ 45.949702] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 45.957150]
[ 45.957152] ======================================================
[ 45.957157] WARNING: possible circular locking dependency detected
[ 45.957158] 4.14.172-syzkaller #0 Not tainted
[ 45.957159] ------------------------------------------------------
[ 45.957161] syz-executor628/7491 is trying to acquire lock:
[ 45.957162] ((console_sem).lock){-...}, at: [] down_trylock+0xe/0x60
[ 45.957166]
[ 45.957167] but task is already holding lock:
[ 45.957168] (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 45.957172]
[ 45.957173] which lock already depends on the new lock.
[ 45.957174]
[ 45.957175]
[ 45.957176] the existing dependency chain (in reverse order) is:
[ 45.957177]
[ 45.957178] -> #5 (&obj_hash[i].lock){-.-.}:
[ 45.957182] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957183] debug_object_activate+0x10b/0x450
[ 45.957184] enqueue_hrtimer+0x22/0x3b0
[ 45.957186] hrtimer_start_range_ns+0x4e6/0x1060
[ 45.957187] schedule_hrtimeout_range_clock+0x13c/0x2f0
[ 45.957188] wait_task_inactive+0x478/0x530
[ 45.957189] __kthread_bind_mask+0x1f/0xb0
[ 45.957190] create_worker+0x313/0x530
[ 45.957192] workqueue_init+0x55f/0x66e
[ 45.957193] kernel_init_freeable+0x2ab/0x526
[ 45.957194] kernel_init+0xd/0x15b
[ 45.957195] ret_from_fork+0x24/0x30
[ 45.957196]
[ 45.957196] -> #4 (hrtimer_bases.lock){-.-.}:
[ 45.957201] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957202] lock_hrtimer_base.isra.0+0x6d/0x120
[ 45.957203] hrtimer_start_range_ns+0x7b/0x1060
[ 45.957204] enqueue_task_rt+0x94d/0xdb0
[ 45.957206] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.957207] _sched_setscheduler+0xf9/0x150
[ 45.957208] watchdog_enable+0xff/0x150
[ 45.957210] smpboot_thread_fn+0x40d/0x920
[ 45.957211] kthread+0x30d/0x420
[ 45.957212] ret_from_fork+0x24/0x30
[ 45.957213]
[ 45.957213] -> #3 (&rt_b->rt_runtime_lock){-.-.}:
[ 45.957217] _raw_spin_lock+0x2a/0x40
[ 45.957218] enqueue_task_rt+0x508/0xdb0
[ 45.957220] __sched_setscheduler.constprop.0+0xc11/0x1f70
[ 45.957221] _sched_setscheduler+0xf9/0x150
[ 45.957222] watchdog_enable+0xff/0x150
[ 45.957223] smpboot_thread_fn+0x40d/0x920
[ 45.957225] kthread+0x30d/0x420
[ 45.957226] ret_from_fork+0x24/0x30
[ 45.957226]
[ 45.957227] -> #2 (&rq->lock){-.-.}:
[ 45.957231] _raw_spin_lock+0x2a/0x40
[ 45.957235] task_fork_fair+0x63/0x5b0
[ 45.957236] sched_fork+0x39a/0xbd0
[ 45.957237] copy_process.part.0+0x15b7/0x6a70
[ 45.957238] _do_fork+0x180/0xc80
[ 45.957240] kernel_thread+0x2f/0x40
[ 45.957241] rest_init+0x1f/0x1d2
[ 45.957242] start_kernel+0x659/0x676
[ 45.957243] secondary_startup_64+0xa5/0xb0
[ 45.957244]
[ 45.957244] -> #1 (&p->pi_lock){-.-.}:
[ 45.957248] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957249] try_to_wake_up+0x6a/0xef0
[ 45.957250] up+0x92/0xe0
[ 45.957252] __up_console_sem+0xa9/0x1b0
[ 45.957253] console_unlock+0x596/0xec0
[ 45.957254] vprintk_emit+0x1f8/0x600
[ 45.957255] vprintk_func+0x58/0x152
[ 45.957256] printk+0x9e/0xbc
[ 45.957257] kauditd_hold_skb.cold+0x3e/0x4d
[ 45.957258] kauditd_send_queue+0xfb/0x140
[ 45.957260] kauditd_thread+0x625/0x840
[ 45.957261] kthread+0x30d/0x420
[ 45.957262] ret_from_fork+0x24/0x30
[ 45.957262]
[ 45.957263] -> #0 ((console_sem).lock){-...}:
[ 45.957267] lock_acquire+0x170/0x3f0
[ 45.957268] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957270] down_trylock+0xe/0x60
[ 45.957271] __down_trylock_console_sem+0x97/0x1f0
[ 45.957272] console_trylock+0x14/0x70
[ 45.957273] vprintk_emit+0x1ea/0x600
[ 45.957274] vprintk_func+0x58/0x152
[ 45.957275] printk+0x9e/0xbc
[ 45.957277] debug_print_object.cold+0xa7/0xdb
[ 45.957278] debug_object_activate+0x307/0x450
[ 45.957279] __call_rcu.constprop.0+0x31/0x7e0
[ 45.957280] route4_change+0xb27/0x1c4d
[ 45.957281] tc_ctl_tfilter+0xf13/0x18e6
[ 45.957283] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.957284] netlink_rcv_skb+0x127/0x370
[ 45.957285] netlink_unicast+0x437/0x620
[ 45.957286] netlink_sendmsg+0x733/0xbe0
[ 45.957287] sock_sendmsg+0xc5/0x100
[ 45.957288] ___sys_sendmsg+0x70a/0x840
[ 45.957289] __sys_sendmsg+0xa3/0x120
[ 45.957291] SyS_sendmsg+0x27/0x40
[ 45.957292] do_syscall_64+0x1d5/0x640
[ 45.957293] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.957294]
[ 45.957295] other info that might help us debug this:
[ 45.957296]
[ 45.957296] Chain exists of:
[ 45.957297] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock
[ 45.957302]
[ 45.957303] Possible unsafe locking scenario:
[ 45.957307]
[ 45.957308]        CPU0                    CPU1
[ 45.957309]        ----                    ----
[ 45.957310]   lock(&obj_hash[i].lock);
[ 45.957313]                                lock(hrtimer_bases.lock);
[ 45.957315]                                lock(&obj_hash[i].lock);
[ 45.957318]   lock((console_sem).lock);
[ 45.957320]
[ 45.957321] *** DEADLOCK ***
[ 45.957321]
[ 45.957323] 2 locks held by syz-executor628/7491:
[ 45.957323] #0: (rtnl_mutex){+.+.}, at: [] rtnetlink_rcv_msg+0x31d/0xb10
[ 45.957328] #1: (&obj_hash[i].lock){-.-.}, at: [] debug_object_activate+0x10b/0x450
[ 45.957332]
[ 45.957333] stack backtrace:
[ 45.957335] CPU: 1 PID: 7491 Comm: syz-executor628 Not tainted 4.14.172-syzkaller #0
[ 45.957337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.957338] Call Trace:
[ 45.957339] dump_stack+0x13e/0x194
[ 45.957340] print_circular_bug.isra.0.cold+0x1c4/0x282
[ 45.957341] __lock_acquire+0x2cb3/0x4620
[ 45.957342] ? string+0x17e/0x1d0
[ 45.957343] ? trace_hardirqs_on+0x10/0x10
[ 45.957344] ? netdev_bits+0xa0/0xa0
[ 45.957345] ? kvm_clock_read+0x1f/0x30
[ 45.957347] ? kvm_sched_clock_read+0x5/0x10
[ 45.957348] lock_acquire+0x170/0x3f0
[ 45.957349] ? down_trylock+0xe/0x60
[ 45.957350] _raw_spin_lock_irqsave+0x8c/0xbf
[ 45.957351] ? down_trylock+0xe/0x60
[ 45.957352] down_trylock+0xe/0x60
[ 45.957353] ? vprintk_emit+0x1ea/0x600
[ 45.957354] __down_trylock_console_sem+0x97/0x1f0
[ 45.957356] console_trylock+0x14/0x70
[ 45.957357] vprintk_emit+0x1ea/0x600
[ 45.957358] vprintk_func+0x58/0x152
[ 45.957359] printk+0x9e/0xbc
[ 45.957360] ? show_regs_print_info+0x5b/0x5b
[ 45.957361] ? lock_acquire+0x170/0x3f0
[ 45.957362] ? debug_object_activate+0x10b/0x450
[ 45.957363] debug_print_object.cold+0xa7/0xdb
[ 45.957364] debug_object_activate+0x307/0x450
[ 45.957366] ? debug_object_free+0x390/0x390
[ 45.957367] ? find_held_lock+0x2d/0x110
[ 45.957368] ? route4_walk+0x450/0x450
[ 45.957369] __call_rcu.constprop.0+0x31/0x7e0
[ 45.957370] route4_change+0xb27/0x1c4d
[ 45.957371] ? route4_delete+0x760/0x760
[ 45.957372] ? route4_delete+0x760/0x760
[ 45.957374] tc_ctl_tfilter+0xf13/0x18e6
[ 45.957378] ? tfilter_notify+0x240/0x240
[ 45.957380] ? mutex_trylock+0x1a0/0x1a0
[ 45.957383] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.957384] ? tfilter_notify+0x240/0x240
[ 45.957386] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.957388] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.957390] ? save_trace+0x290/0x290
[ 45.957392] ? save_trace+0x290/0x290
[ 45.957394] netlink_rcv_skb+0x127/0x370
[ 45.957396] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.957398] ? netlink_ack+0x960/0x960
[ 45.957400] netlink_unicast+0x437/0x620
[ 45.957402] ? netlink_attachskb+0x600/0x600
[ 45.957404] netlink_sendmsg+0x733/0xbe0
[ 45.957406] ? netlink_unicast+0x620/0x620
[ 45.957408] ? SYSC_sendto+0x2b0/0x2b0
[ 45.957410] ? security_socket_sendmsg+0x83/0xb0
[ 45.957412] ? netlink_unicast+0x620/0x620
[ 45.957414] sock_sendmsg+0xc5/0x100
[ 45.957416] ___sys_sendmsg+0x70a/0x840
[ 45.957418] ? trace_hardirqs_on+0x10/0x10
[ 45.957420] ? copy_msghdr_from_user+0x380/0x380
[ 45.957422] ? find_held_lock+0x2d/0x110
[ 45.957424] ? lock_downgrade+0x6e0/0x6e0
[ 45.957426] ? __fget+0x228/0x360
[ 45.957427] ? __fget_light+0x199/0x1f0
[ 45.957429] ? sockfd_lookup_light+0xb2/0x160
[ 45.957430] __sys_sendmsg+0xa3/0x120
[ 45.957431] ? SyS_shutdown+0x160/0x160
[ 45.957432] ? move_addr_to_kernel+0x60/0x60
[ 45.957434] ? __do_page_fault+0x35b/0xb40
[ 45.957435] SyS_sendmsg+0x27/0x40
[ 45.957436] ? __sys_sendmsg+0x120/0x120
[ 45.957437] do_syscall_64+0x1d5/0x640
[ 45.957438] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.957439] RIP: 0033:0x446ed9
[ 45.957440] RSP: 002b:00007fd4c1eead98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.957443] RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446ed9
[ 45.957445] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 45.957447] RBP: 00000000006dbc60 R08: 0000000000000000 R09: 0000000000000000
[ 45.957448] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc6c
[ 45.957454] R13: 0000000000000005 R14: 00a3a20740000000 R15: 0507002400000038
[ 45.958969] Kernel Offset: disabled
[ 46.857016] Rebooting in 86400 seconds..