[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context[ 37.902777] audit: type=1800 audit(1571132701.508:33): pid=7298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0 maintaining daemon: restorecond[ 37.926648] audit: type=1800 audit(1571132701.508:34): pid=7298 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0 [?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 41.361308] audit: type=1400 audit(1571132704.968:35): avc: denied { map } for pid=7477 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.10.30' (ECDSA) to the list of known hosts. executing program [ 60.934585] audit: type=1400 audit(1571132724.538:36): avc: denied { map } for pid=7489 comm="syz-executor256" path="/root/syz-executor256689262" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 executing program executing program [ 65.946195] ------------[ cut here ]------------ [ 65.952007] ODEBUG: free active (active state 0) object type: timer_list hint: rfcomm_dlc_timeout+0x0/0x80 [ 65.962046] WARNING: CPU: 0 PID: 7492 at lib/debugobjects.c:325 debug_print_object+0x168/0x250 [ 65.970783] Kernel panic - not syncing: panic_on_warn set ... [ 65.970783] [ 65.978139] CPU: 0 PID: 7492 Comm: syz-executor256 Not tainted 4.19.79 #0 [ 65.985059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 65.994408] Call Trace: [ 65.996980] dump_stack+0x172/0x1f0 [ 66.000591] panic+0x263/0x507 [ 66.003769] ? __warn_printk+0xf3/0xf3 [ 66.007640] ? debug_print_object+0x168/0x250 [ 66.012121] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.017639] ? __warn.cold+0x5/0x4a [ 66.021247] ? __warn+0xe8/0x1d0 [ 66.024623] ? debug_print_object+0x168/0x250 [ 66.029098] __warn.cold+0x20/0x4a [ 66.032621] ? trace_hardirqs_off+0x62/0x220 [ 66.037016] ? debug_print_object+0x168/0x250 [ 66.041503] report_bug+0x263/0x2b0 [ 66.045112] do_error_trap+0x204/0x360 [ 66.048987] ? math_error+0x340/0x340 [ 66.052773] ? wake_up_klogd+0x99/0xd0 [ 66.056641] ? vprintk_emit+0x1ab/0x690 [ 66.060597] ? error_entry+0x7c/0xe0 [ 66.064294] ? trace_hardirqs_off_caller+0x65/0x220 [ 66.069295] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 66.074120] do_invalid_op+0x1b/0x20 [ 66.077817] invalid_op+0x14/0x20 [ 66.081254] RIP: 0010:debug_print_object+0x168/0x250 [ 66.086338] Code: dd 60 5a 82 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b5 00 00 00 48 8b 14 dd 60 5a 82 87 48 c7 c7 a0 4f 82 87 e8 b6 db 18 fe <0f> 0b 83 05 6b 68 17 06 01 48 83 c4 20 5b 41 5c 41 5d 41 5e 5d c3 [ 66.105233] RSP: 0018:ffff8880866c78d8 EFLAGS: 00010086 [ 66.110578] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 [ 66.117828] RDX: 0000000000000000 RSI: ffffffff8155f4a6 RDI: ffffed1010cd8f0d [ 66.125089] RBP: ffff8880866c7918 R08: ffff88808fcd84c0 R09: ffffed1015d03ee3 [ 66.132341] R10: ffffed1015d03ee2 R11: ffff8880ae81f717 R12: 0000000000000001 [ 66.139597] R13: ffffffff887ac640 R14: ffffffff815b6a30 R15: ffff888091ec10a8 [ 66.146860] ? __internal_add_timer+0x1f0/0x1f0 [ 66.151514] ? vprintk_func+0x86/0x189 [ 66.155399] ? debug_print_object+0x168/0x250 [ 66.159878] debug_check_no_obj_freed+0x29f/0x464 [ 66.164704] kfree+0xbd/0x220 [ 66.167811] rfcomm_dlc_free+0x20/0x30 [ 66.171682] rfcomm_dev_ioctl+0x181f/0x1b60 [ 66.175986] ? __local_bh_enable_ip+0x15a/0x270 [ 66.180635] ? lock_sock_nested+0xe2/0x120 [ 66.184850] ? __local_bh_enable_ip+0x15a/0x270 [ 66.189499] ? rfcomm_dev_state_change+0x150/0x150 [ 66.194412] ? __local_bh_enable_ip+0x15a/0x270 [ 66.199064] rfcomm_sock_ioctl+0x90/0xb0 [ 66.203117] sock_do_ioctl+0xd8/0x2f0 [ 66.206900] ? compat_ifr_data_ioctl+0x160/0x160 [ 66.211648] ? __lock_acquire+0x6ee/0x49c0 [ 66.215889] ? rcu_read_lock_sched_held+0x110/0x130 [ 66.220887] ? kmem_cache_alloc+0x32a/0x700 [ 66.225197] sock_ioctl+0x325/0x610 [ 66.228806] ? dlci_ioctl_set+0x40/0x40 [ 66.232770] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.238289] ? __might_sleep+0x95/0x190 [ 66.242262] ? find_held_lock+0x35/0x130 [ 66.246303] ? dlci_ioctl_set+0x40/0x40 [ 66.250261] do_vfs_ioctl+0xd5f/0x1380 [ 66.254130] ? selinux_file_ioctl+0x46f/0x5e0 [ 66.258623] ? selinux_file_ioctl+0x125/0x5e0 [ 66.263100] ? ioctl_preallocate+0x210/0x210 [ 66.267492] ? selinux_file_mprotect+0x620/0x620 [ 66.272232] ? __sanitizer_cov_trace_const_cmp4+0xb/0x20 [ 66.277665] ? __fd_install+0x200/0x640 [ 66.281620] ? fd_install+0x4d/0x60 [ 66.285230] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.290764] ? security_file_ioctl+0x8d/0xc0 [ 66.295157] ksys_ioctl+0xab/0xd0 [ 66.298592] __x64_sys_ioctl+0x73/0xb0 [ 66.302799] do_syscall_64+0xfd/0x620 [ 66.306627] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.311795] RIP: 0033:0x441229 [ 66.314988] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 66.333869] RSP: 002b:00007ffc93539168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 66.341564] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229 [ 66.348834] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004 [ 66.356083] RBP: 0000000000010176 R08: 00000000004002c8 R09: 00000000004002c8 [ 66.363334] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050 [ 66.370598] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000 [ 66.377855] [ 66.377859] ====================================================== [ 66.377862] WARNING: possible circular locking dependency detected [ 66.377864] 4.19.79 #0 Not tainted [ 66.377867] ------------------------------------------------------ [ 66.377870] syz-executor256/7492 is trying to acquire lock: [ 66.377872] 0000000026d15b50 ((console_sem).lock){-...}, at: down_trylock+0x13/0x70 [ 66.377882] [ 66.377884] but task is already holding lock: [ 66.377886] 00000000c6eaf777 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464 [ 66.377895] [ 66.377897] which lock already depends on the new lock. [ 66.377899] [ 66.377900] [ 66.377903] the existing dependency chain (in reverse order) is: [ 66.377904] [ 66.377906] -> #3 (&obj_hash[i].lock){-.-.}: [ 66.377914] _raw_spin_lock_irqsave+0x95/0xcd [ 66.377917] __debug_object_init+0xc6/0xc30 [ 66.377919] debug_object_init+0x16/0x20 [ 66.377921] hrtimer_init+0x2a/0x300 [ 66.377924] init_dl_task_timer+0x1b/0x50 [ 66.377926] __sched_fork+0x22a/0x4b0 [ 66.377928] init_idle+0x75/0x800 [ 66.377930] sched_init+0x952/0x9f0 [ 66.377933] start_kernel+0x402/0x8c5 [ 66.377935] x86_64_start_reservations+0x29/0x2b [ 66.377938] x86_64_start_kernel+0x77/0x7b [ 66.377940] secondary_startup_64+0xa4/0xb0 [ 66.377942] [ 66.377943] -> #2 (&rq->lock){-.-.}: [ 66.377951] _raw_spin_lock+0x2f/0x40 [ 66.377953] task_fork_fair+0x6a/0x520 [ 66.377955] sched_fork+0x3af/0x900 [ 66.377958] copy_process.part.0+0x1859/0x7a30 [ 66.377960] _do_fork+0x257/0xfd0 [ 66.377962] kernel_thread+0x34/0x40 [ 66.377964] rest_init+0x24/0x222 [ 66.377967] start_kernel+0x88c/0x8c5 [ 66.377969] x86_64_start_reservations+0x29/0x2b [ 66.377972] x86_64_start_kernel+0x77/0x7b [ 66.377974] secondary_startup_64+0xa4/0xb0 [ 66.377975] [ 66.377977] -> #1 (&p->pi_lock){-.-.}: [ 66.377985] _raw_spin_lock_irqsave+0x95/0xcd [ 66.377987] try_to_wake_up+0x94/0xf50 [ 66.377989] wake_up_process+0x10/0x20 [ 66.377992] __up.isra.0+0x136/0x1a0 [ 66.377994] up+0x9c/0xe0 [ 66.377996] __up_console_sem+0xb7/0x1c0 [ 66.377998] console_unlock+0x6c7/0x10b0 [ 66.378001] vprintk_emit+0x238/0x690 [ 66.378003] vprintk_default+0x28/0x30 [ 66.378005] vprintk_func+0x7e/0x189 [ 66.378007] printk+0xba/0xed [ 66.378010] kauditd_hold_skb.cold+0x3f/0x4e [ 66.378012] kauditd_send_queue+0x12b/0x170 [ 66.378014] kauditd_thread+0x732/0xa60 [ 66.378016] kthread+0x354/0x420 [ 66.378019] ret_from_fork+0x24/0x30 [ 66.378020] [ 66.378021] -> #0 ((console_sem).lock){-...}: [ 66.378029] lock_acquire+0x16f/0x3f0 [ 66.378032] _raw_spin_lock_irqsave+0x95/0xcd [ 66.378034] down_trylock+0x13/0x70 [ 66.378037] __down_trylock_console_sem+0xa8/0x210 [ 66.378039] console_trylock+0x15/0xa0 [ 66.378042] vprintk_emit+0x21d/0x690 [ 66.378044] vprintk_default+0x28/0x30 [ 66.378046] vprintk_func+0x7e/0x189 [ 66.378048] printk+0xba/0xed [ 66.378050] __warn_printk+0x9b/0xf3 [ 66.378053] debug_print_object+0x168/0x250 [ 66.378056] debug_check_no_obj_freed+0x29f/0x464 [ 66.378058] kfree+0xbd/0x220 [ 66.378060] rfcomm_dlc_free+0x20/0x30 [ 66.378063] rfcomm_dev_ioctl+0x181f/0x1b60 [ 66.378065] rfcomm_sock_ioctl+0x90/0xb0 [ 66.378068] sock_do_ioctl+0xd8/0x2f0 [ 66.378070] sock_ioctl+0x325/0x610 [ 66.378072] do_vfs_ioctl+0xd5f/0x1380 [ 66.378074] ksys_ioctl+0xab/0xd0 [ 66.378077] __x64_sys_ioctl+0x73/0xb0 [ 66.378079] do_syscall_64+0xfd/0x620 [ 66.378082] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.378083] [ 66.378086] other info that might help us debug this: [ 66.378087] [ 66.378089] Chain exists of: [ 66.378090] (console_sem).lock --> &rq->lock --> &obj_hash[i].lock [ 66.378100] [ 66.378103] Possible unsafe locking scenario: [ 66.378105] [ 66.378108] CPU0 CPU1 [ 66.378112] ---- ---- [ 66.378113] lock(&obj_hash[i].lock); [ 66.378118] lock(&rq->lock); [ 66.378124] lock(&obj_hash[i].lock); [ 66.378128] lock((console_sem).lock); [ 66.378133] [ 66.378135] *** DEADLOCK *** [ 66.378136] [ 66.378139] 3 locks held by syz-executor256/7492: [ 66.378140] #0: 00000000d0ad90eb (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}, at: rfcomm_sock_ioctl+0x82/0xb0 [ 66.378150] #1: 00000000896c7831 (rfcomm_ioctl_mutex){+.+.}, at: rfcomm_dev_ioctl+0x4f0/0x1b60 [ 66.378160] #2: 00000000c6eaf777 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xbe/0x464 [ 66.378170] [ 66.378172] stack backtrace: [ 66.378176] CPU: 0 PID: 7492 Comm: syz-executor256 Not tainted 4.19.79 #0 [ 66.378180] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 66.378182] Call Trace: [ 66.378184] dump_stack+0x172/0x1f0 [ 66.378187] print_circular_bug.isra.0.cold+0x1cc/0x28f [ 66.378190] __lock_acquire+0x2e19/0x49c0 [ 66.378192] ? mark_held_locks+0x100/0x100 [ 66.378194] ? kvm_clock_read+0x18/0x30 [ 66.378197] ? kvm_sched_clock_read+0x9/0x20 [ 66.378199] lock_acquire+0x16f/0x3f0 [ 66.378202] ? down_trylock+0x13/0x70 [ 66.378204] _raw_spin_lock_irqsave+0x95/0xcd [ 66.378207] ? down_trylock+0x13/0x70 [ 66.378209] ? vprintk_emit+0x21d/0x690 [ 66.378211] down_trylock+0x13/0x70 [ 66.378213] ? vprintk_emit+0x21d/0x690 [ 66.378216] __down_trylock_console_sem+0xa8/0x210 [ 66.378218] console_trylock+0x15/0xa0 [ 66.378221] vprintk_emit+0x21d/0x690 [ 66.378223] ? __internal_add_timer+0x1f0/0x1f0 [ 66.378225] vprintk_default+0x28/0x30 [ 66.378227] vprintk_func+0x7e/0x189 [ 66.378229] printk+0xba/0xed [ 66.378232] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 66.378234] ? __warn_printk+0x8f/0xf3 [ 66.378237] ? rfcomm_session_add+0x300/0x300 [ 66.378239] __warn_printk+0x9b/0xf3 [ 66.378241] ? add_taint.cold+0x16/0x16 [ 66.378243] ? skb_dequeue+0x12e/0x180 [ 66.378246] ? rfcomm_session_add+0x300/0x300 [ 66.378248] debug_print_object+0x168/0x250 [ 66.378251] debug_check_no_obj_freed+0x29f/0x464 [ 66.378253] kfree+0xbd/0x220 [ 66.378255] rfcomm_dlc_free+0x20/0x30 [ 66.378258] rfcomm_dev_ioctl+0x181f/0x1b60 [ 66.378260] ? __local_bh_enable_ip+0x15a/0x270 [ 66.378262] ? lock_sock_nested+0xe2/0x120 [ 66.378265] ? __local_bh_enable_ip+0x15a/0x270 [ 66.378268] ? rfcomm_dev_state_change+0x150/0x150 [ 66.378270] ? __local_bh_enable_ip+0x15a/0x270 [ 66.378273] rfcomm_sock_ioctl+0x90/0xb0 [ 66.378275] sock_do_ioctl+0xd8/0x2f0 [ 66.378277] ? compat_ifr_data_ioctl+0x160/0x160 [ 66.378280] ? __lock_acquire+0x6ee/0x49c0 [ 66.378282] ? rcu_read_lock_sched_held+0x110/0x130 [ 66.378285] ? kmem_cache_alloc+0x32a/0x700 [ 66.378287] sock_ioctl+0x325/0x610 [ 66.378289] ? dlci_ioctl_set+0x40/0x40 [ 66.378292] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.378294] ? __might_sleep+0x95/0x190 [ 66.378297] ? find_held_lock+0x35/0x130 [ 66.378299] ? dlci_ioctl_set+0x40/0x40 [ 66.378301] do_vfs_ioctl+0xd5f/0x1380 [ 66.378304] ? selinux_file_ioctl+0x46f/0x5e0 [ 66.378306] ? selinux_file_ioctl+0x125/0x5e0 [ 66.378309] ? ioctl_preallocate+0x210/0x210 [ 66.378311] ? selinux_file_mprotect+0x620/0x620 [ 66.378314] ? __sanitizer_cov_trace_const_cmp4+0xb/0x20 [ 66.378317] ? __fd_install+0x200/0x640 [ 66.378319] ? fd_install+0x4d/0x60 [ 66.378322] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.378324] ? security_file_ioctl+0x8d/0xc0 [ 66.378326] ksys_ioctl+0xab/0xd0 [ 66.378329] __x64_sys_ioctl+0x73/0xb0 [ 66.378331] do_syscall_64+0xfd/0x620 [ 66.378333] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.378335] RIP: 0033:0x441229 [ 66.378346] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 66.378350] RSP: 002b:00007ffc93539168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 66.378360] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441229 [ 66.378366] RDX: 0000000020000100 RSI: 00000000400452c8 RDI: 0000000000000004 [ 66.378372] RBP: 0000000000010176 R08: 00000000004002c8 R09: 00000000004002c8 [ 66.378378] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402050 [ 66.378384] R13: 00000000004020e0 R14: 0000000000000000 R15: 0000000000000000 [ 66.379856] Kernel Offset: disabled [ 67.199809] Rebooting in 86400 seconds..